pfBlockerNG DNSBL: NTP Service uses Virtual IP Address
-
I use pfSense 22.01 with pfBlockerNG 3.1.0_2. The issue is that my NTP service stops synchronizing to the external NTP server if I enable the DNSBL in pfBlockerNG.
I have disabled all rules/lists in DNSBL and enabled DNSBL. If I then restart the NTP service or reboot pfSense, the NTP status shows only the pool but no NTP server. In the NTP log I only get:
Soliciting pool server 82.197.188.130
Interesting is packet capture on the WAN interface. If I restart the NTP service, I capture this:
IP 10.255.254.1.123 > 82.197.188.130.123: UDP, length 48
An NTP request on the WAN with the source address 10.255.254.1! This obviously is not my WAN IP and will not work. 10.255.254.1 is the IP I entered in pfBlockerNG as Virtual IP Address for DNSBL. So, it looks like NTP is using the Virtual IP to reach out to the NTP server? For me this makes no sense.
After disabling DNSBL, NTP starts to work again correctly and also uses my correct WAN IP.
Does anybody know why I get this behavior? Thanks for the help!
In the NTP log I also see that the NTP server starts to listen on the Virtual IP:
Listen normally on 10 lo0 10.255.254.1:123
Listen normally on 11 lo0 [::10.255.254.1]:123
If I disable DNSBL it detects this:
Deleting interface #10 lo0, 10.255.254.1#123, interface stats: received=0, sent=4, dropped=0, active_time=229 secs
Deleting interface #11 lo0, ::10.255.254.1#123, interface stats: received=0, sent=0, dropped=0, active_time=229 secs
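The two symptoms in this post (ntpd binding a socket on the DNSBL VIP, and NTP requests leaving the WAN with the VIP as source) can be checked mechanically. The following script is an added example, not code from the thread or from pfSense/pfBlockerNG: it parses ntpd "Listen normally on" log lines and tcpdump-style capture lines and reports both conditions. The sample lines are constructed from the ones quoted above; 10.255.254.1 is the VIP from the post, and 203.0.113.10 is a placeholder for the real WAN address.

```python
import re
from typing import List, Tuple

# Constructed sample data, modelled on the ntpd log and the WAN packet capture
# quoted in the post. 10.255.254.1 is the DNSBL VIP from the post; 203.0.113.10
# is a documentation-range placeholder standing in for the real WAN address.
DNSBL_VIP = "10.255.254.1"
WAN_IP = "203.0.113.10"

SAMPLE_NTP_LOG = """\
Listen normally on 9 lo0 127.0.0.1:123
Listen normally on 10 lo0 10.255.254.1:123
Listen normally on 11 lo0 [::10.255.254.1]:123
Listen normally on 12 em0 203.0.113.10:123
Soliciting pool server 82.197.188.130
"""

SAMPLE_WAN_CAPTURE = """\
IP 10.255.254.1.123 > 82.197.188.130.123: UDP, length 48
IP 203.0.113.10.123 > 82.197.188.130.123: UDP, length 48
IP 82.197.188.130.123 > 203.0.113.10.123: UDP, length 48
"""

# "Listen normally on <n> <iface> <addr>:123"; ntpd brackets IPv6 addresses.
LISTEN_RE = re.compile(r"^Listen normally on \d+ (\S+) \[?([0-9A-Fa-f.:]+?)\]?:123$")
# tcpdump-style line: "IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
PACKET_RE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+$")


def ntp_sockets_on_vip(ntp_log: str, vip: str) -> List[Tuple[str, str]]:
    """Return (interface, address) for every ntpd socket bound to the DNSBL VIP,
    including the IPv4-mapped form ntpd logs for its IPv6 socket."""
    hits = []
    for line in ntp_log.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        iface, addr = m.group(1), m.group(2)
        if addr == vip or addr.endswith(":" + vip):
            hits.append((iface, addr))
    return hits


def misrouted_ntp_requests(capture: str, wan_ip: str) -> List[Tuple[str, str]]:
    """Return (src, dst) for NTP requests leaving the WAN whose source address
    is not the WAN address. Inbound replies (dst == WAN) are skipped."""
    bad = []
    for line in capture.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if dport != 123 or dst == wan_ip:
            continue  # not an outbound NTP request
        if src != wan_ip:
            bad.append((src, dst))
    return bad


def audit(ntp_log: str, capture: str, vip: str, wan_ip: str) -> dict:
    """Combine both checks into a single verdict."""
    sockets = ntp_sockets_on_vip(ntp_log, vip)
    requests = misrouted_ntp_requests(capture, wan_ip)
    return {
        "vip_sockets": sockets,
        "misrouted_requests": requests,
        "ntp_bound_to_dnsbl_vip": bool(sockets or requests),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_NTP_LOG, SAMPLE_WAN_CAPTURE, DNSBL_VIP, WAN_IP)
    for iface, addr in result["vip_sockets"]:
        print(f"ntpd socket on DNSBL VIP: {iface} {addr}")
    for src, dst in result["misrouted_requests"]:
        print(f"NTP request to {dst} sourced from non-WAN address {src}")
    if result["ntp_bound_to_dnsbl_vip"]:
        print("Check Services / NTP / Settings: remove Localhost from the interface list.")
```

Run it against the real "Listen normally" lines from the NTP log and a `tcpdump -n -i <wan> udp port 123` capture; a non-empty result on either check means ntpd has picked up the lo0 VIP, which is exactly the condition the thread resolves by dropping Localhost from the NTP interface list.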
-
I just tried it with pfSense 23.01 and pfBlockerNG 3.2.0_1. The same issue is still there.
-
@marco-42 In the SERVICES -> NTP settings you can select on which interfaces the NTPD daemon operates. I don’t know if it impacts the NTP Client, but it’s worth a try.
-
@marco-42 Go into Services / NTP / Settings and explicitly set the interface list that you want to use for NTP services. Do not select Localhost as part of the list.
-
Set the DNSBL Listening interface to Localhost
-
@bbcan177 said in pfBlockerNG DNSBL: NTP Service uses Virtual IP Address:
Set the DNSBL Listening interface to Localhost
Looking at the OP, it seemed to me that the VIP is already on localhost (lo0). This is one reason why I suggested that NTP should be disabled for that interface, as well as the fact that NTP on a localhost interface makes little sense.
I'm also wondering if the VIP is inside the local address space for NAT...
-
I already had excluded the WAN interface from the NTP interface list, but I still had the Localhost active. Removing the Localhost interface from the NTP interface list fixed the issue.
Thanks @keyser and @dennypage!
-
@marco-42 Welcome