What is an ntp listen-address?

Hi,

I have gone through this link and wanted to clarify if my understanding below of ntp listen-address and ntp allow-client address is correct.

  • The listen-address is the interface listening for client’s ntp request

  • The allow-client is the allowed addresses that can send ntp request to the listen-address interface

Is my understanding above correct?

Thank You

Welcome!

Your understanding is correct. Requests from allow-clients are not ignored/blocked.

To add…

The NTP config has two parts.

As NTP-client regarding which NTP-servers to sync the local clock against.

As NTP-server regarding which clients can query your VyOS box to be used as a NTP-server so they can sync their clock against the VyOS box clock.

The listen-address and allow-client is regarding the NTP-server config.

Thanks @vyozzy and @Apachez

@vyozzy when you say

Requests from allow-clients are not ignored/blocked.

I understand that if clients are not explicitly allowed they are ignored/blocked, is that the case?

Yes.

However, if you don't set any allow-clients at all then all will be allowed (as I recall it).

So:

No allow-clients set: All clients are allowed.

allow-clients set: Only clients defined by allow-clients will be able to query the local NTP-server (in VyOS). Source IP addresses not part of allow-clients will be dropped.

Thanks @Apachez

It's clear now…

Some more clarification.

The link shared above says:

NTP process will only listen on the specified IP address. You must specify the address and optionally the permitted clients.

Is this the correct way to implement?

set service ntp listen-address 192.168.9.25
set service ntp allow-client address 10.11.30.0/24
set service ntp allow-client address 10.11.35.0/24

Yeah,

You would also need to define which upstream NTP-server(s) you wish to sync your local VyOS clock against.

But in the example you gave, you tell the NTP service that it will only listen at 192.168.9.25 (which is one of your configured interfaces) and only reply to queries from NTP-clients with srcip 10.11.30.0/24 or 10.11.35.0/24.

Thanks @Apachez

Understood on the upstream NTP Server, will be adding that.

And yes I have set it that way, only listen on 192.168.9.25 and only respond to 10.11.30.0/24 and 10.11.35.0/24.

Hi,

Any way to check activity on NTP interfaces? I have a Windows AD DC which uses VyOS’s interface as its time source, but am seeing the below error in dcdiag:

Event String: Time Provider NtpClient: No valid response has been received from manually configured peer 192.168.30.11,0x8 after 8 attempts to contact it.

Configured NTP as below:

set service ntp server 0.ie.pool.ntp.org
set service ntp server 1.ie.pool.ntp.org
set service ntp listen-address 192.168.9.15 <--- Is a vif
set service ntp allow-client address 192.168.9.0/24
set service ntp allow-client address 192.168.30.0/24

The AD DC server IP is 192.168.30.15

I can see the below for NTP in VyOS.

vyos@dc-gcc-edg-rtr1:~$ show ntp activity
200 OK <---
5 sources online
0 sources offline
0 sources doing burst (return to online)
0 sources doing burst (return to offline)
0 sources with unknown address
vyos@dc-gcc-edg-rtr1:~$ sudo netstat -tulpn | grep 123
udp        0      0 192.168.9.15:123        0.0.0.0:*                           4211/chronyd
udp6       0      0 :::123                  :::*                                4211/chronyd
vyos@dc-gcc-edg-rtr1:~$ show ntp
.- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |           /         .- Est. offset.
                           |   |   |     |          |          |   On the -.
                           |   |   |     |          |          |   samples. \
                           |   |   |     |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
time.cloudflare.com        27  18   53m     -0.029      0.350  +1116us   432us
brenbox.westnet.ie         26  18   49m     +0.096      0.455   -443us   525us
ec2-34-206-168-146.compu>  24  13   49m     +0.705      0.681  +4132us   708us
ec2-18-193-41-138.eu-cen>  23  15   52m     +0.085      0.868  -1844us  1026us
ec2-122-248-201-177.ap-s>  25  16   52m     -3.082      6.440    -47ms  7391us
vyos@dc-gcc-edg-rtr1:~$ monitor log ntp
Oct 20 04:52:53 systemd[1]: Started chrony.service - chrony, an NTP client/server.
Oct 20 04:52:58 chronyd[4211]: Selected source 162.159.200.1 (0.ie.pool.ntp.org)
Oct 20 04:52:58 chronyd[4211]: System clock wrong by -3352.769636 seconds
Oct 20 03:57:06 chronyd[4211]: System clock was stepped by -3352.769636 seconds
Oct 20 03:57:06 chronyd[4211]: System clock TAI offset set to 37 seconds
Oct 20 03:58:12 chronyd[4211]: Selected source 88.81.100.130 (1.ie.pool.ntp.org)
Oct 20 04:03:39 chronyd[4211]: Received KoD RATE from 34.206.168.146
Oct 20 04:10:01 chronyd[4211]: Received KoD RATE from 18.193.41.138
Oct 20 04:18:37 chronyd[4211]: Received KoD RATE from 18.193.41.138
Oct 20 04:58:30 chronyd[4211]: Received KoD RATE from 18.193.41.138

Ran the below to monitor the interface for the AD DC, and it's showing ntp is unreachable, not sure why?

vyos@dc-gcc-edg-rtr1:~$ monitor traffic interface eth2
05:33:02.299840 IP 192.168.30.15.ntp > 192.168.30.11.ntp: NTPv3, Client, length 48
05:33:02.299875 IP 192.168.30.11 > 192.168.30.15: ICMP 192.168.30.11 udp port ntp unreachable, length 84
05:33:02.314907 IP 192.168.30.15.ntp > 51.145.123.29.ntp: NTPv3, Client, length 48
05:33:02.338587 IP 51.145.123.29.ntp > 192.168.30.15.ntp: NTPv3, Server, length 48

Anything else I can check?

Your Windows box tries to connect to 192.168.30.11 for NTP.

Your NTP-server at VyOS listens at 192.168.9.15.

You do the math…
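One way to make the listen-address / allow-client semantics from the earlier replies and the "port unreachable" capture above concrete, as an added example that is not from this thread or from VyOS itself: the script models the two checks (the destination must be a configured listen-address; the source must fall in an allow-client prefix unless none is set) and runs them over constructed tcpdump-style lines built from the addresses quoted in the thread.

```python
# Added example (not from the thread or from VyOS): model the listen-address /
# allow-client rules and check captured NTP client requests against them.
# Addresses and capture lines below are constructed from the thread's values.
import ipaddress
import re

# Constructed config, mirroring the thread: one listen-address, two allow-client prefixes.
LISTEN_ADDRESSES = {"192.168.9.15"}
ALLOW_CLIENTS = ["192.168.9.0/24", "192.168.30.0/24"]

# Matches "monitor traffic" / tcpdump lines of the form "IP src.ntp > dst.ntp: NTPvN, Client".
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.ntp > (\d+\.\d+\.\d+\.\d+)\.ntp: NTPv\d, Client")

def client_allowed(src, allow_clients):
    """No allow-client configured means everyone is allowed; otherwise src must match a prefix."""
    if not allow_clients:
        return True
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(prefix) for prefix in allow_clients)

def classify_request(src, dst, listen_addresses, allow_clients):
    """Explain whether the VyOS NTP server would answer a request from src sent to dst."""
    if dst not in listen_addresses:
        return "unreachable: %s is not an NTP listen-address" % dst
    if not client_allowed(src, allow_clients):
        return "dropped: %s matches no allow-client prefix" % src
    return "answered"

def check_capture(lines, listen_addresses, allow_clients):
    """Return (src, dst, verdict) for every NTP client request found in the capture lines."""
    results = []
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            src, dst = m.groups()
            results.append((src, dst, classify_request(src, dst, listen_addresses, allow_clients)))
    return results

# Constructed sample capture: the failing request and the later working exchange.
SAMPLE_CAPTURE = [
    "05:33:02.299840 IP 192.168.30.15.ntp > 192.168.30.11.ntp: NTPv3, Client, length 48",
    "15:21:03.599724 IP 192.168.30.15.ntp > 192.168.9.15.ntp: NTPv3, Client, length 48",
    "15:21:03.599830 IP 192.168.9.15.ntp > 192.168.30.15.ntp: NTPv3, Server, length 48",
]

if __name__ == "__main__":
    for src, dst, verdict in check_capture(SAMPLE_CAPTURE, LISTEN_ADDRESSES, ALLOW_CLIENTS):
        print(src, "->", dst, ":", verdict)
```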

Thanks again @Apachez

I seem to have confused myself with the below

VyOS listens at 192.168.9.15 then distributes NTP to interfaces of client addresses

Thanks again, it's now working as expected…

15:21:03.599724 IP 192.168.30.15.ntp > 192.168.9.15.ntp: NTPv3, Client, length 48
15:21:03.599830 IP 192.168.9.15.ntp > 192.168.30.15.ntp: NTPv3, Server, length 48
