[Solved] NTPD on VLAN sub-interface

ZsZs · Feb 23, 2018, 4:30 PM

Hi,

I'm on 2.4.2-RELEASE with several VLAN sub-interfaces.
I am unable to get NTPD working when VLAN sub-interface(s) is/are slected in Services / NTP / Settings -> Interfaces.
NTPD starts, but in the log I see only

Feb 22 13:16:09 	ntpd 	43676 	Soliciting pool server 5.x.146.13
Feb 22 13:16:09 	ntpd 	43676 	Soliciting pool server 148.y.154.36
Feb 22 13:16:09 	ntpd 	43676 	Soliciting pool server 213.z.53.187
Feb 22 13:16:09 	ntpd 	43676 	Soliciting pool server 176.w.144.121

ntpq -p shows:

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.de.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.001
 1.de.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.001
 2.de.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.001
 3.de.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.001

interface definitions in my ntp.conf

grep interface /var/etc/ntpd.conf 
interface ignore all
interface ignore wildcard
interface listen vmx4.13
interface listen vmx3
interface listen vmx2

Once I unselect all VLAN sub-interfaces and restart NTPD, it works well.

Am I missing something or is this a bug?

Zsolt

johnpoz · Feb 22, 2018, 2:23 PM

I have ntpd on multiple vlans without any issues.

[2.4.2-RELEASE][root@sg4860.local.lan]/root: grep interface /var/etc/ntpd.conf
interface ignore all
interface ignore wildcard
interface listen igb0
interface listen igb2
interface listen igb2.200
interface listen igb2.100
interface listen igb2.300
interface listen igb2.500
interface listen igb3

You need to figure out why ntpd can not get to ntp servers your using..

ZsZs · Feb 23, 2018, 10:06 AM

Thanks for your reply.
Do you also serve ntp to your native vlan of your switch or what is the reason of having the igb2 and igb2.* sub-interfaces as well in your ntp.conf?

Anyway, I've assigned an ip address to my vmx4 interface and added as NTP interface, but did not help.
My complete non-working ntpd.conf is following:

# 
# pfSense ntp configuration file 
# 

tinker panic 0 
# Orphan mode stratum
tos orphan 12

# Upstream Servers
pool 0.de.pool.ntp.org iburst maxpoll 9
pool 1.de.pool.ntp.org iburst maxpoll 9
pool 2.de.pool.ntp.org iburst maxpoll 9
pool 3.de.pool.ntp.org iburst maxpoll 9

statsdir /var/log/ntp
logconfig =syncall +clockall +peerall +sysall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap
restrict source kod limited nomodify notrap
interface ignore all
interface ignore wildcard
interface listen vmx4.13
interface listen vmx3
interface listen vmx2
interface listen vmx4

however ntpstat -q works ok:

ntpdate -q a.fraho.eu
server 88.198.12.78, stratum 2, offset -0.000490, delay 0.03764
23 Feb 10:58:28 ntpdate[23354]: adjust time server 88.198.12.78 offset -0.000490 sec

Once I remove the vmx4.13 from ntp interfaces NTP starts communicating with configured servers.

It it a vlan 13 and Friday issue? ;D

Any idea what to check?

ZsZs · Feb 23, 2018, 4:30 PM

I think that I've figured it out.

Long story short:
In case WAN is not among the list of the interfaces to listen on, NTPD picks the source ip for it's outgoing ntp traffic as follows:

sort the ip addresses where it is configured to listen on (interfaces)
select the first one as source address

This ip should have outgoing nat configured.
As I did not want to have NTPD listen on WAN interface and my vlan sub-interfaces did not have outgoing nat, all ntp traffic leaved the WAN interface with internal ip address as source ip.

Solution1: select WAN interface to listen on (access from outside is blocked by default)
Solution2: make sure you have outgoing nat for the interface with lowest ip address.

HTH,
Zsolt

edit: some typos

johnpoz · Feb 23, 2018, 4:44 PM

"Do you also serve ntp to your native vlan of your switch or what is the reason of having the igb2 and igb2.* sub-interfaces as well in your ntp.conf?"

Yes ;) I have some native vlans as well as some tagged vlans.

Nice info how ntpd picks its source IP for talking to ntp.. Well have to test that out.. My ntpd doesn't listen on wan or talk outside for ntp.. It points to my ntp servers on my local network that are stratum 1.. No reason to use anything else, these servers also serve ntp to pool on both ipv4 and ipv6.. If you were not using de pool at some point your pfsense might get ntp from my ntp server ;)

Glad you got it sorted.

MeCJay12 · Dec 4, 2019, 4:44 AM

Just wanted to note that I was having this issue tonight in 2.4.4 p3 and the solution was to add WAN to the NTP interfaces. Thanks to those that figured it out. @johnpoz There is definitely something so this.

johnpoz · Dec 4, 2019, 11:59 AM

Did you not have outbound nat configure correctly?

MeCJay12 · Dec 4, 2019, 3:55 PM

I followed the HA guide and so far it's working.
login-to-view