From owner-freebsd-stable@FreeBSD.ORG Mon Jul 23 12:50:10 2007
From: Pete French
To: freebsd-stable@freebsd.org
Date: Mon, 23 Jul 2007 13:50:09 +0100
Subject: ntpd on a NAT gateway seems to do nothing

Just following the similarly named thread with a bit of interest, I decided to check my own ntp setup and, to my surprise, discovered I also have a machine which does nothing. What is more surprising to me is that it has the same config as a number of other machines, all of which work.

We have a segment of network which is behind a NAT, and there is a BSD box running 'pf' acting as the NAT gateway. Running ntpd on the actual NAT box does not work, but running it on the clients the far side of the NAT does, or on clients the live side of the NAT.

I should probably explain that the NAT goes onto another network which is also natted, though that NAT is out of my control.

The ntp.conf file looks like this on all machines:

disable auth
enable ntp
driftfile /etc/ntp.drift
server 10.17.19.0
server 195.40.0.250
server 158.43.128.33
server 158.43.128.66
server 158.43.192.66

The time servers there are for easynet, pipex and an internal machine at a remote location. ntpdate on the machine can query all the hosts fine, but ntpdc -p gives:

     remote           local      st poll reach  delay   offset    disp
=======================================================================
=valliere.ns.eas 172.16.1.8      16   64    0 0.00000  0.000000 0.00000
=turpentine.ratt 172.16.1.8       3  128    7 0.01451 -0.007633 1.93823
=ntp2.pipex.net  172.16.1.8      16   64    0 0.00000  0.000000 0.00000
=ntp0.pipex.net  172.16.1.8      16   64    0 0.00000  0.000000 0.00000
=ntp1.pipex.net  172.16.1.8      16   64    0 0.00000  0.000000 0.00000

As you can see, it can only reach the internal machine. On other machines behind the NAT it looks like this:

     remote           local      st poll reach  delay   offset    disp
=======================================================================
=valliere.ns.eas 10.50.50.2       2  256  377 0.00577 -0.004396 0.01192
=turpentine.ratt 10.50.50.2       3  256  377 0.01534 -0.004566 0.00482
*ntp2.pipex.net  10.50.50.2       2  256  377 0.00635 -0.004052 0.00899
=ntp0.pipex.net  10.50.50.2       2  256  377 0.00729 -0.002443 0.01395
=ntp1.pipex.net  10.50.50.2       2  256  377 0.00768 -0.002426 0.00951

But those connections are flowing through the NAT box on which ntpd is not connecting! Any suggestions? I assume it has something to do with the NAT, but I am not sure what. All other TCP connections out from that machine to external systems work fine, so it is not as if outbound connections from there are not working at all.

-pcf.
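An added example (not part of Pete's message or of ntpd itself) that parses `ntpdc -p` listings like the two quoted above and decodes the octal reach register, so peers that never answer can be flagged in a monitoring check; the sample listings are constructed from the post's output, and the function names are the example's own.

```python
import re
from typing import NamedTuple

# Constructed samples in the shape of the two `ntpdc -p` listings from the post:
# the gateway (local 172.16.1.8) with reach 0 for every external peer, and one
# client behind the NAT (local 10.50.50.2) that syncs normally.
GATEWAY = """\
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=valliere.ns.eas 172.16.1.8      16   64    0 0.00000  0.000000 0.00000
=turpentine.ratt 172.16.1.8       3  128    7 0.01451 -0.007633 1.93823
=ntp2.pipex.net  172.16.1.8      16   64    0 0.00000  0.000000 0.00000
"""
CLIENT = """\
=turpentine.ratt 10.50.50.2       3  256  377 0.01534 -0.004566 0.00482
*ntp2.pipex.net  10.50.50.2       2  256  377 0.00635 -0.004052 0.00899
"""

class Peer(NamedTuple):
    tally: str     # '*' = system peer, '+' = candidate, '=' = polled but not selected
    remote: str
    local: str     # source address ntpd used for this association
    stratum: int   # 16 means unsynchronised / the peer never answered
    reach: int     # 8-bit shift register of the last 8 polls, printed in octal

PEER_RE = re.compile(
    r"^([*+=#x.o\- ])(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+([0-7]+)\s+\S+\s+\S+\s+\S+\s*$")

def parse_peers(text: str) -> list:
    """Return one Peer per association line; header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            tally, remote, local, st, _poll, reach = m.groups()
            peers.append(Peer(tally, remote, local, int(st), int(reach, 8)))
    return peers

def recent_successes(reach: int) -> int:
    """Consecutive successful polls ending with the newest (bit 0): 0o377 -> 8, 0o7 -> 3."""
    n = 0
    while reach & 1:
        n, reach = n + 1, reach >> 1
    return n

def unreachable_peers(text: str) -> list:
    """Peers that answered none of the last 8 polls, as (remote, local) pairs so a
    source address that differs from the working hosts stands out in the report."""
    return [(p.remote, p.local) for p in parse_peers(text) if p.reach == 0]
```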