No, they are most definitely not from my LAN. For example, I got a burst of requests from the 192.168.113.0/24 range, but my LAN is only on the range 192.168.0.0/24.
Right at this moment I’m also getting a few from 10.121.57.130 and more than a few from 100.89.0.0/16 which is, at least according to Wikipedia, supposed to be part of a block reserved for carrier-grade NAT.
And again, this is all logged as inbound requests on my WAN interface.
Regarding the carrier NAT IPs, my ISP actually does utilize that, but I have bought a proper routable IP since otherwise I wouldn’t be able to host servers at all. I have also never seen packets with these kinds of source IPs before now, and all of them are for UDP port 123.
This is what my firewall log looks like right now, filtered to only show blocks for requests to port 123.
I’m wondering more and more if this is somehow caused by my ISP and it using carrier NAT. Is it somehow possible that devices from other customers at this ISP using the NTP pool are being routed to my WAN using their internal carrier NAT’d IP instead of the shared WAN IP? Don’t know if that makes sense, I am by no means a networking expert.