On IPFire Network > DHCP Server
Set IPFire Green (and Blue if used) Primary NTP server to be your IPFire Green, Blue addresses.
Or if using a different DHCP server, put it in there.
There are some badly behaved devices/services that willfully ignore the provided NTP configuration and will try to use whatever NTP servers they want! A similar problem exists for DNS servers. I suspect this is some form of limited ‘call home’ capability.
I’ve resorted to configuring a redirect for ANY:123 to 127.0.0.1:123 which forces NTP to IPFire and appears to work for most problematic devices.
Yes, and one of the “badly behaved devices” is IPFire itself. The internal client that “looks” at the upstream NTP servers is NOT a proper NTP client but rather a basic SNTP client. Therefore the time that IPFire serves to your downstream devices exhibits a sawtooth result.
Under the DHCP configuration screen, tell your devices to get time from elsewhere.
Basically, it involves creating a firewall rule with the source and destination information @philthehill mentioned. To my knowledge, the firewall GUI provides that functionality and no iptables commands are required.
As Alexander Marx described in the Bugzilla post, the settings in the WUI manipulate iptables chains which are considered too late. There are ACCEPT rules just before.
He suggests using rules in the PREROUTING chain, which is also considered in the community thread about DNS redirecting. Just look at the solution over there and adapt it for NTP (port 123).
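
A sketch of the PREROUTING approach discussed above, as an added example that is not from any poster in this thread or from the IPFire project. It assumes the zone interfaces are named `green0` and `blue0` and that custom NAT rules go in a chain named `CUSTOMPREROUTING`; both names are assumptions to check against your own system. The function only prints the commands, so nothing changes until you run them yourself.

```shell
#!/bin/sh
# Added example: build NAT PREROUTING rules that redirect LAN NTP to the firewall.
# Assumptions (not from the thread): chain CUSTOMPREROUTING, interfaces green0/blue0.
NTP_PORT=123
CHAIN="${CHAIN:-CUSTOMPREROUTING}"

# Print one iptables command per interface.
# $1 is -A (add) or -D (delete); remaining arguments are interface names.
ntp_redirect_rules() {
    action="$1"
    shift
    case "$action" in
        -A|-D) ;;
        *) echo "action must be -A or -D" >&2; return 1 ;;
    esac
    # Validate every name before printing anything, so a bad argument
    # never yields a partial rule set or injects shell syntax.
    for iface in "$@"; do
        case "$iface" in
            ''|*[!a-z0-9]*) echo "bad interface name: $iface" >&2; return 1 ;;
        esac
    done
    for iface in "$@"; do
        # REDIRECT rewrites the destination to the firewall's own address on
        # the incoming interface, before the filter chains see the packet.
        printf 'iptables -t nat %s %s -i %s -p udp --dport %s -j REDIRECT --to-ports %s\n' \
            "$action" "$CHAIN" "$iface" "$NTP_PORT" "$NTP_PORT"
    done
}

# Dry run: show the commands instead of executing them.
ntp_redirect_rules -A green0 blue0
```

Calling the function with `-D` prints the matching delete commands, which makes the change easy to roll back.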