Netgate Discussion Forum

    [RESOLVED] NTP problem

    Firewalling
    5 Posts 2 Posters 6.3k Views
    tomasz.night

      Hello
      I have a strange problem when trying to pass NTP traffic.

      My rule:
      Interface: LAN
      Protocol: TCP/UDP
      Source: Type: LAN subnet
      Destination: Type: Any
      Destination port range: 123 - 123

      The pfSense machine is the only host with access to NTP, but my target is passing NTP traffic to all computers in my network.
      In the logs I see the following information about the blocked connection:
      The rule that triggered this action is:

      @1 scrub in on em0 all fragment reassemble
      @1 block drop in log all label "Default deny rule"

      Please help

      johnpoz LAYER 8 Global Moderator

        Have you removed the default lan allow rule that should allow all traffic out of your lan by default?

        You should not need a special rule to allow clients on your lan to query ntp from your pfsense box.

        Is NTP running on your pfSense? What version of pfSense are you running? I know they have made changes in 2.1 that changed to actual ntp vs openntp.

        BTW, ntp does not use TCP - it's a UDP protocol.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        tomasz.night

          > Have you removed the default lan allow rule that should allow all traffic out of your lan by default?

          I disabled it.

          > You should not need a special rule to allow clients on your lan to query ntp from your pfsense box.

          I think the same way, but in the firewall log there is information about blocking the connection:

          Jun 21 22:41:23 LAN WindowsHost:123 pfSenseBox:123 UDP

          and:

          Jun 21 22:47:33 LAN LinuxHost:37064 pfSenseBox:123 UDP

          Here is the output from one of the clients trying to sync time from pfSense:

          ntpdate -d (any_address)
          21 Jun 22:39:38 ntpdate[18233]: ntpdate 4.2.2p1@1.1570-o Fri Nov 18 13:21:21 UTC 2011 (1)
          Looking for host (any_address) and service ntp
          host found : (any_address)
          transmit(any_address)
          transmit(any_address)
          transmit(any_address)
          transmit(any_address)
          transmit(any_address)
          (any_address): Server dropped: no data
          server (any_address), port 123
          stratum 0, precision 0, leap 00, trust 000
          refid [(any_address)], delay 0.00000, dispersion 64.00000
          transmitted 4, in filter 4
          reference time:    00000000.00000000  Thu, Feb  7 2036  7:28:16.000
          originate timestamp: 00000000.00000000  Thu, Feb  7 2036  7:28:16.000
          transmit timestamp:  d38e050d.43d199bb  Thu, Jun 21 2012 22:39:41.264
          filter delay:  0.00000  0.00000  0.00000  0.00000
                  0.00000  0.00000  0.00000  0.00000
          filter offset: 0.000000 0.000000 0.000000 0.000000
                  0.000000 0.000000 0.000000 0.000000
          delay 0.00000, dispersion 64.00000
          offset 0.000000

          All outgoing connections from this machine are allowed. The Windows client can't sync either.
          It doesn't matter if I try to sync with pfSense or some other external host.

          > Is NTP running on your pfsense? What version of pfsense are you running, I know they have made changes in 2.1 that changed to actual ntp vs openntp.

          Yes, it's running on pfSense too. My version is: 2.0.1-RELEASE (amd64), built on Mon Dec 12 18:43:51 EST 2011, FreeBSD 8.1-RELEASE-p6

          Please help

            johnpoz LAYER 8 Global Moderator

            And why did you disable the default lan rule?

            What are your lan rules? You say your source is lan source, but maybe that is not working if being blocked. Please post screenshots of your lan rules. From your first post you're getting blocked by the default deny rule, so that means whatever rules you wrote are not being met for allow.

            Do you have multiple lan segments? If not, just have source be ANY. Why does that block show your windows machine coming from source port 123? That is not how ntp works.

            Example: this is a query to my pfsense box from my windows box. Also, why are you hiding your IPs? There is no reason to hide a private address. Are your lan interfaces in the public space?

            C:\Windows\system32>ntpdate -d 192.168.1.253
            21 Jun 21:56:41 ntpdate[1984]: ntpdate 4.2.6p5-o Dec 24 23:49:25.23 (UTC-00:00) 2011  (1)
            21 Jun 21:56:41 ntpdate[1984]: Raised to realtime priority class
            transmit(192.168.1.253)
            receive(192.168.1.253)
            transmit(192.168.1.253)
            receive(192.168.1.253)
            transmit(192.168.1.253)
            receive(192.168.1.253)
            transmit(192.168.1.253)
            receive(192.168.1.253)
            server 192.168.1.253, port 123
            stratum 3, precision -19, leap 00, trust 000
            refid [192.168.1.253], delay 0.02547, dispersion 0.00018
            transmitted 4, in filter 4
            reference time:    d38e5710.73f8107a  Thu, Jun 21 2012 21:29:36.453
            originate timestamp: d38e5d6f.ddc35896  Thu, Jun 21 2012 21:56:47.866
            transmit timestamp:  d38e5d6f.b8d4fdf3  Thu, Jun 21 2012 21:56:47.722
            filter delay:  0.02647  0.02647  0.02547  0.02547
                    0.00000  0.00000  0.00000  0.00000
            filter offset: 0.143691 0.143660 0.144132 0.144191
                    0.000000 0.000000 0.000000 0.000000
            delay 0.02547, dispersion 0.00018
            offset 0.144132

            So here is a Wireshark capture of the above query. Notice the source port from the client: it's NOT 123. The query would be from a random port above 1024, so something is wrong there if the query is coming from source port 123 as well.

            The only time 123 would be the source is for the server responding to the client on whatever its random port was. In my case that was 61978.

            [image: ntptraffic.png]


              tomasz.night
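The two blocked-connection lines posted above and the moderator's point about the client source port lend themselves to a small triage script. This is an added example, not code from the thread or from pfSense: it parses filter-log lines in the shape shown (the addresses are constructed, since the thread hides them behind hostnames), flags NTP queries whose source port is 123 rather than an ephemeral port, and checks each line against a hypothetical encoding of the poster's LAN rule, so a hit on "Default deny" where the configured rule should have matched points at the loaded ruleset rather than the rule itself.

```python
import ipaddress
import re

# Constructed sample lines shaped like the blocked-connection entries in the thread
# (addresses are made up; the thread hides them behind hostnames).
LOG_LINES = [
    "Jun 21 22:41:23 LAN 192.168.1.20:123 192.168.1.1:123 UDP",    # source port 123
    "Jun 21 22:47:33 LAN 192.168.1.30:37064 192.168.1.1:123 UDP",  # ephemeral source port
    "Jun 21 22:50:01 LAN 192.168.1.30:51000 192.168.1.1:443 TCP",  # unrelated, for contrast
]
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")
# Hypothetical encoding of the poster's rule: LAN, TCP/UDP, source "LAN subnet", dst port 123.
LAN_RULE = {"iface": "LAN", "protos": {"TCP", "UDP"},
            "src_net": ipaddress.ip_network("192.168.1.0/24"),  # assumed LAN subnet
            "dport": 123}

def parse_line(line):
    """Split one filter-log line into fields; ports become ints."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry

def rule_matches(rule, entry):
    """True if the configured allow rule should have matched this packet."""
    return (entry["iface"] == rule["iface"] and entry["proto"] in rule["protos"]
            and ipaddress.ip_address(entry["src"]) in rule["src_net"]
            and entry["dport"] == rule["dport"])

def triage(line):
    """Return (entry, findings) for one blocked-connection line."""
    entry = parse_line(line)
    findings = []
    if entry["proto"] == "UDP" and entry["dport"] == 123:
        findings.append("ntp-query")
        # An ordinary client query comes from an ephemeral port; 123 -> 123 is
        # symmetric/peer style and worth a second look, as the moderator notes.
        findings.append("client-sport-123" if entry["sport"] == 123 else "client-sport-ephemeral")
    if rule_matches(LAN_RULE, entry):
        # Rule matches yet the packet hit default deny: the loaded ruleset is not
        # the configured one (compare pfctl -sr with the GUI rules, reload the filter).
        findings.append("allow-rule-should-match")
    else:
        findings.append("no-allow-rule")
    return entry, findings
```

Running `triage` over `LOG_LINES` reports both NTP lines as matching the configured rule, which is exactly the contradiction the thread ends up explaining with a failed ruleset reload.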

              Solution was more simple than I expected.
              A week ago I was testing squid with lightsquid in pfSense.
              I removed squid without removing lightsquid, and that was the reason for my problems - the firewall was still using the old rule set (reload fails).

              Case closed ;)
              Thank you very much for your attention.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.