Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    NTP redirection not working?

    General pfSense Questions
    2
    6
    40
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfguy2018 last edited by

      Following the instructions at https://linuxincluded.com/ntp-server-ip-blacklisted-nat-redirection-ftw/ , I set up NTP redirection for one of my vlans. The pfSense NTP server is set up on that interface, and I even specified the address under the NTP section of the DHCP settings for that vlan.

      However, when I complete a packet capture for port 123, I see almost constant attempts by several devices to synchronize their times, and if I am reading these captures correctly, it appears that they are unsuccessful? Can anyone have a look and confirm whether time synchronization is actually occurring? If not, how to troubleshoot?

      14:13:21.486101 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 54396, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.40623 > 158.69.248.26.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331201.086684245 (2020/08/13 14:13:21)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331201.086684245 (2020/08/13 14:13:21)
      14:13:21.486131 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24332, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331201.086955260 (2020/08/13 14:13:21)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331201.086955260 (2020/08/13 14:13:21)
      14:13:21.486135 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 54397, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.40623 > 158.69.248.26.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331201.086823245 (2020/08/13 14:13:21)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331201.086823245 (2020/08/13 14:13:21)
      14:13:21.486150 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 54398, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.40623 > 158.69.248.26.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331201.086877029 (2020/08/13 14:13:21)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331201.086877029 (2020/08/13 14:13:21)
      14:13:23.487740 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24522, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331203.086794607 (2020/08/13 14:13:23)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331203.086794607 (2020/08/13 14:13:23)
      14:13:23.487766 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3843, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331203.087066087 (2020/08/13 14:13:23)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331203.087066087 (2020/08/13 14:13:23)
      14:13:23.487779 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24523, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331203.086931977 (2020/08/13 14:13:23)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331203.086931977 (2020/08/13 14:13:23)
      14:13:23.487791 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24524, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331203.086986692 (2020/08/13 14:13:23)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331203.086986692 (2020/08/13 14:13:23)
      14:13:25.486486 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3946, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331205.086670974 (2020/08/13 14:13:25)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331205.086670974 (2020/08/13 14:13:25)
      14:13:25.486506 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 35614, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.33436 > 208.81.1.244.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331205.086941523 (2020/08/13 14:13:25)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331205.086941523 (2020/08/13 14:13:25)
      14:13:25.486515 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3947, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331205.086807180 (2020/08/13 14:13:25)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331205.086807180 (2020/08/13 14:13:25)
      14:13:25.486530 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3948, offset 0, flags [DF], proto UDP (17), length 76)
          192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48
      	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 0.000000000
      	  Receive Timestamp:    0.000000000
      	  Transmit Timestamp:   3806331205.086861662 (2020/08/13 14:13:25)
      	    Originator - Receive Timestamp:  0.000000000
      	    Originator - Transmit Timestamp: 3806331205.086861662 (2020/08/13 14:13:25)
      14:13:25.486595 00:08:a2:0d:43:32 > 44:73:d6:21:ec:94, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 35906, offset 0, flags [none], proto UDP (17), length 76)
          206.108.0.131.123 > 192.168.112.139.59964: [bad udp cksum 0x006d -> 0x5c21!] NTPv4, length 48
      	Server, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
      	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      	  Reference Timestamp:  0.000000000
      	  Originator Timestamp: 3806331205.086670974 (2020/08/13 14:13:25)
      	  Receive Timestamp:    3806331205.086670974 (2020/08/13 14:13:25)
      	  Transmit Timestamp:   3806331205.086670974 (2020/08/13 14:13:25)
      	    Originator - Receive Timestamp:  -0.000000000
      	    Originator - Transmit Timestamp: -0.000000000
      
      
      JKnott 1 Reply Last reply Reply Quote 0
      • JKnott
        JKnott @pfguy2018 last edited by

        @pfguy2018

        There's an easier way. Instead of using NAT, etc. find out what the host name is for the IP address they're trying to reach and add them to your DNS as host overrides. This will sent those NTP requests to the server of your choice. I did that with my tablet, to force it to use my NTP server.

        1 Reply Last reply Reply Quote 0
        • P
          pfguy2018 last edited by

          That is smart. I will have to consider that instead. Are you able to tell from the packet capture I posted whether the NTP server is actually responding to the NAT-ed requests though?

          JKnott 1 Reply Last reply Reply Quote 0
          • JKnott
            JKnott @pfguy2018 last edited by JKnott

            @pfguy2018

            Just use the host command in pfSense and Linux or nslookup in Windows. Here's an example using an address you provided.

            /root: host 198.27.76.102
            102.76.27.198.in-addr.arpa domain name pointer ip102.ip-198-27-76.net. You create a host override for that name.

            Note, in those addresses you provided, the port number was included and you'll have to omit that.

            Also, I didn't see any response. However, if the request is blocked, it's safe to assume you won't get a response.

            P 1 Reply Last reply Reply Quote 0
            • P
              pfguy2018 @JKnott last edited by

              @JKnott

              Thanks.

              For the very last snippet of my trace (see below), would this have been a response?

              14:13:25.486595 00:08:a2:0d:43:32 > 44:73:d6:21:ec:94, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 35906, offset 0, flags [none], proto UDP (17), length 76)
                  206.108.0.131.123 > 192.168.112.139.59964: [bad udp cksum 0x006d -> 0x5c21!] NTPv4, length 48
              	Server, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
              	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
              	  Reference Timestamp:  0.000000000
              	  Originator Timestamp: 3806331205.086670974 (2020/08/13 14:13:25)
              	  Receive Timestamp:    3806331205.086670974 (2020/08/13 14:13:25)
              	  Transmit Timestamp:   3806331205.086670974 (2020/08/13 14:13:25)
              	    Originator - Receive Timestamp:  -0.000000000
              	    Originator - Transmit Timestamp: -0.000000000
              
              JKnott 1 Reply Last reply Reply Quote 0
              • JKnott
                JKnott @pfguy2018 last edited by

                @pfguy2018

                Yes, that appears to come from the first server tried. However, it also seems to have a bad checksum, so it would be discarded.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post

                Products

                • Platform Overview
                • TNSR
                • pfSense
                • Appliances

                Services

                • Training
                • Professional Services

                Support

                • Subscription Plans
                • Contact Support
                • Product Lifecycle
                • Documentation

                News

                • Media Coverage
                • Press
                • Events

                Resources

                • Blog
                • FAQ
                • Find a Partner
                • Resource Library
                • Security Information

                Company

                • About Us
                • Careers
                • Partners
                • Contact Us
                • Legal
                Our Mission

                We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                Subscribe to our Newsletter

                Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                © 2021 Rubicon Communications, LLC | Privacy Policy