NTP clock sync

owner524 · Sep 16, 2013, 5:45 AM

what has to be selected for this to work WAN or LAN this thing never wants to start I thought it was because I was using 2.1 beta but today when 2.1 release came out I reinstalled the whole thing fresh install an the darn thing still doesn't want to start up?

kejianshi · Sep 16, 2013, 5:50 AM

You mean services > NTP?

P3R · Sep 16, 2013, 8:50 AM

I have the same experience. Ntp have been unstable for me when running both RC and released 2.1. Sometimes it works but often the ntp service is down.

My theory is that it is related to the number of ntp servers configured (System, General Setup, NTP time server). I initially had six ntp servers there and have now worked my way down to three.

@owner524,

how many ntp servers do you use?

kejianshi · Sep 16, 2013, 10:47 AM

I just run the one and its always been fine… And WAN is highlighted.

P3R · Sep 16, 2013, 9:50 PM

Forget about my theory above. The service is unreliable also with a single ntp server configured for me.

kejianshi · Sep 16, 2013, 9:52 PM

What other packages are you running? I've seen bad setting in other packages kill NTP.

P3R · Sep 16, 2013, 9:59 PM

Only snort.

kejianshi · Sep 16, 2013, 10:00 PM

That might do it.

Turn off snort for a while and see if it becomes stable.

P3R · Sep 16, 2013, 10:12 PM

I'm sorry, I'm new at this…

How can I make snort not start following a reboot without uninstalling the package?

kejianshi · Sep 16, 2013, 10:13 PM

By uninstalling it…

val · Sep 16, 2013, 10:14 PM

I also notice sometime I change theme ntp would go down, and sometime hard to starts like you need to do a few times before ntp will come up.
I would suggest try to use other ntp server, I did that and that did fixed it for me.

P3R · Sep 16, 2013, 10:25 PM

Removing snort didn't help. :'(

Even manually starting the service does not always work but I have found what I think is an always working workaround: press the Save button (nothing needs to be changed) on the System, General Setup page.

kejianshi · Sep 16, 2013, 10:27 PM

Are you blocking port 123? Forwarding port 123? Is your NTP server busted?

P3R · Sep 16, 2013, 11:10 PM

I am actually forwarding ntp on my WAN interface to my internal ntp server. No on the other 2 questions.

I should probably explain a little more about my configuration.

As I am new to pfSense, this is a testing/learning installation in a VirtualBox VM (with all 3 network interfaces bridged).

It is located behind a simple NATing DD-WRT router without any port forwarding, so the ntp service forwarding in pfSense mentioned above is never hit by any traffic.

I have my ntp server running in the VirtualBox host OS (Ubuntu Server 12.04 LTS) and in addition to that I have a couple of public ntp servers configured in pfSense.

Internal ntp (and VirtualBox) host is 192.168.10.10 and pfSense VM is 192.168.10.254.

Most of the times the ntp service does not start following a reboot but occasionally it works.

When the service starts, sometimes it is able to connect with all my configured servers but most often I get "Unreach/Pending" on the public ones.

I presently do not have any interfaces selected on the Services, NTP page but I have noticed no difference in behaviour when selecting LAN and WAN.

kejianshi · Sep 16, 2013, 11:16 PM

Ahhh - I see. So you broke it.

Did you know that pfsense makes an ok NTP server?

Why are you doing it elsewhere?

P3R · Sep 16, 2013, 11:22 PM

@kejianshi:

Ahhh - I see. So you broke it.

I'm sorry for being thick, but in what way?

Did you know that pfsense makes an ok NTP server?

It doesn't appear to be so okay to me… ;D

Why are you doing it elsewhere?

Because that was used long before I even started to consider pfSense. I also like redundancy so I intend to keep it even if I decide on using pfSense for production.

kejianshi · Sep 16, 2013, 11:25 PM

Well - You have pfsense being an NTP server already. Then you have additional NTP Servers. I think all these NTP Servers are on public IP right?

I wonder. What would happen if you stopped forwarding your NTP port? Just removed that rule you added.

P3R · Sep 16, 2013, 11:44 PM

@kejianshi:

Well - You have pfsense being an NTP server already.

Correct but presently being very unreliable (that may however be my fault).

Then you have additional NTP Servers.

Only one, my Ubuntu server (192.168.10.10) on my internal LAN network. The other ntp servers I have configured in pfSense are public ntp servers on the internet.

I wonder. What would happen if you stopped forwarding your NTP port? Just removed that rule you added.

No difference, ntp service in pfSense is still unreliable.

kejianshi · Sep 16, 2013, 11:51 PM

Hmmm… Sorry if you already said, but is this freshly upgraded to 2.1?

If so, maybe a clean install with fix it for you. You can restore your settings after.

P3R · Sep 17, 2013, 12:09 AM

@kejianshi:

Hmmm… Sorry if you already said, but is this freshly upgraded to 2.1?

Yes. 2.0.3 > 2.1 RC > 2.1 released, with the two upgrades happening only the last few days.

If so, maybe a clean install with fix it for you.

Maybe and that is of course not a problem since this is for testing only but when evaluating the system for possible production use, it isn't an confidence building message…