NTPd: External peers stopped working



  • Hello,

    NTPd does not seem to use external peers any more. A secondary time server from our internal network is working and I set it up as a peer in pfSense. I checked with ntpdate; there seems to be no connection issue to this peer.

    
    [2.3.4-RELEASE]/root: ntpdate -q ptbtime1.ptb.de
    server 192.53.103.108, stratum 1, offset 0.006594, delay 0.05330
    21 Jul 13:28:45 ntpdate[18903]: adjust time server 192.53.103.108 offset 0.006594 sec
    [2.3.4-RELEASE]/root: ntpq -p
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     ptbtime1.ptb.de .INIT.          16 u    -   64    0    0.000    0.000   0.000
     news01.nierle.c .INIT.          16 u    -   64    0    0.000    0.000   0.000
    *presstore.int.m 192.53.103.108   2 u   45   64   17    0.148   -0.103   4.186
    
    

    pfSense version:

    2.3.4-RELEASE (amd64) 
    built on Wed May 03 15:13:29 CDT 2017 
    FreeBSD 10.3-RELEASE-p19 
    

    my NTPd config:

    
    <ntpd>
        <interface>lan</interface>
        <logpeer>yes</logpeer>
        <logsys>yes</logsys>
        <statsgraph>yes</statsgraph>
        <gps>
            <type>Default</type>
        </gps>
        <peerstats>yes</peerstats>
        <restrictions>
            <row>
                <acl_network>10.11.0.0</acl_network>
                <mask>16</mask>
                <nomodify>yes</nomodify>
                <nopeer>yes</nopeer>
                <notrap>yes</notrap>
            </row>
        </restrictions>
        <clockstats>yes</clockstats>
        <loopstats>yes</loopstats>
        <prefer>ptbtime1.ptb.de pool.ntp.org</prefer>
    </ntpd>
    
    

    Any ideas? Thanks!
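
Added example (not part of the original post): a reading of the `ntpq -p` output quoted above. The `reach` column is an octal 8-bit shift register of the last eight polls, so `0` with refid `.INIT.` means the peer has never answered, while `17` means the last four polls were answered. The function names are illustrative.

```python
# Sample input: the `ntpq -p` output quoted in the post above.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ptbtime1.ptb.de .INIT.          16 u    -   64    0    0.000    0.000   0.000
 news01.nierle.c .INIT.          16 u    -   64    0    0.000    0.000   0.000
*presstore.int.m 192.53.103.108   2 u   45   64   17    0.148   -0.103   4.186
"""

# Tally character printed in the first column of each peer line.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "#": "backup",
         "x": "falseticker", "o": "pps peer", ".": "excess", " ": "rejected"}


def parse_peers(text):
    """Return one dict per peer line of raw `ntpq -p` output."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()          # column 0 is the tally character
        if len(fields) != 10 or not fields[2].isdigit():
            continue                       # header, separator or blank line
        reach = int(fields[6], 8)          # printed in octal
        peers.append({
            "remote": fields[0],           # ntpq truncates names to 15 chars
            "refid": fields[1],
            "stratum": int(fields[2]),     # 16 = unsynchronized
            "role": TALLY.get(line[0], "unknown"),
            "reach": reach,
            "answered": bin(reach).count("1"),  # replies in the last 8 polls
        })
    return peers


def status(peer):
    """Classify a peer by its reach register and refid."""
    if peer["reach"] == 0:
        return "never answered" if peer["refid"] == ".INIT." else "unreachable"
    return "reachable" if peer["reach"] & 1 else "last poll missed"


def unreachable(text):
    """Names of peers that are not currently answering polls."""
    return [p["remote"] for p in parse_peers(text) if status(p) != "reachable"]


if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        print(f'{p["remote"]:16} {p["role"]:12} reach={p["reach"]:08b} {status(p)}')
```
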



  • Not really an 'idea', but using "pool.ntp.org" never troubled me.

    [2.3.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ntpdate -q pool.ntp.org
    server 193.140.100.40, stratum 2, offset -0.000248, delay 0.11893
    server 216.182.1.2, stratum 2, offset -0.002764, delay 0.14154
    server 185.53.93.157, stratum 2, offset -0.008575, delay 0.07903
    server 85.10.240.253, stratum 2, offset -0.000071, delay 0.06528
    21 Jul 19:22:49 ntpdate[38234]: adjust time server 85.10.240.253 offset -0.000071 sec
    
    

    It was a "set it and forget it" thing (a decade ago ?!).



  • I have not had a good experience with pool.ntp.org. While it is reliable, for me, it's typically more off than my $10 wall clock that I set the time on twice a year for daylight savings. I'll regularly see my active server be nearly 10sec off if I use pool.ntp.org.

    Because of this horribleness, I just googled for public NTP servers from around the world that have been around for a long time and now I'm less than 1ms off. I've even added a Stratum 1 a few times to see how far off, and I'm usually less than 0.1ms off, rarely break past 1ms, and my worst is still single digit milliseconds.

    0.1ms may be overkill, but 10,000 is horrible.


  • Rebel Alliance Global Moderator

    I run a server in the pool.. It's a stratum 1 server - it sure as the F is not 10sec off ;)

    All pool servers are monitored - if they are too far off they are dropped from the pool, if they do not answer so many queries they are dropped from the pool.  I.e. if their score drops below 10 with 20 being the max score.  So miss a few queries from the monitor, have your offset from the monitor too much and your score drops below 10 and you're dropped from the pool.

    You really should use the pool.ntp.org for your region..

    See all zones in All Pool Servers.

    Africa — africa.pool.ntp.org (35)
    Antarctica — antarctica.pool.ntp.org (0)
    Asia — asia.pool.ntp.org (268)
    Europe — europe.pool.ntp.org (2766)
    North America — north-america.pool.ntp.org (930)
    Oceania — oceania.pool.ntp.org (100)
    South America — south-america.pool.ntp.org (39)

    If you're in Europe for example you can get more local to your area

    
    Andorra — ad.pool.ntp.org (0)
    Albania — al.pool.ntp.org (0)
    Austria — at.pool.ntp.org (60)
    Aland Islands — ax.pool.ntp.org (0)
    Bosnia and Herzegovina — ba.pool.ntp.org (2)
    Belgium — be.pool.ntp.org (17)
    Bulgaria — bg.pool.ntp.org (47)
    Belarus — by.pool.ntp.org (7)
    Switzerland — ch.pool.ntp.org (130)
    Czech Republic — cz.pool.ntp.org (41)
    Germany — de.pool.ntp.org (761)
    Denmark — dk.pool.ntp.org (44)
    Estonia — ee.pool.ntp.org (11)
    Spain — es.pool.ntp.org (7)
    Finland — fi.pool.ntp.org (35)
    Faroe Islands — fo.pool.ntp.org (0)
    France — fr.pool.ntp.org (439)
    Guernsey — gg.pool.ntp.org (0)
    Gibraltar — gi.pool.ntp.org (0)
    Greece — gr.pool.ntp.org (13)
    Croatia — hr.pool.ntp.org (8)
    Hungary — hu.pool.ntp.org (64)
    Ireland — ie.pool.ntp.org (19)
    Isle of Man — im.pool.ntp.org (1)
    Iceland — is.pool.ntp.org (7)
    Italy — it.pool.ntp.org (21)
    Jersey — je.pool.ntp.org (0)
    Liechtenstein — li.pool.ntp.org (6)
    Lithuania — lt.pool.ntp.org (11)
    Luxembourg — lu.pool.ntp.org (16)
    Latvia — lv.pool.ntp.org (8)
    Monaco — mc.pool.ntp.org (0)
    Moldova — md.pool.ntp.org (14)
    Republic of Montenegro — me.pool.ntp.org (0)
    Macedonia — mk.pool.ntp.org (5)
    Malta — mt.pool.ntp.org (0)
    Netherlands — nl.pool.ntp.org (251)
    Norway — no.pool.ntp.org (33)
    Poland — pl.pool.ntp.org (68)
    Portugal — pt.pool.ntp.org (12)
    Romania — ro.pool.ntp.org (37)
    Republic of Serbia — rs.pool.ntp.org (14)
    Russian Federation — ru.pool.ntp.org (152)
    Sweden — se.pool.ntp.org (29)
    Slovenia — si.pool.ntp.org (18)
    Svalbard and Jan Mayen — sj.pool.ntp.org (0)
    Slovakia — sk.pool.ntp.org (18)
    San Marino — sm.pool.ntp.org (0)
    Turkey — tr.pool.ntp.org (22)
    Ukraine — ua.pool.ntp.org (73)
    United Kingdom — uk.pool.ntp.org (278)
    Holy See (Vatican City State) — va.pool.ntp.org (0)
    Yugoslavia — yu.pool.ntp.org (0)
    
    

    That being said pool servers can drop off at any time, many of them are run by people as a hobby - me for example ;)  It goes offline now and then..

    But sure if you're having bad luck with pool servers, then go to the public ntp list.
    http://support.ntp.org/bin/view/Servers/StratumTwoTimeServers
    http://support.ntp.org/bin/view/Servers/StratumOneTimeServers

    Look for ones in your region, and look at their rules of engagement - many are open to the public, but some have certain restrictions that you should pay attention to in order to be a good netizen ;)  And they may block you if you do not pay attention to the rules they post, etc.

    If you want good time and don't want to do it over the internet - for a few bucks you can run your own stratum 1 on a pi for gosh sake ;)

    Did you mark in the ntp settings that it's a pool?  If you're going to point at a pool fqdn then you should mark it as pool in the ntp configuration page in pfsense.



  • Hello,

    Thanks for the suggestions! But I now rather think this is a bug in pfSense; when I select multiple listen interfaces, it works again. I remembered changing this to only one interface and never thought anything of it.

    ptbtime1.ptb.org
    

    I have this server as prefer, as it is the 'official' German time (yes, in Germany there is actually a law for that and they ran DCF77 in the past).

    I also use the pools all the time, mostly de.pool.ntp.org. My past experience is also rather of the one time setup sort.

    @johnpoz:

    Did you mark in the ntp settings that it's a pool?  If you're going to point at a pool fqdn then you should mark it as pool in the ntp configuration page in pfsense.

    I think there is no such setting? At least in my GUI, I only have 'prefer' and 'noselect' as options.

    And you're right - running my own timeserver would be preferable:

    for a few bucks you can run your own stratum 1 on a pi for gosh sake ;)

    Do you have a suggestion, something which works well with pfsense?

    Thanks!


  • Rebel Alliance Global Moderator

    The pool option was added in the 2.4 betas.

    If you're syncing with non pool, it is more likely that the pool you were syncing to just went offline and you have not picked a different one.  If you look to see what IP you're checking you can just look that IP up on the pool site.  They list all servers that are members of the pool.

    They could be blocking you - you would want to sniff the traffic and find the point when it was working and then it stops working..  Just look to see if pfsense is actually sending the query - and you don't just get an answer?

    You can check this site for getting a ntp server up and running on a pi
    http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

    It will for sure get you started..  There are also other threads here about supplying a PPS signal to pfsense..