Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Incoming NTP packets not reaching destination

    Scheduled Pinned Locked Moved General pfSense Questions
    22 Posts 5 Posters 6.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      I'm not sure that linked thread still applies. It was written at the time of 2.0.2 so many fixes have gone in since then.
      What happens if you unselect all three interfaces so that it's listening on all three?
      I assume you haven't opened port 123 on WAN by the way which would then expose your NTP server to the world, which would be bad!

      Your UDP rule on LAN will not do anything unless your LAN servers are trying to connect to external NTP servers directly.

      Steve

      1 Reply Last reply Reply Quote 0
      • M
        mdrago
        last edited by

        @sthepen If I select no interface on the NTP service all goes "unreach/pending"
        If I select the 3, all also goes "unreach/pending"

        There's no NAT rule UDP Port 123. It's closed

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Are those NTP servers you have set all public or are some of them at your ISP?

          You could try setting a static route to one of them via the Liberty gateway.

          I meant a firewall rule not a NAT rule. There would be no need for NAT as the NTP service is running on the WAN interfaces themselves.

          Steve

          1 Reply Last reply Reply Quote 0
          • M
            mdrago
            last edited by

            @johnpoz Sorry I didnt explain the situation in great detail, your suggested rule to allow UDP in the LAN wont do nothing.

            The Window servers I want to sync and the pfSense are in the same "physical" ESX… meaning, it's a virtual network and pfSense has no control over it.
            There reason there's a LAN interface on the pfSense is because ESX1 is connected to ESX2... that is the "LAN" pfSense controls.

            All the servers and inconming ISP connections are physically on the ESX1, so there should be no need at all to touch any LAN rule. The reason I created the rule in the first place was to make sure all NTP traffic to public servers was going trough LIBERTY and not WORLDNET.

            1 Reply Last reply Reply Quote 0
            • P
              phil.davis
              last edited by

              Your UDP rule on LAN will not do anything unless your LAN servers are trying to connect to external NTP servers directly.

              and actually that rule will push all requests out the Liberty gateway. Even a LAN client trying to get NTP from pfSense LAN address will have the request pushed out Liberty gateway, which won't be able to route it anywhere useful.
              Put destination !LANaddress in that rule.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              1 Reply Last reply Reply Quote 0
              • M
                mdrago
                last edited by

                @sthepen here's the NTP list I'm using:
                0.pfsense.pool.ntp.org
                1.pfsense.pool.ntp.org
                2.pfsense.pool.ntp.org
                time-a.nist.gov
                time-b.nist.gov
                0.north-america.pool.ntp.org
                1.north-america.pool.ntp.org
                2.north-america.pool.ntp.org

                A static route is a great suggestion. I set 1 up to time-a.nist.gov (129.6.15.28):

                And now the NTP service, withc is only configured on LAN and would normally give all "unreach/pending" is showing:

                However, the static route seems to be working only by IP… is there a way to configure with FQDN?

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  and actually that rule will push all requests out the Liberty gateway

                  Agreed and not only ntp but ANY udp traffic – like DNS for example..  That is really bad rule to put in place to be honest and not required.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    No, I don't think so but you could just add more routes and use fixed NTP servers. You probably don't need 8 anyway.

                    Take note of Phils excellent point above. That rule might be bypassing the pfSense NTP server altogether, though I believe the negate rules should allow access to it if you haven't disabled that.

                    I'm confused about your ESX setup. You surely need a LAN interface for your servers behind pfSense which are on the same VM host?  :-\

                    Steve

                    1 Reply Last reply Reply Quote 0
                    • M
                      mdrago
                      last edited by

                      @johnpoz @shepen Yes I deleted the rule right away after reading John comment, thanks :)

                      So I ended up using a fixed IP list on NTP server (utcnist2.colorado.edu time-a.nist.gov time-b.nist.gov time-c.nist.gov nist1.symmetricom.com)

                      Thank you very much guys for you time and patience :)

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Is it still necessary to have the NTP server listen on your WAN interfaces? I would certainly have it configured to only listen on LAN if not.

                        Steve

                        1 Reply Last reply Reply Quote 0
                        • M
                          mdrago
                          last edited by

                          @stephen Is only configured on the LAN port, thanks for asking!

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.