Bug #5548

closed

NTP "Unreach/Pending" on backup carp firewall with 2 LAN interfaces selected

Added by Eduard Rozenberg over 8 years ago. Updated about 8 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 11/27/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

At our two sites running firewall CARP pairs, on the second (backup) firewall NTP doesn't peer to any outside servers.
One of our sites is running multi-WAN, the other site is running single WAN, so I don't believe the WAN setup is relevant to the problem.

NOTE: if I add the WAN interface to the NTP config on the second firewall, then NTP peers OK. But I don't want to run with the WAN interface bound because, security-wise, I understand it's a bad idea for NTP to answer queries from the WAN.

I found the closed bug https://redmine.pfsense.org/issues/3317, which sounds maybe related but doesn't mention CARP.

NTP Service Config ( /services_ntpd.php )
------------------------------------------
Interfaces selected:
  • LAN
  • 10.1.1.70 (LAN CARP IP)
Time servers:
  • 0.pool.ntp.org
  • 1.pool.ntp.org
  • 2.pool.ntp.org
  • 3.pool.ntp.org

NTP Status ( /status_ntpd.php )
-------------------------------

[[ FIREWALL 1 (MASTER) ]]
Status       Server          Ref ID          Stratum  Type  When  Poll  Reach  Delay   Offset  Jitter
-----------  --------------  --------------  -------  ----  ----  ----  -----  ------  ------  ------
Outlier      104.131.53.252  209.51.161.238  2        u     15    64    377    77.164  -4.674  0.352
Candidate    74.117.238.11   4.108.167.254   4        u     13    64    377    55.299  1.778   0.397
Active Peer  66.96.99.10     204.9.54.119    2        u     16    64    377    64.408  -1.284  1.680
Candidate    108.61.73.243   200.98.196.212  2        u     18    64    377    72.394  2.821   4.107

[[ FIREWALL 2 (BACKUP) ]]
Status           Server           Ref ID  Stratum  Type  When  Poll  Reach  Delay  Offset  Jitter
---------------  ---------------  ------  -------  ----  ----  ----  -----  -----  ------  ------
Unreach/Pending  199.15.252.34    .INIT.  16       u     -     64    0      0.000  0.000   0.000
Unreach/Pending  96.126.105.86    .INIT.  16       u     -     64    0      0.000  0.000   0.000
Unreach/Pending  173.255.246.13   .INIT.  16       u     -     64    0      0.000  0.000   0.000
Unreach/Pending  173.230.144.109  .INIT.  16       u     -     64    0      0.000  0.000   0.000


Files

NAT Rules to Enable NTP with CARP.png (202 KB): Added rules to NAT the NTP traffic to the interface IPs. Eduard Rozenberg, 02/06/2016 03:30 PM

#1

Updated by Chris Buechler about 8 years ago

  • Status changed from New to Not a Bug
  • Affected Version deleted (2.2.5)

You're breaking NTP connectivity on the backup by sending the traffic using a CARP IP. It won't, and can't, receive those replies - they go to the primary. When WAN isn't bound, it's probably hitting NAT to a CARP IP because it has a private source IP. NAT it to the WAN IP in that case.

#2

Updated by Eduard Rozenberg about 8 years ago

Confirmed not a bug, thanks for the explanation and solution suggestion! Works fine now.

Added the following NAT rules at the top of the Outbound manual rules list:

Interface  Source   Src Port  Dest  Dest Port  NAT Address  NAT Port  Static  Description
---------  -------  --------  ----  ---------  -----------  --------  ------  --------------------
WAN1       This Fw  udp/*     *     udp/123    WAN1 addr    *         NO      NTP to WAN1 INTFC IP
WAN2       This Fw  udp/*     *     udp/123    WAN2 addr    *         NO      NTP to WAN2 INTFC IP
WAN3       This Fw  udp/*     *     udp/123    WAN3 addr    *         NO      NTP to WAN3 INTFC IP

Interestingly, the Outbound rules do not appear to allow aliases - I wanted to use an alias for the NTP destination hosts but settled for using * Destination for now.
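The cause from #1 and the fix from #2, written out as a pf.conf fragment. This is an added illustration, not the ruleset pfSense generates and not the reporter's configuration; the interface names, CARP VIPs, interface addresses and LAN subnet are placeholder assumptions.

```pf
# Added example: hand-written pf.conf fragment (not pfSense's generated
# ruleset). Interface names and addresses are placeholders.
wan1_if  = "em1"
wan2_if  = "em2"
lan_net  = "10.1.1.0/24"
wan1_vip = "203.0.113.10"   # CARP VIP shared by both nodes; only MASTER answers for it
wan2_vip = "198.51.100.10"  # CARP VIP on WAN2
wan1_ip  = "203.0.113.11"   # this node's own WAN1 interface address
wan2_ip  = "198.51.100.11"  # this node's own WAN2 interface address

# WHY THE BACKUP BREAKS: with no WAN interface bound, ntpd sends its queries
# from the firewall's LAN address (inside $lan_net). Without the two rules
# below, those packets match the catch-all NAT at the bottom and leave
# sourced from the CARP VIP. Replies come back to the VIP, which the MASTER
# holds, so on the BACKUP every peer stays at .INIT. with reach 0.

# FIX: translate the firewall's own NTP traffic (udp/123) to each WAN
# interface's own address. pf uses the first matching nat rule, so these
# must sit above the catch-all, exactly as #2 placed them at the top of
# the Outbound list. (self) is the firewall's own addresses ("This Fw").
nat on $wan1_if inet proto udp from (self) to any port 123 -> $wan1_ip
nat on $wan2_if inet proto udp from (self) to any port 123 -> $wan2_ip

# Existing catch-all stays below: LAN clients keep using the shared VIP,
# so their sessions survive a CARP failover.
nat on $wan1_if inet from $lan_net to any -> $wan1_vip
nat on $wan2_if inet from $lan_net to any -> $wan2_vip
```

With this ordering, the backup's NTP status page should show peers reaching 377 without binding ntpd to the WAN interface, so the WAN side still answers no NTP queries.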
