NTP server pools can't be resolved [Solved, 2 problems in 1 post]

Gertjan

@techtester-m said in NTP server pools can't be resolved:

What now?

At least you know - we actually knew already - that DNS is working.

You browser said that it couldn't connect to duckduck - which implies it has the correct IP (a domain name doesn't mean anything to a browser) but the traffic send from the device on which your browser runs to "40.114.177.156" isn't possible.
I suspect some/most/all your VPN settings. See my comments above.

techtester-m

@Gertjan I think you're wrong here.
I disabled the policy routing rule with the VPN and sent all LAN traffic through the default gateway which is the WAN.
Disabled the NO_WAN_EGRESS rule in under floating. Changed to 8.8.8.8 under general settings and still...nothing.

Also, why would the VPN or any other setting in pfsense care who I'm forwarding the DNS requests? WTH would it work perfectly with Cloudflare but not with others?

Btw, NTP issue still exists even when using "pure resolver" mode without forwarding. I won't reach them and will have just this address 162.159.200.123 as the only Active Peer. Never had such a weird issue before....please help lol

Gertjan

As you might know, we do not have the helpdesk tools to guide you from a known, working situation, to drill down to the source of an issue, or even a collection of issues.

What work fast - and would work for you now, is creating a known point of start.

Save your config.
Reset the entire pfSense : option 4 in the console menu.
From this point : you do 5 things :
Assign a WAN interface - by suing DHCP
Assign a LAN interface - and do leave everything to default.
Assign a password to pfSense (and yes, assign logic things like the correct time zone).
Hook up a PC to the LAN. You should have a normal Internet access. Everything should be fine.
// END //
Check this setup as long as possible because any issue on this point is pretty sure located "upstream".
Try everything that didn't work before.
Because: You an I use the same code. And you did not - or very minimalistic, change the default settings. The very same settings "that work for everybody".

While doing so, assign a NTP pool - or use the default pool. "Time" should work. Again, if not, issues are upstream.

During the test : do not add/change firewall rules, VPN's, other interfaces or whatever. No DNS changes : nothing.
No 8.8.8.8 or anybody else.
Just the default stuff.

You can always go back to the situation you have now, by importing your saved backup, and reboot.
So my test has no risks.

techtester-m

@Gertjan I'll try and report back after the weekend :) thanks

johnpoz

@techtester-m said in NTP server pools can't be resolved:

perhaps my ISP blocking them (on port 53)?

Why not just do a query yourself and check? nslookup, dig, host - your fav dns tool and query whatever NS you want and see if you get an answer..

This is way to "test" if your isp is blocking 53..

example.

C:\>dig @8.8.8.8 www.netgate.com

; <<>> DiG 9.16.4 <<>> @8.8.8.8 www.netgate.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7806
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.netgate.com.               IN      A

;; ANSWER SECTION:
www.netgate.com.        3195    IN      A       208.123.73.73

;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 26 16:16:35 Central Daylight Time 2020
;; MSG SIZE  rcvd: 60

If your wanting to check if your being redirected.. This would be a good simple test.. If directly query any of these they should return your public IP.. If its not your IP, then your dns is being redirected most likely

nslookup whoami.akamai.net. ns1-1.akamaitech.net.
nslookup -q=TXT o-o.myaddr.l.google.com. ns2.google.com.
nslookup myip.opendns.com. resolver1.opendns.com.

Example

$ nslookup whoami.akamai.net. ns1-1.akamaitech.net
Server:  UnKnown
Address:  193.108.88.1

Name:    whoami.akamai.net
Address:  64.53.x.x

That IP is my actual WAN IP.. where I did the query from - if you get something else back.. Most likely your dns is being redirected.

techtester-m

@johnpoz I had the same result as yours. It showed my WAN IP. Still...same problem. But I think I found out what caused it.

Gertjan

@techtester-m said in NTP server pools can't be resolved:

It showed my WAN IP. Still...same problem

Very good news.
No ISP issues. Your issues are 'local'.

techtester-m

@Gertjan I factory reset the settings. Defined everything from scratch one by one and I think I found out the problem which I find weird as well. Perhaps a bug with pfSense, by design or simply something with how DNS servers work.

So...it goes like this: The problem seem to originate from the monitoring IPs set for the gateways. When I use DNS servers as the monitoring IPs of my gateways (especially the WAN I think) I can't use them under General Settings or else it will cause some weird problems that don't make much sense (at least to me). Please check the screenshot below:

Gertjan

Monitoring a gateway by using 1.1.1.1 or 8.8.8.8 is a bad idea.

As any server, these (8.8.8.8 - 1.1.1.1 etc) have to protect themselves. There are many Internet users out there with completely hosed (router) network setups, and the firewall of 8.8.8.8 is very capable of blocking IP's that over rate DNS requests, ICMP requests etc. And they probably slam down a /24 so you and your /24 WAN fellows will get blocked - only ICMP or even everything : DNS. These people will notice this, contact their ISP, who contacts 8.8.8.8 who will say : disconnect the ab-user, and we will remove the restrictions. So the ISP will do some network sniffing, find their abusing client and ask him friendly to stop what he is doing ....

This is just an example - and not a invented story : these things happen.

=> and if 8.8.8.8 doesn't reply to ping - because there is no law that says it has to - your WAN will be taken down to be reset. That's problematic. So : stop biothering 8.8.8.8 - it isn't a world wide gateway tester after all.

You be better of using a 'gateway' test IP, more close, one of your ISP.

techtester-m

@Gertjan said in NTP server pools can't be resolved:

As any server, these (8.8.8.8 - 1.1.1.1 etc) have to protect themselves...

Goddamn I had a feeling it was something with the DNS servers limiting me. But on the other hand, I only went this path because when I didn't use any IP to monitor the default was the ip of the interface itself which caused some problems in the occasions where VPN gateways were assigned with the same ip.

So you're saying the best approach would be to monitor an IP on the "outside world" but not a DNS one and preferably one within the boundaries of my WAN/ISP? Did I understand you correctly?

Edit: What IPs or servers won't protect themselves or restrict in the same way? Because you would imagine that DNS servers can "take everything you through on them"...kind of lol

johnpoz

@techtester-m said in NTP server pools can't be resolved:

best approach would be to monitor an IP on the "outside world"

Who said that? I personally think that is a bad idea.. Unless you have specific reason that, like your ISP gateway doesn't answer or pfsense is actually behind a nat or something..

Best approach is to leave it at default which is to monitor your actual gateway, unless you have specific need/reason to change it.

Why do you have so many freaking vpn connections btw? What I would suggest you get stuff working like dns fowarding and ntp before you start sending all your traffic to some vpn service(s)...

Gertjan

@techtester-m said in NTP server pools can't be resolved:

So you're saying the best approach would be to monitor an IP on the "outside world" but not a DNS one and preferably one within the boundaries of my WAN/ISP? Did I understand you correctly?

@techtester-m said in NTP server pools can't be resolved:

What IPs or servers won't protect themselves or restrict in the same way? Because you would imagine that DNS servers can "take everything you through on them"...kind of lol

You got it.
If "people" would know the consequence of their choices, they wouldn't throw in these '8.8.8.8' everywhere.
Better : pfSense monitors the (a) WAN interface. But you don't have to leave it "on" or accept the IP it uses for the test. Although : pfSense never puts in 8.8.8.8 by default : they (Netgate) would receive a phone call from Google to make that stop.
The default DHCP on WAN just pings the upstream gateway, often your your upstream (ISP) router.

Myself : I use one of my own dedicated servers on the Internet Its me bothering myself with my own pings. Main advantage : I can trust my own server ^^

techtester-m

@johnpoz said in NTP server pools can't be resolved:

Who said that? I personally think that is a bad idea..

Ok...you and @Gertjan seem to disagree on this matter.

@johnpoz said in NTP server pools can't be resolved:

Why do you have so many freaking vpn connections btw?

We've discussed this few months - a year ago. Multiple reasons, which I don't expect everybody to agree on obviously, like: "Stick it to the man", load balancing, failover, OCD etc... :)

@johnpoz said in NTP server pools can't be resolved:

Best approach is to leave it at default which is to monitor your actual gateway

Yeah, I understand that about the WAN gateway. It should ping the upstream gateway because if that won't answer back then there's no point to even try to get to anything beyond that. That being said, when it comes to a 'local' gateway with a virtual ip/one that was set by a VPN server, pinging itself doesn't make sense to me because it's not even the upstream gateway/server ip. It's actually literally pinging itself regardless of internet connection status.
If I'm missing the way gateway monitoring behaves, please bear with me and elaborate more. Thank you.

@johnpoz said in NTP server pools can't be resolved:

What I would suggest you get stuff working like dns fowarding and ntp before you start sending all your traffic to some vpn service(s)...

That's exactly what I did after I did reset to factory defaults. DNS forwarding is fine when I'm not monitoring gateways using DNS servers as I explained above (found the issue of DNS already). About NTP - even with the default settings of pfsense, it still shows 0 under the 'Reach' column of the NTP pools and chooses the same address as before to be the Active Peer. Unless this is the expected behavior, then it's an ISP behavior.

@Gertjan said in NTP server pools can't be resolved:

Myself : I use one of my own dedicated servers on the Internet

Haha good idea. But... (1) What would you do in case of multiple gateways? pfsense forces you to choose a different monitoring IP for each gateway. (2) Untill I'll setup my own cloud server or something like that, should I just leave it as default and let the VPN gateways to monitor their own internal/virtual interface IPs?

Thank you guys for all the input and knowledge. A little bit more and we'll have an agreeable working solution and I'll have my peace of mind. Please bear with me a little more.

Gertjan

This :

@techtester-m said in NTP server pools can't be resolved:

Ok...you and @Gertjan seem to disagree on this matter.

@techtester-m said in NTP server pools can't be resolved:

So you're saying the best approach would be to monitor an IP on the "outside world" but not a DNS one and preferably one within the boundaries of my WAN/ISP? Did I understand you correctly?

Let's chop it into pieces :

boundaries of my WAN/ISP?

The closer the better, so why not. Your upstream home ISP router is choses by default if you use DHCP.

but not a DNS one

a DNS servers exists to reply on DNS requests - who knows what it can do with ICMP requests if it gets overloaded ? (or see above for other events)

"outside world"

because the "inside world" = an IP on LAN wouldn't make any sense ;))

So yes, nothing wrong with your phrase.
@johnpoz read / understood something else ?
Or understood what I missed ...

johnpoz

@techtester-m said in NTP server pools can't be resolved:

it still shows 0 under the 'Reach' column of the NTP pools and chooses

You mean this 0

That is expected for the "pool placeholder"

As to which active peer gets picked, that would the peer that ntp determines is the best one..

Only thing you should be concerned with is that there is an active peer, and that the ntp servers your trying to talk to show reaches as 377, this means that that server has answered the last 8 times in a row talking to it.

If you want have pfsense only talk to or pick from the ntp servers you want, then pool is not for you.. specifically list only the ntp servers you want ntp to use.. Any pool is going to be a randomly changing list of servers that are in the "pool"..

techtester-m

@johnpoz said in NTP server pools can't be resolved:

That is expected for the "pool placeholder"

Thank you, that's what I wanted to know. So in that regard everything is working perfectly.

@johnpoz said in NTP server pools can't be resolved:

that the ntp servers your trying to talk to show reaches as 377

That's ok too. I see this exact number in the Active Peer row (Reach column).

@johnpoz said in NTP server pools can't be resolved:

If you want have pfsense only talk to or pick from the ntp servers you want, then pool is not for you

I do want a pool but it seems it picks the wrong server (or maybe not...). Let me explain the issue: I use a Ubiquiti EdgeSwitch and I've noticed a wrong date (Jan xx, 2020) when I downloaded the config file and opened it. So I set my pfsense address as the SNTP server (EdgeSwitch settings) for that switch. Downloaded the config file again and noticed an almost correct date (Jun xx, 2020) but with the UTC (+8) of somewhere in the east cost of the US or Canada I think. Checked the address of the Active Peer (always the same one) in pfsense and searched it with iplocation.net. I received multiple results (screenshot below):

techtester-m

@Gertjan said in NTP server pools can't be resolved:

The closer the better, so why not. Your upstream home ISP router is choses by default if you use DHCP.

I understand, thank you. What about a VPN gateway with the address of 10.x.x.x assigned by the VPN server? pfSense will monitor this exact IP. Seems a bit different to me from monitoring the WAN IP idk why...feels wrong, unless I misunderstood something and it only looks like a local/virtual address but because I'm connected to the VPN server I'm on a sort of a different LAN with that server and therefore that IP would be considered as 'upstream'. Can you explain that a little bit more, please?

@johnpoz Johnny boy you can elaborate on the matter as well lol :) Feel free...

Edit: I visualized and wrote my thesis on the matter (see screenshot below). Can you please tell me if my understanding of how things work is correct?

Gertjan

When you use the VPN client on pfSense to connect to a VPN server, it will receive a tunnel IP "on the pfSense side" and there will be an IP on the other side - the VPN server. This one should be able to reply on "ping" and is thus perfect to do the "dpinger ping tunnel "WAN" test".
When the tunnel goes down, dpinger - the task that actually monitors the WAN = VPN interface, will kick around the VPN client by restarting it.

All you need is a IP "on the other side".
Even 8.8.8.8 could work for years without issues - for others : it doesn't.
Just use an IP that you can trust a,d/or check because, remember, if that IP can't be reached any more, dpinger will do 'bad' things with that WAN connection. Something that can be disabled if you trust your WAN/VPN/etc connection enough.

Btw : I've a VPN connection "to play with" - to see what it is. I'm not actually using it, because I still do not understand why I should need one.
Just one - the setup - messes up my pfSense connection enough - things become over complicated / not transparent at all. When things go bad it's not simple any more to do the basic "debug" steps.
And you use 3 of them ??

techtester-m

@Gertjan For the actual WAN I'll use the upstream ISP gateway.

@Gertjan said in NTP server pools can't be resolved:

All you need is a IP "on the other side"

But which is what? Is the 10.x.x.x the tunnel IP (local) and the IP "on the other side" is simply the VPN server address...OR is the 10.x.x.x address is the one "on the other side" but only looks local (but is virtual)? Seems simple but the semantics can be confusing sometimes.

Gertjan

@techtester-m said in NTP server pools can't be resolved:

But which is what?

Actually : any IP on the Internet will do.
With the restrictions stated above.