RaspberryNtpServer

Chrony not responding to requests upon port forwarding

Open michaelschefczyk opened this issue 1 year ago • 1 comments

Thank you very much for providing this setup! I have been running two Raspberry Pi 4 NTP servers for a long time. When upgrading to Raspberry Pi 5, I did switch to Chrony. This does provide stratum 1 time in a reliable manner.

The time server works well in my LAN and even across LANs via VPN.

What strikes me very odd is that I cannot get the Raspberry Pi 5 running the native Chrony version included with Debian Bookworm to respond externally, when forwarding port 123/UDP via my pfSense router.

Running ntpdate -q [IP of Raspberry Pi NTP server] does work without any issues in the LAN and via VPN. When forwarding 123/UDP from WAN to the Raspberry Pi NTP server, it does time out ("no server suitable for synchronization found"). When forwarding 123/UDP to the pfSense router itself (localhost), which does get its time from the Raspberry Pi NTP server, everything is fine - except for stratum being 2 instead of 1. When forwarding the 123/UDP to the most trivial device within the LAN providing NTP (for example a homematic IP CCU3 - which has a Raspberry Pi 3 inside), everything does work (stratum 3). Thus, it does not seem to be a router/pfSense issue.

My chrony.conf does include allow and cmdallow (tried with and without "all").

Do others make the same observation? Are there any recommendations to cure this? Thanks a lot!

michaelschefczyk, May 05 '24 16:05

What you've done looks good to me. My best guesses for why this doesn't work are:

  • When you try from an external computer via pfSense, are you in a different IP network compared to your other trials? That would hint at an allow problem. What did you configure for allow?
  • Any issue with pfSense. Since pfSense (which I haven't used) seems to support its own NTP server, are you sure there isn't a conflict somewhere?

Other than that:

Maybe you just give in, and allow pfsense's NTP server to forward the client requests? While that gives you a stratum-2, one could debate, if forwarding via an application firewall actually keeps stratum-level at 1?

domschl, May 06 '24 05:05

Thank you very much, again. I did find out that it is not a pfSense issue, but a chrony issue.

The relevant setup in chrony.conf is:

    allow
    cmdallow 192.168/16

I did install good old ntp and then, the external access did work. What did not work then was the PPS-based clock - maybe because I did not adjust the offset in ntp. The strange thing was that after switching back to chrony, everything started working (stratum 1 clock & external access). The only thing I do dislike somewhat is that I did not find out why all of this did happen in the first place. I only know that two Pi5 computers in two different locations (but with the same setup) did perform alike.

michaelschefczyk, May 12 '24 10:05
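An added example (not code from this thread or from the RaspberryNtpServer project): a small NTP probe that does what the `ntpdate -q` tests above do, but reports a timeout separately from a reply and shows the stratum and reference ID of whichever server actually answered behind the port forward. The function names are hypothetical; only the Python standard library is used.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def build_request(version=4):
    """48-byte client request: LI=0, VN=version, Mode=3 (client)."""
    return bytes([(version << 3) | 3]) + bytes(47)

def parse_response(data):
    """Decode the header fields needed to judge a reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    flags, stratum = struct.unpack("!BB", data[:2])
    mode = flags & 0x7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    # Stratum 0 (kiss-o'-death) and stratum 1 carry an ASCII tag such as PPS;
    # stratum >= 2 carries the upstream IPv4 address (a hash for IPv6 upstreams).
    if stratum <= 1:
        ref = data[12:16].rstrip(b"\0").decode("ascii", "replace")
    else:
        ref = socket.inet_ntoa(data[12:16])
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "stratum": stratum,
        "refid": ref,
        "unix_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }

def probe(host, port=123, timeout=3.0):
    """Return the parsed reply, or None when the request times out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (host, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        r = probe(target)
        print(target, "no reply (timeout)" if r is None else r)
```

Run it once against the LAN address and once against the WAN address from outside: a `None` on the WAN side with a stratum 1 reply on the LAN side means the request or the reply is being dropped between the forward and chronyd, while a stratum 2 reply means the router's own NTP service answered.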