Messages

1

22.7 Legacy Series / Re: Constant queries to NTP server every minute

« on: November 24, 2022, 10:07:39 am »

Here is the complete ntpd config file.

Code: [Select]

#
# Autogenerated configuration file
#

tinker panic 0
# Orphan mode stratum
tos orphan 12


# Upstream Servers
server 0.opnsense.pool.ntp.org maxpoll 9 prefer noselect
server 1.opnsense.pool.ntp.org maxpoll 9 noselect
server 2.opnsense.pool.ntp.org maxpoll 9 noselect
server 3.opnsense.pool.ntp.org maxpoll 9 noselect


disable monitor
statsdir /var/log/ntp
logconfig =syncall +clockall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap


# custom options
server 0.opnsense.pool.ntp.org minpoll 11 maxpoll 12 prefer
server 1.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
server 2.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
server 3.opnsense.pool.ntp.org  minpoll 11 maxpoll 12

OPNsense is a fresh install so thats very strange where the other servers originate from. There is no IPv6 configured so there can't be made a connection via IPv6.

2

22.7 Legacy Series / Re: Constant queries to NTP server every minute

« on: November 22, 2022, 05:17:40 pm »

Thanks for shading light into this.

There is no DHCP on WAN connection. IP is configured manually.
Options "Deny state modifications (i.e. run time configuration) by ntpq and ntpdc" and "Deny packets that attempt a peer association" are enabled.

Any other ideas to figure out how these ntp servers got configured?

3

22.7 Legacy Series / Re: Constant queries to NTP server every minute

« on: November 22, 2022, 01:48:54 pm »

Code: [Select]

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 46.165.252.57 ( 254.48.138.1     2 u  286  512  377   10.307   -2.459   0.131
 ntp-master.sasg 40.179.132.91    2 u  183  512  377   16.166   -2.988   0.673
 rondra.lf-net.o 131.188.3.221    2 u  270  512  377   13.263   -2.691   0.119
 vsrv02141.custo 85.220.190.246   3 u  475  512  377   15.217   -2.772   0.183
*ec2-3-64-117-20 131.188.3.221    2 u  38m  68m  377   14.804   -0.597   0.799
+ntp2.m-online.n 212.18.1.106     2 u 1592  68m  377   16.351   -2.385   0.747
+mx.ack512.net   237.17.204.95    2 u  35m  68m  377   14.864   -2.634   1.009
-stratum2-2.NTP. 129.70.137.82    2 u  36m  68m  377   17.166   -4.311   0.403

Using ntpdate -q <FW-IP> on the client now reports a stratum of 3 and adjusts time. Very strange. So it seems it needed some time to "warm up".

But two problems remain.
a) There are less, but still too much requests outgoing from the Firewall to NTP Server. With minpoll 11 it should be maximum one request about every 34 minutes per server. However in less than half an hour there are much more requests

Code: [Select]

13:13:55.513480 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:13:55.523772 IP 46.165.252.57.123 > <FW-IP>.123: NTPv4, Server, length 48
13:14:08.506500 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:14:08.519856 IP 188.68.36.203.123 > <FW-IP>.123: NTPv4, Server, length 48
13:15:37.544511 IP <FW-IP>.123 > 46.235.112.25.123: NTPv4, Client, length 48
13:15:37.560575 IP 46.235.112.25.123 > <FW-IP>.123: NTPv4, Server, length 48
13:19:53.544466 IP <FW-IP>.123 > 185.11.138.90.123: NTPv4, Client, length 48
13:19:53.559624 IP 185.11.138.90.123 > <FW-IP>.123: NTPv4, Server, length 48
13:22:36.544503 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:22:36.554784 IP 46.165.252.57.123 > <FW-IP>.123: NTPv4, Server, length 48
13:23:06.544517 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:23:06.557841 IP 188.68.36.203.123 > <FW-IP>.123: NTPv4, Server, length 48
13:24:37.494450 IP <FW-IP>.123 > 46.235.112.25.123: NTPv4, Client, length 48
13:24:37.510702 IP 46.235.112.25.123 > <FW-IP>.123: NTPv4, Server, length 48
13:28:44.544531 IP <FW-IP>.123 > 185.11.138.90.123: NTPv4, Client, length 48
13:28:44.559751 IP 185.11.138.90.123 > <FW-IP>.123: NTPv4, Server, length 48
13:31:27.513172 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:31:27.523540 IP 46.165.252.57.123 > <FW-IP>.123: NTPv4, Server, length 48
13:31:51.493193 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:31:51.506546 IP 188.68.36.203.123 > <FW-IP>.123: NTPv4, Server, length 48
13:33:16.544532 IP <FW-IP>.123 > 46.235.112.25.123: NTPv4, Client, length 48
13:33:16.560865 IP 46.235.112.25.123 > <FW-IP>.123: NTPv4, Server, length 48
13:37:47.517137 IP <FW-IP>.123 > 185.11.138.90.123: NTPv4, Client, length 48
13:37:47.532543 IP 185.11.138.90.123 > <FW-IP>.123: NTPv4, Server, length 48
13:40:20.534140 IP <FW-IP>.123 > 46.165.252.57.123: NTPv4, Client, length 48
13:40:20.544507 IP 46.165.252.57.123 > <FW-IP>.123: NTPv4, Server, length 48
13:40:30.487396 IP <FW-IP>.123 > 188.68.36.203.123: NTPv4, Client, length 48
13:40:30.501628 IP 188.68.36.203.123 > <FW-IP>.123: NTPv4, Server, length 48
13:41:29.498253 IP <FW-IP>.123 > 3.64.117.201.123: NTPv4, Client, length 48
13:41:29.513046 IP 3.64.117.201.123 > <FW-IP>.123: NTPv4, Server, length 48
13:42:16.505121 IP <FW-IP>.123 > 46.235.112.25.123: NTPv4, Client, length 48
13:42:16.521219 IP 46.235.112.25.123 > <FW-IP>.123: NTPv4, Server, length 48
13:43:55.484145 IP <FW-IP>.123 > 129.70.132.35.123: NTPv4, Client, length 48
13:43:55.504680 IP 129.70.132.35.123 > <FW-IP>.123: NTPv4, Server, length 48
13:45:03.544527 IP <FW-IP>.123 > 136.243.229.3.123: NTPv4, Client, length 48
13:45:03.559226 IP 136.243.229.3.123 > <FW-IP>.123: NTPv4, Server, length 48



b) Advanced section will be removed in a future version, so reducing the requests won't be possible anymore.

4

22.7 Legacy Series / Re: Constant queries to NTP server every minute

« on: November 21, 2022, 01:49:33 pm »

There is no NAT and only 1 LAN client (Linux debian host) for accessing the OPNsense firewall. So traffic must be generated by OPNsense itself. If I use ntpdate -q 0.opnsense.pool.ntp.org on the client I see in TCP dump the IP of the client and not of OPNsense.

Had a configuration error in the config. In the advanced section it must be

Code: [Select]

server 0.opnsense.pool.ntp.org minpoll 11 maxpoll 12 prefer
server 1.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
server 2.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
server 3.opnsense.pool.ntp.org  minpoll 11 maxpoll 12

But even after correcting this, access remains.

It might be even another problem. If I use

Code: [Select]

ntpdate -q 127.0.0.1
server 127.0.0.1, stratum 16, offset +0.000012, delay 0.02576
21 Nov 13:38:13 ntpdate[94238]: no server suitable for synchronization found
So ntp seems not to get synchronized and that could be the reason it tries every minute to get NTP time. When using the default config it could use 127.0.0.1 as time source.
Orphan mode is set to 12, so stratum should be 12 and not 16 if something goes wrong.

It seems no network problem because directly querying the NTP server works.

Code: [Select]

ntpdate -q 0.opnsense.pool.ntp.org
server 136.243.66.91, stratum 2, offset +0.000677, delay 0.04018
server 136.243.7.20, stratum 3, offset +0.000930, delay 0.04022
server 131.234.220.232, stratum 1, offset +0.002389, delay 0.04488
server 178.215.228.24, stratum 2, offset +0.004708, delay 0.04243
21 Nov 13:38:07 ntpdate[72851]: adjust time server 131.234.220.232 offset +0.002389 sec

I'm not a NTP expert, so whats wrong here?

5

22.7 Legacy Series / Re: Constant queries to NTP server every minute

« on: November 21, 2022, 12:39:51 pm »

Thanks for the ideas. Don't seem to work  :'(

Disabled all default upstream servers and added in advanced configuration section

Code: [Select]

0.opnsense.pool.ntp.org minpoll 11 maxpoll 12 prefer
1.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
2.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
3.opnsense.pool.ntp.org  minpoll 11 maxpoll 12


Code: [Select]

cat /var/etc/ntpd.conf
#
# Autogenerated configuration file
#

tinker panic 0
# Orphan mode stratum
tos orphan 12


# Upstream Servers
server 0.opnsense.pool.ntp.org maxpoll 9 prefer noselect
server 1.opnsense.pool.ntp.org maxpoll 9 noselect
server 2.opnsense.pool.ntp.org maxpoll 9 noselect
server 3.opnsense.pool.ntp.org maxpoll 9 noselect


disable monitor
statsdir /var/log/ntp
logconfig =syncall +clockall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap


# custom options
0.opnsense.pool.ntp.org minpoll 11 maxpoll 12 prefer
1.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
2.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
3.opnsense.pool.ntp.org  minpoll 11 maxpoll 12
But still every minute NTP requests orginating from firewall IP.

6

22.7 Legacy Series / Constant queries to NTP server every minute

« on: November 18, 2022, 10:43:08 am »

Doing tcpdump -i igb1 -n where igb1 is WAN interface, as default, I see every minute 4 NTPv4 queries originating the IP of the firewall.
I've already set as adavanced options in services_ntpd.php configuration page
minpoll 11
maxpoll 12

Still after a complete reboot there are the NTP queries every minute.

Whats wrong here?