NTP not able to use ipv6 peer

Started by gunnarf, July 17, 2023, 10:03:30 PM

Hi!

I have very well working IPv6, and one of the peers provided by pool.ntp.org happens to be an IPv6 server. But it never reaches Active or Candidate peer.

Status from the firewall is in the attached file.

It is not of very big importance to have IPv6 peers, just a bit of fun if it works.

I use Chrony with NTS and that works against both Cloudflare and Netnod over IPv6 so I guess you can try switching to that

It's a safer protocol anyway so no downside afaik.
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.

Do you have IPv6 connectivity? I can assure you that IPv6 NTP servers generally do work ;)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

July 18, 2023, 10:57:32 AM #3 Last Edit: July 18, 2023, 10:59:36 AM by gunnarf
Did you have to set any rules in the firewall? I did an outbound allow NTP from WAN to any.

I have very well functioning native IPv6.

No - there is an automatic floating rule named "let out anything from firewall host itself". That takes care of that. Generally you practically never need outbound rules on an interface.

Do you see any blocked NTP packets in the firewall live view?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

July 18, 2023, 02:59:34 PM #5 Last Edit: July 18, 2023, 03:05:02 PM by gunnarf
Quote from: Patrick M. Hausen on July 18, 2023, 11:50:31 AM
No - there is an automatic floating rule named "let out anything from firewall host itself". That takes care of that. Generally you practically never need outbound rules on an interface.

Do you see any blocked NTP packets in the firewall live view?

I didn't find any filtering options in live view so that I could filter for port 123.
Didn't see anything floating by.

For example, DNS requests flow nicely through the fw:

   wan      2023-07-18T15:03:21   [2001:9b0:40::xxxx:xxxx]:29118   [2001:4860:4860::8888]:53   udp   let out anything from firewall host itself (force gw)

What do you have set in Services > Network Time > General > Interfaces?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

July 18, 2023, 04:31:54 PM #7 Last Edit: July 18, 2023, 04:38:12 PM by gunnarf
Quote from: Patrick M. Hausen on July 18, 2023, 04:01:19 PM
What do you have set in Services > Network Time > General > Interfaces?

LAN, WAN for some reason. Don't remember changing that, so maybe default.
Switched to WAN only.

Ran ntpq -p on the firewall:

*gbg2.ntp.netnod .PPS.            1 u    8   64   17   10.053   -5.162   0.231
+mmo1.ntp.netnod .PPS.            1 u    9   64   17   11.270   -5.156   0.446
any.time.nl     .INIT.          16 u    -   64    0    0.000   +0.000   0.000
lul2.ntp.netnod .PPS.            1 u    7   64   17   13.938   -5.031   0.324

and then a ping6 on the IPv6 site:

root@OPNsense:~ # ping6 any.time.nl
PING6(56=40+8+8 bytes) 2001:9b0:40::967c:56c9 --> 2001:678:8::123
16 bytes from 2001:678:8::123, icmp_seq=0 hlim=48 time=283.389 ms
16 bytes from 2001:678:8::123, icmp_seq=1 hlim=48 time=283.196 ms

Leave it at All (recommended) and try again, please.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 18, 2023, 06:08:32 PM
Leave it at All (recommended) and try again, please.

OK, I reverted to LAN, WAN and added some IPv6 NTP servers. The only result is:

root@OPNsense:~ # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
trf.clearnet.pw 65.21.63.130     3 u    9   64    7   42.221   -4.482   0.318
ntp5.flashdance 194.58.202.20    2 u    5   64    7    3.206   -2.867   0.272
ntp-b.0x5e.se   .INIT.          16 u    -   64    0    0.000   +0.000   0.000
2a01:4f8:c17:ef .INIT.          16 u    -   64    0    0.000   +0.000   0.000
ntp2.time.nl    .INIT.          16 u    -   64    0    0.000   +0.000   0.000

What happens if you try to open a connection to the IPv6 server on port 123 with UDP with netcat or similar?
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.

July 18, 2023, 07:50:27 PM #11 Last Edit: July 18, 2023, 08:01:49 PM by gunnarf
Quote from: sorano on July 18, 2023, 07:46:58 PM
What happens if you try to open a connection to the IPv6 server on port 123 with UDP with netcat or similar?

Trying. It just stands there. I'm not good at using nc; I tried: nc -6uD ntp-b.0x5e.se 123
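A plain UDP netcat sends nothing unless fed input, so the server has nothing to answer. The following added example (not code from the thread or from OPNsense) builds a real NTPv4 client request, sends it over AF_INET6 to port 123 and decodes the reply's stratum and refid, the same columns ntpq -p shows; the host name, timeout and the sample reply bytes are constructed assumptions.

```python
import socket
import struct

NTP_PORT = 123
NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def build_client_request() -> bytes:
    """48-byte NTPv4 packet: LI=0, VN=4, Mode=3 (client); all other fields zero."""
    return bytes([(4 << 3) | 3]) + bytes(47)


def parse_server_reply(data: bytes) -> dict:
    """Decode the fields that matter for a reachability check (mode, stratum, refid, transmit time)."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first, stratum, _poll, _precision = struct.unpack("!BBbb", data[:4])
    refid = data[12:16]
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp, NTP format
    if stratum <= 1:
        # Stratum 0/1: refid is a 4-char ASCII clock source or kiss code, e.g. "PPS" as in the ntpq output
        refid_str = refid.rstrip(b"\0").decode("ascii", "replace")
    else:
        # Stratum 2+: IPv4 address of the upstream, or a hash of it for IPv6 upstreams (ntpq shows the same)
        refid_str = ".".join(str(b) for b in refid)
    return {
        "version": (first >> 3) & 0x07,
        "mode": first & 0x07,
        "stratum": stratum,
        "refid": refid_str,
        "transmit_unix": tx_secs - NTP_UNIX_DELTA + tx_frac / 2 ** 32,
    }


def probe(host: str, timeout: float = 3.0) -> dict:
    """One request/reply over IPv6 only; raises socket.timeout when nothing comes back (ntpq's reach 0 / .INIT.)."""
    family, socktype, proto, _, sockaddr = socket.getaddrinfo(host, NTP_PORT, socket.AF_INET6, socket.SOCK_DGRAM)[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(), sockaddr)
        data, _ = s.recvfrom(512)
    reply = parse_server_reply(data)
    if reply["mode"] != 4:
        raise ValueError("unexpected mode %d (expected 4 = server reply)" % reply["mode"])
    return reply


# Constructed sample reply (not captured from any real server): VN=4, mode 4, stratum 1,
# refid "PPS", transmit timestamp 2023-07-18 12:00:00 UTC.
SAMPLE_REPLY = (bytes([(4 << 3) | 4, 1, 6, (-20) & 0xFF]) + bytes(8) + b"PPS\0" + bytes(24)
                + struct.pack("!II", 1689681600 + NTP_UNIX_DELTA, 0))

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "any.time.nl"))  # assumed host from the thread
```

Run it on the firewall with the server name as argument while watching tcpdump on port 123; a timeout here with the request visible on the wire points at the path, not at ntpd.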

Please use "All (recommended)" and do not select any individual interfaces.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 18, 2023, 08:13:55 PM
Please use "All (recommended)" and do not select any individual interfaces.

I do, and the result is consistent: no IPv6 peers.

OK, do you see any requests going out on port 123 with tcpdump when you restart ntpd?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)