Netgate Discussion Forum

NTP Not Working [SOLVED (totally)]

General pfSense Questions
    stephenw10 Netgate Administrator
    last edited by Jun 11, 2018, 12:00 AM

    Can we see your full outbound NAT page?

    Steve

      beremonavabi @stephenw10
      last edited by Jun 11, 2018, 12:46 AM

      @stephenw10 0_1528677965080_20180610 -- pfSense Firewall NAT Outbound.PNG

      SG-4860, pfSense 2.4.5-RELEASE-p1 (amd64)

        stephenw10 Netgate Administrator
        last edited by Jun 11, 2018, 1:01 PM

        Hmm, looks OK. And you're using manual mode there or hybrid?

        Is the WAN the default gateway on your system?

        Is default gateway switching enabled?

        I could imagine NTP trying to use the VPN gateway and sourcing from something not NAT'd there. It should always use the default gateway though.

        Steve

          beremonavabi @stephenw10
          last edited by beremonavabi Jun 11, 2018, 2:42 PM Jun 11, 2018, 2:41 PM

          @stephenw10 said in NTP Not Working [SOLVED (mostly)]:

          Hmm, looks OK. And you're using manual mode there or hybrid?

          Is the WAN the default gateway on your system?

          Is default gateway switching enabled?

          I could imagine NTP trying to use the VPN gateway and sourcing from something not NAT'd there. It should always use the default gateway though.

          Steve

          Manual mode and, yes, the WAN is the default gateway. Default gateway switching is OFF under System > Advanced > Miscellaneous.

          In normal operation, everything is on the VPN_LAN interface (192.168.20.0/24). My firewall rules for that are:

          0_1528726685370_20180611 -- pfSense Firewall Rules VPN_LAN.PNG

          The first two rules are special cases that are hardly ever used. The third rule sends local device traffic to other local devices out the default. And the last rule sends traffic to the outside world out via the VPN's Gateway Group. So, in general, everything to the outside world goes out over the VPN via that Gateway Group. But, I've got "redirect-gateway def1;" in my VPN client Custom Options to make sure the firewall, itself, can still get out the default gateway. I assume NTP falls under that and should get out via the WAN.

          That special Outbound NAT rule with "This Firewall", above, was just a desperate stab at trying to make sure that NTP traffic could get out the WAN and not get stuck by the VPN. But, it didn't work. Assuming I wrote that rule correctly, it doesn't look like that's the issue.

          I wonder if it could be a DNS issue (not being able to resolve the NTP pool names to addresses -- though why adding the WAN to the NTP listening interfaces would "fix" that, I don't know). I'm using DNS Resolver in NON-Forwarding mode. It's active for all my local LAN-type interfaces (not WAN) and sends everything out via the VPNx_WAN interfaces (again, not WAN). I wonder if I should add the WAN to the Outgoing Network Interfaces:

          0_1528727693395_20180611 -- pfSense General DNS Resolver Options.PNG

            beremonavabi @beremonavabi
            last edited by Jun 11, 2018, 8:18 PM

            @beremonavabi
            It doesn't look like it's a DNS issue, either. I stuck the actual IP address for a public DNS server

            http://support.ntp.org/bin/view/Servers/PublicTimeServer000011

            in and removed the WAN interface. Same problem: NTP doesn't start. Put the WAN back in the list and all was well.

              beremonavabi
              last edited by Jun 20, 2018, 9:12 PM

              Still not working without WAN selected in Settings > NTP. For posterity, here's some information on my gateways:

              0_1529520307659_20180620 -- pfSense System Routing Gateways.PNG

              RW_VPN is my VPN server, VPNx_WAN are my two VPN clients, IPv6 is off so all the IPV6 gateways are disabled, and I've scribbled over my WAN_DHCP addresses for privacy purposes.

              I've also got a Gateway Group:

              0_1529529092017_20180620 -- pfSense System Routing Gateway Groups.PNG

                johnpoz LAYER 8 Global Moderator
                last edited by Jun 21, 2018, 10:12 AM

                See that other thread on how dicked up the other guy's setup was as to why it wasn't working. A clue to why yours isn't working is prob in there as well.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz Jun 21, 2018, 10:17 AM Jun 21, 2018, 10:15 AM

                  @beremonavabi said in NTP Not Working [SOLVED (mostly)]:

                  RW_VPN is my VPN server

                  Huh? Why would your VPN server you're running on pfSense be set up as a gateway?

                  Looks like he is shooting himself in the foot same way other guy was... Manual mode outbound nat and not natting what the ntp is trying to use as the source IP, etc.

                  And for what reason are you using manual for your outbound nat?

                    Gertjan
                    last edited by Gertjan Jun 21, 2018, 2:12 PM Jun 21, 2018, 2:11 PM

                    Just thinking and typing out loud :

                    Is this not just another case of trying to pass everything through the VPN tunnel ?

                    Knowing that the ntp daemon probably starts before the VPN server, it will work for a while : the WAN connection works, (NAT) rules are fine.
                    Then the VPN server starts, the gateways are shot in the back and reconstructed, so that all traffic goes out of the VPN, the new "WAN".
                    Our ntp isn't informed, and is locked out.

                    Something like that ?

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                      jimp Rebel Alliance Developer Netgate
                      last edited by Jun 21, 2018, 3:27 PM

                      Firewall > NAT, Outbound tab. Add rule to top.

                      • Disabled: Unchecked
                      • Do not NAT: Unchecked
                      • Interface: WAN (make one of these rules for each WAN)
                      • Protocol: any
                      • Source: This Firewall (self)
                      • Destination: any
                      • Not: Unchecked
                      • Translation Address: Interface Address
                      • Port or Range: Blank
                      • Description: NAT anything out from the firewall itself

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!
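
An added example, not part of jimp's post and not pfSense code: a small Python model of top-down, first-match outbound NAT evaluation in manual mode, showing why a query sourced from a firewall-owned address leaves the WAN untranslated until a "This Firewall (self)" rule exists. The WAN address, the 192.168.10.0/24 LAN, the VPN1_WAN interface name and the assumption that ntpd sources its query from 192.168.20.1 are constructed for illustration; only 192.168.20.0/24 (VPN_LAN) comes from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values: only 192.168.20.0/24 (VPN_LAN) comes from the thread.
WAN_ADDR = "203.0.113.10"                       # assumed WAN interface address
SELF = {WAN_ADDR, "192.168.20.1", "127.0.0.1"}  # assumed addresses owned by the firewall

@dataclass
class NatRule:
    interface: str
    source: str                     # CIDR, "any", or "self" (This Firewall)
    protocol: str = "any"
    dst_port: Optional[int] = None  # None = blank port field
    no_nat: bool = False            # the "Do not NAT" checkbox
    descr: str = ""

def matches(rule, iface, proto, src, dport):
    if rule.interface != iface or rule.protocol not in ("any", proto):
        return False
    if rule.dst_port not in (None, dport):
        return False
    if rule.source == "any":
        return True
    if rule.source == "self":
        return src in SELF
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule.source)

def translate(rules, iface, proto, src, dport):
    """Walk the list top-down; the first matching rule decides the source address."""
    for rule in rules:
        if matches(rule, iface, proto, src, dport):
            return (src if rule.no_nat else WAN_ADDR), rule.descr
    return src, "no rule matched"   # leaves the WAN with its private source

# Hypothetical manual-mode rule set that covers only the client subnets.
MANUAL = [
    NatRule("WAN", "192.168.10.0/24", descr="LAN to WAN"),
    NatRule("VPN1_WAN", "192.168.20.0/24", descr="VPN_LAN to VPN"),
]
# Same list with the rule from the post above added at the top.
FIXED = [NatRule("WAN", "self", descr="NAT anything out from the firewall itself")] + MANUAL

if __name__ == "__main__":
    ntp = ("WAN", "udp", "192.168.20.1", 123)   # ntpd query sourced from the VPN_LAN address
    print("manual:", translate(MANUAL, *ntp))
    print("fixed: ", translate(FIXED, *ntp))
```

On a live system the equivalent check is to compare the source address of the NTP state on the WAN with the WAN interface address after resetting states.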

                        beremonavabi @jimp
                        last edited by Jun 21, 2018, 4:06 PM

                        @jimp said in NTP Not Working [SOLVED (mostly)]:

                        Firewall > NAT, Outbound tab. Add rule to top.

                        Disabled: Unchecked
                        Do not NAT: Unchecked
                        Interface: WAN (make one of these rules for each WAN)
                        Protocol: any
                        Source: This Firewall (self)
                        Destination: any
                        Not: Unchecked
                        Translation Address: Interface Address
                        Port or Range: Blank
                        Description: NAT anything out from the firewall itself

                        Yay! Thanks, jimp. That got it. I had to reboot the pfSense box before it would work, though. I'd tried something similar a couple of weeks ago, but it was limited to UDP on port 123, was at the end of my list of outbound NAT rules, and, probably most importantly, I didn't reboot the box.

                          jimp Rebel Alliance Developer Netgate
                          last edited by Jun 21, 2018, 4:11 PM

                          You probably didn't need to reboot, just clear the states table (Diagnostics > States, Reset States tab)

                            PTZ-M @jimp
                            last edited by Mar 1, 2019, 1:02 PM

                            @jimp This rule does not work for me. Rather, it works, but before the first reboot of pfSense.

                              jimp Rebel Alliance Developer Netgate
                              last edited by Mar 1, 2019, 1:09 PM

                              Then you have a different issue than the OP of this thread. Start a new thread with details about your own setup.
