SNTP Problem getting connection!

pfsense_user12123 · Oct 5, 2017, 6:04 PM

Hi there,

i´m using an all of my clients ntp. and this works fine.
only one client which is a switch can´t connect using sntp.this switch can´t connect to ntp only sntp.
All other clients on this switch get ntp working fine.
i know that these two are different protocols (ntp / sntp) . but both use port 123

i can´t figure out why this is not working :-(

i´m using pfblocker, suricata.
i disabled ntp on the interface my switch is connected to.
i disabled both suricata and pfblocker and made a nat rule from my wan interface to pass all to the ip of the switch.
i put the rule on top of all rules -> nothing -> no sntp pakets came to my switch.

on my old asus router this works without any problems. any help or ideas ?

thx very much !

pfsense_user12123 · Oct 7, 2017, 7:06 AM

I found the problem.

In DNS resolver I selected all interfaces.
Solved the problem by deselecting the wan interface.

Everything works now.

Why? I use my own dns servers not these from my isp. Could that be why this solution works?

johnpoz · Oct 7, 2017, 8:26 AM

huh?? That would have nothing to do with anything..

So you you deselected wan from the ports it listens on the what it can use to resolve? So you have the resolver in forwarding mode? Out of the box unbound is resolver, it wouldn't be using your own dns or your isp dns.. It resolves it does not forward unless you checked that box and pointed it to somewhere. None of which would have anything to do with your sntp device not working..

Where does your device point to for sntp? Is it using a fqdn that is not resolving?

pfsense_user12123 · Oct 7, 2017, 3:00 PM

You are right. i selected "WAN" interface again for the DNS and SNTP still works.
Don´t know what the problem was. I can not explain it to myself.

the reason why i changed this was an article i found here
-> https://b3n.org/hijacked-slow-dns-unbound-pfsense/

Would you recommend such a setting?

What would be the disadvantage of this settings?

thx for your support!

johnpoz · Oct 7, 2017, 2:58 PM

Huh? Yes I highly recommend using unbound as resolver - you do understand that is the default out of the box config right? For it to not be like that you have to dick with it ;)

Some idiot writes a blog post that is how pfsense is right out of the gate clicking setup and following the bouncing ball.. And it was the default before he wrote that article back in feb.. Pfsense has been using unbound in resolver mode out of the box since 2.2.. https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes

Which came out in Jan of 2015.. That guys article is telling you how its setup out of box 2 years after the fact.. And suggesting its some great idea of his? WTF!

"i can´t ping the clients just with for example: ping pc1"

No - why should you be able too? DNS needs to be FQDN.. So use fqdn in your query or setting up what ntp to use, or make sure you setup domain suffix and or search suffixes so when you put in pc1 the client auto adds the domains you want it to, ie yourdomain.tld that your using locally, etc.

pfsense_user12123 · Oct 7, 2017, 3:00 PM

ok, thx for your statement.

i posted on the cisco forum because i thought, this must be a switch problem. But i noticed it had to do with dns or fqdn!
i can ping any client with the host and the "domain" name like -> for example : ping pc1.domain -> no problem
i can´t ping the clients just with for example: ping pc1
also nslookup works the same way. for example -> nslookup pc1.home -> no problem
or nslookup pc1 -> non existent domain.

johnpoz · Oct 7, 2017, 3:02 PM

still not sure what you thought disabling dns from working - how would it work if you could not query out your wan would have anything to do with ntp not working?

johnpoz · Oct 7, 2017, 3:27 PM

So your also running IPS ;) who says that wasn't your problem? Do you only have it in monitor mode?

Why would you care about inbound traffic into your wan from the public internet for your IPS?

pfsense_user12123 · Oct 8, 2017, 2:28 PM

i reinstalled suricata . i did these a serveral times before i solved my problem with sntp.
at the moment everything works without any problem. still don´t know exactly what solved the sntp problem.

by the way…

i use suricata now in monitor mode because i want to change it to "block on drop" but i do not quite understand it.

see my post. perhaps you could help me with my questions?

-> https://forum.pfsense.org/index.php?topic=137669.msg752860#msg752860