NTP Not Working [SOLVED (totally)]

beremonavabi

ntpdate -q 0.pfsense.pool.ntp.org

Thanks, johnpoz. It looks like our posts crossed in the mist. But, here's the result of the ntpdate command you recommended:

Shell Output - ntpdate -q 0.pfsense.pool.ntp.org
server 171.66.97.126, stratum 1, offset -3.122794, delay 0.04608
server 129.250.35.250, stratum 2, offset -3.123750, delay 0.03802
server 155.94.164.121, stratum 2, offset -3.121402, delay 0.03841
server 107.161.30.25, stratum 2, offset -3.120848, delay 0.08383
 1 Jun 11:46:57 ntpdate[17654]: step time server 171.66.97.126 offset -3.122794 sec

cyberzeus

Is pfSense running on a VM inside of a provider network? If so, did you check with them if they are blocking port 123?

beremonavabi

@cyberzeus No. This is version 2.4.3-Release on my Netgate SG-4860.

EDIT: I've since updated to 2.4.3-RELEASE-p1 (amd64). As expected, it makes no difference.

beremonavabi

@beremonavabi Is there any way to force a time update in pfSense? If I'm reading the result of the ntpdate command correctly, my pfSense box is about 3 seconds off from the NTP server time. Could that be too big and pfSense is just refusing to make the change because of that?

Looking around, I see the following set of commands to do that:

sudo service ntp stop
sudo ntpd -gq
sudo service ntp start

But, I don't know if sudo is needed with pfSense, if it can be done within the GUI, or if it can be done via the console. I don't even know if those are valid things to do in pfSense.

EDIT: Looks like running ntpdate without a parameter does the job. I ran "ntpdate 0.pfsense.pool.ntp.org" from a Command Prompt in the GUI and it updated the time. But, nothing else has changed. The NTP server is still not grabbing the times from those internet NTP pools.

beremonavabi

@beremonavabi I think I found a solution. The following thread:

https://forum.netgate.com/topic/127340/solved-ntpd-on-vlan-sub-interface

talks about the same problem on vlans. He mentioned:

"In case WAN is not among the list of the interfaces to listen on, NTPD picks the source ip for it’s outgoing ntp traffic as follows:

sort the ip addresses where it is configured to listen on (interfaces)
select the first one as source address
This ip should have outgoing nat configured.
As I did not want to have NTPD listen on WAN interface and my vlan sub-interfaces did not have outgoing nat, all ntp traffic leaved the WAN interface with internal ip address as source ip.

Solution1: select WAN interface to listen on (access from outside is blocked by default)
Solution2: make sure you have outgoing nat for the interface with lowest ip address."

I had my WAN un-selected for NTP under Services > NTP. Once I added it, everything started working again. So, something must have changed from when I first configured this (either with the various versions or with my messing around with the settings on my other interfaces).

Anyway, is there any security implication for letting the NTP server use the WAN? Anything I need to firewall?

jahonix

This post is deleted!

johnpoz

You sure do not need to be listening on wan for it to go outbound and talk to the ntp servers.

jahonix

Maybe you need to check one of the entries as "Prefer"?

beremonavabi

@johnpoz said in NTP Not Working [SOLVED]:

You sure do not need to be listening on wan for it to go outbound and talk to the ntp servers.

Well, that's what I thought when I set it up initially (and it worked that way at the time). But, all I can say is that, at this time (with my current configuration on pfSense 2.4.3-Release), without WAN being selected, the NTP service doesn't work. Merely adding the WAN interface under Services > NTP causes it to immediately start working again.

EDIT: Another odd thing is that according to that quote I posted from the other thread, above, the other solution is to have the selected interface with the lowest IP address have outbound NAT configured. Well, for me, that's my LAN interface (192.168.1.0.24). Firewall > NAT > Outbound for that interface looks like:


Interface	Source	Source Port	Destination	Destination Port	NAT Address	NAT Port	Static Port	Description	Actions
		WAN	192.168.1.0/24	*	*	*	WAN address	*		LAN to WAN

So, unless I'm mis-reading that, I do have outbound NAT configured for it. Odd.

kpa

It's not as simple as you would think. NTP service uses UDP only and there is only one listening socket for sending out queries and listening for replies on UDP port 123. If you set the service not to listen on your WAN interface that will also cut off the service's ability to send anything out on the WAN interface. Yes I know, DNS (for example) does the right thing and uses a separate socket for sending out the queries with a randomized source port, unfortunately NTP hasn't caught up with the new developments yet.

jahonix

So you're saying all my setups with NTP servicing all internal networks but WAN don't work? I must have missed something then...

kpa

Look at your outbound NAT rules. There should be a rule for outbound NAT'ing anything sourced from 127.0.0.0/8. That is the thing that makes your set up still work if you happen to set the service not to listen on the WAN, the service will instead use the localhost 127.0.0.1 address for the traffic and it will be properly NAT'ed.

Edit: The service might also select your LAN interface in case WAN is not available and if the LAN interface has a routable IP address it works just fine, also if the LAN IP address is an RFC1918 address you're still good because of the standard outbound NAT.

beremonavabi

@kpa said in NTP Not Working [SOLVED]:

Look at your outbound NAT rules. There should be a rule for outbound NAT'ing anything sourced from 127.0.0.0/8. That is the thing that makes your set up still work if you happen to set the service not to listen on the WAN, the service will instead use the localhost 127.0.0.1 address for the traffic and it will be properly NAT'ed.

Interface	Source	Source Port	Destination	Destination Port	NAT Address	NAT Port	Static Port	Description	Actions
		WAN	127.0.0.0/8	*	*	*	WAN address	*		Localhost to WAN

I've got that rule, too. But, without WAN being selected for NTP, it still didn't work.

johnpoz

I do not have wan selected, and ntp works just fine to outside ntp servers.

And yeah your loopback should be outbound nat.. Unless the user turned off automatic outbound nat then yeah loopback would work and or any of other lan side interfaces. If they turned off loopback nat, pretty sure that would break a bunch of stuff.

cyberzeus

This post is deleted!

beremonavabi

Just to double-check this (in case my forcing a clock update in my troubleshooting attempts "fixed" this), I unselected WAN from the selection list on Services > NTP and restarted the NTP service. I was right back in the same situation I was when I started this thread:

The NTP Status Dashboard widget has the time, but lists the Sync Source as “No active peers available.”

Under Status > NTP, all the pools show a status of “Pool Placeholder” and non-pools show “Unreach/Pending.” They all have “Stratum” equal to 16 instead of the 1 or 2 they should be, and the “When” fields are all blank (just a dash). All the statistics are 0.
...
Under Status > System Logs > NTP, all the log entries are nothing but “Soliciting pool server…” messages.

Re-selecting the WAN interface on the list and restarting the NTP service starts everything up properly and everything works again.

When it's not working, I don't see anything in any of the logs (except for the constant "Soliciting pool server" messages in the NTP log) related to this. Anyone have any suggestions on log settings to try to track this down? I'd really prefer not having NTP listening to the WAN interface if at all possible.

jahonix

So did you check an entry as "Prefer"???

beremonavabi

@jahonix said in NTP Not Working [SOLVED]:

So did you check an entry as "Prefer"???

Yes. It made no difference.

Gertjan

@beremonavabi said in NTP Not Working [SOLVED]:

Was there a specific article you were trying to point me to?

Wow - I guess I checked in after the storm.
Indeed, I was using Google myself to find some possible related posts : ntp not being able to contact remote time servers (Firewall and gateway issues).
Clear is now : there is a something that is not 'default'.
NTP settings : I haven't checked the WAN interface - only my LAN interfaces (I thought this ensures that ntp is serving my local devices with a time server, my pfSense box). See image below.

My Outbound NAT is pretty big and pretty default :
0_1528090393664_7395ac1f-e0ed-427b-b1cb-a93807886403-image.png

My WAN IP is RFC1918 (192.168.1.10.0/24)
LAN and OPT1 are default.

My NTP settings (tghis time with WAN selected - that works also for me ):

0_1528090777859_2f9b83b6-304e-477f-b01e-e1bffe3b3f37-image.png

Btw : selecting WAN isn't big deal. As long as there is no firewall rule letting in connections, your ok.
You should know that the GUI is also listening on ALL interfaces (WAN included !).

The only thing I changed there was "fr.pool.ntp.org" (I'm living in France) and checked "this is a pool).

Did you change anything on the Services => NTP => ACLs tab ?

beremonavabi

On my WAN interface, I'm allowing IP4 UDP traffic going to port 443 (for OpenVPN clients connecting to my OpenVPN server):
0_1528120985005_20180604 -- Firewall Rules WAN.PNG
My NTP ACL tab is default: Kiss-o'-death, Modifications, Peer Association, and Trap Service are all checked, while Queries and Service are unchecked.

EDIT: And since so few of us are having this problem, there's got to be something non-default somewhere that's causing this (as you said). I just can't find it.