
Problem to connect from internal network to external ntp server

Hi,

I have a subnet 10.10.11.x on LANPORTD; it is marked as LAN, and LANPORTD is 10.10.11.254/24.

My external ntp server is nl.ntp.pool.org

When I connect to it bypassing the Sophos XG, it works.

When I make a rule LAN > ANY > WAN > ANY > NTP and nl.ntp.pool.org, and a second rule WAN > ANY > LAN > ANY > NTP,

it does not work. Any help would be great.



  • First off, you don't need the second rule, as XG is a stateful firewall. Meaning, if you allow traffic one way, it will keep the state of this traffic and returning traffic will be allowed as well until the connection is terminated.

    Regarding your issue, make sure that the NTP service definition you created is set to sourceport = 1:65535. This is often overlooked.

  • Source port 1:65535, those are all internal ports? NTP is port 123 UDP, so why do you need to open all ports?

  • The reason is that when your client initiates a connection to the NTP server, the XG will assign a random port from 1024-65535 (AFAIK) so that return traffic will know how to get back to the client who initiated the request. This is the standard Port Address Translation spec, because without this you will not be able to share one public IP to access the internet. This is what the XG or any other router/firewall uses to be able to use one public IP for all internal clients when going to the internet.
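To make the stateful point concrete, here is an added Python model (not from the thread or from Sophos) of a firewall that evaluates an outbound NTP query against a service definition with a source port range and a destination port, and then admits the reply only from its connection table. The client IP 10.10.11.20, the ephemeral port 51234 and the server address 203.0.113.5 are constructed sample values.

```python
# Added example: minimal stateful-firewall model for an outbound NTP query.
# Hosts and ports are constructed sample values, not resolved addresses.
from __future__ import annotations
from dataclasses import dataclass
import socket

NTP_PORT = 123  # NTP server side is UDP/123


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> Flow:
        """5-tuple of the packet travelling the opposite way (the reply)."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class ServiceDef:
    """Like an XG service definition: protocol, source port range, destination port."""
    proto: str
    src_lo: int
    src_hi: int
    dst_port: int

    def matches(self, f: Flow) -> bool:
        return (f.proto == self.proto
                and self.src_lo <= f.src_port <= self.src_hi
                and f.dst_port == self.dst_port)


class StatefulFirewall:
    def __init__(self, lan_to_wan: ServiceDef):
        self.rule = lan_to_wan
        self.conntrack = set()  # outbound flows already allowed by the rule

    def forward(self, f: Flow) -> bool:
        """LAN -> WAN packet: consult the rule; remember the flow when allowed."""
        if self.rule.matches(f):
            self.conntrack.add(f)
            return True
        return False

    def reply(self, f: Flow) -> bool:
        """WAN -> LAN packet: admitted only if it reverses a tracked flow (no second rule)."""
        return f.reverse() in self.conntrack


def ephemeral_source_port() -> int:
    """Let the OS pick a client port, as a real NTP client does: it is not 123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(src_lo: int, src_hi: int) -> tuple:
    """(query allowed, reply allowed) for a service definition with this source port range."""
    fw = StatefulFirewall(ServiceDef("udp", src_lo, src_hi, NTP_PORT))
    query = Flow("udp", "10.10.11.20", 51234, "203.0.113.5", NTP_PORT)  # constructed flow
    return fw.forward(query), fw.reply(query.reverse())


if __name__ == "__main__":
    print("client source port chosen by OS:", ephemeral_source_port())
    print("source port 1:65535  ->", demo(1, 65535))   # (True, True)
    print("source port 123:123  ->", demo(123, 123))   # (False, False)
```

With the source port range set to 123:123 the client's query never matches, so no state is created and the reply is dropped too, which is the symptom described in the thread.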

