abishur
just joined
Topic Author
Posts: 9
Joined: Fri May 13, 2022 6:37 pm

Forward NTP

Fri Jul 29, 2022 3:53 am

I want to grab any outgoing NTP request and reroute them to my internal NTP server.

Using WinBox I've gone into my Firewall area, then NAT, and set up a dstnat rule where I set:
protocol to 17 (udp)
dst port to 123
and for action I set it to dst-nat
and set the to addresses as 192.168.25.22 (the ip address of my ntp server)
Then from a Windows machine I try and have it update from time.windows.com, but it fails.

I set up a log for the rule and can see it is triggered with the message:
dstnat: in:bridge out:(unknown 0), src-mac 7c:c3:a1:b7:35:fe, proto UDP, 192.168.25.48:53409->17.253.126.125:123, len 76
But it doesn't seem to be reaching the destination address I set, any ideas what I need to change to get it to work?
 
eduplant
Member Candidate
Posts: 139
Joined: Tue Dec 19, 2017 9:45 am

Re: Forward NTP

Fri Jul 29, 2022 5:54 am

Unfortunately, I'm not exactly sure how you're logging or whether or not something's configured incorrectly. If you wanted to post more of your firewall rules (redacted if necessary) and the NAT config, myself or others could put a second set of eyes on it.

A related question: is your NTP server on the same LAN as the hosts you're trying to intercept? I'm guessing they're all on 192.168.25.0/24. If that's the case, you're going to have a problem regardless:
ntp-dstnat.png
You might be able to get around that by also src-nating so that the NTP server sends the response back to the router, but I haven't tested what that would look like.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Forward NTP

Fri Jul 29, 2022 4:06 pm

Try something like this if the NTP server is the MikroTik itself:
/ip firewall nat
add action=redirect chain=dstnat dst-port=123 in-interface-list=LAN protocol=udp
 
abishur
just joined
Topic Author
Posts: 9
Joined: Fri May 13, 2022 6:37 pm

Re: Forward NTP

Fri Jul 29, 2022 7:43 pm

Try something like this if the NTP server is the MikroTik itself:
/ip firewall nat
add action=redirect chain=dstnat dst-port=123 in-interface-list=LAN protocol=udp
My NTP server is separate from my MikroTik router.
A related question: is your NTP server on the same LAN as the hosts you're trying to intercept? I'm guessing they're all on 192.168.25.0/24. If that's the case, you're going to have a problem regardless:
Yes my NTP server is on the same LAN. I was hoping it wouldn't care that the ip was different and only care that it got a valid NTP response back.
You might be able to get around that by also src-nating so that the NTP server sends the response back to the router, but I haven't tested what that would look like.
I'm very, very ignorant on advanced routing; I'll give it a try and see if I can work it out, though.
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Forward NTP

Fri Jul 29, 2022 10:37 pm

I was hoping it wouldn't care that the ip was different and only care that it got a valid NTP response back.
Yes it cares - and be glad it does. Having your computing device accepting responses from a different IP address than they sent to would be a MASSIVE security problem.
 
abishur
just joined
Topic Author
Posts: 9
Joined: Fri May 13, 2022 6:37 pm

Re: Forward NTP

Sat Jul 30, 2022 12:45 am

Unfortunately, I'm not exactly sure how you're logging or whether or not something's configured incorrectly. If you wanted to post more of your firewall rules (redacted if necessary) and the NAT config, myself or others could put a second set of eyes on it.

A related question: is your NTP server on the same LAN as the hosts you're trying to intercept? I'm guessing they're all on 192.168.25.0/24. If that's the case, you're going to have a problem regardless:
ntp-dstnat.png
You might be able to get around that by also src-nating so that the NTP server sends the response back to the router, but I haven't tested what that would look like.
That got me on the right track to solve it! I first set up my dstnat firewall rule as I previously described and then added a second srcnat where
protocol was 17 (udp)
Dst. Port was 123
and action was set to masquerade.

For those who like the command line, when I ran a /ip firewall nat print command the two relevant entries were:
chain=dstnat action=dst-nat to-addresses=192.168.25.22 to-ports=123 protocol=udp in-interface=bridge dst-port=123 log=yes log-prefix=""
chain=srcnat action=masquerade to-addresses=192.168.25.22 protocol=udp dst-port=123 log=no log-prefix=""
Though now that it's working I'm going to turn off logging.

Thanks for your help!
 
eduplant
Member Candidate
Posts: 139
Joined: Tue Dec 19, 2017 9:45 am

Re: Forward NTP

Sat Jul 30, 2022 1:58 am

Glad that's working. You might want to give CZFan's suggestion a shot. It seems, from reading the docs, that action=redirect is a combination src and dest NAT that is designed to do this. I didn't know it existed when replying :)
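Pulling the two approaches in this thread together, as an added example that is not from any of the posts above: a RouterOS configuration that transparently redirects outbound NTP from LAN hosts to the internal server and hairpins the reply back through the router, with CZFan's redirect variant for the case where the router itself serves NTP. It assumes the interface list named LAN exists (the default configuration creates it), that the LAN is 192.168.25.0/24 and the NTP server is 192.168.25.22 as in the thread, and, for the variant, that the router's own NTP server is enabled under /system ntp server. The rule comments and the accept rule in the filter chain are my additions, not something the thread shows.

```routeros
# Added example, not from the original thread.
# Assumptions: interface list "LAN" exists, LAN = 192.168.25.0/24,
# internal NTP server = 192.168.25.22.
#
# Why dst-nat alone fails when the server is on the same LAN:
#   client 192.168.25.48 -> router   (dst 17.253.126.125:123 is off-subnet, so it is routed)
#   router rewrites dst to 192.168.25.22:123 and forwards it back out the bridge
#   server replies to 192.168.25.48 directly (same subnet, the router is not in the path)
#   client sees a reply from 192.168.25.22:123 instead of 17.253.126.125:123 and drops it
#
/ip firewall nat
# 1. Redirect every outbound NTP query from LAN hosts to the internal server.
#    src-address=!192.168.25.22 keeps the server's own upstream queries out of the rule;
#    without it they would be redirected to itself and it would never sync.
add chain=dstnat action=dst-nat protocol=udp dst-port=123 \
    in-interface-list=LAN src-address=!192.168.25.22 \
    to-addresses=192.168.25.22 to-ports=123 \
    comment="NTP: transparent redirect to internal server"

# 2. Hairpin: for LAN-to-LAN NTP that was just redirected, replace the client's source
#    with the router's address so the server replies to the router, which then reverses
#    both translations. Scoped to udp/123 towards the server so nothing else is touched.
add chain=srcnat action=masquerade protocol=udp dst-port=123 \
    src-address=192.168.25.0/24 dst-address=192.168.25.22 \
    out-interface-list=LAN \
    comment="NTP: hairpin so replies return through the router"

# 3. Only needed if your forward chain drops by default: accept the redirected flow.
#    Put it above the drop rule (place-before= on the CLI, or drag it in WinBox).
/ip firewall filter
add chain=forward action=accept protocol=udp dst-port=123 \
    dst-address=192.168.25.22 in-interface-list=LAN out-interface-list=LAN \
    comment="NTP: accept hairpinned NTP to internal server"

# Variant (CZFan's suggestion): the router itself is the NTP server.
# action=redirect delivers the packet to the router's own address on the incoming
# interface, so there is no hairpin problem and no srcnat rule is needed.
# Requires the router's NTP server to be enabled; disable rules 1 and 2 if you use this.
# /system ntp server set enabled=yes
# /ip firewall nat
# add chain=dstnat action=redirect protocol=udp dst-port=123 in-interface-list=LAN to-ports=123
```

Check the packet counters on both NAT rules with /ip firewall nat print stats; the tracked entry in /ip firewall connection should show both translations on the same flow once the hairpin works. Two caveats a practitioner would want: with masquerade the NTP server's logs show the router as the client for every LAN host, so per-client visibility on the server is lost; and transparent redirection only works for unauthenticated NTP. A client using NTS (RFC 8915) or symmetric-key authentication will reject the internal server's replies because that server cannot produce the cookies or MAC the client expects. The behaviour k6ccc describes is the same validation at a lower layer: a client using a connected UDP socket discards replies from any address other than the one it queried, and NTP additionally checks that the reply's originate timestamp echoes what it sent. The hairpin makes the first check pass by ensuring the router un-translates the reply's source address; the second passes because NAT never touches the payload.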
