NTP, CARP, Multi-wan, and multiple internal subnets - source IP address issue
I am running 2.1-RC1 (amd64) Aug 1 19:39:40 EDT snapshot.
Two firewalls in a CARP cluster.
Two WAN connections in a failover configuration. One link is tier 1 and the other is tier 2.
Three internal subnets. NTP is set to listen on the CARP address of two of those internal subnets. Those CARP VIPs are acting as the default gateways for the machines on the LANs.
The first firewall in the cluster starts up NTP fine and syncs with the time servers. The second firewall sits at "Unreach/Pending" status.
The NTP server these firewalls are set to sync with is seeing the request from the CARP VIP configured for outbound NAT on the WAN interface.
To fix the issue I have to make sure that each firewall sends NTP traffic from its unique WAN interface IP instead of the CARP VIP. To be able to do that I have to create a custom outbound NAT rule to cover NTP traffic.
Where it gets interesting is that the custom NTP outbound NAT rule must have as its source the IP (or CARP VIP) of the last interface in the list of interfaces that NTP is selected to listen on. In my case that turns out to be the CARP VIP on the OPT2 interface because in the selection list in NTP service configuration, that is the last selected interface.
My question is, can NTP be configured to use the loopback interface as the source IP? NAT is going to rewrite the source IP anyway.
Thanks,
Shahid
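An added example, not from the original post, of the rule shape the workaround above describes, written in plain pf.conf syntax (pfSense builds its ruleset from the GUI's outbound NAT entries, so this only illustrates the logic). Interface names, subnets and addresses are constructed assumptions.

```pf
# Added example; interface names and addresses are constructed, not from the post.
wan_if   = "em0"            # this node's WAN interface; its own IP differs per node
wan_vip  = "203.0.113.10"   # shared WAN CARP VIP used for normal outbound NAT
opt2_vip = "10.20.0.1"      # CARP VIP on OPT2, the last interface ntpd listens on
lan_nets = "{ 10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24 }"

# pf applies the first matching nat rule, so this must sit above the general
# rule. ntpd sources its queries from the last listen address (the OPT2 VIP);
# translate those to this node's own WAN address, taken dynamically from the
# interface, rather than the shared VIP, so the upstream time server can tell
# the two cluster members apart and both can reach "synced".
nat on $wan_if proto udp from $opt2_vip to any port 123 -> ($wan_if)

# General outbound NAT: everything else leaves via the shared WAN CARP VIP
nat on $wan_if from $lan_nets to any -> $wan_vip
```

On each node, `pfctl -s nat` should list the NTP rule ahead of the general one, and `tcpdump -ni em0 udp port 123` should show that node's own WAN address as the source of the outgoing queries.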