NTP server issues
-
@stephenw10 where can i find the ntp configuration files to see what is being written
-
You only need to listen on the interfaces you want to serve time on... My guess, since you mention VPN, is you went to manual and now you're not NATing loopback, so when an application tries to use that as source to talk, pfSense doesn't NAT it and you cannot talk..
So the only way ntp would be able to talk to ntp servers is if bound to an interface; the 0.0.0.0 is bind to all... Post up your outbound NATs. Bet you a beer you don't have loopback NATing..
-
/var/etc/ntpd.conf
-
See I am only listening on a few interfaces...
[2.4.5-RELEASE][admin@sg4860.local.lan]/root: cat /var/etc/ntpd.conf
#
# pfSense ntp configuration file
#
tinker panic 0
# Orphan mode stratum
tos orphan 12
# Upstream Servers
server 192.168.3.32 iburst maxpoll 9 prefer
pool us.pool.ntp.org iburst maxpoll 9
enable stats
statistics clockstats loopstats peerstats
statsdir /var/log/ntp
logconfig =syncall +clockall +peerall +sysall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap
restrict source kod limited nomodify notrap
interface ignore all
interface ignore wildcard
interface listen igb3
interface listen igb0
interface listen igb2
interface listen igb2.4
interface listen igb5
[2.4.5-RELEASE][admin@sg4860.local.lan]/root:
-
@johnpoz I want to listen on the LAN interfaces for switches/access point devices and VLANs for end-user equipment.
I have the same config for each of the VPNs and they work
-
Exactly, I only listen on a few of my local LAN-side interfaces... I don't see ::1/128 listed there.. maybe it's trying to do IPv6?
I really don't see the point of doing manual outbound NAT.. Why would you not just use automatic, and set hybrid for the stuff you want to policy route out your VPN..
Do you not have ntp listening on an interface that you NAT?
-
@johnpoz If I use a single LAN interface, it looks like this
#
# pfSense ntp configuration file
#
tinker panic 0
# Orphan mode stratum
tos orphan 12
# Upstream Servers
pool nl.pool.ntp.org iburst maxpoll 9
pool de.pool.ntp.org iburst maxpoll 9
enable stats
statistics clockstats loopstats peerstats
statsdir /var/log/ntp
logconfig =syncall +clockall +peerall +sysall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap
restrict source kod limited nomodify notrap
interface ignore all
interface ignore wildcard
interface listen igb1
-
So you have a VIP on igb1?
I would sniff on your WAN - do you see traffic going out to those servers? With source IP NATed to your WAN IP?
Is your default route out your WAN, or via VPN.. IE you pulled routes?
-
@johnpoz if you mean the 10.10.10.1, it is coming from pfBlocker - I am disabling that and Snort to check the effect
-
Snort huh... yeah, could be problematic..
But it's a given that if your ntpd cannot get into sync by talking to the ntp servers you point it to, either direct or pool, then no clients would sync with it. ;) since it's not a valid time source until it has gotten into sync with a valid time source.
-
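The check johnpoz describes above (if ntpd has no system peer, clients will not sync either) is something you can script rather than eyeball. The following is an added example, not code from the thread or from pfSense: it parses the text `ntpq -pn` prints on the firewall and reports whether a system peer exists and which upstreams have never answered (reach register 0, stratum 16, refid .INIT.), which is the picture you get when the daemon's queries leave the box but the replies never come back. Both samples are constructed, not captured from the poster's SG-4860.

```python
"""Decide from `ntpq -pn` output whether a pfSense/FreeBSD ntpd is a usable time source.

Added example; the two samples below are constructed for illustration.
"""
import subprocess

# Constructed: a healthy box, synced to the local stratum-1 server.
SYNCED_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.3.32    .GPS.            1 u   37   64  377    0.412   -0.021   0.015
+162.159.200.1   10.21.8.19       3 u   30   64  377   12.310    0.522   0.390
-213.251.52.234  193.190.230.65   2 u   41   64  377   18.004    1.901   0.612
"""

# Constructed: queries go out but nothing comes back (e.g. self-originated
# traffic not NATed). Every pool peer stays at stratum 16, .INIT., reach 0.
UNREACHABLE_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 162.159.200.1   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 213.251.52.234  .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "#": "backup",
         "x": "falseticker", ".": "excess", " ": "unused/unreached"}


def parse_ntpq(text):
    """Parse `ntpq -pn` billboard lines into dicts; the first column is the tally code."""
    peers = []
    for line in text.splitlines()[2:]:          # skip header and the ==== rule
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue                             # truncated or wrapped line, ignore
        remote, refid, st, _t, _when, _poll, reach, delay, offset, _jitter = fields[:10]
        peers.append({
            "tally": tally,
            "status": TALLY.get(tally, "unknown"),
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "reach": int(reach, 8),              # ntpq prints the 8-bit reach register in octal
            "delay_ms": float(delay),
            "offset_ms": float(offset),
        })
    return peers


def system_peer(peers):
    """Address of the peer ntpd actually follows ('*'), or None if not synced."""
    for p in peers:
        if p["tally"] == "*":
            return p["remote"]
    return None


def never_answered(peers):
    """Peers that have never replied: reach register 0 and stratum 16."""
    return [p["remote"] for p in peers if p["reach"] == 0 and p["stratum"] == 16]


def check_live():
    """Run the same check against the local daemon (pfSense shell or SSH)."""
    out = subprocess.run(["ntpq", "-pn"], capture_output=True, text=True, check=True).stdout
    peers = parse_ntpq(out)
    sp = system_peer(peers)
    dead = never_answered(peers)
    print("system peer:", sp or "NONE - this box is not a valid time source yet")
    if dead:
        print("never answered (check outbound NAT / firewall for the box's own traffic):", dead)
    return sp, dead


if __name__ == "__main__":
    check_live()
```

On a box with the symptom from this thread `system_peer` returns None while `never_answered` lists every upstream; a synced box returns the `*` peer, which is what has to be true before any LAN or VLAN client will accept time from it.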
Thanks guys for all the help. I found the answer in here.
https://forum.netgate.com/topic/131506/ntp-not-working-solved-totally/27 by jimp (Rebel Alliance Developer, Netgate), Jun 21, 2018, 5:27 PM
Firewall > NAT, Outbound tab. Add rule to top.
Disabled: Unchecked
Do not NAT: Unchecked
Interface: WAN (make one of these rules for each WAN)
Protocol: any
Source: This Firewall (self)
Destination: any
Not: Unchecked
Translation Address: Interface Address
Port or Range: Blank
Description: NAT anything out from the firewall itself
-
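Why the rule quoted above fixes it is easier to see with a first-match model of the outbound NAT table. The following is an added example, not pfSense or pf code and not from the thread: it models manual outbound NAT the way a user typically writes it (one entry per client subnet per WAN), evaluates where a packet's source gets translated, and then adds the "This Firewall (self)" rule from the post at the top of the table, once per WAN. Interfaces, addresses and subnets are constructed for the example; the scenario where ntpd's own queries are sourced from loopback is the one johnpoz guessed at, assumed here rather than confirmed.

```python
"""Toy first-match model of pfSense manual outbound NAT (added example, not pfSense code)."""
import ipaddress

# Constructed topology: two "WAN" egress interfaces (ISP uplink and a VPN client tunnel).
WANS = {
    "igb0": ipaddress.ip_address("203.0.113.10"),   # ISP uplink address
    "ovpnc1": ipaddress.ip_address("10.8.0.2"),     # VPN client tunnel address
}
LAN_IP = ipaddress.ip_address("192.168.1.1")
LOOPBACK = ipaddress.ip_address("127.0.0.1")
# "This Firewall (self)" in the GUI means every address the firewall itself owns.
SELF = {LOOPBACK, LAN_IP, *WANS.values()}

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VLAN4_NET = ipaddress.ip_network("192.168.4.0/24")


def rule(interface, source, description, translation="interface"):
    """source is an ip_network or the literal "self"; "interface" = translate to the egress address."""
    return {"interface": interface, "source": source,
            "description": description, "translation": translation}


def outbound_nat(rules, egress_if, src_ip):
    """First matching rule wins, as in pf; None means the packet leaves with its original source."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["interface"] != egress_if:
            continue
        matched = (src in SELF) if r["source"] == "self" else (src in r["source"])
        if matched:
            return WANS[egress_if] if r["translation"] == "interface" else r["translation"]
    return None


# Manual outbound NAT as usually hand-built: only client subnets are listed.
MANUAL_LAN_ONLY = [
    rule("igb0", LAN_NET, "LAN -> ISP"),
    rule("igb0", VLAN4_NET, "VLAN4 -> ISP"),
    rule("ovpnc1", VLAN4_NET, "VLAN4 policy-routed out VPN"),
]

# The fix from the quoted post: one "self" rule per WAN, added at the top of the table.
FIXED = [rule(wan, "self", "NAT anything out from the firewall itself") for wan in WANS] + MANUAL_LAN_ONLY


def main():
    cases = [
        ("LAN client", "igb0", "192.168.1.50"),
        ("ntpd from loopback", "igb0", "127.0.0.1"),    # assumed source, see lead-in
        ("ntpd from loopback", "ovpnc1", "127.0.0.1"),
    ]
    for name, table in (("manual, LAN only", MANUAL_LAN_ONLY), ("with self rule", FIXED)):
        for who, egress, src in cases:
            nat = outbound_nat(table, egress, src)
            print(f"{name:17} {who:19} {src:>13} out {egress:6} -> "
                  f"{'translated to ' + str(nat) if nat else 'NOT translated'}")


if __name__ == "__main__":
    main()
```

With the LAN-only table the client packet is translated and the firewall's own packet is not; it leaves WAN with a source address the internet will never route back, which is exactly what sniffing the WAN (as suggested earlier in the thread) would show. With the self rule in place both are translated on each WAN that has one, which is why the post says to add one rule per WAN.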
So the problem was, as I thought, you were not NATing.. Which prob has something to do with manual NATs and all your VPN interfaces...