Bug #15482
closedNTP logic
0%
Description
it seems to be the case that NTP back end interface querying is hierarchical and if the first rule it encounters fails, then none of the others will work. i discovered this inadvertently when i made some vlan modifications and it can be repeated.
to better help demonstrate it, i will mention my setup is that almost no WAN out rules exist that are not over VPN interfaces. The few that do exist are very curated using aliases and specific ports.
One of those that is allowed out is specific NTP hosts using port 123 on 192.168.1.1.
Now I have guest network located at 192.168.20.1 vlan 20 and the LAN network at 192.168.1.0 and I advertise as an NTP server on both for DHCP. The rules I set up were working and I was able to send and receive NTP queries, but I made some modifications to the vlans which resulted in this
http://i.popz.top/u/5cfYzf07pCOz.png
what i suggest should be happening: all the interfaces listed in services > ntp > settings should be making some simultaneous outbound requests for NTP or they should be round robin each other across the bound interfaces
what currently happens: it will attempt to outbound the hierarchically highest interface and then when it fails (because no wan nat outbound rules exist) it will just keep repeating - which never allows the LAN 192.168.1.1 NTP outbound to succeed (even though the rules exist and are highest amongst their respective areas)
i'm not sure if i have done a good job explaining it or how to reproduce it but this image shows what would cause 0 NTP queries to work.
http://i.popz.top/u/f9N4dsA3J2GY.png
This fixes it and causes all queries to work.
http://i.popz.top/u/qjyrs29NhWhY.png
packet capture allowed me to figure out what was going on.
Updated by Jim Pingle 8 months ago
- Status changed from New to Rejected
What you're describing would need to be a change made in the NTP daemon behavior, which is out of our control. Probably also could be worked around in rules/settings but such discussions belong on the forum.