Hi,
This is a VMware workstation setup.
I have Port 1 - WAN
Port 2 - Firewall Management - 192.168.31.146
Port 3 - Server Gateway - 192.168.31.174 (Server - 192.168.31.162)
I have setup NTP and selected all the interfaces for the firewall to listen but the Server does not sync at all from its Gateway.
I use the following PowerShell commands:
w32tm /config /syncfromflags:manual /manualpeerlist:192.168.31.174,0x8 /reliable:yes /update
w32tm /config /update
w32tm /resync
But it doesn't sync time at all. However, if I change the peer list IP from the server gateway to the firewall management IP in the command
w32tm /config /syncfromflags:manual /manualpeerlist:192.168.31.146,0x8 /reliable:yes /update
w32tm /config /update
w32tm /resync
the server syncs perfectly. Does anyone know why this is happening, or am I misunderstanding something?
I cannot understand your network scheme; the names you provided, Port 2 - Firewall Management, Port 3 - Server Gateway, I do not see them in the screenshot you have provided?
You have two interfaces which each have a unique IP address on the same subnet?
Quote from: koushun on January 27, 2021, 01:38:03 AM
I cannot understand your network scheme; the names you provided, Port 2 - Firewall Management, Port 3 - Server Gateway, I do not see them in the screenshot you have provided?
You have two interfaces which each have a unique IP address on the same subnet?
Thanks for replying. The names provided are just for reference and are not names set in the firewall.
That would be:
vFirewallP - 192.168.31.146 (in the vFirewallP_Network)
vServerP - 192.168.31.162 (in the vServerP_Network)
vServerP Gateway - 192.168.31.174
I might have misunderstood something here.
But do you have three interfaces, all within the same net?
Or: what are the subnets of these interfaces? Can you post the CIDR notation of each?
And what is the IP/subnet of the client (the Server?) from where you execute your PowerShell command? Is the server on the same subnet as the Gateway?
What does the command prompt command w32tm /query /peers give you?
You can ping all OPNsense interface addresses from your "Server"?
Quote from: koushun on January 27, 2021, 02:02:53 PM
I might have misunderstood something here.
But do you have three interfaces, all within the same net?
Yes
Or: what are the subnets of these interfaces? Can you post the CIDR notation of each?
vFirewall_Network - 192.168.31.128 /27 | 255.255.255.224 | 192.168.31.129 - 192.168.31.158
vFirewallP - 192.168.31.146 /27
vServer_Network - 192.168.31.160 /27 | 255.255.255.224 | 192.168.31.161 - 192.168.31.190
And what is the IP/subnet of the client (the Server?) from where you execute your PowerShell command? Is the server on the same subnet as the Gateway?
vServerP - 192.168.31.162 /27
Yes the server is on the same subnet as the gateway and within the assignable IP range.
What does the command prompt command w32tm /query /peers give you?
There is no result as such of success or failure. If successful, the time syncs within some seconds; if it fails, the time remains the same. So when the peer address is the vFirewallP interface (192.168.31.146) the time syncs; when the peer address is the vServer Gateway (192.168.31.174) the time does not sync at all and remains the same.
You can ping all OPNsense interface addresses from your "Server"?
Yes
Please find the answers bolded in your quote reply, thanks..
Strange, I thought it would be the other way around: that you could reach the vServer Gateway at .174, but not the .146 address, as it is not in the same subnet.
Your Server (client) has IP 192.168.31.162/27 (vServerP)
Your Firewall has two interfaces.
vFirewallP : 192.168.31.146/27 and vServer Gateway (192.168.31.174/27).
The time only syncs when you try .146.
It does not sync when you try .174.
But you can reach all interfaces with ICMP.
I have no idea, actually. I am not that versed in subnetting, or in VMware.
But.
The OPNsense guest has 2 interfaces: 1 is in bridge mode (WAN), the other is an internal network (LAN)?
And the Server, the other guest, has just 1 interface, which is in the same internal network as the LAN interface on the OPNsense guest.
Ugh, why do you do subnetting? What about just doing VLANs ;) Then just set the appropriate VLAN tag on your Server guest network interface :)
Next step would be to paste your actual ntpd.conf configuration file, I guess.
Sorry, I do not know what could be wrong. It seems that the screenshot provided shows the correct settings?
I too did not understand why it does that.
The server at .162 can access the firewall interface at .146 because I had allowed access to it for management purposes.
Anyway, I'll see if I can make it work the VLAN way.
Thanks..
Well, you shouldn't have to, I guess.
Install nmap / zenmap on the Server and check whether port 123 on those IPs is filtered or open?
And / or check the actual ntpd.conf file for anything mysterious.
Just a suggestion.
Good luck!
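Added here as an example of the port 123 check suggested above; this is not code from the thread or from OPNsense. It sends a raw SNTP client request to each firewall address the thread quotes (assumed as the values to test) and reports whether a reply arrives, so a filtered port (timeout) can be told apart from a listening but unsynchronised ntpd (LI=3 or stratum 0/16), which W32Time will also refuse to use as a source.

```powershell
# Added diagnostic, not from the thread: probe each OPNsense interface address on UDP/123.
# Addresses are assumed from the thread (vServer Gateway, vFirewallP); adjust for your setup.
$Peers = @('192.168.31.174', '192.168.31.146')

function Test-NtpPeer {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $TimeoutMs = 3000
    )
    # 48-byte NTP packet; first byte 0x1B = LI 0, version 3, mode 3 (client)
    $request = [byte[]]::new(48)
    $request[0] = 0x1B

    $udp = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 123)
        [void]$udp.Send($request, $request.Length)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        [byte[]]$reply = $udp.Receive([ref]$remote)
    } catch {
        # SocketException: timeout (packet filtered) or ICMP port unreachable (nothing listening)
        return [pscustomobject]@{ Server = $Server; Responds = $false; LI = $null
                                  Stratum = $null; ServerTimeUtc = $null; Error = $_.Exception.Message }
    } finally {
        $udp.Close()
    }

    $li      = ($reply[0] -shr 6) -band 3   # 3 = leap indicator "alarm", clock not synchronised
    $stratum = [int]$reply[1]                # 0 = kiss-o'-death/invalid, 16 = unsynchronised
    # Transmit timestamp at offset 40: big-endian seconds since 1900-01-01 UTC
    $secBytes = [byte[]]$reply[40..43]
    [Array]::Reverse($secBytes)
    $secs  = [BitConverter]::ToUInt32($secBytes, 0)
    $epoch = [datetime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

    [pscustomobject]@{
        Server        = $Server
        Responds      = $true
        LI            = $li
        Stratum       = $stratum
        ServerTimeUtc = $epoch.AddSeconds($secs)
        Error         = $null
    }
}

$Peers | ForEach-Object { Test-NtpPeer -Server $_ } | Format-Table -AutoSize
```

The built-in `w32tm /stripchart /computer:192.168.31.174 /samples:3` performs the same probe through the Windows time client, and `w32tm /query /status` shows which source it last synchronised from.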
Thanks koushun for the tips..