DHCP and DNS
-
Johnpoz;
Thank you for your response. I forgot to mention my hidden agenda, learn more about pf.
I ordered an SG-1000 to check out.
Vince
-
Well, without any sort of wan or even multiple lan segments there is not much for it to do ;) So it's going to be a very limited "learning" experience ;)
But enjoy! And if you have any questions - come on back, here to help!
-
Johnpoz;
Got DHCP and DNS configured over the weekend. Now I can do things like http://printer.mydomain and administer my printer without first figuring out its IP address. Nice! Straightforward and fairly easy to set up.
NTP is giving me a headache though. I'd like it to serve NTP but I haven't been able to get it to synchronize with the external clocks.
-
How is it going to sync to external ntp if it has no internet?
-
It has internet access via the LAN (LAN port -> Internet Gateway). Pings to internet hosts return, so the connection is working. In addition DNS is working and it requires a connection to upstream name servers.
-
"It has internet access via the LAN (LAN port -> Internet Gateway)"
That is not LAN then ;) that would be your wan for pfsense..
You had stated before
"At present I don't need a box that connects to WAN and LAN, just LAN."
If you only create 1 interface on pfsense, and you put a GATEWAY on it - it's WAN..
Sounds like you have a cluster of a setup to start with.. You're trying to just make it a server and not a firewall - so it has 1 wan interface. What ntp server are you trying to get it to sync with? What does the output of the ntpq pe command look like on pfsense?
example
2.4.0-BETA][root@pfsense.local.lan]/root: ntpq
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*pi3-ntp.local.l .PPS.            1 u  214  512  377    0.754   -0.240   0.354
+esxi.local.lan  192.168.3.32     2 u   21  512  377    0.775    1.692   0.566
Or the ntp status page should give you the same info.
Do you allow ntp outbound at your internet gateway.. You sure your ISP doesn't block it - been a few posts around here where ISP block all ntp traffic. What server(s) are you trying to sync to?
-
Thanks for asking these questions. In no particular order here are the answers.
I can reach the NTP servers, so they are allowed. Here is NTP information from the host I am typing this on (on the same network as the SG-1000):
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
 uslax1-ntp-001. .GPSs.           1 u   67   64    3   24.769   -4.687 691.478
ntpq> host 10.0.1.9
current host set to 10.0.1.9
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
 paladin.latt.ne .INIT.          16 -    -  512    0    0.000    0.000   0.000
 minime.fdf.net  .INIT.          16 -    -  512    0    0.000    0.000   0.000
 uslax1-ntp-001. .INIT.          16 -    -  512    0    0.000    0.000   0.000
ntpq>
This is consistent with the Status page:
Network Time Protocol Status
Status           Server           Ref ID  Stratum Type When Poll Reach Delay Offset Jitter
Unreach/Pending  204.2.134.162    .INIT.  16      u    -    512  0     0.000 0.000  0.000
Unreach/Pending  198.206.133.14   .INIT.  16      u    -    512  0     0.000 0.000  0.000
Pool Placeholder pool.ntp.org     .POOL.  16      p    -    64   0     0.000 0.000  0.004
Pool Placeholder 0.pfsense.pool.  .POOL.  16      p    -    64   0     0.000 0.000  0.004
Unreach/Pending  17.253.26.125    .INIT.  16      u    -    512  0     0.000 0.000  0.000
Note that 10.0.1.9 is the SG-1000 LAN port.
The last few lines of the log (note the date):
Jun 1 20:18:23 ntpd 1455 Soliciting pool server 138.236.128.112
Jun 1 20:19:24 ntpd 1455 Soliciting pool server 69.89.207.199
Jun 1 20:19:30 ntpd 1455 Soliciting pool server 23.239.26.89
Jun 1 20:20:31 ntpd 1455 Soliciting pool server 171.66.97.126
Jun 1 20:20:36 ntpd 1455 Soliciting pool server 66.79.136.235
Jun 1 20:21:35 ntpd 1455 Soliciting pool server 45.33.84.208
Jun 1 20:21:40 ntpd 1455 Soliciting pool server 69.89.207.199
-
"I can reach the NTP servers"
Clearly not, since the reach on all of them is ZERO (0), so you're not reaching any of them.
From your pfsense can you ping any of those, can you do a traceroute to any of them?
You're going to want to set the same ntp server your other host is using, since that one can at least reach it, but it's only 3, so it hasn't been running very long or you're having all kinds of problems talking to it. Reach should be 377.. Which means it's gotten answers to its last 8 queries.. Anything under 377 means you're either just starting up or you're having connectivity issues to that NS.
Would really like to see a drawing of this network.. And again, if you have a gateway set up on 1 interface of pfsense then this interface is pfsense WAN, not its lan.. Once you set up a gateway on an interface in pfsense it becomes a wan connection. Lan interfaces do not have gateways set.
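As an added example (not code from this thread or from pfSense), a small Python parser for the ntpq peer table that decodes the octal reach register described above and flags peers stuck at .INIT.; the sample tables are constructed in the layout the thread quotes.

```python
"""Decode the peer table printed by `ntpq -pn` (ntpq's `pe` command).

Added example, not code from the thread or from pfSense. The reach column is
an octal 8-bit shift register: 377 = all of the last eight polls answered,
0 = none, so a peer at reach 0 with refid .INIT. is never being reached at all.
"""
TALLY = {'*': 'system peer', '+': 'candidate', '-': 'outlier', '#': 'backup',
         'x': 'falseticker', '.': 'excess', ' ': 'unused'}
def parse_peer(line):
    """Parse one peer line; return None for the header, ruler or prompt."""
    if not line or line.lstrip().startswith(('remote', '=', 'ntpq')):
        return None
    tally = line[0] if line[0] in TALLY else ' '   # column 0 is the tally code
    fields = (line[1:] if tally != ' ' else line).split()
    if len(fields) != 10:
        return None
    remote, refid, st, _t, _when, _poll, reach, _delay, offset, _jitter = fields
    bits = int(reach, 8)                            # ntpq prints reach in octal
    return {'remote': remote, 'refid': refid, 'stratum': int(st),
            'tally': TALLY[tally], 'reach': bits, 'offset_ms': float(offset),
            'answered_of_last_8': bin(bits).count('1')}

def state(p):
    """Classify one parsed peer from its refid and reach register."""
    if p['refid'] == '.POOL.':
        return 'pool placeholder'            # not a server, never polled
    if p['refid'] == '.INIT.' or p['reach'] == 0:
        return 'unreachable'                 # no answer since startup
    return 'reachable' if p['reach'] == 0o377 else 'lossy'

def diagnose(output):
    """Label every peer and say whether the daemon has a usable system peer."""
    peers = [p for p in map(parse_peer, output.splitlines()) if p]
    for p in peers:
        p['state'] = state(p)
    synced = any(p['tally'] == 'system peer' and p['state'] == 'reachable'
                 for p in peers)
    return {'peers': peers, 'synchronized': synced}
# Constructed samples: a healthy table, and one where every server is at .INIT.
HEALTHY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*uslax1-ntp-002. .GPSs.           1 u  943 1024  377   30.350    2.582  13.966
-ntp1a.versadns. .PPS.            1 u  743 1024  177  121.866   -9.296  57.133
"""
STUCK = """\
 paladin.latt.ne .INIT.          16 -    -  512    0    0.000    0.000   0.000
 0.pfsense.pool. .POOL.          16 p    -   64    0    0.000    0.000   0.004
"""
```

Run `diagnose(open('ntpq.txt').read())` on a saved `ntpq -pn` dump: a `synchronized` of False with every peer `unreachable` is the SG-1000 picture from this thread, and it points at the UDP/123 path rather than at DNS or ICMP.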
-
The host I used to poll NTP and show that the network can reach NTP was asleep a few minutes earlier. From a host that has been awake for some time:
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
-2605:3800::218: 25.151.162.158   3 u  790 1024  377  187.611  -59.892  84.784
+biisoni.miuku.n 207.224.49.219   2 u  888 1024  377   24.765   -0.668   5.374
*uslax1-ntp-002. .GPSs.           1 u  943 1024  377   30.350    2.582  13.966
-ntp1a.versadns. .PPS.            1 u  743 1024  177  121.866   -9.296  57.133
+awesome.bytesta 216.218.254.202  2 u  872 1024  377   55.325    0.097   6.539
ntpq>
A traceroute from SG-1000 (traceroute 198.206.133.14):
1 10.0.1.1 3.447 ms 8.987 ms 9.197 ms
2 96.120.89.193 19.851 ms 18.005 ms 20.216 ms
3 68.86.143.249 21.147 ms 17.854 ms 19.396 ms
4 69.139.199.205 30.665 ms 18.553 ms 21.315 ms
5 4.68.72.105 27.733 ms 19.553 ms 21.583 ms
6 * * *
7 4.14.170.82 65.572 ms 77.635 ms 79.513 ms
8 66.185.29.193 79.579 ms 79.576 ms 79.515 ms
9 198.206.133.14 65.967 ms 72.986 ms 65.036 ms
Another (traceroute pool.ntp.org):
1 10.0.1.1 3.399 ms 4.340 ms 9.430 ms
2 96.120.89.193 18.717 ms 19.578 ms 29.694 ms
3 68.86.143.249 20.680 ms 14.953 ms 13.706 ms
4 69.139.199.205 17.577 ms 19.717 ms 18.539 ms
5 68.86.90.93 23.956 ms 25.727 ms 21.902 ms
6 68.86.87.158 27.282 ms 25.335 ms 31.404 ms
7 68.86.85.242 19.457 ms 23.709 ms 27.587 ms
8 75.149.228.214 26.651 ms 19.491 ms 29.494 ms
9 173.192.18.146 51.027 ms 38.246 ms 39.245 ms
10 173.192.18.143 43.475 ms 39.477 ms 49.831 ms
11 67.228.118.225 37.914 ms 36.902 ms 40.443 ms
12 50.22.155.163 36.608 ms 38.794 ms 49.245 ms
My network is trivial: [Comcast Router]–[Switch]–[Host1, Host2, SG-1000, etc]
Comcast router has LAN IP of 10.0.1.1.
SG-1000 has IP of 10.0.1.9 and has a gateway assigned of 10.0.1.1.
It looks to me like at least one of these NTP servers is working, yet NTP on SG-1000 is not.
A bonus, the SG-1000 can resolve the pool.ntp.org IP address.
Vinces-Mac-Pro:Volumes vince$ dig @10.0.1.9 pool.ntp.org

; <<>> DiG 9.8.3-P1 <<>> @10.0.1.9 pool.ntp.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32260
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pool.ntp.org. IN A

;; ANSWER SECTION:
pool.ntp.org. 112 IN A 24.124.0.251
pool.ntp.org. 112 IN A 74.82.59.150
pool.ntp.org. 112 IN A 96.244.96.19
pool.ntp.org. 112 IN A 97.127.86.33

;; Query time: 28 msec
;; SERVER: 10.0.1.9#53(10.0.1.9)
;; WHEN: Wed Jun 21 18:03:07 2017
;; MSG SIZE rcvd: 94

Vinces-Mac-Pro:Volumes vince$
-
Whoops, forgot the ping. Good thing I remembered because the ping fails on SG-1000.
PING pool.ntp.org (129.6.15.29) from 10.0.1.9: 56 data bytes
--- pool.ntp.org ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
A ping on a computer host succeeds:
Vinces-Mac-Pro:Volumes vince$ ping pool.ntp.org
PING pool.ntp.org (64.113.44.55): 56 data bytes
64 bytes from 64.113.44.55: icmp_seq=0 ttl=52 time=71.228 ms
64 bytes from 64.113.44.55: icmp_seq=1 ttl=52 time=87.369 ms
64 bytes from 64.113.44.55: icmp_seq=2 ttl=52 time=78.280 ms
64 bytes from 64.113.44.55: icmp_seq=3 ttl=52 time=74.830 ms
^C
-
Hmmmm…. If I ping the IP instead of the hostname on the SG-1000, it succeeds.
PING 64.113.44.55 (64.113.44.55) from 10.0.1.9: 56 data bytes
64 bytes from 64.113.44.55: icmp_seq=0 ttl=52 time=75.250 ms
64 bytes from 64.113.44.55: icmp_seq=1 ttl=52 time=72.775 ms
64 bytes from 64.113.44.55: icmp_seq=2 ttl=52 time=81.572 ms
--- 64.113.44.55 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 72.775/76.532/81.572/3.704 ms
-
You're pinging 2 different IPs there
pool.ntp.org (129.6.15.29)
PING 64.113.44.55 (64.113.44.55)
When you use pool.ntp you could get anything back - I run my server in the pool, so lots of people sync time off my stratum 1.
But clearly you're pinging out, and traceroutes look fine.
Seems really odd, I agree! Pfsense is just a host on your network and other hosts are working. I would assume on your comcast gateway you're not blocking anything…Hmmm.. I have had too much recreational beverages and other substances (hehe) to think clearly at the moment ;) Will get back to this in the morning ;) hehehe
-
I hope the morning after cost is not severe.
-
heheh no fine.. I really don't see anything wrong here.
Your traceroute from your sg1000 shows it going to your isp router 10.0.1.1
The response times seem a bit high for a lan
1 10.0.1.1 3.447 ms 8.987 ms 9.197 ms
here
tracert -d 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.9.253
2 11 ms 11 ms 9 ms 96.120.24.113
See the 1st hop, my pfsense box..
This is from a VM, so it's a bit more sluggish
user@ubuntu:~$ traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.9.253 1.090 ms 1.297 ms 1.286 ms
2 96.120.24.113 11.292 ms 18.049 ms 16.522 ms
3 162.151.90.117 17.445 ms 17.726 ms 18.584 ms
still right around the 1ms range.
Pinging ntp or anything for that matter on the internet might or might not return an answer.. Many will not answer ping.. So that is nothing odd in itself.. Since you were pinging 2 different IPs there, that doesn't tell you anything. If you pinged the same one and from your host it responded, but sg1000 did not get a response, then that's something to look into.
All you can validate from the sg1000 side via a sniff is that it's actually sending the ntp query to your gateway.. If so and you don't get an answer then it's something else upstream from the sg1000.
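To make that last check concrete, an added example that is not part of the thread: a Python decoder for the 48-byte NTP header as a packet capture on the pfSense box would show it, run over a constructed capture (addresses and source port are sample values) to confirm that mode-3 queries go out to UDP/123 and that usable mode-4 replies come back.

```python
"""Decode NTP (RFC 5905) headers the way you would check them in a sniff.

Added example, not from the thread or from pfSense: it answers "is the box
actually sending the NTP query, and does a usable reply come back?" from a
capture. All packets below are constructed; ports and addresses are samples.
"""
import struct
from datetime import datetime, timedelta, timezone
HDR = '!BBbbII4sIIIIIIII'             # the 48-byte fixed header, network order
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
MODES = {3: 'client', 4: 'server'}

def decode_ntp(payload):
    """Parse the fixed header; extension fields and MACs are ignored."""
    if len(payload) < 48:
        raise ValueError('short NTP packet')
    f = struct.unpack(HDR, payload[:48])
    stratum, refid, tx_s, tx_f = f[1], f[6], f[13], f[14]
    if stratum <= 1:      # stratum 0/1: ASCII tag such as GPS, PPS or a kiss code
        ref = refid.rstrip(b'\0').decode('ascii', 'replace')
    else:                 # stratum >= 2: IPv4 address of the upstream server
        ref = '.'.join(str(b) for b in refid)
    return {'version': (f[0] >> 3) & 7, 'mode': MODES.get(f[0] & 7, 'other'),
            'stratum': stratum, 'refid': ref,
            'transmit': NTP_EPOCH + timedelta(seconds=tx_s + tx_f / 2**32)}

def make_packet(mode, stratum, refid, tx_seconds):
    """Build a minimal v4 packet; used only to construct the sample capture."""
    return struct.pack(HDR, (4 << 3) | mode, stratum, 6, -20, 0, 0, refid,
                       0, 0, 0, 0, 0, 0, tx_seconds, 0)

def check_exchange(packets, client_ip):
    """packets: (src_ip, dst_port, payload). Count queries sent and answered."""
    sent = [decode_ntp(p) for s, d, p in packets if s == client_ip and d == 123]
    got = [decode_ntp(p) for s, _d, p in packets if s != client_ip]
    queries = [p for p in sent if p['mode'] == 'client']
    # stratum 0 is a kiss-o'-death, 16 means the server itself is unsynchronized
    usable = [p for p in got if p['mode'] == 'server' and 0 < p['stratum'] < 16]
    return {'queries': len(queries), 'usable_replies': len(usable)}

# Constructed capture: the client (10.0.1.9) polls three servers; a GPS-disciplined
# stratum 1 and a stratum 2 answer, the third query is never answered.
T = 3706000000                      # NTP seconds, roughly mid-2017
CAPTURE = [
    ('10.0.1.9', 123, make_packet(3, 0, b'\0' * 4, T)),
    ('204.2.134.162', 53211, make_packet(4, 1, b'GPS\0', T + 1)),
    ('10.0.1.9', 123, make_packet(3, 0, b'\0' * 4, T + 64)),
    ('198.206.133.14', 53211, make_packet(4, 2, bytes([192, 168, 3, 32]), T + 65)),
    ('10.0.1.9', 123, make_packet(3, 0, b'\0' * 4, T + 128)),
]
```

On the real box the same decoder can be fed the UDP payloads from a `tcpdump -ni <lan> udp port 123` capture; queries with no matching `server` reply localize the fault upstream of the SG-1000, exactly the split made above.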