Netgate Discussion Forum

NTP server issues

General pfSense Questions
  • S
    stephenw10 Netgate Administrator
    last edited by Apr 12, 2020, 4:14 PM

    /var/etc/ntpd.conf

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Apr 12, 2020, 4:15 PM

      See I am only listening on a few interfaces...

      [2.4.5-RELEASE][admin@sg4860.local.lan]/root: cat /var/etc/ntpd.conf 
      # 
      # pfSense ntp configuration file 
      # 
      
      tinker panic 0 
      # Orphan mode stratum
      tos orphan 12
      
      
      # Upstream Servers
      server 192.168.3.32 iburst maxpoll 9 prefer
      pool us.pool.ntp.org iburst maxpoll 9
      
      
      enable stats
      statistics clockstats loopstats peerstats
      statsdir /var/log/ntp
      logconfig =syncall +clockall +peerall +sysall
      driftfile /var/db/ntpd.drift
      restrict default kod limited nomodify nopeer notrap
      restrict -6 default kod limited nomodify nopeer notrap
      restrict source kod limited nomodify notrap
      interface ignore all
      interface ignore wildcard
      interface listen igb3
      interface listen igb0
      interface listen igb2
      interface listen igb2.4
      interface listen igb5
      [2.4.5-RELEASE][admin@sg4860.local.lan]/root: 
      

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • 4
        4o4rh @johnpoz
        last edited by Apr 12, 2020, 4:22 PM

        @johnpoz I want to listen on the lan interfaces for switches/access point devices and vlans for end user equip.

        I have the same config for each of the VPNs and they work

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz Apr 12, 2020, 4:28 PM Apr 12, 2020, 4:25 PM

          Exactly, I only listen on a few of my local lan side interfaces... I don't see ::1/128 listed there.. maybe it's trying to do ipv6?

          I really don't see the point of doing manual outbound nat.. Why would you not just use automatic, and set hybrid for the stuff you want to policy route out your vpn..

          Do you not have ntp listening on an interface that you nat?

          • 4
            4o4rh @johnpoz
            last edited by Apr 12, 2020, 4:30 PM

            @johnpoz If I use a single LAN interface, it looks like this

            # 
            # pfSense ntp configuration file 
            # 
            
            tinker panic 0 
            # Orphan mode stratum
            tos orphan 12
            
            
            # Upstream Servers
            pool nl.pool.ntp.org iburst maxpoll 9
            pool de.pool.ntp.org iburst maxpoll 9
            
            
            enable stats
            statistics clockstats loopstats peerstats
            statsdir /var/log/ntp
            logconfig =syncall +clockall +peerall +sysall
            driftfile /var/db/ntpd.drift
            restrict default kod limited nomodify nopeer notrap
            restrict -6 default kod limited nomodify nopeer notrap
            restrict source kod limited nomodify notrap
            interface ignore all
            interface ignore wildcard
            interface listen igb1
            

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz Apr 12, 2020, 4:35 PM Apr 12, 2020, 4:34 PM

              So you have a vip on igb1?

              I would sniff on your wan - do you see traffic going out to those servers? With source IP natted to your wan IP?

              Is your default route out your wan, or via vpn.. IE you pulled routes?

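The WAN check suggested in the post above, as an added example that is not part of the original thread: it reads `tcpdump -n` text captured on the WAN for UDP port 123 and lists NTP requests that left with a source other than the WAN address, plus the servers that never answered. The capture lines, the addresses (documentation ranges) and the function name `audit_wan_ntp` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -ni <wan> udp port 123` output (not from the thread).
# 203.0.113.7 stands in for the WAN address, 198.51.100.x for upstream NTP servers.
SAMPLE_CAPTURE = """\
16:31:02.101234 IP 192.168.1.1.123 > 198.51.100.10.123: NTPv4, Client, length 48
16:31:03.101901 IP 192.168.1.1.123 > 198.51.100.20.123: NTPv4, Client, length 48
16:31:04.220017 IP 203.0.113.7.123 > 198.51.100.30.123: NTPv4, Client, length 48
16:31:04.251340 IP 198.51.100.30.123 > 203.0.113.7.123: NTPv4, Server, length 48
"""

# src.port > dst.port: NTPvN, <mode>
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): NTPv\d, (?P<mode>\w+)"
)


def audit_wan_ntp(capture_text, wan_ip):
    """Report outbound NTP requests not sourced from wan_ip and unanswered servers."""
    wan = ipaddress.ip_address(wan_ip)
    unnatted = []                   # (source, server) pairs that left the WAN un-NATed
    asked, answered = set(), set()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                # not an IPv4 NTP line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if m["mode"] == "Client" and m["dport"] == "123" and dst != wan:
            asked.add(dst)
            if src != wan:          # outbound NAT did not rewrite the source
                unnatted.append((str(src), str(dst)))
        elif m["mode"] == "Server" and dst == wan:
            answered.add(src)       # reply reached the WAN address
    return {
        "unnatted": unnatted,
        "unanswered": sorted(str(ip) for ip in asked - answered),
    }


if __name__ == "__main__":
    report = audit_wan_ntp(SAMPLE_CAPTURE, "203.0.113.7")
    for src, dst in report["unnatted"]:
        print(f"un-NATed request: {src} -> {dst}")
    print("servers that never replied:", ", ".join(report["unanswered"]) or "none")
```
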
              • 4
                4o4rh @johnpoz
                last edited by Apr 12, 2020, 4:35 PM

                @johnpoz if you mean the 10.10.10.1, it is coming from pfBlocker - I am disabling that and snort to check the effect

                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Apr 12, 2020, 4:37 PM

                  Snort huh... yeah could be problematic..

                  But it's a given if your ntpd cannot get into sync by talking to the ntp servers you point it to, either direct or pool, then no clients would sync with it. ;) since it's not a valid time source until it has gotten into sync with a valid time source.

                  • 4
                    4o4rh @johnpoz
                    last edited by Apr 12, 2020, 6:13 PM

                    thanks guys for all the help. I found the answer in here.
                    https://forum.netgate.com/topic/131506/ntp-not-working-solved-totally/27

                    by jimp Rebel Alliance Developer Netgate Jun 21, 2018, 5:27 PM

                    Firewall > NAT, Outbound tab. Add rule to top.
                    Disabled: Unchecked
                    Do not NAT: Unchecked
                    Interface: WAN (make one of these rules for each WAN)
                    Protocol: any
                    Source: This Firewall (self)
                    Destination: any
                    Not: Unchecked
                    Translation Address: Interface Address
                    Port or Range: Blank
                    Description: NAT anything out from the firewall itself

                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Apr 12, 2020, 6:33 PM

                      So the problem was I thought you were not natting.. Which prob has something to do with manual nats and all your vpn interfaces...

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.