23.1 Legacy Series / Re: NTP not able to use ipv6 peer
« on: July 19, 2023, 11:24:22 am »
After reboot the only difference is that in the status window for NTP it says .STEP. instead of .INIT. But still no contact
So ntpdate works but ntpd doesn't? WTF?
Ah ... one moment.
Are you running ntpdate -q as root? Can you verify with tcpdump that it is also using port 123 as the source port? If it doesn't, then that might hint at your ISP or somebody else blocking port 123 for IPv6.
Also, did you try disabling hardware offloading?
The "bad checksum" can be an artifact of tcpdump itself. But it might be worth a try to disable hardware offloading for that interface.
Also what does ntpdate -q for these servers result in? Also no answer at all?
And last - is this OPNsense a hosted service or is "Bahnhof" the company responsible for the OPNsense? If hosted, is it remotely possible that they are blocking NTP? It could be abused for amplification attacks and many providers used to do this.
Could you do that with -n and show an ifconfig output of your WAN interface and the netstat -rn output?
OK, do you see any requests going out on port 123 with tcpdump when you restart ntpd?
Please use "All (recommended)" and do not select any individual interfaces.
What happens if you try to open a connection to the IPv6 server on port 123 with UDP with netcat or similar?
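As an added example (not code from this thread, from OPNsense or from ntpd), the two checks the posts above ask for, done in Python instead of with ntpdate -q and netcat: one NTP mode-3 request is sent over IPv6 UDP to port 123, with the source port chosen explicitly so that "bound to 123" (needs root) and "ephemeral port" can be compared, and the reply is parsed into the offset and delay that ntpdate -q would report. The server reply builder and the timestamps in it are constructed test data so the packet code runs offline; the server address in the usage note is a placeholder from the documentation prefix, not a real server from the thread.

```python
import socket
import struct
import sys
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix epoch)


def to_ntp_timestamp(unix_time):
    """Encode a Unix float time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_time)
    frac = int((unix_time - secs) * 2 ** 32) & 0xFFFFFFFF
    return struct.pack("!II", secs + NTP_EPOCH_OFFSET, frac)


def from_ntp_timestamp(raw):
    """Decode 8 bytes of NTP timestamp back to a Unix float time."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def build_client_request(transmit_unix, version=4):
    """Mode-3 client packet: LI=0, VN=version, mode=3, our send time in the Transmit field.
    Everything between the first byte and the Transmit timestamp is zero in a client query."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return bytes([li_vn_mode]) + bytes(39) + to_ntp_timestamp(transmit_unix)


def make_server_reply(originate_unix, receive_unix, transmit_unix, stratum=1, refid=b"PPS\x00"):
    """Mode-4 server packet laid out as a real server would answer (constructed data for offline use)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    pkt = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 2^6 s, precision 2^-20 s
    pkt += struct.pack("!II", 0, 0)                          # root delay, root dispersion
    pkt += refid                                             # stratum 1: clock source name
    pkt += to_ntp_timestamp(receive_unix)                    # reference timestamp
    pkt += to_ntp_timestamp(originate_unix)                  # echo of the client's transmit time
    pkt += to_ntp_timestamp(receive_unix)
    pkt += to_ntp_timestamp(transmit_unix)
    return pkt


def parse_response(data):
    """Parse the fixed 48-byte NTP header of a server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    li_vn_mode, stratum = struct.unpack("!BB", data[:2])
    mode = li_vn_mode & 0x07
    if mode != 4:
        raise ValueError("not a server reply, mode=%d" % mode)
    refid = data[12:16]
    return {
        "version": (li_vn_mode >> 3) & 0x07,
        "mode": mode,
        "stratum": stratum,
        "refid": refid,
        # Stratum 0 is a kiss-o'-death; the refid then holds an ASCII code such as RATE (rate limited)
        "kiss_code": refid.decode("ascii", "replace") if stratum == 0 else None,
        "originate": from_ntp_timestamp(data[24:32]),
        "receive": from_ntp_timestamp(data[32:40]),
        "transmit": from_ntp_timestamp(data[40:48]),
    }


def compute_offset_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay from the four on-wire timestamps."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def query_ipv6(server, src_port=0, timeout=3.0):
    """Send one request over IPv6 UDP from src_port (123 needs root; 0 = ephemeral port).
    socket.timeout on the receive means no reply at all, the symptom discussed in the thread."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("::", src_port))
    t1 = time.time()
    sock.sendto(build_client_request(t1), (server, NTP_PORT))
    try:
        data, peer = sock.recvfrom(512)
    finally:
        sock.close()
    t4 = time.time()
    reply = parse_response(data)
    if abs(reply["originate"] - t1) > 1e-6:
        raise ValueError("reply does not echo our transmit timestamp (stale or spoofed packet)")
    offset, delay = compute_offset_delay(t1, reply["receive"], reply["transmit"], t4)
    return {"peer": peer, "offset": offset, "delay": delay, "reply": reply}


if __name__ == "__main__":
    # usage: python3 ntp6probe.py <ipv6-server> [source-port]
    srv = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    res = query_ipv6(srv, port)
    r = res["reply"]
    print("server %s stratum %d refid %r offset %+.6f s delay %.6f s"
          % (res["peer"][0], r["stratum"], r["refid"], res["offset"], res["delay"]))
```

Run it twice against the same server, e.g. `python3 ntp6probe.py 2001:db8::1 123` as root and then `python3 ntp6probe.py 2001:db8::1 0` (the address is a placeholder), with `tcpdump -ni <wan> udp port 123` in another window; a timeout only when the source port is 123 is the provider-side filtering the posts above ask about, and a stratum-0 reply with a kiss code such as RATE is the server rate-limiting you rather than the path being blocked.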
Leave it at All (recommended) and try again, please.
What do you have set in Services > Network Time > General > Interfaces?
No - there is an automatic floating rule named "let out anything from firewall host itself". That takes care of that. Generally you practically never need outbound rules on an interface.
Do you see any blocked NTP packets in the firewall live view?