I did some more testing with a total of four different machines behind the NAT. Two of them synced in a few seconds, the other two were stuck in INIT. For the machines that didn't sync, the external server did not respond at all.
Here are the detailed packet captures of each session, as seen from the external server. The same tcpdump filter string was used for each capture, and NTP was running on only one NAT'd machine at a time. The source IP is the same for each machine behind the NAT, while the source ports are all different. Sorry for the image links, but this would have been a LOT of text to paste.

Machine A (works): http://i.imgur.com/a5qL5.png
Machine B (doesn't work): http://i.imgur.com/F8ndL.png
Machine C (doesn't work): http://i.imgur.com/OxIpE.png
Machine D (works): http://i.imgur.com/Bcpfd.png

The restrict config on the external machine is this:

restrict -4 default limited kod notrap nomodify nopeer
restrict -6 default limited kod notrap nomodify nopeer
restrict 127.0.0.1
restrict ::1

The external machine has a pretty basic conf. A drift file, enabling stats, a couple server/peer/pool machines defined, then those restrict lines from above. That's it. Maybe you can see a difference that I can't.

Ken

On Thu, Apr 5, 2012 at 10:37 PM, E-Mail Sent to this address will be added to the BlackLists <[email protected]> wrote:
> On 4/5/2012 7:38 PM, Ken Link wrote:
>> Machine A sees the server response and thanks to iburst quickly
>> syncs to the machine, all good.
>>
>> Now I stop NTP on machine A and start NTP on machine B.
>> The client request goes out the NAT, and I see the request
>> coming into the external server with tcpdump.
>> But, NTP on the external server doesn't respond.
>
> No message at all, not RATE or KOD?
>
> If the external has restrict limited / kod,
> it may not respond, if KOD is enabled, and limited is not,
> or it hit the rate limit for KODs.
>
>
> Is Auth required by the external ntp?
>
>
>> In fact, the debug from NTP doesn't even have a "receive"
>> line for the request.
>
> Does the external server still respond to A, if you restart A?
>
>
>> The order I start/stop NTP doesn't make a difference. With both
>> machines running NTP it doesn't make a difference. The external server
>> will always respond to machine A, and never respond to machine B.
>
> What client source ports through the NAT are seen by the external?
>
> IIRC restrict ntpport at the external,
> will make it only answer clients,
> that it sees messages coming from port 123;
> and if the NAT sends from port 123 for machine A,
> and another port from machine B, ...
> {You should be able to see this at the external's wireshark.}
>
> --
> E-Mail Sent to this address <[email protected]>
> will be added to the BlackLists.
>
> _______________________________________________
> questions mailing list
> [email protected]
> http://lists.ntp.org/listinfo/questions
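The thread turns on two things that have to be read together: which NAT'd source port each request arrived from, and what the server's restrict flags do with that port. The script below is an added example, not something from this thread or from the ntp project; it pairs NTP client requests with server responses in tcpdump's default text output, grouped by (client IP, source port), and reads the default restrict flags out of an ntp.conf fragment so that an unanswered flow can be checked against the ntpport / limited / kod points raised in the reply. The capture lines and the addresses 203.0.113.5 and 198.51.100.7 are constructed sample data; the real captures in the thread were posted as images, so nothing here is taken from them.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default NTP output format (not the thread's captures).
# 198.51.100.7 plays the external server; 203.0.113.5 is the NAT's public address.
# Port 123 flow gets answered, port 51234 flow gets no reply at all.
SAMPLE_CAPTURE = """\
22:10:01.000100 IP 203.0.113.5.123 > 198.51.100.7.123: NTPv4, Client, length 48
22:10:01.000400 IP 198.51.100.7.123 > 203.0.113.5.123: NTPv4, Server, length 48
22:10:03.000100 IP 203.0.113.5.123 > 198.51.100.7.123: NTPv4, Client, length 48
22:10:03.000400 IP 198.51.100.7.123 > 203.0.113.5.123: NTPv4, Server, length 48
22:11:10.000100 IP 203.0.113.5.51234 > 198.51.100.7.123: NTPv4, Client, length 48
22:11:12.000100 IP 203.0.113.5.51234 > 198.51.100.7.123: NTPv4, Client, length 48
22:11:14.000100 IP 203.0.113.5.51234 > 198.51.100.7.123: NTPv4, Client, length 48
"""

# Same restrict lines as the external server in the thread.
SAMPLE_CONF = """\
restrict -4 default limited kod notrap nomodify nopeer
restrict -6 default limited kod notrap nomodify nopeer
restrict 127.0.0.1
restrict ::1
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: NTPv4, <Client|Server>, length N"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"NTPv\d, (?P<mode>\w+)"
)


def summarize_flows(capture: str, server_ip: str) -> dict:
    """Count client requests and server responses per (client IP, client port)."""
    flows = defaultdict(lambda: {"requests": 0, "responses": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["dst"] == server_ip and m["mode"] == "Client":
            flows[(m["src"], int(m["sport"]))]["requests"] += 1
        elif m["src"] == server_ip and m["mode"] == "Server":
            flows[(m["dst"], int(m["dport"]))]["responses"] += 1
    return dict(flows)


def parse_restrict_flags(conf: str) -> set:
    """Collect the flags on the 'restrict [-4|-6] default ...' lines of an ntp.conf."""
    flags = set()
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "restrict" and "default" in parts[1:3]:
            flags.update(parts[parts.index("default") + 1:])
    return flags


def diagnose(flows: dict, restrict_flags: set) -> dict:
    """Label each flow; unanswered flows are checked against the restrict flags."""
    report = {}
    for (ip, port), counts in sorted(flows.items()):
        if counts["responses"] > 0:
            report[(ip, port)] = "answered"
        elif "ntpport" in restrict_flags and port != 123:
            # ntpport makes the restrict entry match only packets from UDP port 123,
            # so a NAT'd client rewritten to another port never matches it.
            report[(ip, port)] = "unanswered: source port is not 123, ntpport restrict excludes it"
        elif {"limited", "kod"} <= restrict_flags:
            # With limited+kod a rate-limited client should see a RATE KoD; total
            # silence is still possible because KoD replies are rate limited too.
            report[(ip, port)] = "unanswered: no RATE KoD seen either (KoDs are themselves rate limited)"
        else:
            report[(ip, port)] = "unanswered"
    return report


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_CAPTURE, "198.51.100.7")
    flags = parse_restrict_flags(SAMPLE_CONF)
    for key, status in diagnose(flows, flags).items():
        print(f"{key[0]}:{key[1]} req={flows[key]['requests']} "
              f"resp={flows[key]['responses']} -> {status}")
```

Run against a real capture, feed it the output of the same tcpdump filter the thread used (tcpdump's default NTP decode is what the regex expects) and the server's actual restrict lines; the per-port view is the quickest way to confirm whether the NAT is rewriting some clients to non-123 source ports, which is exactly what the reply asks about.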
