[ntp:questions] Problem syncing NTP behind NAT

Ken Link klink at numberzero.org
Sat Apr 7 16:53:04 UTC 2012

I did some more testing with a total of four different machines behind
the NAT. Two of them synced in a few seconds, the other two were stuck
in INIT. For the machines that didn't sync, the external server did
not respond at all.

Here are the detailed packet captures of each session, as seen from
the external server. The same tcpdump filter string was used for each
capture, and NTP was running on only one NAT'd machine at a time. The
source IP is the same for each machine behind the NAT, while the
source ports are all different. Sorry for the image links, but this
would have been a LOT of text to paste.

Machine A (works): http://i.imgur.com/a5qL5.png
Machine B (doesn't work): http://i.imgur.com/F8ndL.png
Machine C (doesn't work): http://i.imgur.com/OxIpE.png
Machine D (works): http://i.imgur.com/Bcpfd.png

The restrict config on the external machine is this:

restrict -4 default limited kod notrap nomodify nopeer
restrict -6 default limited kod notrap nomodify nopeer
restrict ::1

The external machine has a pretty basic conf. A drift file, enabling
stats, a couple server/peer/pool machines defined, then those restrict
lines from above. That's it.

Maybe you can see a difference that I can't.


On Thu, Apr 5, 2012 at 10:37 PM, E-Mail Sent to this address will be
added to the BlackLists <Null at blacklist.anitech-systems.invalid>
> On 4/5/2012 7:38 PM, Ken Link wrote:
>> Machine A sees the server response and thanks to iburst quickly
>> syncs to the machine, all good.
>> Now I stop NTP on machine A and start NTP on machine B.
>>  The client request goes out the NAT, and I see the request
>>   coming into the external server with tcpdump.
>>  But, NTP on the external server doesn't respond.
> No message at all, not RATE or KOD?
>  If the external has restrict limited / kod,
>  it may not respond, if KOD is enabled, and limited is not,
>  or it hit the rate limit for KODs.
> Is Auth required by the external ntp?
>>  In fact, the debug from NTP doesn't even have a "receive"
>>   line for the request.
> Does the external server still respond to A, if you restart A?
>> The order I start/stop NTP doesn't make a difference. With both
>> machines running NTP it doesn't make a difference. The external server
>> will always respond to machine A, and never respond to machine B.
> What client source ports through the NAT are seen by the external?
>  IIRC restrict ntpport at the external,
>  will make it only answer clients,
>  that it sees messages coming from port 123;
>   and if the NAT sends from port 123 for machine A,
>   and another port from machine B, ...
>  {You should be able to see this at the external's wireshark.}
> --
> E-Mail Sent to this address <BlackList at Anitech-Systems.com>
>  will be added to the BlackLists.
> _______________________________________________
> questions mailing list
> questions at lists.ntp.org
> http://lists.ntp.org/listinfo/questions
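The comparison above pairs each NAT'd client's requests with the server's replies, per source port, by eye from tcpdump screenshots. The script below is an added example, not part of this thread, that does the same pairing over tcpdump's text output (it assumes the default `tcpdump -n` NTP summary line without `-v`; the capture lines and addresses are constructed):

```python
import re
from collections import defaultdict

# Assumed tcpdump line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: NTPv<n>, <Mode>, length 48"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): NTPv(?P<ver>\d), (?P<mode>\w+)"
)

def pair_ntp_sessions(lines, server_ip):
    """Group NTP traffic by client (ip, source port) as seen at the server and
    count client requests vs. server replies for each endpoint.
    Returns {(client_ip, client_port): (requests, replies)}."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-NTP or unparsable line
        src, sport, dst, dport, mode = m.group("src", "sport", "dst", "dport", "mode")
        if dst == server_ip and mode == "Client":
            stats[(src, int(sport))][0] += 1
        elif src == server_ip and mode == "Server":
            stats[(dst, int(dport))][1] += 1
    return {k: tuple(v) for k, v in stats.items()}

def unanswered(stats):
    """Client endpoints that sent requests but never got a reply."""
    return sorted(k for k, (req, rep) in stats.items() if req and not rep)

# Constructed sample capture: one NAT address, two different client source ports.
SAMPLE = """\
16:40:01.100000 IP 203.0.113.5.40123 > 198.51.100.7.123: NTPv4, Client, length 48
16:40:01.100500 IP 198.51.100.7.123 > 203.0.113.5.40123: NTPv4, Server, length 48
16:40:03.100000 IP 203.0.113.5.40123 > 198.51.100.7.123: NTPv4, Client, length 48
16:40:03.100500 IP 198.51.100.7.123 > 203.0.113.5.40123: NTPv4, Server, length 48
16:41:10.200000 IP 203.0.113.5.51877 > 198.51.100.7.123: NTPv4, Client, length 48
16:41:12.200000 IP 203.0.113.5.51877 > 198.51.100.7.123: NTPv4, Client, length 48
16:41:14.200000 IP 203.0.113.5.51877 > 198.51.100.7.123: NTPv4, Client, length 48
""".splitlines()

if __name__ == "__main__":
    stats = pair_ntp_sessions(SAMPLE, "198.51.100.7")
    for (ip, port), (req, rep) in sorted(stats.items()):
        print(f"{ip}:{port}  requests={req} replies={rep}")
    print("unanswered:", unanswered(stats))
```

Feed it a real capture with `tcpdump -n -l udp port 123 | python3 script.py`-style piping (reading stdin instead of SAMPLE) to get the per-port request/reply table directly rather than from screenshots.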
