Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: Using NAT to achieve NTP proxy like functionality

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Table of Contents

Overview

The new engine provides great flexibility when solving interesting network problems.  I don't know if it has been shared here, but you can use NAT to achieve NTP proxy-like functionality.  A standard use case seen is that clients would like to use the IP address of the firewall as the NTP server. Consider this as an example environment:

  • The firewall has at least two interfaces: LAN and WAN. The LAN interface has an RFC1918 address, and the WAN interface utilizes a public address.
  • Clients behind the firewall would like to use the LAN interface IP as the NTP 'server'. In this regard, the default gateway and NTP destination on your clients use the same address.  
  • The NTP server you want to sync with is external to the organization, e.g. pool.ntp.org.

Types of Transparent NTP

There are two different approaches to a transparent NTP solution. 

1. NTP must be forwarded to a specific external (WAN) host/host group.

2. NTP must be forwarded to its resources within the network, and this server must provide the information. 

1st Scenario

The first scenario is rather simple.

It would be best to have one NAT Rule, which translates everything NTP-based to a specific host. 

You can specify all internal hosts with "Interface matching criteria - Inbound Interfaces". 
This example shows ANY. You can select all internal network interfaces (except WAN). 

This rule will fetch all NTP-related traffic, forward it to a public NTP service, and use MASQ. MASQ is required for WAN-related traffic. 

It would be best if you had a firewall rule: 

You can attach IPS rules to this if you want.
Build your own NTP rule with all NTP-related IPS patterns. 

Regardless of the configured IP on a client behind Sophos Firewall, the NTP request will work.
(Example: 1.2.3.4)

2nd Scenario

The second scenario needs more rules, as you can easily generate an NTP loop. 
Your internal server needs its own NAT rule and firewall rule. 
Example = Windows2016 is a NTP server. 

NAT Rule 1# 
NTP Server to WAN (to get the NTP server to the WAN NTP servers.)
You can also force the internal NTP server to get the IP from a specific NTP pool, but we assume the NTP server has its own NTP request pool. 

NAT 2# 
It’ll forward the NTP traffic transparently to the internal NTP server. 

  Firewall rules:

Firewall rule #1

Allowing the traffic of the NTP server to the WAN to get current time. 

 Firewall rule #2

Allowing the Traffic from all internal clients to the internal NTP server. 
Notice the destination zone. 

 You can naturally create variations of this NAT policy based on your network configuration and the location of the NTP server.




Revamped RR
[edited by: Erick Jan at 9:14 AM (GMT -7) on 18 Sep 2024]
Parents Reply Children
  • That assumes you are using an external NTP service, if you are trying to use an internal server then that does not work, neither does the hairpin NAT.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I don't understand what you want to say to me. I (and everyone else here) want to use the XG as a NTP service internally. But the XG doesn't have this feature. So the idea is to forward NTP requests which are sent to the XG address to an external service which works like described here. The internal devices don't know that they are forwarded...

  • Hi,

    what I was pointing out is that I have tried all those ideas and a hairpin NAT and not all devices were happy with the result, hence I built my own internal NTP server.

    Ia

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Which device didn't work for you? I had several devices yesterday which I tested and everyone worked:

    - Windows Server

    - Unify X8

    - QNAPs

    - Printers

    What error do you get while using it on the faulty device?

  • One of my IoT devices kept trying to connect to a Chinese university helpdesk, the manufacturer could not help and did not understand. I have set up the NTP access rules again and this time the FQDN group is working and limiting access to NTP servers only.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • So you had traffic on udp/tcp 123 for other reasons than NTP as far as I understood? Good point, didn't think about that to restrict it further.

  • No,

    it is a bug inn the device that the manufacturers say does not exist. When the XG NAT is working the devices connects to the NTP internal server, it only tries to connect other Chinese site when the XG decided to block the NTP traffic. Sine then after much experimentation I have the hairpin firewall rule and NAT working for  most connection attempts enough so that the internal devices all talk to the NTP server. There are still issues where the XG decides that it will double NAT some traffic and appears to also corrupt some traffic. v18.0.5 mr-5  has an undocumented partial fix for the hairpin NAT issue.

    Before MR-5 the NAT would fail and require a configuration changes to restore the service, after MR-5 the issue is no longer apparent. The issue is reproducible.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.