Bug #5548 (closed)
NTP "Unreach/Pending" on backup CARP firewall with 2 LAN interfaces selected
Description
At our two sites running firewall CARP pairs, on the second (backup) firewall NTP doesn't peer to any outside servers.
One of our sites is running multi-WAN, the other site is running single WAN, so I don't believe the WAN setup is relevant to the problem.
NOTE: if I add the WAN interface to the NTP config on the second firewall, then NTP peers OK. But I don't want to run with the WAN interface bound because, security-wise, I understand it's a bad idea for NTP to answer queries from the WAN.
I found the closed bug https://redmine.pfsense.org/issues/3317 which sounds maybe related but doesn't mention CARP.
NTP Service Config ( /services_ntpd.php )
-----------------------------------------
Interfaces selected:
- LAN
- 10.1.1.70 (LAN CARP IP)
Time servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
NTP Status ( /status_ntpd.php )
-------------------------------
[[ FIREWALL 1 (MASTER) ]]
Status       Server          Ref ID          Stratum  Type  When  Poll  Reach  Delay   Offset  Jitter
Outlier      104.131.53.252  209.51.161.238  2        u     15    64    377    77.164  -4.674  0.352
Candidate    74.117.238.11   4.108.167.254   4        u     13    64    377    55.299  1.778   0.397
Active Peer  66.96.99.10     204.9.54.119    2        u     16    64    377    64.408  -1.284  1.680
Candidate    108.61.73.243   200.98.196.212  2        u     18    64    377    72.394  2.821   4.107
[[ FIREWALL 2 (BACKUP) ]]
Status           Server           Ref ID  Stratum  Type  When  Poll  Reach  Delay  Offset  Jitter
Unreach/Pending  199.15.252.34    .INIT.  16       u     -     64    0      0.000  0.000   0.000
Unreach/Pending  96.126.105.86    .INIT.  16       u     -     64    0      0.000  0.000   0.000
Unreach/Pending  173.255.246.13   .INIT.  16       u     -     64    0      0.000  0.000   0.000
Unreach/Pending  173.230.144.109  .INIT.  16       u     -     64    0      0.000  0.000   0.000
Updated by Chris Buechler about 8 years ago
- Status changed from New to Not a Bug
- Affected Version deleted (2.2.5)
You're breaking NTP connectivity on the backup by sending the traffic using a CARP IP. It won't, and can't, receive those replies - they go to the primary. When WAN isn't bound, it's probably hitting NAT to a CARP IP because it has a private source IP. NAT it to the WAN IP in that case.
Updated by Eduard Rozenberg about 8 years ago
Confirmed not a bug, thanks for the explanation and solution suggestion! Works fine now.
Added the following NAT rules at the top of the Outbound manual rules list:
Interface  Source   Src Pt  Dest  Dest Pt  NAT Addr   NAT Pt  Static  Description
WAN1       This Fw  udp/*   *     udp/123  WAN1 addr  *       NO      NTP to WAN1 INTFC IP
WAN2       This Fw  udp/*   *     udp/123  WAN2 addr  *       NO      NTP to WAN2 INTFC IP
WAN3       This Fw  udp/*   *     udp/123  WAN3 addr  *       NO      NTP to WAN3 INTFC IP
Interestingly the Outbound rules do not appear to allow aliases - I wanted to use an alias for the NTP destination hosts but settled for using * Destination for now.