Netgate Discussion Forum
    Specifying "self" in NTP configuration?

    General pfSense Questions
    jhg

      I notice that if I don't specifically configure an NTP server in the DHCPv6 server, then no NTP server is provided even if the pfSense box is running an NTP server, and NTP is requested by a LAN client (monitored with Wireshark).

      Is there a standard way to configure "LAN self" as an address in places such as the NTP server provided by DHCP? I see that the LAN interface gets address fe80::1:1 which would be reachable by all LAN hosts... is that the correct address to use?

      pfSense CE on Beelink EQ12 (N100 CPU, dual 2.5Gbe Intel NICs)
      Hitron CODA56 - Comcast 2.5Gb cable

    Gertjan @jhg

        @jhg said in Specifying "self" in NTP configuration?:

        I notice that if I don't specifically configure an NTP server in the DHCPv6 server, then no NTP server is provided even if the pfSense box is running an NTP server, and NTP is requested by a LAN client (monitored with Wireshark).

        pfSense has a working NTP client, and server, when initially installed.
        The server will listen on all interfaces (check) for IPv4 and IPv6:

        [24.11-RELEASE][root@pfSense.bhf.tld]/root: sockstat -l | grep ':123'
        root     ntpd       38522 20  udp6   *:123                 *:*
        root     ntpd       38522 21  udp4   *:123                 *:*
        .....
        

        This can be an issue:

        [image]

        After all, your LAN type interface IPv4 is static (RFC1918) but IPv6, the GUA, is rarely static, probably assigned with tracking, so your ISP can decide "tomorrow" that your prefix changes ...

        So yeah, I do understand your "LAN Self" question. If that was possible, it would need a DHCP server restart (I guess).

        Btw: a LAN client asking for an NTP IP? My Microsoft devices don't ask for an NTP 'server' address, neither IPv4 nor IPv6. It's actually the one and only thing I set up on every device: I have it point to 'pfSense' (if I don't forget to do that). Not a big deal, as a Microsoft PC will point by default to pool.microsoft.com (something like that). Time syncing isn't done very often.

        Also, to make the issue worse: you can't enter a time server host name or pool name.
        After all: when DHCP starts, DNS isn't up yet (neither on the client side, nor on the router (pfSense) side).
        For pfSense, when the NTP client starts, as early as possible, to get an accurate clock as fast as possible, unbound isn't running yet. This is the one and only exception where pfSense uses a hard-coded (!!) "8.8.8.8" to get the pool details and sync time.
        Time is very important for the resolver (unbound) as it can use DNSSEC, which is based on certificates. And without a correct time, DNS can't work. And without DNS, NTP (client) can't resolve the pool host name. That's a deadlock.
        And that explains why most LAN devices don't ask for an NTP IP, but go out there for themselves to do the time shopping.

        More info: read first KEA DHCP NTP server option behavior and do the suggested packet capture:

        08:31:12.823850 a4:bb:6d:ba:16:a1 > 90:ec:77:29:39:2c, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 128, id 20894, offset 0, flags [none], proto UDP (17), length 328)
            192.168.1.6.68 > 192.168.1.1.67: [udp sum ok] BOOTP/DHCP, Request from a4:bb:6d:ba:16:a1, length 300, xid 0x6c5e5cdd, Flags [none] (0x0000)
        	  Client-IP 192.168.1.6
        	  Client-Ethernet-Address a4:bb:6d:ba:16:a1
        	  Vendor-rfc1048 Extensions
        	    Magic Cookie 0x63825363
        	    DHCP-Message (53), length 1: Request
        	    Client-ID (61), length 7: ether a4:bb:6d:ba:16:a1
        	    Hostname (12), length 7: "Gauche2"
        	    FQDN (81), length 10: "Gauche2"
        	    Vendor-Class (60), length 8: "MSFT 5.0"
        	    Parameter-Request (55), length 14: 
        	      Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Domain-Name (15)
        	      Router-Discovery (31), Static-Route (33), Vendor-Option (43), Netbios-Name-Server (44)
        	      Netbios-Node (46), Netbios-Scope (47), Unknown (119), Classless-Static-Route (121)
        	      Classless-Static-Route-Microsoft (249), Unknown (252)
        08:31:12.830335 90:ec:77:29:39:2c > a4:bb:6d:ba:16:a1, ethertype IPv4 (0x0800), length 359: (tos 0x10, ttl 128, id 0, offset 0, flags [DF], proto UDP (17), length 345)
            192.168.1.1.67 > 192.168.1.6.68: [udp sum ok] BOOTP/DHCP, Reply, length 317, xid 0x6c5e5cdd, Flags [none] (0x0000)
        	  Client-IP 192.168.1.6
        	  Your-IP 192.168.1.6
        	  Client-Ethernet-Address a4:bb:6d:ba:16:a1
        	  Vendor-rfc1048 Extensions
        	    Magic Cookie 0x63825363
        	    DHCP-Message (53), length 1: ACK
        	    Subnet-Mask (1), length 4: 255.255.255.0
        	    Default-Gateway (3), length 4: 192.168.1.1
        	    Domain-Name-Server (6), length 4: 192.168.1.1
        	    Domain-Name (15), length 20: "bhf.tld"
        	    Vendor-Option (43), length 6: 1.4.192.168.1.6
        	    Lease-Time (51), length 4: 21600
        	    Server-ID (54), length 4: 192.168.1.1
        	    FQDN (81), length 11: [N] "gauche2."
        

        So Windows, by default, doesn't ask for an IPv4 NTP IP when requesting a lease.
        And it must be an IP of course, not a host name.
        Same thing when using DHCP6.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

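A small check for the observation in the post above, written as an added example (not code from the thread or from pfSense): it parses a DHCPv4 option area and a DHCPv6 option area and reports whether the client actually asked for an NTP server (DHCPv4 option 42 in the Parameter Request List, option 55; DHCPv6 option 56 in the ORO, option 6). The sample bytes are constructed from the option list shown in the Windows capture; the DHCPv6 ORO is a constructed sample.

```python
import struct

NTP_V4, PARAM_REQ_V4 = 42, 55   # RFC 2132: NTP Servers, Parameter Request List
NTP_V6, ORO_V6 = 56, 6          # RFC 5908: NTP Server option; RFC 8415: Option Request

def parse_v4_options(blob: bytes) -> dict:
    """Parse DHCPv4 option TLVs (the bytes after the 0x63825363 magic cookie)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:           # pad byte, no length field
            i += 1
            continue
        if code == 255:         # end of options
            break
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def v4_requests_ntp(blob: bytes) -> bool:
    """True if option 42 appears in the client's Parameter Request List (option 55)."""
    return NTP_V4 in parse_v4_options(blob).get(PARAM_REQ_V4, b"")

def parse_v6_options(blob: bytes) -> dict:
    """Parse DHCPv6 options: 2-byte code, 2-byte length, value."""
    opts, i = {}, 0
    while i + 4 <= len(blob):
        code, length = struct.unpack("!HH", blob[i:i + 4])
        opts[code] = blob[i + 4:i + 4 + length]
        i += 4 + length
    return opts

def v6_requests_ntp(blob: bytes) -> bool:
    """True if option 56 appears in the client's ORO (option 6), a list of 16-bit codes."""
    oro = parse_v6_options(blob).get(ORO_V6, b"")
    return NTP_V6 in struct.unpack("!%dH" % (len(oro) // 2), oro)

# Constructed sample: DHCP-Message Request plus the 14-entry Parameter-Request list
# seen in the Windows capture in the post above, then the end marker.
WINDOWS_V4_REQ = (bytes([53, 1, 3])
                  + bytes([55, 14, 1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
                  + bytes([255]))
# Constructed sample: a DHCPv6 ORO asking for DNS servers (23) and NTP server (56).
V6_ORO_WITH_NTP = struct.pack("!HHHH", ORO_V6, 4, 23, NTP_V6)

if __name__ == "__main__":
    print("Windows v4 request asks for NTP:", v4_requests_ntp(WINDOWS_V4_REQ))  # False
    print("v6 ORO asks for NTP:", v6_requests_ntp(V6_ORO_WITH_NTP))             # True
```

Feed it the option bytes of a captured Discover/Request (or Solicit/Request) and the answer tells you whether configuring an NTP option on the server side would even reach that client.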
          Uglybrian

          Could you use ::1 for the IPv6 server 1 network?

          Or what about setting up a ULA fc::/7 for ntp for networks that have dynamic IPv6 and use track interface. Would this work?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.