NTP redirection not working?

pfguy2018

Following the instructions at https://linuxincluded.com/ntp-server-ip-blacklisted-nat-redirection-ftw/ , I set up NTP redirection for one of my vlans. The pfSense NTP server is set up on that interface, and I even specified the address under the NTP section of the DHCP settings for that vlan.

However, when I complete a packet capture for port 123, I see almost constant attempts by several devices to synchronize their times, and if I am reading these captures correctly, it appears that they are unsuccessful? Can anyone have a look and confirm whether time synchronization is actually occurring? If not, how to troubleshoot?

14:13:21.486101 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 54396, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.40623 > 158.69.248.26.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331201.086684245 (2020/08/13 14:13:21)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331201.086684245 (2020/08/13 14:13:21)
14:13:21.486131 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24332, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331201.086955260 (2020/08/13 14:13:21)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331201.086955260 (2020/08/13 14:13:21)
14:13:21.486135 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 54397, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.40623 > 158.69.248.26.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331201.086823245 (2020/08/13 14:13:21)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331201.086823245 (2020/08/13 14:13:21)
14:13:21.486150 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 54398, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.40623 > 158.69.248.26.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331201.086877029 (2020/08/13 14:13:21)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331201.086877029 (2020/08/13 14:13:21)
14:13:23.487740 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24522, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331203.086794607 (2020/08/13 14:13:23)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331203.086794607 (2020/08/13 14:13:23)
14:13:23.487766 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3843, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331203.087066087 (2020/08/13 14:13:23)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331203.087066087 (2020/08/13 14:13:23)
14:13:23.487779 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24523, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331203.086931977 (2020/08/13 14:13:23)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331203.086931977 (2020/08/13 14:13:23)
14:13:23.487791 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 24524, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.52984 > 198.27.76.102.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331203.086986692 (2020/08/13 14:13:23)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331203.086986692 (2020/08/13 14:13:23)
14:13:25.486486 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3946, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331205.086670974 (2020/08/13 14:13:25)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331205.086670974 (2020/08/13 14:13:25)
14:13:25.486506 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 35614, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.33436 > 208.81.1.244.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331205.086941523 (2020/08/13 14:13:25)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331205.086941523 (2020/08/13 14:13:25)
14:13:25.486515 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3947, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331205.086807180 (2020/08/13 14:13:25)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331205.086807180 (2020/08/13 14:13:25)
14:13:25.486530 44:73:d6:21:ec:94 > 00:08:a2:0d:43:32, ethertype IPv4 (0x0800), length 90: (tos 0x10, ttl 64, id 3948, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.112.139.59964 > 206.108.0.131.123: [udp sum ok] NTPv4, length 48
	Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3806331205.086861662 (2020/08/13 14:13:25)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3806331205.086861662 (2020/08/13 14:13:25)
14:13:25.486595 00:08:a2:0d:43:32 > 44:73:d6:21:ec:94, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 35906, offset 0, flags [none], proto UDP (17), length 76)
    206.108.0.131.123 > 192.168.112.139.59964: [bad udp cksum 0x006d -> 0x5c21!] NTPv4, length 48
	Server, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 3806331205.086670974 (2020/08/13 14:13:25)
	  Receive Timestamp:    3806331205.086670974 (2020/08/13 14:13:25)
	  Transmit Timestamp:   3806331205.086670974 (2020/08/13 14:13:25)
	    Originator - Receive Timestamp:  -0.000000000
	    Originator - Transmit Timestamp: -0.000000000

JKnott

@pfguy2018

There's an easier way. Instead of using NAT, etc. find out what the host name is for the IP address they're trying to reach and add them to your DNS as host overrides. This will sent those NTP requests to the server of your choice. I did that with my tablet, to force it to use my NTP server.

pfguy2018

That is smart. I will have to consider that instead. Are you able to tell from the packet capture I posted whether the NTP server is actually responding to the NAT-ed requests though?

JKnott

@pfguy2018

Just use the host command in pfSense and Linux or nslookup in Windows. Here's an example using an address you provided.

/root: host 198.27.76.102
102.76.27.198.in-addr.arpa domain name pointer ip102.ip-198-27-76.net. You create a host override for that name.

Note, in those addresses you provided, the port number was included and you'll have to omit that.

Also, I didn't see any response. However, if the request is blocked, it's safe to assume you won't get a response.

pfguy2018

@JKnott

Thanks.

For the very last snippet of my trace (see below), would this have been a response?

14:13:25.486595 00:08:a2:0d:43:32 > 44:73:d6:21:ec:94, ethertype IPv4 (0x0800), length 90: (tos 0xb8, ttl 64, id 35906, offset 0, flags [none], proto UDP (17), length 76)
    206.108.0.131.123 > 192.168.112.139.59964: [bad udp cksum 0x006d -> 0x5c21!] NTPv4, length 48
	Server, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 10 (1024s), precision 0
	Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
	  Reference Timestamp:  0.000000000
	  Originator Timestamp: 3806331205.086670974 (2020/08/13 14:13:25)
	  Receive Timestamp:    3806331205.086670974 (2020/08/13 14:13:25)
	  Transmit Timestamp:   3806331205.086670974 (2020/08/13 14:13:25)
	    Originator - Receive Timestamp:  -0.000000000
	    Originator - Transmit Timestamp: -0.000000000

JKnott

@pfguy2018

Yes, that appears to come from the first server tried. However, it also seems to have a bad checksum, so it would be discarded.