Using V18 NAT to achieve NTP proxy like functionality

Hi,

The new NAT engine in V18 provides a high degree of flexibility when it comes to solving some interesting network problems. I don't know if it has been shared here or not, but you can use NAT to achieve NTP-proxy-like functionality. A common use case is that clients would like to use the IP address of the firewall as their NTP server. Consider this as an example environment:

  • Firewall has at least 2 interfaces, LAN and WAN.  LAN interface has an RFC1918 address, and the WAN interface utilizes a public address.
  • Clients behind the firewall would like to use the LAN interface IP as the NTP 'server'. In other words, the default gateway and the NTP destination are the same address on your clients.
  • The NTP server you want to sync with is external to the organization, e.g. pool.ntp.org.


To make this work, create a NAT policy like the following:

  • Original Source: Any host (or LAN subnets)
  • Original Service: NTP
  • Original Destination: XG LAN IP address
  • Translated Source: Masqueraded (this is your WAN IP)
  • Translated Service: Original service
  • Translated Destination: pool.ntp.org (or pick NTP server of your liking)
  • Inbound Interface: LAN
  • Outbound Interface: ANY

Naturally, you can create variations of this NAT policy, based on your network configuration and the location of the NTP server.

In the new XG V18 architecture training course, there are a few more examples demonstrating how to control NTP and DNS traffic. I encourage you to check out the training material as it provides more in-depth knowledge of the new V18 features.
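A quick way to confirm the NAT policy is doing its job from a client's point of view (added example written for this post, not Sophos or XG code): a small Python NTP client that sends a mode-3 request to the firewall's LAN IP, parses the 48-byte reply and validates it the way a careful client would. It assumes the LAN address 192.168.1.1, and it constructs a sample reply (stratum 2, reference ID 203.0.113.7) so the parsing and validation can be exercised without a network. Since the NAT rewrites only the IP headers and leaves the UDP payload alone, the stratum and reference ID you get back are those of the upstream pool server, not of the XG, which is exactly what tells you the request was forwarded rather than answered locally.

```python
"""NTP sanity check for the NAT-based 'proxy' rule. Added example, not XG code."""
import socket
import struct
import time
from typing import Optional, Tuple

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
FIREWALL_LAN_IP = "192.168.1.1"        # assumption: the XG LAN address clients point at
# 48-byte NTPv4 header: flags, stratum, poll, precision, root delay, root dispersion,
# reference id, then four 64-bit timestamps (reference, origin, receive, transmit)
HEADER = struct.Struct("!BBbbII4sIIIIIIII")


def to_ntp_time(unix_seconds: float) -> Tuple[int, int]:
    """Unix time -> (seconds, fraction) in NTP's 1900-based 32.32 fixed point."""
    ntp = unix_seconds + NTP_EPOCH_OFFSET
    secs = int(ntp)
    return secs, int((ntp - secs) * (1 << 32))


def from_ntp_time(secs: int, frac: int) -> float:
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_ntp_request(now: Optional[float] = None) -> bytes:
    """Mode-3 client request; our transmit timestamp is echoed back as 'origin'."""
    secs, frac = to_ntp_time(time.time() if now is None else now)
    flags = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, mode=3 (client)
    return HEADER.pack(flags, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, 0, 0, 0, secs, frac)


def parse_ntp_response(data: bytes) -> dict:
    if len(data) < HEADER.size:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    f = HEADER.unpack(data[:HEADER.size])
    flags, stratum, ref_id = f[0], f[1], f[6]
    ref, org, rec, tx = [from_ntp_time(f[i], f[i + 1]) for i in (7, 9, 11, 13)]
    # Stratum 1 carries an ASCII clock name; stratum >= 2 carries the upstream's IPv4.
    if stratum == 1:
        ref_str = ref_id.rstrip(b"\0").decode("ascii", "replace")
    else:
        ref_str = ".".join(str(b) for b in ref_id)
    return {
        "leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
        "stratum": stratum, "ref_id": ref_str,
        "reference": ref, "origin": org, "receive": rec, "transmit": tx,
    }


def validate_response(request: bytes, response: bytes) -> Tuple[bool, str]:
    """Checks a client should make before trusting a reply."""
    p = parse_ntp_response(response)
    req_tx = from_ntp_time(*struct.unpack("!II", request[40:48]))
    if p["mode"] != 4:
        return False, "not a server reply (mode %d)" % p["mode"]
    if p["leap"] == 3 or p["stratum"] == 0:
        return False, "server unsynchronized or kiss-o'-death"
    if not 1 <= p["stratum"] <= 15:
        return False, "invalid stratum %d" % p["stratum"]
    if abs(p["origin"] - req_tx) > 1e-6:
        return False, "origin timestamp does not match our request (stray/replayed packet)"
    return True, "ok: stratum %d, ref_id %s" % (p["stratum"], p["ref_id"])


def make_sample_response(request: bytes, server_now: float = 1691011200.5) -> bytes:
    """Constructed reply as a pool server would send it: stratum 2, ref_id = its upstream.
    After NAT the client sees it arrive from the firewall's LAN IP with this payload intact."""
    org_secs, org_frac = struct.unpack("!II", request[40:48])
    s, fr = to_ntp_time(server_now)
    flags = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, mode=4 (server)
    upstream = bytes([203, 0, 113, 7])       # constructed TEST-NET-3 address
    return HEADER.pack(flags, 2, 6, -20, 0x100, 0x200, upstream,
                       s, fr, org_secs, org_frac, s, fr, s, fr)


def query(host: str = FIREWALL_LAN_IP, timeout: float = 3.0) -> dict:
    """Send one request to the firewall's LAN IP and return the parsed, validated reply."""
    req = build_ntp_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, NTP_PORT))
        data, peer = sock.recvfrom(512)
    t4 = time.time()
    ok, reason = validate_response(req, data)
    result = parse_ntp_response(data)
    result.update(valid=ok, reason=reason, peer=peer[0])
    # Round-trip delay and clock offset per RFC 5905 (T1..T4)
    t1, t2, t3 = result["origin"], result["receive"], result["transmit"]
    result["delay"] = (t4 - t1) - (t3 - t2)
    result["offset"] = ((t2 - t1) + (t3 - t4)) / 2
    return result


if __name__ == "__main__":
    r = query()
    print("reply from %s: %s, offset %+.3fs" % (r["peer"], r["reason"], r["offset"]))
```

Run it from a LAN client with the rule in place: the reply arrives from 192.168.1.1, but `stratum` and `ref_id` belong to the upstream server. A stratum-0 reply or a timeout means the NAT policy is not matching (check the inbound interface and that the original destination really is the LAN IP), and a mismatched origin timestamp means something other than the answer to your request came back.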


  • Thanks for the nice idea. Missing the NTP and also voted for it. But for now it works as a hack. As the last comment was from 2017 I won't suppose that it will be implemented as a feature like many other things competitors can. See fixed IPs for SSL VPN...

  • That assumes you are using an external NTP service, if you are trying to use an internal server then that does not work, neither does the hairpin NAT.

    Ian

    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • I don't understand what you want to say to me. I (and everyone else here) want to use the XG as an NTP service internally. But the XG doesn't have this feature. So the idea is to forward NTP requests which are sent to the XG address to an external service, which works as described here. The internal devices don't know that they are forwarded...

  • Hi,

    what I was pointing out is that I have tried all those ideas and a hairpin NAT and not all devices were happy with the result, hence I built my own internal NTP server.

    Ian

  • Which device didn't work for you? I had several devices yesterday which I tested and every one of them worked:

    - Windows Server

    - Unify X8

    - QNAPs

    - Printers

    What error do you get while using it on the faulty device?

  • One of my IoT devices kept trying to connect to a Chinese university helpdesk, the manufacturer could not help and did not understand. I have set up the NTP access rules again and this time the FQDN group is working and limiting access to NTP servers only.

    Ian

  • So you had traffic on udp/tcp 123 for other reasons than NTP, as far as I understood? Good point, I didn't think about restricting it further.
