[Solved] NTPD on VLAN sub-interface



  • Hi,

    I'm on 2.4.2-RELEASE with several VLAN sub-interfaces.
    I am unable to get NTPD working when VLAN sub-interface(s) is/are selected in Services / NTP / Settings -> Interfaces.
    NTPD starts, but in the log I see only

    Feb 22 13:16:09 	ntpd 	43676 	Soliciting pool server 5.x.146.13
    Feb 22 13:16:09 	ntpd 	43676 	Soliciting pool server 148.y.154.36
    Feb 22 13:16:09 	ntpd 	43676 	Soliciting pool server 213.z.53.187
    Feb 22 13:16:09 	ntpd 	43676 	Soliciting pool server 176.w.144.121 
    

    ntpq -p shows:

    ntpq -p
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     0.de.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.001
     1.de.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.001
     2.de.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.001
     3.de.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.001
    

    interface definitions in my ntp.conf

    grep interface /var/etc/ntpd.conf 
    interface ignore all
    interface ignore wildcard
    interface listen vmx4.13
    interface listen vmx3
    interface listen vmx2
    
    

    Once I unselect all VLAN sub-interfaces and restart NTPD, it works well.

    Am I missing something or is this a bug?

    Zsolt


  • LAYER 8 Global Moderator

    I have ntpd on multiple vlans without any issues.

    [2.4.2-RELEASE][root@sg4860.local.lan]/root: grep interface /var/etc/ntpd.conf
    interface ignore all
    interface ignore wildcard
    interface listen igb0
    interface listen igb2
    interface listen igb2.200
    interface listen igb2.100
    interface listen igb2.300
    interface listen igb2.500
    interface listen igb3

    You need to figure out why ntpd can not get to ntp servers you're using..



  • Thanks for your reply.
    Do you also serve ntp to your native vlan of your switch or what is the reason of having the igb2 and igb2.* sub-interfaces as well in your ntp.conf?

    Anyway, I've assigned an ip address to my vmx4 interface and added as NTP interface, but did not help.
    My complete non-working ntpd.conf is following:

    # 
    # pfSense ntp configuration file 
    # 
    
    tinker panic 0 
    # Orphan mode stratum
    tos orphan 12
    
    # Upstream Servers
    pool 0.de.pool.ntp.org iburst maxpoll 9
    pool 1.de.pool.ntp.org iburst maxpoll 9
    pool 2.de.pool.ntp.org iburst maxpoll 9
    pool 3.de.pool.ntp.org iburst maxpoll 9
    
    statsdir /var/log/ntp
    logconfig =syncall +clockall +peerall +sysall
    driftfile /var/db/ntpd.drift
    restrict default kod limited nomodify nopeer notrap
    restrict -6 default kod limited nomodify nopeer notrap
    restrict source kod limited nomodify notrap
    interface ignore all
    interface ignore wildcard
    interface listen vmx4.13
    interface listen vmx3
    interface listen vmx2
    interface listen vmx4
    
    

    however ntpstat -q works ok:

    ntpdate -q a.fraho.eu
    server 88.198.12.78, stratum 2, offset -0.000490, delay 0.03764
    23 Feb 10:58:28 ntpdate[23354]: adjust time server 88.198.12.78 offset -0.000490 sec
    
    

    Once I remove the vmx4.13 from ntp interfaces NTP starts communicating with configured servers.

    Is it a vlan 13 and Friday issue?  ;D

    Any idea what to check?



  • I think that I've figured it out.

    Long story short:
    In case WAN is not among the list of the interfaces to listen on, NTPD picks the source ip for its outgoing ntp traffic as follows:

    • sort the ip addresses where it is configured to listen on (interfaces)
    • select the first one as source address

    This ip should have outgoing nat configured.
    As I did not want to have NTPD listen on WAN interface and my vlan sub-interfaces did not have outgoing nat, all ntp traffic left the WAN interface with internal ip address as source ip.

    Solution1: select WAN interface to listen on (access from outside is blocked by default)
    Solution2: make sure you have outgoing nat for the interface with lowest ip address.

    HTH,
    Zsolt

    edit: some typos
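
The check described in the post above, as an added example (not code from the thread or from pfSense): it reads the `interface listen` lines, applies the lowest-address selection rule as the post describes it (not verified against ntpd's source), and reports whether that source address has outbound NAT. The WAN name `vmx0`, all addresses and the NAT networks are constructed sample values, IPv4 only.

```python
import ipaddress

# Constructed sample data; the thread does not give addresses or NAT rules.
NTPD_CONF = """\
interface ignore all
interface ignore wildcard
interface listen vmx4.13
interface listen vmx3
interface listen vmx2
"""
IFACE_ADDRS = {"vmx0": "203.0.113.10",   # WAN (hypothetical name and address)
               "vmx2": "192.168.20.1",
               "vmx3": "192.168.30.1",
               "vmx4.13": "10.13.0.1"}
WAN_IF = "vmx0"
NAT_SOURCES = ["192.168.20.0/24", "192.168.30.0/24"]  # networks with outbound NAT


def listen_interfaces(conf_text):
    """Interface names from 'interface listen <name>' lines of ntpd.conf."""
    names = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[:2] == ["interface", "listen"]:
            names.append(fields[2])
    return names


def check_ntp_source(conf_text, iface_addrs, wan_if, nat_sources):
    """Return (source_ip, ok, reason) for ntpd's upstream queries."""
    names = listen_interfaces(conf_text)
    if wan_if in names:  # "Solution1" in the post
        return ipaddress.ip_address(iface_addrs[wan_if]), True, "WAN is a listen interface"
    addrs = [ipaddress.ip_address(iface_addrs[n]) for n in names if n in iface_addrs]
    if not addrs:
        return None, False, "no listen interface has a known address"
    src = min(addrs)  # numerically lowest listen address, per the post
    if any(src in ipaddress.ip_network(net) for net in nat_sources):
        return src, True, "covered by outbound NAT"  # "Solution2" in the post
    return src, False, "no outbound NAT; packets leave WAN with an internal source"


if __name__ == "__main__":
    src, ok, reason = check_ntp_source(NTPD_CONF, IFACE_ADDRS, WAN_IF, NAT_SOURCES)
    print(f"{src}: {'OK' if ok else 'PROBLEM'} ({reason})")
```

With the sample data the VLAN 13 address is the lowest and has no NAT rule, so the check fails; dropping the `vmx4.13` line or adding the WAN interface makes it pass.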


  • LAYER 8 Global Moderator

    "Do you also serve ntp to your native vlan of your switch or what is the reason of having the igb2 and igb2.* sub-interfaces as well in your ntp.conf?"

    Yes ;)  I have some native vlans as well as some tagged vlans.

    Nice info how ntpd picks its source IP for talking to ntp.. Well have to test that out.. My ntpd doesn't listen on wan or talk outside for ntp.. It points to my ntp servers on my local network that are stratum 1.. No reason to use anything else, these servers also serve ntp to pool on both ipv4 and ipv6.. If you were not using de pool at some point your pfsense might get ntp from my ntp server ;)

    Glad you got it sorted.



  • Just wanted to note that I was having this issue tonight in 2.4.4 p3 and the solution was to add WAN to the NTP interfaces. Thanks to those that figured it out. @johnpoz There is definitely something to this.


  • LAYER 8 Global Moderator

    Did you not have outbound nat configured correctly?



  • I followed the HA guide and so far it's working.

