WirelessRudy
Forum Guru
Topic Author
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Firewall filter in 5.20ppc not filtering ntp traffic

Fri Oct 05, 2012 2:53 am

Why is my firewall filter rule
/ip firewall filter
add action=accept chain=forward disabled=no dst-port=123 protocol=udp
not working?
It's the first 'forward' rule and it worked in v5.14.

Also, LAN units requesting timestamps from this main gateway are 'registered' by the filter in the 'input' chain, but then the time server of this gateway itself gets no reply from internet time servers.
(ntp package installed.) Server status is showing 'started' all the time.

Gateway:
/system ntp client
set enabled=yes mode=unicast primary-ntp=159.148.60.2 secondary-ntp=93.92.239.129

/system ntp server
set broadcast=no broadcast-addresses="" enabled=yes manycast=yes multicast=no

/ip firewall filter
add action=accept chain=output disabled=no protocol=udp src-port=123
Is the ntp package broken?
But udp:123 traffic going through the router (forward chain) is passing in big amounts according to torch, yet the filter still doesn't see it?

Any clues?
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
 
cbrown
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

Firewall filter in 5.20ppc not filtering ntp traffic

Fri Oct 05, 2012 3:03 am

We haven't had any problem with it.
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
dankunwizard
just joined
Posts: 20
Joined: Thu Sep 30, 2010 1:23 pm

Re: Firewall filter in 5.20ppc not filtering ntp traffic

Fri Oct 05, 2012 6:47 am

If you're trying to filter locally generated traffic then it needs to be placed in input or output, not forward.
 
WirelessRudy
Forum Guru
Topic Author
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Firewall filter in 5.20ppc not filtering ntp traffic

Fri Oct 05, 2012 11:29 am

If you're trying to filter locally generated traffic then it needs to be placed in input or output, not forward.
Maybe my topic was not completely clear; time server requests from units on my LAN to servers on the internet do pass my main gateway. So this happens in the 'forward' chain.
But although the 'torch' tool sees these requests flying through the router, the filter I set to 'accept' these doesn't count any. So it doesn't 'see' it.


Secondly, for units that request time updates FROM that same gateway (because that is their setting for their ntp server), this traffic hits the router in the 'input' chain. This traffic is 'seen' by the filter rule allowing it.
But now, the time server of this gateway needs its own update as well, otherwise it can't give an actual time set to its clients. Well, this is yet again also not happening. I can even set an 'output' chain rule that filters for port 123 udp traffic (= ntp protocol) and it does count its outgoing traffic. But still the time server itself is not getting an update....
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.
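To check which chain each of the three NTP flows on this gateway actually traverses (LAN to internet in 'forward', LAN to the router's own NTP server in 'input', the router's NTP client to upstream in 'output'), here is an added example that is not part of this thread: passive counting rules, one per chain, placed at the top of the filter so their counters can be compared against what torch shows. The flow descriptions in the comments are assumptions based on the setup described above.

```routeros
# Added example, not from the thread: count udp/123 in each chain without
# changing policy. action=passthrough counts the packet and continues to the
# next rule, so existing accept/drop rules still decide what happens.
# place-before=0 puts each counter at the very top of the filter list.
/ip firewall filter
add chain=forward protocol=udp dst-port=123 action=passthrough place-before=0 \
    comment="count: LAN clients -> internet NTP servers (transit traffic)"
add chain=input protocol=udp dst-port=123 action=passthrough place-before=0 \
    comment="count: LAN clients -> this gateway's own NTP server"
add chain=output protocol=udp dst-port=123 action=passthrough place-before=0 \
    comment="count: this gateway's NTP client -> upstream NTP servers"

# After some traffic has flowed, read packet/byte counters per rule.
# A chain whose counter stays at 0 while torch shows udp/123 on the
# interface means the flow is not taking the path you assumed.
/ip firewall filter print stats where comment~"^count:"
```

Remove the three passthrough rules once the comparison is done, since every extra rule at the top of the filter is evaluated for every packet.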
 
WirelessRudy
Forum Guru
Topic Author
Posts: 3089
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Firewall filter in 5.20ppc not filtering ntp traffic

Fri Oct 05, 2012 11:31 am

We haven't had any problem with it.
Can you show me your code to check if I indeed have all settings right?
Show your appreciation of this post by giving me Karma! Thanks.

Rudy R. Puister

WISP operator based on MT routerboard & ROS.