NTP refuses to work
-
Hello! It seems my pfSense firewall wants to annoy me lately, first fighting me with my doorbell and now with NTP lol. I noticed my PC clock was off. It's a member of an Active Directory domain, so I logged into the domain controller to configure NTP. I set it so it would sync with pool.ntp.org, but it refused to work. Tried a whole bunch of NTP servers, but it never worked. In pf's NAT setup I have WAN address UDP 123 redirected to the DC's IP. I also tried TCP/UDP just for the heck of it, but to no end. I plugged my DC directly into my cable modem and set up one of my cable static IPs on it. I ran the time sync and it worked perfectly. As soon as I try to connect to the net through pfSense though, I can't use NTP. My sister also said she had the same problem using Ubuntu from within my network, so I figured it's likely not just a Windows issue.
I figured then OK, I see pfSense has an NTP server of its own. PF is connected to the internet via one of my static IPs, so it should be able to get NTP sync fine, and I assume its NTP service means it can offer NTP to clients on my LAN. So I set that up following instructions I saw when Googling. I have no clue what the logs mean, lol, I can't tell if it is working or not. However, syncing to it from a workstation on the network doesn't work either (I tried a system not on the domain to rule that variable out, poked a hole in the workstation firewall for 123 and set my NTP to the pfSense LAN IP, but still no love).
https://imgur.com/a/PfFWHtO = configuration, status and logs
Any suggestions? I'm so frustrated I'm ready to just suck it up and buy pfSense paid support to get this resolved but I'm not made of money so I'd rather avoid that if I can, heh.
-
I'd suggest you remove the NAT on UDP 123.
NTP should synchronize with the basic outbound NAT configured by pfSense. If you want your DC to sync to "external" NTP servers, you would need (on the DC LAN) to open up (firewall rule) UDP 123 to "any".
If sync comes from pfSense, you'd need (on the DC LAN) to open up (firewall rule) UDP 123 to the "pfSense DC LAN IP".
/Bingo
-
@strahan said in NTP refuses to work:
In pf's NAT setup I have WAN address UDP 123 redirected to the DC's IP.
That rule must exclude your internal NTP server, otherwise your internal time server will never be able to sync its time to an external source.
-
Thanks. I've removed the NTP NAT entry, but alas it still doesn't sync.
O. M. G. I feel like such a !@%$#@ idiot. I was collecting screenshots of NAT and firewall status for the thread, and when I went to LAN rules there was a block for NTP on *. It was part of a bunch of rules I had set up to block Alexa at one point when I had Googled what ports it uses, as my friend kept annoying me asking the Echo to play stupid crap. I totally forgot I had done that.
Removed the rule and wouldn't you know it, time synced :) God I feel stupid lol. Thanks!
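An added example, not from anyone in the thread: a small shell check that scans pf's rule listings for anything touching UDP 123, so the two causes discussed above (a forgotten LAN block on NTP, and a WAN redirect that also catches the internal time server's own outbound queries) are spotted before changing anything. The rule lines below are constructed in pfctl's print style; the interface names, addresses and labels are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Scans pf rule listings for anything that
# touches NTP (UDP 123). On pfSense the listings come from:
#   pfctl -sr   (filter rules)      pfctl -sn   (NAT/rdr rules)
# Feed both through ntp_verdict on stdin, as root on the firewall itself.

# Constructed sample in pfctl's print style. pfctl names well-known ports from
# /etc/services, so both "port = ntp" and "port = 123" are matched below.
SAMPLE_RULES='pass in quick on igb1 inet from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN"
block drop in quick on igb1 inet proto udp from any to any port = ntp label "USER_RULE: Block Alexa"
block drop in quick on igb1 inet proto tcp from any to any port = 4070 label "USER_RULE: Block Alexa"
rdr on igb0 inet proto udp from any to 203.0.113.10 port = 123 -> 192.168.1.5'

# Print the lines that name port 123 ("port = ntp", "port 123", "port ntp"...).
ntp_rules() {
    grep -E 'port[ =]*(ntp|123)([^0-9]|$)'
}

# Count the lines in $2 whose action keyword (block, rdr, pass...) is $1.
count_ntp() {
    printf '%s\n' "$2" | grep -c "^$1" || true
}

# Read a rule listing on stdin and print one word:
#   BLOCKED     a filter rule drops NTP (the forgotten LAN rule in the thread)
#   REDIRECTED  no block, but a rdr grabs port 123 (the DC behind it never
#               reaches an external source, as noted above)
#   OK          nothing touches NTP; plain outbound NAT carries it
ntp_verdict() {
    matched=$(ntp_rules || true)
    if [ "$(count_ntp block "$matched")" -gt 0 ]; then
        echo BLOCKED
    elif [ "$(count_ntp rdr "$matched")" -gt 0 ]; then
        echo REDIRECTED
    else
        echo OK
    fi
}

# Usage on the sample; on pfSense: { pfctl -sr; pfctl -sn; } | ntp_verdict
printf '%s\n' "$SAMPLE_RULES" | ntp_rules
printf '%s\n' "$SAMPLE_RULES" | ntp_verdict
```

The check only flags rules by port; it does not evaluate rule order, so treat BLOCKED as "go look at that rule in the LAN tab", not as a full rule-set simulation.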