UDP for NTP redirecting by policy?

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Moderator: Qbik Staff

UDP for NTP redirecting by policy?

Postby ChadRA » Jul 09 19 8:39 am

Hi,
I've been struggling with this for a bit now and haven't found a nice way to do this, where I have some IP cameras on my network which do not have any option to change the NTP server used for automatically requesting time updates. The cameras use a time server based in Japan which no longer seems to respond to them, and they are VERY persistent when requesting updates.
I currently have a policy in place attached to the "Wingate NAT: Client Connect" event which does some group checking and for these devices ONLY allows activity for port 123 (yes, I've always had a "tin-foil" hat, but was glad I did back when all those "IoT exploits" started).
There seem to be some types of policies which allow the result to be redirected, but for this "Wingate NAT: Client Connect" the only options seem to be "Allow" or disconnect. What I would like to be able to do is redirect these requests to a different NTP server, but so far the only way I have been successful in doing this was to redirect ALL UDP port 123 access using the Extended Networking "Port Security" redirect, which redirects ALL traffic.

Is there a way to do this redirect based on additional criteria, in this case the group?

I have also tried setting up a "UDP Mapping Service" for NTP, but it looks like these devices do requests using alternate ports which bypass the service??
Capture.JPG
Capture.JPG (20.58 KiB) Viewed 655 times


Thanks,
Chad.
ChadRA
 
Posts: 34
Joined: Oct 07 03 1:53 pm

Re: UDP for NTP redirecting by policy?

Postby adrien » Aug 01 19 3:20 pm

Hi chad

you can't redirect based on client in NAT - the policy is just hit after the connection is set up, so you can close it but that's about it.

However if you create a UDP mapping service you should be able to get it to intercept traffic on port 123. Then you can forward it based on mappings / policy wherever you like.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5288
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: UDP for NTP redirecting by policy?

Postby ChadRA » Aug 01 19 3:50 pm

Hi Adrien,

As mentioned, I did create a UDP mapping service and have it doing debug level logging.
Very few of the NTP requests seem to flowing through this service, and these specific IP cameras never show up in the log as using the service (and I may have incorrectly assumed it was because they use alternate ports as shown).
For now I am using the Extended Networking "Port Security" redirect method, absolutely not ideal but is OK for a temporary workaround.

From what you mentioned, it sounds like my current UDP mapping service for port 123 should be handling the connections including those shown in the screenshot? If so, I may need to go back and look at this again.

Thanks,
Chad.
ChadRA
 
Posts: 34
Joined: Oct 07 03 1:53 pm

Re: UDP for NTP redirecting by policy?

Postby adrien » Aug 01 19 4:07 pm

Hi Chad

yes, you'll need to manually intercept the connections (divert to internal IP address) in the Extended Networking settings. UDP mapping services don't support interception natively (unlike DNS service).

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5288
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: UDP for NTP redirecting by policy?

Postby ChadRA » Aug 01 19 4:34 pm

AH-HA!! That's what I was missing, I saw that there was a "Hole for NTP UDP Mapping (auto)" already for the service but didn't realize that the manual intercept would also be needed.
Once again, THANK YOU Adrien... not only for the help, but for always being willing to help AND for providing such a great piece of software.
I've added the intercept, logs already look much better with actual activity.

Thanks,
Chad.
ChadRA
 
Posts: 34
Joined: Oct 07 03 1:53 pm

Re: UDP for NTP redirecting by policy?

Postby adrien » Aug 01 19 4:57 pm

You're welcome!

Now I just need to figure out why we decided to not allow UDP mapping proxies to intercept natively.
adrien
Qbik Staff
 
Posts: 5288
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: UDP for NTP redirecting by policy?

Postby ChadRA » Aug 01 19 5:47 pm

This setup seems to be working perfectly... *almost* ;-)
Now the machine where Wingate is running always gets an error when trying to synchronize with a time server, could this be from the Windows time sync client trying to use UDP port 123 but it's already in use by the Wingate service?
ChadRA
 
Posts: 34
Joined: Oct 07 03 1:53 pm

Re: UDP for NTP redirecting by policy?

Postby adrien » Aug 01 19 6:09 pm

possibly.,

You could try running the UDP mapping on a different port, and mapping to that new port in the Extended networking redirect.
adrien
Qbik Staff
 
Posts: 5288
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: UDP for NTP redirecting by policy?

Postby ChadRA » Aug 02 19 6:34 am

Using an alternate port for the service seems to work now, strange thing is at first it didn't seem to make a difference and the NTP sync was still failing.
Just to make sure everything was "fresh" again I did a reboot, and after that the NTP sync worked so I'm not sure if that port had really been released when I switched it in the service and restarted the service, or was still being "held" but not used, or yet *another* Windows "feature" that makes everyone say ???.
Thanks again for helping in this little adventure, between this and creating a policy based smtp blocking scheme for all those "baddies" out there I'm starting to think one could do almost anything, just so many paths are possible it's sometimes difficult to choose a good one. :-)
ChadRA
 
Posts: 34
Joined: Oct 07 03 1:53 pm


Return to WinGate

Who is online

Users browsing this forum: No registered users and 3 guests