  1. #1
    Untangler
    Join Date
    Aug 2018
    Posts
    34

    Default Allow timesync (NTP) in firewall rules?

    I've blocked all outgoing traffic from my IPcams to external/ the internet with a firewall rule.
    Is there a way to allow only the timesync requests? (to pool.ntp.org)?

    BTW: The NTP 'protocol' is not in the protocol criteria and the IP addresses are not fixed.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,520

    Default

    Yes, allow port 123 for the cameras. Of course this rule must be before the block rule.

    camera-allow.jpg
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler
    Join Date
    Aug 2018
    Posts
    34

    Default

    Quote Originally Posted by jcoffin:
    Yes, allow port 123 for the cameras. Of course this rule must be before the block rule.
    Thanks!

    It was an option that crossed my mind as well but I wasn't sure whether port 123 is always and only used for NTP.

    In some of my IPcams I had indeed set it manually to port 123, but in others there is no option to set the port.
    Would it be safe to assume they all use port 123 and only for timesync?

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,520

    Default

    NTP is almost always on port 123. As with any port, someone could always send data out any port.

  5. #5
    Untangler
    Join Date
    Aug 2018
    Posts
    34

    Default

    OK, thanks. I will flag these 'pass' occurrences and let it run for a few days and see whether all IP cams indeed sync at the intervals I have set up.

  6. #6
    Untangler
    Join Date
    Aug 2018
    Posts
    34

    Default

    I did some analysis on the blocked and allow+flagged events:
    • 3 out of 6 IPcams sync just fine with this 'Allow port 123' rule. Some every half hour, some every 5 mins.
    • But the 3 others do not…

    They keep trying to connect to a DNS server (at least I recognize the destination IP as the ISP DNS) on port 53, but are blocked since I block all traffic from the camera subnet to the WAN.

    And the weirdest thing is that out of two twin cams, one does sync and the other one doesn't.

    Any suggestions on cause & solution?

  7. #7
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,520

    Default

    Is the camera IP static or DHCP? If DHCP what is the DHCP server in your network?

  8. #8
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    694

    Default

    I always redirect/port forward all outbound DNS that isn't my preferred DNS, back to my local/preferred DNS instead of blocking. It helps prevent hard coded DNS (like some IoT devices have) from breaking.

  9. #9
    Master Untangler
    Join Date
    Jul 2018
    Posts
    104

    Default

    What would be the setup/rule for this? thx!

  10. #10
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    694

    Default

    Depends on your setup.

    In my case, I want everything using my Untangle box as DNS (which is in turn configured to use the specific external DNS service I prefer) - so I just made a port forward rule that any outbound port 53 traffic that originates from anything other than my Untangle IP gets redirected to the Untangle IP (192.168.1.1 in my case).

    Now that I look at it, I could probably simplify the conditions a little, but heck with it - it works as-is.

    Here is my port forward:
    Capture.PNG
    Last edited by JasonJoel; 09-24-2018 at 07:21 AM.
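    Added example (not Untangle's own code or anyone's post in this thread): a toy first-match rule engine that models the policy discussed in posts #2 and #10, so two points can be checked directly: the NTP allow rule must sit above the camera block rule, and a port forward of outbound port 53 delivers hard-coded DNS to the local resolver instead of dropping it. Assumed values: cameras in 192.168.10.0/24, internal space 192.168.0.0/16, and constructed addresses 203.0.113.5 (an NTP pool server) and 198.51.100.53 (the ISP DNS); only 192.168.1.1 comes from the thread.

```python
# Toy first-match firewall for the camera-subnet scenario (added example).
# Assumed: camera VLAN 192.168.10.0/24, internal space 192.168.0.0/16.
# 192.168.1.1 is the Untangle LAN address from post #10; 203.0.113.5 and
# 198.51.100.53 are constructed stand-ins for an NTP server and the ISP DNS.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

CAMERA_NET = ip_network("192.168.10.0/24")   # assumed camera VLAN
LOCAL_NET = ip_network("192.168.0.0/16")     # assumed internal space
UNTANGLE_IP = "192.168.1.1"                  # Untangle box, from post #10

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int

def from_cameras(p): return ip_address(p.src) in CAMERA_NET
def to_wan(p): return ip_address(p.dst) not in LOCAL_NET

def build_rules(allow_before_block=True):
    """Rules are (name, action, match). The port forward goes first because
    NAT is applied before filter rules; pass/block are then checked in order."""
    forward = ("dns-to-untangle", "redirect",
               lambda p: p.dport == 53 and p.src != UNTANGLE_IP)
    allow = ("allow-ntp", "pass",
             lambda p: from_cameras(p) and p.proto == "udp" and p.dport == 123)
    block = ("block-cameras-to-wan", "block",
             lambda p: from_cameras(p) and to_wan(p))
    filters = [allow, block] if allow_before_block else [block, allow]
    return [forward] + filters

def evaluate(rules, pkt):
    """First match wins. Returns (verdict, final destination, matching rule)."""
    for name, action, match in rules:
        if not match(pkt):
            continue
        if action == "redirect":   # rewrite the destination, keep filtering
            pkt = replace(pkt, dst=UNTANGLE_IP)
            continue
        return action, pkt.dst, name
    return "pass", pkt.dst, "default-lan"   # nothing matched: LAN-bound traffic

if __name__ == "__main__":
    cam = "192.168.10.21"   # constructed camera address
    for p in (Packet(cam, "203.0.113.5", "udp", 123),    # NTP to pool.ntp.org
              Packet(cam, "198.51.100.53", "udp", 53),   # hard-coded ISP DNS
              Packet(cam, "203.0.113.80", "tcp", 80)):   # anything else
        print(p.dport, evaluate(build_rules(), p), evaluate(build_rules(False), p))
```

Swapping the two filter rules (`build_rules(False)`) shows why the order in post #2 matters: the same NTP packet is then caught by the block rule before the allow rule is ever reached.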
