NTP redirection not working?
-
Following the instructions at https://linuxincluded.com/ntp-server-ip-blacklisted-nat-redirection-ftw/, I set up NTP redirection for one of my VLANs. The pfSense NTP server is set up on that interface, and I even specified the address under the NTP section of the DHCP settings for that VLAN.
However, when I complete a packet capture for port 123, I see almost constant attempts by several devices to synchronize their times, and if I am reading these captures correctly, it appears that they are unsuccessful? Can anyone have a look and confirm whether time synchronization is actually occurring? If not, how to troubleshoot?
14:13:21.486101 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 54396, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.40623 > 158.69.248.26.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331201.086684245 (2020/08/13 14:13:21) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331201.086684245 (2020/08/13 14:13:21)
14:13:21.486131 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24332, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331201.086955260 (2020/08/13 14:13:21) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331201.086955260 (2020/08/13 14:13:21)
14:13:21.486135 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 54397, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.40623 > 158.69.248.26.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331201.086823245 (2020/08/13 14:13:21) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331201.086823245 (2020/08/13 14:13:21)
14:13:21.486150 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 54398, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.40623 > 158.69.248.26.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331201.086877029 (2020/08/13 14:13:21) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331201.086877029 (2020/08/13 14:13:21)
14:13:23.487740 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24522, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331203.086794607 (2020/08/13 14:13:23) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331203.086794607 (2020/08/13 14:13:23)
14:13:23.487766 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3843, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331203.087066087 (2020/08/13 14:13:23) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331203.087066087 (2020/08/13 14:13:23)
14:13:23.487779 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24523, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331203.086931977 (2020/08/13 14:13:23) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331203.086931977 (2020/08/13 14:13:23)
14:13:23.487791 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24524, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331203.086986692 (2020/08/13 14:13:23) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331203.086986692 (2020/08/13 14:13:23)
14:13:25.486486 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3946, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331205.086670974 (2020/08/13 14:13:25) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331205.086670974 (2020/08/13 14:13:25)
14:13:25.486506 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 35614, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.33436 > 208.81.1.244.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331205.086941523 (2020/08/13 14:13:25) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331205.086941523 (2020/08/13 14:13:25)
14:13:25.486515 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3947, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331205.086807180 (2020/08/13 14:13:25) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331205.086807180 (2020/08/13 14:13:25)
14:13:25.486530 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3948, offset 0, flags [DF], proto UDP (17), length 76) 192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 Transmit Timestamp: 3806331205.086861662 (2020/08/13 14:13:25) Originator - Receive Timestamp: 0.000000000 Originator - Transmit Timestamp: 3806331205.086861662 (2020/08/13 14:13:25)
14:13:25.486595 00:08:a2:0d:43:32 > 44:73:d6:21:ec:94, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 35906, offset 0, flags [none], proto UDP (17), length 76) 206.108.0.131.123 > 192.168.112.139.59964: [bad udp cksum 0x006d -> 0x5c21!] NTPv4, length 48 Server, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 3806331205.086670974 (2020/08/13 14:13:25) Receive Timestamp: 3806331205.086670974 (2020/08/13 14:13:25) Transmit Timestamp: 3806331205.086670974 (2020/08/13 14:13:25) Originator - Receive Timestamp: -0.000000000 Originator - Transmit Timestamp: -0.000000000
-
There's an easier way. Instead of using NAT, etc., find out what the host name is for the IP address they're trying to reach and add them to your DNS as host overrides. This will send those NTP requests to the server of your choice. I did that with my tablet, to force it to use my NTP server.
-
That is smart. I will have to consider that instead. Are you able to tell from the packet capture I posted whether the NTP server is actually responding to the NAT-ed requests though?
-
Just use the host command in pfSense and Linux or nslookup in Windows. Here's an example using an address you provided.
/root: host 198.27.76.102
102.76.27.198.in-addr.arpa domain name pointer ip102.ip-198-27-76.net.
You create a host override for that name. Note, in those addresses you provided, the port number was included and you'll have to omit that.
Also, I didn't see any response. However, if the request is blocked, it's safe to assume you won't get a response.
-
Thanks.
For the very last snippet of my trace (see below), would this have been a response?
14:13:25.486595 00:08:a2:0d:43:32 > 44:73:d6:21:ec:94, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 35906, offset 0, flags [none], proto UDP (17), length 76) 206.108.0.131.123 > 192.168.112.139.59964: [bad udp cksum 0x006d -> 0x5c21!] NTPv4, length 48 Server, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0 Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec) Reference Timestamp: 0.000000000 Originator Timestamp: 3806331205.086670974 (2020/08/13 14:13:25) Receive Timestamp: 3806331205.086670974 (2020/08/13 14:13:25) Transmit Timestamp: 3806331205.086670974 (2020/08/13 14:13:25) Originator - Receive Timestamp: -0.000000000 Originator - Transmit Timestamp: -0.000000000
-
Yes, that appears to come from the first server tried. However, it also seems to have a bad checksum, so it would be discarded.
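An added example, not code from anyone in this thread: one way to answer "is synchronization actually occurring?" from `tcpdump -v` text is to pair each Server packet with the Client request it answers and apply the checks an RFC 5905 client makes before using a reply (leap indicator not "unsynchronized", stratum 1 to 15, origin timestamp equal to the request's transmit timestamp). The function name and the "echo" heuristic are assumptions of this example; the sample is abbreviated from the capture posted above.

```python
import re

# Request/reply pair abbreviated from the capture posted in this thread
# (link-layer header, dates and unused fields trimmed).
SAMPLE = [
    "192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48 "
    "Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), "
    "Originator Timestamp: 0.000000000 Receive Timestamp: 0.000000000 "
    "Transmit Timestamp: 3806331205.086670974",
    "206.108.0.131.123 > 192.168.112.139.59964: [bad udp cksum 0x006d -> 0x5c21!] "
    "NTPv4, length 48 Server, Leap indicator: clock unsynchronized (192), "
    "Stratum 0 (unspecified), Originator Timestamp: 3806331205.086670974 "
    "Receive Timestamp: 3806331205.086670974 "
    "Transmit Timestamp: 3806331205.086670974",
]

# One tcpdump -v NTP packet per input line; also matches the untrimmed lines.
PKT = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): \[(?P<cksum>[^\]]+)\] NTPv\d, length \d+ "
    r"(?P<mode>Client|Server), Leap indicator: .*?\((?P<li>\d+)\), "
    r"Stratum (?P<stratum>\d+).*?Originator Timestamp: (?P<org>[\d.]+)"
    r".*?Receive Timestamp: (?P<rec>[\d.]+).*?Transmit Timestamp: (?P<xmt>[\d.]+)"
)

def usable_replies(lines):
    """Return (server, checksum status, problems) for every Server packet."""
    pending, results = {}, []
    for m in filter(None, map(PKT.search, lines)):
        p = m.groupdict()
        if p["mode"] == "Client":
            pending[(p["src"], p["dst"])] = p["xmt"]  # remember request
            continue
        problems = []
        if pending.get((p["dst"], p["src"])) != p["org"]:
            problems.append("origin timestamp matches no request")
        if int(p["li"]) == 192:  # tcpdump shows the raw LI bits: 0xc0 is LI=3
            problems.append("leap indicator: unsynchronized")
        if not 1 <= int(p["stratum"]) <= 15:
            problems.append("stratum outside 1-15")
        if p["rec"] == p["org"] == p["xmt"]:  # heuristic, not an RFC test
            problems.append("rx/tx timestamps merely echo the request")
        results.append((p["src"], p["cksum"], problems))
    return results

if __name__ == "__main__":
    for server, cksum, problems in usable_replies(SAMPLE):
        print(server, "|", cksum, "|", "; ".join(problems) or "usable")
```

The checksum status is reported but not counted as a problem, because a capture taken on the sending host can show a bad UDP checksum when the NIC fills it in after the capture point (checksum offload).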