[RESOLVED] NTP problem



  • Hello
    I have a strange problem when trying to pass NTP traffic.

    My rule:
    Interface: LAN
    Protocol: TCP/UDP
    Source: Type: LAN subnet
    Destination: Type: Any
    Destination port range: 123 - 123

    The pfSense machine is the only host with access to NTP, but my target is passing NTP traffic to all computers in my network.
    In the logs I see the following information about the blocked connection:
    The rule that triggered this action is:

    @1 scrub in on em0 all fragment reassemble
    @1 block drop in log all label "Default deny rule"

    Please help


  • LAYER 8 Global Moderator

    Have you removed the default lan allow rule that should allow all traffic out of your lan by default?

    You should not need a special rule to allow clients on your lan to query ntp from your pfsense box.

    Is NTP running on your pfsense?  What version of pfsense are you running, I know they have made changes in 2.1 that changed to actual ntp vs openntp.

    BTW, NTP does not use TCP - it's a UDP protocol.



  • Have you removed the default lan allow rule that should allow all traffic out of your lan by default?

    I disabled it.

    You should not need a special rule to allow clients on your lan to query ntp from your pfsense box.

    I think the same way, but in the firewall log there is information about the blocked connection:

    Jun 21 22:41:23 LAN WindowsHost:123 pfSenseBox:123 UDP

    and:

    Jun 21 22:47:33 LAN LinuxHost:37064 pfSenseBox:123 UDP

    Here is the output from one of the clients trying to sync time from pfSense:

    ntpdate -d (any_address)
    21 Jun 22:39:38 ntpdate[18233]: ntpdate 4.2.2p1@1.1570-o Fri Nov 18 13:21:21 UTC 2011 (1)
    Looking for host (any_address) and service ntp
    host found : (any_address)
    transmit(any_address)
    transmit(any_address)
    transmit(any_address)
    transmit(any_address)
    transmit(any_address)
    (any_address): Server dropped: no data
    server (any_address), port 123
    stratum 0, precision 0, leap 00, trust 000
    refid [(any_address)], delay 0.00000, dispersion 64.00000
    transmitted 4, in filter 4
    reference time:    00000000.00000000  Thu, Feb  7 2036  7:28:16.000
    originate timestamp: 00000000.00000000  Thu, Feb  7 2036  7:28:16.000
    transmit timestamp:  d38e050d.43d199bb  Thu, Jun 21 2012 22:39:41.264
    filter delay:  0.00000  0.00000  0.00000  0.00000
            0.00000  0.00000  0.00000  0.00000
    filter offset: 0.000000 0.000000 0.000000 0.000000
            0.000000 0.000000 0.000000 0.000000
    delay 0.00000, dispersion 64.00000
    offset 0.000000

    All outgoing connections from this machine are allowed. The Windows client can't sync either.
    It doesn't matter if I try to sync with pfSense or some other external host.

    Is NTP running on your pfsense?  What version of pfsense are you running, I know they have made changes in 2.1 that changed to actual ntp vs openntp.

    Yes, it's running on pfSense too. My version is: 2.0.1-RELEASE (amd64), built on Mon Dec 12 18:43:51 EST 2011, FreeBSD 8.1-RELEASE-p6

    Please help
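The two blocked flows quoted above are what the pfSense firewall log shows when no LAN rule on the interface matches a packet and it falls through to the default deny. The following is an added example (not code from the thread or from pfSense) that parses log lines in that layout and evaluates the extracted flow against a small pfSense-style rule list: rules are tried top-down, the first match wins, and no match means "Default deny rule". The LAN subnet (192.168.1.0/24), the host addresses and the rule labels are constructed assumptions; the thread does not give them. The rule itself is the one from the first post, transcribed into this example's own data type.

```python
"""Added example (not from the thread or pfSense): parse firewall-log lines in
the layout shown in the thread and evaluate the extracted flow against a
pfSense-style rule list for one interface. pfSense GUI rules are first-match
(they are installed as 'quick' pf rules); a flow that matches no rule falls
through to the default deny. Subnet, hosts and rule labels are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed assumption: the LAN interface network (the thread does not give it)
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# "Jun 21 22:47:33 LAN 192.168.1.30:37064 192.168.1.1:123 UDP"
LOG_RE = re.compile(
    r"^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\S+)$"
)


@dataclass
class Flow:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log_line(line: str) -> Flow:
    """Split one log line of the thread's layout into a flow (5-tuple plus interface)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Flow(m["iface"], m["proto"].upper(), m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]))


@dataclass
class Rule:
    label: str
    action: str               # "pass" or "block"
    iface: str
    protos: Tuple[str, ...]   # e.g. ("TCP", "UDP"); empty tuple = any protocol
    source: str               # "any", "LAN subnet", or a CIDR string
    dport: Optional[int]      # None = any destination port (source port is never checked)


def _src_matches(rule_src: str, addr: str) -> bool:
    if rule_src == "any":
        return True
    net = LAN_SUBNET if rule_src == "LAN subnet" else ipaddress.ip_network(rule_src)
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False  # an anonymised host name (as in the thread) can never match a subnet


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; no match means the implicit default deny."""
    for r in rules:
        if r.iface != flow.iface:
            continue
        if r.protos and flow.proto not in r.protos:
            continue
        if not _src_matches(r.source, flow.src):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action, r.label
    return "block", "Default deny rule"


# The rule from the first post: LAN, TCP/UDP, source LAN subnet, destination any, port 123
OP_RULE = Rule("allow NTP", "pass", "LAN", ("TCP", "UDP"), "LAN subnet", 123)
# The default LAN-to-any rule the moderator refers to
DEFAULT_LAN_ALLOW = Rule("Default allow LAN to any rule", "pass", "LAN", (), "LAN subnet", None)

if __name__ == "__main__":
    # Constructed log lines in the thread's layout, with addresses instead of names
    for line in [
        "Jun 21 22:41:23 LAN 192.168.1.20:123 192.168.1.1:123 UDP",
        "Jun 21 22:47:33 LAN 192.168.1.30:37064 192.168.1.1:123 UDP",
        "Jun 21 22:48:01 LAN 10.0.0.5:37064 192.168.1.1:123 UDP",
        "Jun 21 22:49:10 LAN 192.168.1.30:51000 203.0.113.10:80 TCP",
    ]:
        flow = parse_log_line(line)
        print(line, "->", evaluate([OP_RULE], flow),
              "| with the default LAN rule:", evaluate([DEFAULT_LAN_ALLOW], flow))
```

Two things the run shows: a source address outside the LAN subnet arriving on the LAN interface never matches a "LAN subnet" source and lands on the default deny, which is the moderator's reason for suggesting source "any" when there are several LAN segments; and because the NTP rule only constrains the destination port, a client query sent from source port 123 matches it exactly like one sent from an ephemeral port.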


  • LAYER 8 Global Moderator

    And why did you disable the default LAN rule?

    What are your LAN rules?  You say your source is LAN subnet, but maybe that is not working if it is being blocked.  Please post screenshots of your LAN rules.  From your first post you're getting blocked by the default deny rule, so that means whatever rules you wrote are not being met for allow.

    Do you have multiple LAN segments?  If not, just have the source be ANY.  Why does that block show your Windows machine coming from source port 123?  That is not how NTP works.

    Example - this is a query to my pfSense box from my Windows box.  Also, why are you hiding your IPs?  There is no reason to hide a private address.  Are your LAN interfaces in public address space?

    C:\Windows\system32>ntpdate -d 192.168.1.253
    21 Jun 21:56:41 ntpdate[1984]: ntpdate 4.2.6p5-o Dec 24 23:49:25.23 (UTC-00:00) 2011  (1)
    21 Jun 21:56:41 ntpdate[1984]: Raised to realtime priority class
    transmit(192.168.1.253)
    receive(192.168.1.253)
    transmit(192.168.1.253)
    receive(192.168.1.253)
    transmit(192.168.1.253)
    receive(192.168.1.253)
    transmit(192.168.1.253)
    receive(192.168.1.253)
    server 192.168.1.253, port 123
    stratum 3, precision -19, leap 00, trust 000
    refid [192.168.1.253], delay 0.02547, dispersion 0.00018
    transmitted 4, in filter 4
    reference time:    d38e5710.73f8107a  Thu, Jun 21 2012 21:29:36.453
    originate timestamp: d38e5d6f.ddc35896  Thu, Jun 21 2012 21:56:47.866
    transmit timestamp:  d38e5d6f.b8d4fdf3  Thu, Jun 21 2012 21:56:47.722
    filter delay:  0.02647  0.02647  0.02547  0.02547
            0.00000  0.00000  0.00000  0.00000
    filter offset: 0.143691 0.143660 0.144132 0.144191
            0.000000 0.000000 0.000000 0.000000
    delay 0.02547, dispersion 0.00018
    offset 0.144132

    So here is a Wireshark capture of the above query; notice the source port from the client - it's NOT 123. The query would be from a random port above 1024, so something is wrong there if the query is coming from source port 123 as well.

    The only time 123 would be the source is for the server responding to the client on whatever its random port was.  In my case that was 61978.
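The two ntpdate transcripts in this thread (one with four transmits and no receive, one with a reply per transmit) are the client side of a plain NTP exchange. The code below is an added example, not code from the thread, ntpdate or pfSense: it builds the mode-3 client query, sends it from an ephemeral source port chosen by the kernel, parses the mode-4 server reply and converts the 64-bit NTP timestamps ntpdate prints (for instance the transmit timestamp d38e5d6f.b8d4fdf3 above) to Unix time. The reply bytes are constructed from values shown in the moderator's transcript (stratum 3, precision -19, refid 192.168.1.253); the empty originate field is a simplification.

```python
"""Added example, not code from the thread, ntpdate or pfSense: build the
NTP mode-3 query a client sends, parse the mode-4 reply, and convert the
64-bit NTP timestamps ntpdate prints (e.g. d38e5d6f.b8d4fdf3) to Unix time.
The reply bytes below are constructed from values shown in the thread."""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
NTP_HDR = "!BBbbII4s8I"          # 48-byte header: LI/VN/mode, stratum, poll, precision,
                                 # root delay, root dispersion, refid, 4 x 64-bit timestamps


def ntp_to_unix(seconds: int, fraction: int) -> float:
    """Convert an NTP timestamp (32-bit seconds . 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def utc_string(unix: float) -> str:
    """Render a Unix time as UTC; ntpdate prints local time, so the hour differs."""
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(unix))


def build_client_query(now: float) -> bytes:
    """NTPv4 client packet: LI=0, VN=4, Mode=3; only the transmit timestamp is filled."""
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now - int(now)) * 2 ** 32)
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(NTP_HDR, li_vn_mode, 0, 6, -20, 0, 0, b"\0\0\0\0",
                       0, 0, 0, 0, 0, 0, secs, frac)


def parse_reply(data: bytes) -> dict:
    """Decode a server reply; the mode field must be 4 (server)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    fields = struct.unpack(NTP_HDR, data[:48])
    li_vn_mode, stratum, _poll, precision, _rdelay, _rdisp, refid = fields[:7]
    ts = fields[7:]
    mode = li_vn_mode & 0x7
    if mode != 4:
        raise ValueError(f"expected mode 4 (server), got {mode}")
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "stratum": stratum,
        "precision": precision,
        # stratum 0/1 carry a 4-character code in refid, higher strata the upstream IPv4 address
        "refid": socket.inet_ntoa(refid) if stratum > 1 else refid.decode("ascii", "replace"),
        "reference": ntp_to_unix(ts[0], ts[1]),
        "originate": ntp_to_unix(ts[2], ts[3]),
        "receive": ntp_to_unix(ts[4], ts[5]),
        "transmit": ntp_to_unix(ts[6], ts[7]),
    }


def query(server: str, timeout: float = 2.0):
    """One round trip from a kernel-chosen ephemeral source port (bind to port 0).
    Returns None if nothing comes back, which ntpdate reports as
    'Server dropped: no data' with stratum 0 and dispersion 64."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", 0))
        s.settimeout(timeout)
        s.sendto(build_client_query(time.time()), (server, 123))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_reply(data)


# Constructed reply: stratum 3, precision -19, refid 192.168.1.253, reference and
# transmit timestamps taken from the ntpdate output in the thread.
SAMPLE_REPLY = struct.pack(NTP_HDR, (4 << 3) | 4, 3, 6, -19, 0, 0,
                           socket.inet_aton("192.168.1.253"),
                           0xd38e5710, 0x73f8107a,   # reference time
                           0, 0,                     # originate (client's transmit), left empty
                           0xd38e5d6f, 0xb8d4fdf3,   # receive
                           0xd38e5d6f, 0xb8d4fdf3)   # transmit

if __name__ == "__main__":
    r = parse_reply(SAMPLE_REPLY)
    print("stratum", r["stratum"], "precision", r["precision"], "refid", r["refid"])
    print("transmit timestamp d38e5d6f.b8d4fdf3 =", utc_string(r["transmit"]), "UTC")
```

Running the module prints the transmit timestamp as 2012-06-22 02:56:47 UTC, which is the 21:56:47 local time in the moderator's transcript once the time zone offset is applied. `query()` needs a reachable server, so it is not exercised by the embedded sample. One caveat on the source-port point above: a client that binds to port 0 gets an ephemeral port, as this code and ntpdate do, but the Windows Time service (w32time) sends its queries from UDP source port 123, so a log entry from a Windows host with source port 123 is normal for that client and is not by itself a sign of trouble. A firewall rule that matches on destination port 123 and leaves the source port unconstrained covers both kinds of client.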




  • The solution was simpler than I expected.
    A week ago I was testing squid with lightsquid in pfSense.
    I removed squid without removing lightsquid, and that was the reason for my problems - the firewall was still using the old rule set (the reload was failing).

    Case closed ;)
    Thank you very much for your attention.

