From owner-freebsd-stable@FreeBSD.ORG Mon Jul 23 16:13:20 2007 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 72B0116A418 for ; Mon, 23 Jul 2007 16:13:20 +0000 (UTC) (envelope-from ianjhart@ntlworld.com) Received: from queueout04-winn.ispmail.ntl.com (queueout04-winn.ispmail.ntl.com [81.103.221.58]) by mx1.freebsd.org (Postfix) with ESMTP id 04EDB13C467 for ; Mon, 23 Jul 2007 16:13:19 +0000 (UTC) (envelope-from ianjhart@ntlworld.com) Received: from aamtaout04-winn.ispmail.ntl.com ([81.103.221.35]) by mtaout01-winn.ispmail.ntl.com with ESMTP id <20070723160226.WJTK12936.mtaout01-winn.ispmail.ntl.com@aamtaout04-winn.ispmail.ntl.com> for ; Mon, 23 Jul 2007 17:02:26 +0100 Received: from cpc1-cove3-0-0-cust839.sol2.cable.ntl.com ([86.20.31.72]) by aamtaout04-winn.ispmail.ntl.com with ESMTP id <20070723160225.ZWQR29112.aamtaout04-winn.ispmail.ntl.com@cpc1-cove3-0-0-cust839.sol2.cable.ntl.com> for ; Mon, 23 Jul 2007 17:02:25 +0100 Received: from gamma.private.lan (gamma.private.lan [192.168.0.12]) by cpc1-cove3-0-0-cust839.sol2.cable.ntl.com (8.13.8/8.13.8) with ESMTP id l6NG2LsA029023; Mon, 23 Jul 2007 17:02:21 +0100 (BST) (envelope-from ianjhart@ntlworld.com) From: ian j hart To: freebsd-stable@freebsd.org Date: Mon, 23 Jul 2007 17:02:21 +0100 User-Agent: KMail/1.9.7 References: In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200707231702.21413.ianjhart@ntlworld.com> X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED autolearn=failed version=3.2.1 X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on cpc1-cove3-0-0-cust839.sol2.cable.ntl.com Cc: Pete French Subject: Re: ntpd on a NAT gateway seems to do nothing X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jul 2007 16:13:20 -0000 On Monday 23 July 2007 13:50:09 Pete French wrote: > Just following the similarly names thread with a bit of interest and I > decided to check my own ntp setup and, to my surprise, discovered I also > have a machine which does nothing. What is more surprising to me is that it > has the same config as a number of other machines, all of which work. > > We have a segment of network which is behind a NAT, and there is a BSD box > running 'pf' actiing as the NAT gateway. Running ntpd on the actual > NAT box does not work, but running it on the clients the far side of > the NAT does, or on clients the live side of the NAT. I should probably > exolain that the NAT goes onto another network which is also natted, though > that NAT is out of my control. > > The ntp.conf file looks like this on all machines: > > disable auth > enable ntp > driftfile /etc/ntp.drift > server 10.17.19.0 > server 195.40.0.250 > server 158.43.128.33 > server 158.43.128.66 > server 158.43.192.66 > > The time servers there are for easynet, pipex and an internal machine at > a remote location. ntpdate on the machine can query all the hosts fine, > but ntpdc -p gives: > > remote local st poll reach delay offset disp > ======================================================================= > =valliere.ns.eas 172.16.1.8 16 64 0 0.00000 0.000000 0.00000 > =turpentine.ratt 172.16.1.8 3 128 7 0.01451 -0.007633 1.93823 > =ntp2.pipex.net 172.16.1.8 16 64 0 0.00000 0.000000 0.00000 > =ntp0.pipex.net 172.16.1.8 16 64 0 0.00000 0.000000 0.00000 > =ntp1.pipex.net 172.16.1.8 16 64 0 0.00000 0.000000 0.00000 > > As you can see, it can only reach the internal machine. On other machines > behind the NAT it looks like this: > > remote local st poll reach delay offset disp > ======================================================================= > =valliere.ns.eas 10.50.50.2 2 256 377 0.00577 -0.004396 0.01192 > =turpentine.ratt 10.50.50.2 3 256 377 0.01534 -0.004566 0.00482 > *ntp2.pipex.net 10.50.50.2 2 256 377 0.00635 -0.004052 0.00899 > =ntp0.pipex.net 10.50.50.2 2 256 377 0.00729 -0.002443 0.01395 > =ntp1.pipex.net 10.50.50.2 2 256 377 0.00768 -0.002426 0.00951 > > But those connections are flowing through the NAT box oon which ntpd > is not connecting! > > Any suggestions ? I assume it has something to do with the NAT, but I am > not sure what. All other TCP connections out from that machine to > external systems work fine, so it is not as if outbound connections from > there are not working at all. > > -pcf. > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" It's deja-vu all over again. I found my works NTP service was broken on Friday, just after I started my holiday. Packets were going out but nothing was coming back. I'm using IPFW and ipnat, which I believe is somewhat unusual. Ipnat is there to 'fix' the source IP. Don't ask! Checking the logs it appears that this broke after I updated from 6.2-RELEASE-p1 to 6.2-RELEASE-p5. I found this in messages. May 30 17:25:31 firewall ntpd[825]: ntpd 4.2.0-a Tue May 29 20:59:19 BST 2007 (1) May 30 17:27:31 firewall ntpd[825]: too many recvbufs allocated (40) ntpq -p would report No Association ID's (from memory) Anyway; I just did a cleandir x2, rebuild and update to p6, and it's working again. Might be worth a try. -- ian j hart