Question

freebsd ntp cant connect to time server

Posted August 3, 2015 6k views
Networking IPv6 FreeBSD

I think the problem is ipv6 related.

Aug 3 23:42:26 theranch ntpd[720]: ntpd 4.2.4p5-a (1)
Aug 3 23:42:26 theranch ntpd[721]: bind() fd 22, family AFINET6, port 123, scope 1, addr fe80::601:50ff:fe62:dd01, mcast=0 flags=0x11 fails: Can’t assign requested address
Aug 3 23:42:26 theranch ntpd[721]: unable to create socket on vtnet0 (2) for fe80::601:50ff:fe62:dd01#123
Aug 3 23:42:27 theranch kernel: pid 747 (sshguard), uid 0: exited on signal 10 (core dumped)
Aug 3 23:42:27 theranch ntpd[721]: bind() fd 27, family AFINET6, port 123, scope 1, addr fe80::601:50ff:fe62:dd01, mcast=0 flags=0x11 fails: Can’t assign requested address
Aug 3 23:42:27 theranch ntpd[721]: unable to create socket on vtnet0 (7) for fe80::601:50ff:fe62:dd01#123

Add a comment
gc948486cbc56b8
By:
gc948486cbc56b8
Add a comment
2 comments
  • lordgordon August 4, 2015
    Reply Report

    NTP is working fine on my FreeBSD droplet.

    Could you post your /etc/ntp.conf?
    What is the output of ntpq -p?
    Do you have a firewall running?

  • gc948486cbc56b8 August 4, 2015
    Reply Report

    Well this is weird. My reply didn’t show up. Here we go again.

    It looks like I am connected. The UK server doesn’t make much sense for San Francisco use, but that is something to change later.

    ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter

    ==============================================================================
    +ntp1.adacor.com 130.133.1.10 2 u 826 1024 377 168.683 -3.409 6.231
    +log1.nierle.com 235.106.237.243 3 u 558 1024 377 160.756 1.594 1.845
    *ns0.luns.net.uk 33.117.170.50 2 u 556 1024 377 142.496 1.270 0.168

    I added the “-4”, but otherwise stock.

    cat ntp.conf

    $FreeBSD: releng/10.1/etc/ntp.conf 259974 2013-12-27 23:09:40Z delphij $

    Default NTP servers for the FreeBSD operating system.

    Don’t forget to enable ntpd in /etc/rc.conf with:

    ntpd_enable=“YES”

    The driftfile is by default /var/db/ntpd.drift, check

    /etc/defaults/rc.conf on how to change the location.

    The following three servers will give you a random set of three

    NTP servers geographically close to you.

    See http://www.pool.ntp.org/ for details. Note, the pool encourages

    users with a static IP and good upstream NTP servers to add a server

    to the pool. See http://www.pool.ntp.org/join.html if you are interested.

    The option `iburst’ is used for faster initial synchronization.

    server -4 0.freebsd.pool.ntp.org iburst
    server -4 1.freebsd.pool.ntp.org iburst
    server -4 2.freebsd.pool.ntp.org iburst

    server -4 3.freebsd.pool.ntp.org iburst

    If you want to pick yourself which country’s public NTP server

    you want sync against, comment out the above servers, uncomment

    the next ones and replace CC with the country’s abbreviation.

    Make sure that the hostnames resolve to a proper IP address!

    server 0.CC.pool.ntp.org iburst

    server 1.CC.pool.ntp.org iburst

    server 2.CC.pool.ntp.org iburst

    Security:

    By default, only allow time queries and block all other requests

    from unauthenticated clients.

    See http://support.ntp.org/bin/view/Support/AccessRestrictions

    for more information.

    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery

    Alternatively, the following rules would block all unauthorized access.

    restrict default ignore

    restrict -6 default ignore

    In this case, all remote NTP time servers also need to be explicitly

    allowed or they would not be able to exchange time information with

    this server.

    Please note that this example doesn’t work for the servers in

    the pool.ntp.org domain since they return multiple A records.

    restrict 0.pool.ntp.org nomodify nopeer noquery notrap

    restrict 1.pool.ntp.org nomodify nopeer noquery notrap

    restrict 2.pool.ntp.org nomodify nopeer noquery notrap

    The following settings allow unrestricted access from the localhost

    restrict 127.0.0.1
    restrict -6 ::1
    restrict 127.127.1.0

    If a server loses sync with all upstream servers, NTP clients

    no longer follow that server. The local clock can be configured

    to provide a time source when this happens, but it should usually

    be configured on just one server on a network. For more details see

    http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock

    The use of Orphan Mode may be preferable.

    server 127.127.1.0

    fudge 127.127.1.0 stratum 10

    ======================

    FIrewall is ipfw.

    ipfw list

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 deny ip from any to ::1
    00500 deny ip from ::1 to any
    00600 allow ipv6-icmp from :: to ff02::/16
    00700 allow ipv6-icmp from fe80::/10 to fe80::/10
    00800 allow ipv6-icmp from fe80::/10 to ff02::/16
    00900 allow ipv6-icmp from any to any ip6 icmp6types 1
    01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
    01100 check-state
    01200 allow tcp from me to any established
    01300 allow tcp from me to any setup keep-state
    01400 allow udp from me to any keep-state
    01500 allow icmp from me to any keep-state
    01600 allow ipv6-icmp from me to any keep-state
    01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
    01800 allow udp from any 67 to me dst-port 68 in
    01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
    02000 allow udp from fe80::/10 to me dst-port 546 in
    02100 allow icmp from any to any icmptypes 8
    02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
    02300 allow icmp from any to any icmptypes 3,4,11
    02400 allow ipv6-icmp from any to any ip6 icmp6types 3
    02500 allow tcp from any to me dst-port 22
    02600 allow tcp from any to me dst-port 443
    02700 allow tcp from any to me dst-port 80
    02800 allow tcp from any to me dst-port 500
    02900 allow tcp from any to me dst-port 4500
    65000 count ip from any to any
    65100 allow log udp from any to any dst-port 500 keep-state
    65200 allow log udp from any 500 to any keep-state
    65300 allow log udp from any to any dst-port 4500 keep-state
    65400 allow log udp from any 4500 to any keep-state
    65500 deny { tcp or udp } from any to any dst-port 135-139,445 in
    65500 deny { tcp or udp } from any to any dst-port 1026,1027 in
    65500 deny { tcp or udp } from any to any dst-port 1433,1434 in
    65500 deny ip from any to 255.255.255.255
    65500 deny ip from any to 224.0.0.0/24 in
    65500 deny udp from any to any dst-port 520 in
    65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
    65500 deny log logamount 500 ip from any to any
    65535 deny ip from any to any

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

3 answers
gc948486cbc56b8 August 8, 2015

Just bumping my question. The delay due to the spam filter kind of killed the thread. The error messages are still showing up on the “console” and freebsd /var/messages:

Aug 8 22:21:42 theranch ntpd[732]: bind() fd 27, family AF_INET6, port 123, scope 1, addr fe80::601:50ff:fe62:dd01, mcast=0 flags=0x11 fails: Can’t assign requested address
Aug 8 22:21:42 theranch ntpd[732]: unable to create socket on vtnet0 (597) for fe80::601:50ff:fe62:dd01#123

Reply Report
gc948486cbc56b8 October 9, 2015

I switched to openntpd. I couldn’t shake the ipv6 issues with ntpd. Openntpd works fine out of the box.
openntpd tutorial

Reply Report
gc948486cbc56b8 December 2, 2015

Just a FYI. I went to openntp and that works.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help