Bug #15482

closed

NTP logic

Added by mrpops2ko. 7 months ago. Updated 7 months ago.

Status: Rejected
Priority: Low
Assignee: -
Category: NTPD
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

It seems to be the case that NTP back end interface querying is hierarchical and if the first rule it encounters fails, then none of the others will work. I discovered this inadvertently when I made some VLAN modifications and it can be repeated.

To better help demonstrate it, I will mention my setup is that almost no WAN out rules exist that are not over VPN interfaces. The few that do exist are very curated using aliases and specific ports.

One of those that is allowed out is specific NTP hosts using port 123 on 192.168.1.1.

Now I have a guest network located at 192.168.20.1 VLAN 20 and the LAN network at 192.168.1.0 and I advertise as an NTP server on both for DHCP. The rules I set up were working and I was able to send and receive NTP queries, but I made some modifications to the VLANs which resulted in this:

http://i.popz.top/u/5cfYzf07pCOz.png

What I suggest should be happening: all the interfaces listed in services > ntp > settings should be making some simultaneous outbound requests for NTP or they should be round robin each other across the bound interfaces.

What currently happens: it will attempt to outbound the hierarchically highest interface and then when it fails (because no WAN NAT outbound rules exist) it will just keep repeating, which never allows the LAN 192.168.1.1 NTP outbound to succeed (even though the rules exist and are highest amongst their respective areas).

I'm not sure if I have done a good job explaining it or how to reproduce it, but this image shows what would cause 0 NTP queries to work.
http://i.popz.top/u/f9N4dsA3J2GY.png

This fixes it and causes all queries to work.
http://i.popz.top/u/qjyrs29NhWhY.png

Packet capture allowed me to figure out what was going on.
