Date: Mon, 23 Jul 2007 13:50:09 +0100
From: Pete French <petefrench@ticketswitch.com>
To: freebsd-stable@freebsd.org
Subject: ntpd on a NAT gateway seems to do nothing
Message-ID: <E1ICxMX-000Mg2-J1@dilbert.ticketswitch.com>

Just following the similarly named thread with a bit of interest and I decided
to check my own ntp setup and, to my surprise, discovered I also have a machine
which does nothing. What is more surprising to me is that it has the same
config as a number of other machines, all of which work.

We have a segment of network which is behind a NAT, and there is a BSD box
running 'pf' acting as the NAT gateway. Running ntpd on the actual
NAT box does not work, but running it on the clients the far side of
the NAT does, or on clients the live side of the NAT. I should probably
explain that the NAT goes onto another network which is also natted, though
that NAT is out of my control.

The ntp.conf file looks like this on all machines:
disable auth
enable ntp
driftfile /etc/ntp.drift
server 10.17.19.0
server 195.40.0.250
server 158.43.128.33
server 158.43.128.66
server 158.43.192.66
The time servers there are for easynet, pipex and an internal machine at
a remote location. ntpdate on the machine can query all the hosts fine,
but ntpdc -p gives:
remote           local           st poll reach delay   offset    disp
=======================================================================
=valliere.ns.eas 172.16.1.8      16   64     0 0.00000  0.000000 0.00000
=turpentine.ratt 172.16.1.8       3  128     7 0.01451 -0.007633 1.93823
=ntp2.pipex.net  172.16.1.8      16   64     0 0.00000  0.000000 0.00000
=ntp0.pipex.net  172.16.1.8      16   64     0 0.00000  0.000000 0.00000
=ntp1.pipex.net  172.16.1.8      16   64     0 0.00000  0.000000 0.00000
As you can see, it can only reach the internal machine. On other machines
behind the NAT it looks like this:
remote           local           st poll reach delay   offset    disp
=======================================================================
=valliere.ns.eas 10.50.50.2       2  256   377 0.00577 -0.004396 0.01192
=turpentine.ratt 10.50.50.2       3  256   377 0.01534 -0.004566 0.00482
*ntp2.pipex.net  10.50.50.2       2  256   377 0.00635 -0.004052 0.00899
=ntp0.pipex.net  10.50.50.2       2  256   377 0.00729 -0.002443 0.01395
=ntp1.pipex.net  10.50.50.2       2  256   377 0.00768 -0.002426 0.00951
But those connections are flowing through the NAT box on which ntpd
is not connecting!

Any suggestions? I assume it has something to do with the NAT, but I am
not sure what. All other TCP connections out from that machine to
external systems work fine, so it is not as if outbound connections from
there are not working at all.
-pcf.
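
Added example, not part of the original message: a small parser for the two `ntpdc -p` listings quoted above that decodes the `reach` column, which is an 8-bit shift register printed in octal (377 means the last eight polls were all answered, 0 means none were). The function names are this example's own, and the rows are copied from the message.

```python
import re

# The two `ntpdc -p` listings quoted in the message: NAT gateway, then a client behind it.
GATEWAY = """\
remote local st poll reach delay offset disp
=valliere.ns.eas 172.16.1.8 16 64 0 0.00000 0.000000 0.00000
=turpentine.ratt 172.16.1.8 3 128 7 0.01451 -0.007633 1.93823
=ntp2.pipex.net 172.16.1.8 16 64 0 0.00000 0.000000 0.00000
=ntp0.pipex.net 172.16.1.8 16 64 0 0.00000 0.000000 0.00000
=ntp1.pipex.net 172.16.1.8 16 64 0 0.00000 0.000000 0.00000
"""
CLIENT = """\
=valliere.ns.eas 10.50.50.2 2 256 377 0.00577 -0.004396 0.01192
=turpentine.ratt 10.50.50.2 3 256 377 0.01534 -0.004566 0.00482
*ntp2.pipex.net 10.50.50.2 2 256 377 0.00635 -0.004052 0.00899
=ntp0.pipex.net 10.50.50.2 2 256 377 0.00729 -0.002443 0.01395
=ntp1.pipex.net 10.50.50.2 2 256 377 0.00768 -0.002426 0.00951
"""

# Mode flag in column 0 ('*' marks the peer ntpd is synchronizing to), then fields.
ROW = re.compile(r"^(?P<flag>[=*+\-^~])(?P<remote>\S+)\s+(?P<local>\S+)\s+"
                 r"(?P<st>\d+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s")

def parse_peers(text):
    """Return one dict per peer row; header and ruler lines do not match and are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        reach = int(m["reach"], 8) & 0xFF          # column is printed in octal
        peers.append({
            "remote": m["remote"],
            "sys_peer": m["flag"] == "*",
            "stratum": int(m["st"]),               # 16 = unsynchronized / never heard
            "history": format(reach, "08b"),       # newest poll is the rightmost bit
            "answered": bin(reach).count("1"),     # replies in the last 8 polls
        })
    return peers

def unreachable(text):
    """Peers that answered none of the last eight polls."""
    return [p["remote"] for p in parse_peers(text) if p["answered"] == 0]

def has_sys_peer(text):
    return any(p["sys_peer"] for p in parse_peers(text))

if __name__ == "__main__":
    for name, listing in (("gateway", GATEWAY), ("client", CLIENT)):
        for p in parse_peers(listing):
            print(name, p["remote"], p["history"], f"{p['answered']}/8")
        print(name, "unreachable:", unreachable(listing), "sys peer:", has_sys_peer(listing))
```

A host with no `*` row and several peers at reach 0 is free-running on its local clock, which is worth alerting on wherever log timestamps from that host are correlated with others.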
