# NTP is not working



## joebobfrank (Aug 24, 2016)

I have configured ntp.conf to have four servers to synchronize with. When I run 


```
# ntpq -pn

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 36.105.58.17    .INIT.          16 u    -   64    0    0.000    0.000   0.000
```

it is only showing one server and it is not even in sync with the one server that is listed.

vi /etc/ntp.conf

```
server time-a.nist.gov iburst
server time-b.nist.gov iburst
server time-c.nist.gov iburst


driftfile /var/db/ntp.drift

restrict default ignore

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
```

I have followed chapter 28 in the FreeBSD handbook precisely.
I am running FreeBSD 10.3.


----------



## Murph (Aug 24, 2016)

The problem with time not syncing is due to `restrict default ignore`, causing all remote packets to be dropped by the daemon (including those replying to configured servers, unless you add additional restricts to allow the configured servers).

I have no idea where 36.105.58.17 is coming from; it's a random address in China which seems entirely unrelated to your config. Are you actually in China? If so, it could be that your DNS queries are being attacked by an ISP or the government to give false results.

I recommend the following config (but not for clients in China, as there is a known lack of NTP pool servers there):

```
pool 0.freebsd.pool.ntp.org iburst preempt
pool 1.freebsd.pool.ntp.org iburst preempt
pool 2.freebsd.pool.ntp.org iburst preempt
pool 3.freebsd.pool.ntp.org iburst preempt

restrict default ignore
restrict source nomodify noquery notrap
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
```

The FreeBSD default `/etc/ntp.conf` uses an obsolete method for configuring pool servers, which can be problematic. The above is the current best config for it. `restrict source` is a relatively new feature which matches all configured servers, including dynamic pool servers. There's no need to specify `driftfile`, as that is managed by `/etc/rc.d/ntpd` (via `ntpd_flags`).

The NIST servers can be a bit overloaded at times, so the pool can often produce better results.  They can also be a very poor choice for a client outside the USA due to the large and unstable latency.

You might alternatively want to use your ISP's NTP servers, if they have them, e.g.:

```
server ntp0.example.net iburst
server ntp1.example.net iburst
server ntp2.example.net iburst

restrict default ignore
restrict source nomodify noquery notrap
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
```
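
The interaction described in this post between `restrict default ignore` and the configured time sources can be checked mechanically. The script below is an added example, not part of any post in this thread; the function name `ntp_restrict_check` is hypothetical, the sample configuration is constructed from the first post, and it assumes a per-server exemption uses the same name as the `server` line (address masks are not evaluated).

```shell
#!/bin/sh
# Added example: flag ntp.conf files where "restrict default ignore" would
# also drop replies from the configured time sources.
# Assumption: a per-server exemption uses the same name or address string as
# the server line. "pool" entries can only be exempted by "restrict source",
# because their addresses are chosen at run time.
ntp_restrict_check() {
    awk '
    { sub(/#.*/, "") }                      # strip comments
    $1 == "server" || $1 == "pool" { kind[$2] = $1; next }
    $1 == "restrict" {
        i = 2
        if ($i == "-4" || $i == "-6") i++   # optional address-family flag
        target = $i; ignore = 0
        for (j = i + 1; j <= NF; j++) if ($j == "ignore") ignore = 1
        if (target == "default") { if (ignore) default_ignore = 1 }
        else if (target == "source") { if (!ignore) source_ok = 1 }
        else if (!ignore) allowed[target] = 1
    }
    END {
        # Nothing to report unless the default drops everything and no
        # "restrict source" line re-admits the configured servers.
        if (!default_ignore || source_ok) exit 0
        for (s in kind)
            if (kind[s] == "pool" || !(s in allowed)) {
                printf "replies from %s %s will be ignored\n", kind[s], s
                bad = 1
            }
        exit bad + 0
    }' "$1"
}

# Constructed sample input: the configuration from the first post.
conf=$(mktemp)
cat > "$conf" <<'EOF'
server time-a.nist.gov iburst
server time-b.nist.gov iburst
server time-c.nist.gov iburst
restrict default ignore
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
EOF
ntp_restrict_check "$conf" ||
    echo "fix: add 'restrict source nomodify noquery notrap'"
rm -f "$conf"
```

The function returns non-zero and names each affected source when the default restriction would drop its replies, so it can gate a configuration deployment.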


----------



## abishai (Aug 24, 2016)

Consider net/openntpd if you need just a time sync daemon without additional functionality.


----------



## joebobfrank (Sep 7, 2016)

Murph,

NTP is working now, Murph. The line


```
restrict default ignore
```

was causing the problem. You have provided a lot of good information in your post.


----------

