Suspicious Traffic?

Why is my USW-16-POE Gen2 trying to connect to 185.215.224.214:123 NTP port UDP? I just noticed far too many of these attempts being blocked by pfblocker here lately all of a sudden.

It resolves to pool.NTP.org, should be OK.

Ok I get it, but doesn’t unifi have its own NTP? And if so, is it normal for Unifi switches or APs etc. to try to connect with other non-Unifi NTP? I’m a novice, you can tell, but I’m learning. :wink:

A lot of things use NTP.org, not sure about unifi. Freenas, pfsense, etc. default to this.

Ok I gotcha, so pfblocker blocking some of these NTP requests is a false flag, so to speak? Should I whitelist these blocked NTP attempts in pfblocker? Or just not worry about it?

I would probably whitelist it, but that’s up to you. You could track down the machine that’s trying to use it and change to another time provider too.

Ok cool :sunglasses: you are the man! Thanks for your help.

I noticed Amazon Alexa makes a significant number of NTP requests, so I enabled NTP server and added a FW rule to significantly reduce NTP WAN traffic and reduce possible fingerprinting. No need to change each client.

  1. Enable NTP pool server in pfSense us.ntp.pool.org
  2. Add FW rule to re-direct all LAN NTP requests to local 127.0.0.1 NTP server

I am confused, wouldn’t creating a firewall rule redirecting all LAN NTP requests to local 127.0.0.1 create a loop, and defeat the information you are trying to get from us.ntp.pool.org?

The client attempts to sync to an NTP hostname. The hostname gets resolved to an IP address served by your DNS server configuration. The client then attempts to time sync with the resolved or hardcoded IP address, and the firewall rule simply routes the request to the local NTP server. The client does not know the difference, since the response from the local NTP server will appear as if it came from the external IP address.

The only external NTP traffic will be from the local NTP server to the external pool. No client NTP requests will be external. The key is to redirect only LAN NTP requests. Not from the firewall itself.
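The redirect described in the two posts above, written out as an added pf rule set for reference (example configuration, not from any poster; in pfSense this is entered as a NAT Port Forward on the LAN interface rather than hand-written pf.conf). The interface name `igb1`, the LAN subnet `192.168.1.0/24` and an ntpd already listening on 127.0.0.1 are assumptions.

```pf
# Assumed LAN interface and subnet; adjust to your own.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"

# Redirect: any UDP/123 packet that ARRIVES on the LAN interface from a
# LAN host is rewritten to the firewall's local ntpd. Because the rule is
# bound to the LAN interface, the firewall's own outbound NTP (which leaves
# via WAN, never inbound on LAN) is untouched, so there is no loop: only
# the local ntpd talks to the external pool.
rdr on $lan_if inet proto udp from $lan_net to any port 123 -> 127.0.0.1 port 123

# After translation the destination is 127.0.0.1, so the pass rule must
# match the rewritten address, not the original external NTP server.
pass in quick on $lan_if inet proto udp from $lan_net to 127.0.0.1 port 123 keep state
```

To confirm it is working, watch the pfBlocker/firewall log after applying the rule: blocked UDP/123 entries from LAN hosts (like the switch above) should disappear, and the only remaining UDP/123 traffic toward the pool should originate from the firewall's WAN address.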