Help with NTP



  • Hi, I am currently running Pfsense 2.1 x64. I have had NTP working since 2.1 came out with no issues whatsoever until today. It just simply stopped working.

    No updates, packages, or changes of any sort took place on the box before this happened. It was working fine the last 3 days and before that; today, poof, NTP is dead.

    All my NTP Servers under System > NTP now say Unreachable/Pending with a Stratum of 16 (means it's not synchronized).

    Attempts to force it to synchronize via the SSH command line with ntpdate -d pool.ntp.org or ntpdate -u time.nist.gov have failed. It fails with the message "no server suitable for synchronization found".

    Here is the output from ntpdate -d 0.us.pool.ntp.org

    5 Feb 05:19:20 ntpdate[27612]: ntpdate 4.2.4p5-a (1)
    transmit(67.215.65.132)
    transmit(67.215.65.132)
    transmit(67.215.65.132)
    transmit(67.215.65.132)
    transmit(67.215.65.132)
    67.215.65.132: Server dropped: no data
    server 67.215.65.132, port 123
    stratum 0, precision 0, leap 00, trust 000
    refid [67.215.65.132], delay 0.00000, dispersion 64.00000
    transmitted 4, in filter 4
    reference time:    00000000.00000000  Thu, Feb  7 2036  1:28:16.000
    originate timestamp: 00000000.00000000  Thu, Feb  7 2036  1:28:16.000
    transmit timestamp:  d69c8eac.45bbcc5a  Wed, Feb  5 2014  5:19:24.272
    filter delay:  0.00000  0.00000  0.00000  0.00000
            0.00000  0.00000  0.00000  0.00000
    filter offset: 0.000000 0.000000 0.000000 0.000000
            0.000000 0.000000 0.000000 0.000000
    delay 0.00000, dispersion 64.00000
    offset 0.000000

    5 Feb 05:19:25 ntpdate[27612]: no server suitable for synchronization found

    Here is a copy of the current Pfsense 2.1 x64 ntpd.conf

    # pfSense ntp configuration file

    tinker panic 0

    # Upstream Servers

    server 0.us.pool.ntp.org iburst maxpoll 9
    server 1.us.pool.ntp.org iburst maxpoll 9
    server 2.us.pool.ntp.org iburst maxpoll 9
    server 3.us.pool.ntp.org iburst maxpoll 9
    server time.nist.gov iburst maxpoll 9
    enable monitor
    enable stats
    statistics clockstats
    statsdir /var/log/ntp
    logconfig =syncall +clockall
    driftfile /var/db/ntpd.drift
    restrict default kod nomodify notrap nopeer
    restrict -6 default kod nomodify notrap nopeer
    interface ignore all
    interface listen em1

    Here is a traffic capture from Pfsense showing "what seems" to be the WAN/Pfsense indeed contacting the said NTP Time Servers:

    Obscured the last octets of the source IP

    66.213.xxx.xx is my WAN IP Address

    06:19:25.192961 IP 66.213.xxx.xx.25004 > 69.167.160.102.123: UDP, length 48
    06:19:25.593927 IP 66.213.xxx.xx.25004 > 108.61.56.35.123: UDP, length 48
    06:19:25.793918 IP 66.213.xxx.xx.25004 > 198.199.100.18.123: UDP, length 48
    06:19:26.193900 IP 66.213.xxx.xx.25004 > 69.167.160.102.123: UDP, length 48

    So it seems like the traffic is getting out. I am at a loss right now after a long day of looking at this. The Default Pass Rule on the LAN is still there.

    Is it possible that NTP on Pfsense is rejecting or ignoring the packets? What exactly could the problem be?

    Anyone who can help with this problem, I'll appreciate it. Big time! :)
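An added example, not code from the thread or from pfSense: a small Python NTP client that sends one client-mode query and classifies the outcome the way the ntpdate -d run above and the later pfBlocker explanation suggest, separating "request sent, nothing came back" (server down, or replies dropped by a filter or block list) from a kiss-o'-death, an unsynchronized stratum 16 answer, and a usable reply. The packet layout follows RFC 5905; the sample replies are constructed, and the default host is one of the servers from the posted ntpd.conf.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from NTP era 0 (1900) to the Unix epoch
PACKET_FMT = "!BBBb11I"  # LI/VN/mode, stratum, poll, precision, then 11 32-bit words

def build_request(version=4):
    # 48-byte client request (LI=0, mode 3) carrying only a transmit timestamp
    now = time.time() + NTP_EPOCH_OFFSET
    tx_sec = int(now)
    tx_frac = int((now - tx_sec) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(PACKET_FMT, (version << 3) | 3, 0, 0, 0, *([0] * 9), tx_sec, tx_frac)

def parse_response(data):
    # decode the fields that matter when a peer shows as unreachable or stratum 16
    if len(data) < 48: raise ValueError("short NTP packet: %d bytes" % len(data))
    li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, refid, *ts = struct.unpack(PACKET_FMT, data[:48])
    rb = refid.to_bytes(4, "big")
    # stratum 0/1: refid is a 4-char ASCII code (kiss code such as RATE); higher strata: upstream IPv4
    refid_str = rb.decode("ascii", "replace").rstrip("\x00") if stratum <= 1 else ".".join(map(str, rb))
    return {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
            "stratum": stratum, "refid": refid_str, "kiss_of_death": stratum == 0,
            "unsynchronized": (li_vn_mode >> 6) == 3 or stratum == 0 or stratum >= 16,
            "transmit_unix": ts[6] - NTP_EPOCH_OFFSET if ts[6] else None}

def diagnose(reply):
    """Map one query outcome onto the failure modes discussed in the thread."""
    if reply is None:
        # request left the firewall (visible in a WAN capture) but nothing came back
        return "no data: request sent, no reply (server down or replies filtered)"
    p = parse_response(reply)
    if p["kiss_of_death"]:
        return "kiss-o'-death from server, code %s" % p["refid"]
    if p["unsynchronized"]:
        return "server answered but is unsynchronized (stratum %d, leap %d)" % (p["stratum"], p["leap"])
    return "usable: stratum %d, refid %s" % (p["stratum"], p["refid"])

def query(host="0.us.pool.ntp.org", timeout=2.0):
    # one request to host:123; None on timeout, which is what ntpdate reports as "no data"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (host, 123))
        try:
            return s.recvfrom(512)[0]
        except socket.timeout:
            return None

# constructed sample replies (not captured traffic): a healthy stratum-2 answer and a RATE kiss-o'-death
SAMPLE_OK = struct.pack(PACKET_FMT, 0x24, 2, 6, -20, 0, 0, 0x0A000001, *([0] * 6), NTP_EPOCH_OFFSET + 100, 0)
SAMPLE_KOD = struct.pack(PACKET_FMT, 0x24, 0, 6, -20, 0, 0, 0x52415445, *([0] * 8))
```

Run `diagnose(query(host))` against each server in the config while a WAN capture is running: outbound packets with a "no data" result point at the replies being dropped, not at ntpd on the firewall.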



  • I tried the 0.us.pool.ntp.org address and also one of four servers replied with "no data". It could be a server problem. Test some other servers.



  • I tried testing some other servers with the same results.

    Removing the pfblocker package solved the issue for me, and NTP is now working properly.



  • There is a recently launched NTP attack on a large number of servers, dunno how many are left working properly. Last I heard was a 400 Gbps DDoS.

    The reason removing pfblocker allowed it to work was that the attack was a coverup for an infiltration of some servers, who were subsequently identified as compromised and added to pfblocker's lists.

    MNSHO