Netgate Discussion Forum
    NTP, CARP, Multi-wan, and multiple internal subnets - source IP address issue

    2.1 Snapshot Feedback and Problems - RETIRED
    1 post, 1 poster, 1.2k views
    ssheikh:

      I am running 2.1-RC1 (amd64) Aug 1 19:39:40 EDT snapshot.

      Two firewalls in a CARP cluster.

      Two WAN connections in a failover configuration. One link is tier 1 and the other is tier 2.

      Three internal subnets. NTP is set to listen on the CARP address of two of those internal subnets. Those CARP VIPs are acting as the default gateways for the machines on the LANs.

      The first firewall in the cluster starts up NTP fine and syncs with the time servers. The second firewall sits at "Unreach/Pending" status.

      The NTP server these firewalls are set to sync with is seeing the request from the CARP VIP configured for outbound NAT on the WAN interface.

      To fix the issue I have to make sure that each firewall sends NTP traffic from its unique WAN interface IP instead of the CARP VIP. To be able to do that I have to create a custom outbound NAT rule to cover NTP traffic.

      Where it gets interesting is that the custom NTP outbound NAT rule must have as its source the IP (or CARP VIP) of the last interface in the list of interfaces that NTP is selected to listen on. In my case that turns out to be the CARP VIP on the OPT2 interface because in the selection list in NTP service configuration, that is the last selected interface.

      My question is, can NTP be configured to use the loopback interface as the source IP? NAT is going to rewrite the source IP anyway.

      Thanks,

      Shahid

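The failure mode in the post follows from how CARP works: only the node currently holding the VIP answers for it, so when both nodes source their NTP queries from the shared WAN VIP, the time server's replies are delivered to the master only and the backup's association never leaves the unreachable state. The fix the poster describes is a node-specific outbound NAT rule for NTP that is evaluated before the catch-all rule. The fragment below is an added example in pf.conf syntax (the rule language pfSense generates), not configuration from the original post or from pfSense itself; the interface name, addresses and macro names are assumptions, and each node would carry its own unique value for the NTP source address.

```pf
# Added example, not from the original post. Interface name, addresses and
# macro names are assumed for illustration; node 2 would set its own wan_ip.
ext_if   = "em0"                 # WAN interface on this node
wan_ip   = "203.0.113.11"        # this node's own, non-shared WAN address
wan_vip  = "203.0.113.10"        # CARP VIP shared by both cluster nodes
lan_nets = "{ 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 }"

# Weak setting: a single catch-all rule also rewrites the firewall's own
# NTP queries to the shared VIP, so both nodes look identical to the time
# server and only the VIP holder receives the answers.
#   nat on $ext_if inet from any to any -> $wan_vip

# Corrected: NTP (UDP/123) originated by this firewall itself ("self"
# matches any local address, including the CARP VIP the daemon bound to)
# leaves from the node-unique WAN address, so each node gets its own replies.
# pf nat rules are first-match, so this rule must precede the catch-all.
nat on $ext_if inet proto udp from self to any port 123 -> $wan_ip

# LAN clients keep using the CARP VIP so failover is transparent to them.
nat on $ext_if inet from $lan_nets to any -> $wan_vip
```

In the pfSense GUI this corresponds to switching outbound NAT to manual rule generation and placing the NTP rule above the generated catch-all rule; after a reload, `ntpq -pn` on each node should show the peer's reach column climbing toward 377 instead of staying at 0.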
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.