NTP interface choice might fail on backup in failover/VIP setups [solved]
-
pfSense allows users to choose the interfaces NTP will listen on and so provide time service; what isn't clear is that ntp uses only those interface addresses as source addresses when querying servers.
In a CARP setup, if you decide to restrict NTP service to LAN, what happens on the backup is that replies from WAN servers to queries originating on the backup usually get routed to the primary pf box, because the query goes out from the LAN address, which usually gets NATed to the WAN CARP VIP.
The effect is that the backup box has no idea what time it is, as all the WAN time sources are unreachable. I also noticed the server will fail if bound to a CARP VIP when the other box is the master.
Solution-ish: bind ntp only to physical interfaces, be sure to make the matching change in the DHCP servers, include the WAN(s), and just don't open the port on the firewall, so you don't offer service to 'the world' without intending to.
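A quick way to confirm the failure mode described above on the backup node is to look at which local address ntpd picked as the source (ntpq calls it dstadr) for each upstream peer, and flag anything that is a CARP VIP or an address whose traffic will be NATed out through the VIP. The script below is an added example, not code from the thread or from pfSense; the interface addresses are documentation-range placeholders and the ntpq output is constructed to stand in for what `ntpq -c "rv <assid> srcadr,dstadr"` prints, so it runs offline.

```sh
#!/bin/sh
# Added example (not from the original post or pfSense): classify the source
# address ntpd uses per upstream peer on a CARP backup node.
#
# Hypothetical addresses for this box (assumptions, not from the thread):
PHYS_WAN="203.0.113.12"   # physical WAN address of this node
WAN_VIP="203.0.113.10"    # WAN CARP VIP, held by whichever node is master
LAN_ADDR="192.0.2.2"      # physical LAN address; outbound NAT maps it to WAN_VIP

# Constructed stand-in for the per-association output of
#   ntpq -c "rv <assid> srcadr,dstadr"
# on the backup: one peer queried from LAN, one from the VIP, one from the WAN.
SAMPLE_RV='srcadr=198.51.100.5, dstadr=192.0.2.2
srcadr=198.51.100.6, dstadr=203.0.113.10
srcadr=198.51.100.7, dstadr=203.0.113.12'

# check_dstadr: read "srcadr=..., dstadr=..." lines on stdin and print
# "<peer> <dstadr> <status>" per peer. A peer is OK only when the query
# leaves from the physical WAN address; returns 1 if any peer is not OK.
check_dstadr() {
  rc=0
  while IFS= read -r line; do
    src=$(printf '%s\n' "$line" | sed -n 's/.*srcadr=\([^,]*\).*/\1/p')
    dst=$(printf '%s\n' "$line" | sed -n 's/.*dstadr=\([^,]*\).*/\1/p')
    case "$dst" in
      "$PHYS_WAN") status="OK" ;;
      "$WAN_VIP")  status="BAD-carp-vip"; rc=1 ;;     # master answers, not us
      "$LAN_ADDR") status="BAD-natted-lan"; rc=1 ;;   # reply lands on the master
      *)           status="BAD-unknown"; rc=1 ;;
    esac
    printf '%s %s %s\n' "$src" "$dst" "$status"
  done
  return $rc
}

# Live use on the firewall (not executed here): list association ids with
#   ntpq -c associations
# then for each id run  ntpq -c "rv $ASSID srcadr,dstadr"  and pipe the
# lines into check_dstadr. Here we feed the constructed sample instead.
printf '%s\n' "$SAMPLE_RV" | check_dstadr \
  || echo "at least one peer is queried from a CARP VIP or a NATed address"
```

On the sample the LAN-sourced peer and the VIP-sourced peer are both flagged: in the first case the query is NATed to the WAN VIP and the server's reply is delivered to the master, in the second the backup does not hold the VIP at all. Only the peer queried from the physical WAN address can actually get an answer, which is the configuration the post recommends (in ntpd terms, `interface listen` on the physical interfaces rather than on a VIP).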
-
Thanks. I've been trying to figure out why NTP was unable to reach our NTP servers, and using ntpq I'd determined that dstadr was set to a guest interface.
Having now selected both interfaces in the NTP config page, my pfSense box can now reach our NTP servers, and clients on the guest interface can reach the pfSense NTP server.