Bug #5548
closed
NTP "Unreach/Pending" on backup carp firewall with 2 LAN interfaces selected
Description
At our two sites running firewall CARP pairs, NTP on the second (backup) firewall doesn't peer to any outside servers.
One of our sites is running multi-WAN, the other site is running single WAN, so I don't believe the WAN setup is relevant to the problem.
NOTE: if I add the WAN interface to the NTP config on the second firewall, then NTP peers OK. But I don't want to run
with the WAN interface bound because, security-wise, I understand it's a bad idea for NTP to answer queries from WAN.
I found the closed bug https://redmine.pfsense.org/issues/3317, which sounds like it may be related but doesn't mention CARP.
NTP Service Config ( /services_ntpd.php )
-----------------------------------------
Interfaces selected:
- LAN
- 10.1.1.70 (LAN CARP IP)
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
NTP Status ( /status_ntpd.php )
-------------------------------
[[ FIREWALL 1 (MASTER) ]]
Status           Server           Ref ID           Stratum  Type  When  Poll  Reach  Delay   Offset  Jitter
Outlier          104.131.53.252   209.51.161.238   2        u     15    64    377    77.164  -4.674  0.352
Candidate        74.117.238.11    4.108.167.254    4        u     13    64    377    55.299  1.778   0.397
Active Peer      66.96.99.10      204.9.54.119     2        u     16    64    377    64.408  -1.284  1.680
Candidate        108.61.73.243    200.98.196.212   2        u     18    64    377    72.394  2.821   4.107

[[ FIREWALL 2 (BACKUP) ]]
Status           Server           Ref ID           Stratum  Type  When  Poll  Reach  Delay   Offset  Jitter
Unreach/Pending  199.15.252.34    .INIT.           16       u     -     64    0      0.000   0.000   0.000
Unreach/Pending  96.126.105.86    .INIT.           16       u     -     64    0      0.000   0.000   0.000
Unreach/Pending  173.255.246.13   .INIT.           16       u     -     64    0      0.000   0.000   0.000
Unreach/Pending  173.230.144.109  .INIT.           16       u     -     64    0      0.000   0.000   0.000
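
An added example, not part of the original report and not pfSense code: a Python check that parses peer rows in the column order of the status tables above and flags the state seen on the backup firewall, where every peer sits at stratum 16 with a reach of 0. The names `Peer`, `parse_peers` and `assess` are hypothetical.

```python
from dataclasses import dataclass

# Rows copied from the status tables in the report above.
MASTER = """\
Status Server Ref ID Stratum Type When Poll Reach Delay Offset Jitter
Outlier 104.131.53.252 209.51.161.238 2 u 15 64 377 77.164 -4.674 0.352
Active Peer 66.96.99.10 204.9.54.119 2 u 16 64 377 64.408 -1.284 1.680
"""
BACKUP = """\
Unreach/Pending 199.15.252.34 .INIT. 16 u - 64 0 0.000 0.000 0.000
Unreach/Pending 96.126.105.86 .INIT. 16 u - 64 0 0.000 0.000 0.000
"""

@dataclass
class Peer:
    status: str
    server: str
    refid: str
    stratum: int
    reach: int  # 8-bit shift register of recent polls, shown in octal

    @property
    def polls_ok(self) -> int:
        return bin(self.reach).count("1")  # replies among the last 8 polls

    @property
    def usable(self) -> bool:
        # Stratum 16 = unsynchronised; reach 0 = no reply in the last 8 polls.
        return self.stratum < 16 and self.reach != 0

def parse_peers(table: str) -> list[Peer]:
    peers = []
    for line in table.strip().splitlines():
        f = line.split()
        if len(f) < 11 or f[0] == "Status":  # skip blanks and the header
            continue
        # The status label can contain a space ("Active Peer"), so take the
        # ten fixed columns from the right and join what remains.
        server, refid, stratum, _type, _when, _poll, reach = f[-10:-3]
        peers.append(Peer(" ".join(f[:-10]), server, refid,
                          int(stratum), int(reach, 8)))
    return peers

def assess(table: str) -> str:
    peers = parse_peers(table)
    if not any(p.usable for p in peers):
        return "unsynchronised"  # the backup firewall's state in the report
    if not any(p.status == "Active Peer" for p in peers):
        return "no-system-peer"
    return "ok"
```

A reach of 377 is octal for eight set bits, meaning all of the last eight polls were answered, which is what the master shows for every peer.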