Redirect NTP Servers
I have a device that is going to an NTP server in Russia. Is it possible to use Firewalla to redirect all NTP queries to a server of my choosing? OR at least this NTP server specifically?
-
It is for sure possible, will log this request down. For now, best is to use country /region block under rules to do this. NTP protocol will try the next entry if the previous one was blocked.
https://help.firewalla.com/hc/en-us/articles/360035080933-Geo-IP-Filtering
-
I could think of two scenarios where this might be common. NTP and DNS queries.
I read another post in this forum where someone pointed out that some devices hardcode their DNS queries, often to Google. It would be great to be able to force all NTP and DNS queries to servers of your choice.
-
Firewalla will redirect any DNS requests to the DNS servers configured in Firewalla. So even if some devices in the network have a hard-coded DNS server, it will be redirected by Firewalla too.
For NTP queries, we don't have the same type of redirection. It's good to have one. Added to our todo list.
-
On a related note, what is the best practice?
- set clients’ DNS servers to point at public DNS servers like 1.1.1.1 and set Firewalla DNS to the same?
- set clients’ DNS servers to point at firewalla’s LAN IP and set Firewalla DNS to public DNS servers like 1.1.1.1?
- makes no difference?
-
Since legacy DNS is clear text,
Device -> Firewalla -> Router -> ISP -> Internet
Firewalla will intercept DNS requests from devices (even if a device specifies its own DNS) and forward them to upstream DNS servers. It is possible that the router/ISP may intercept/poison the DNS requests.
If DoH is used, the router/ISP will not be able to intercept or poison the request.
-
Yes, I love that DoH is able to be run on firewalla now and I have it enabled for all my devices. My question was if a device on my network was using DoH itself, say through the 1.1.1.1 app, would firewalla still be able to intercept and redirect that DNS request? Because it would not be in clear text over port 53 in this situation. Thanks!
-
As part of our 1.60 app release + 1.978 box release, we've added an NTP Intercept feature. Enabling NTP Intercept allows Firewalla to catch NTP requests and process them locally using standard ntp.org servers. You can read more about how to try out this feature in our release notes or in our article about NTP Intercept.
-
@Help Desk NTP Intercept is a great step but is there any way to define a local NTP server to send the intercepted traffic to? i.e. Create an input pointing to which NTP server/pool to use under the "NTP Intercept" option with the default being "pool.ntp.com" (assuming this is what's configured). Pool.ntp.com (or any pool) can sometimes be very inaccurate. Just as many of us like Firewalla for giving us more control over our network, I feel like my network time is at the mercy of some algorithm I have no control over. And it would satisfy us NTP nuts who like to build our own Stratum 1 NTP servers with Raspberry Pi's!
-
@Firewalla You could build logic into the NTP Intercept to identify if the "custom NTP server IP" defined is local (RFC 1918) and exclude it (and only it) from the intercept (Policies built-in would be in place that allows Non-RFC 1918 IP's via Port 123 to interact only with the "custom NTP server IP"). That way the NTP server could reach out to the NTP servers online for Selection and Clustering (and can be used in conjunction with a GPS-based source for time & PPS for better accuracy), while local devices requesting NTP over Port 123 would be intercepted and redirected to the "custom NTP server IP".
-
Some clients ignore DHCP Option 42 or are hardcoded to public NTP servers. This script transparently redirects all LAN NTP (UDP 123) traffic to a local server using iptables + ipset.
Tested on Firewalla Gold (Box Version 1.980 / Stable) — works perfectly.
My setup:
- Local GPS/NTP server: 192.168.88.45 (Pi-hole + chrony + GPS HAT)
- LAN subnet: 192.168.88.0/23 (i.e. .88.1 through .89.254)
- Goal: Redirect all clients except .88.45 to .88.45 for NTP
Installation:
- Save the script to: /home/pi/.firewalla/config/post_main.d/ntp_redirect.sh
- Make executable: chmod +x ntp_redirect.sh
- Firewalla will auto-run after every reboot.
Why this method?
Because the built-in Services → NTP Intercept toggle doesn’t cut it:
- You still have to manually rewrite ntp.conf
- Any custom rules are ephemeral (wiped on reboot)
- Firewalla doesn’t give you fine control over which clients get intercepted
This script fixes that. It’s durable, precise, and doesn’t fight you every time you reboot.
#!/bin/bash
# Compatible with: Firewalla Gold / Gold Plus
# Version: 1.980 (3e707d3c) Stable Release
# Purpose: Redirect NTP traffic from clients ignoring DHCP Option 42
set -euo pipefail
# Config
IPSET_NAME="ntp_clients"
DEST_IP="192.168.88.45"
TAG_FILE="/home/pi/.firewalla/config/post_main.d/ntp_redirect_done"
# Remove old DNAT rule (if any)
sudo iptables -t nat -D PREROUTING -i br0 -p udp --dport 123 \
-m set --match-set $IPSET_NAME src \
-j DNAT --to-destination ${DEST_IP}:123 2>/dev/null || true
# Create or flush ipset
if ! sudo ipset create $IPSET_NAME hash:ip 2>/dev/null; then
sudo ipset flush $IPSET_NAME
fi
# Add all clients in 192.168.88.0/23, excluding .88.45
for i in $(seq 1 254); do
[ "$i" -eq 45 ] && continue
sudo ipset add $IPSET_NAME 192.168.88.$i
done
for i in $(seq 0 254); do
sudo ipset add $IPSET_NAME 192.168.89.$i
done
# Bypass redirect for the NTP server itself
sudo iptables -t nat -C PREROUTING -i br0 -p udp --dport 123 \
-s ${DEST_IP} -j RETURN 2>/dev/null || \
sudo iptables -t nat -I PREROUTING -i br0 -p udp --dport 123 \
-s ${DEST_IP} -j RETURN
# Redirect matching clients to the local NTP server
sudo iptables -t nat -C PREROUTING -i br0 -p udp --dport 123 \
-m set --match-set $IPSET_NAME src \
-j DNAT --to-destination ${DEST_IP}:123 2>/dev/null || \
sudo iptables -t nat -A PREROUTING -i br0 -p udp --dport 123 \
-m set --match-set $IPSET_NAME src \
-j DNAT --to-destination ${DEST_IP}:123
# Tag file (Firewalla uses this for tracking)
sudo touch "$TAG_FILE"

How to verify if it is working:
On the Pi-hole / NTP server, run:
chronyc clients
Look for incoming requests from your LAN clients.
On Firewalla, try:
sudo tcpdump -n -i any udp port 123 and host 192.168.88.45
or:
sudo iptables -t nat -L PREROUTING -n -v | grep 123
You should see redirected requests from clients originally trying to hit public NTP servers.