# NTP Broadcast not being accepted in FreeBSD 12.1



## Rabbeleet (Aug 17, 2020)

Hi

At work we send NTP from one network to another network through a one-way-filter.
Due to safety, the networks must be separated.
In order to get the NTP through the one-way-filter, we have been sending broadcast messages, which has been working super while using FreeBSD 9.1 on both ends.

We had to replace the computers and have now installed FreeBSD 12.1 on the new ones.
The FreeBSD 12.1 receives the NTP-packages, but does not accept them and I can't figure out why it won't. (Used Wireshark to see that the package actually came through.)

On a fresh start of the ntpd service, I see that the client tries to send a message back to the broadcast-sender.
I think he does not accept the broadcast-NTP because he does not get a reply.

It works without the one-way-filter.
I use the same config as I did in FreeBSD 9.1.

The client only contains this in the ntp.conf:
```
broadcastclient
disable auth
```

Is there a way to force NTP-client to accept the broadcast messages without question?
I do not understand why this does not work when it did on FreeBSD 9.1.

Something in NTP changed?
Security features I can turn off?

I also tried to install FreeBSD 9.1 on the new computers, but the network interface was not supported. I found a driver on Intel's homepage, followed the installation guide, but no luck.

(One-way-filter: Media converters connected together. Normally there is one fiber for TX and one for RX. We have removed the RX so the data can only flow one way.)

Thanks
Rabbeleet


----------



## SirDice (Aug 17, 2020)

Did you enable this?

```
-b, --bcastsync
             Allow us to sync to broadcast servers.
```
See ntpd(8)

Also read:

```
broadcastclient
             This command enables reception of broadcast server messages to
             any local interface (type b) address.  Upon receiving a message
             for the first time, the broadcast client measures the nominal
             server propagation delay using a brief client/server exchange
             with the server, then enters the broadcast client mode, in which
             it synchronizes to succeeding broadcast messages.  Note that, in
             order to avoid accidental or malicious disruption in this mode,
             both the server and client should operate using symmetric-key or
             public-key authentication as described in Authentication Options.
```
From ntp.conf(5).


----------



## Rabbeleet (Aug 17, 2020)

"Ordinarily, *ntpd* reads the ntp.conf(5) configuration file at startup time
in order to determine the synchronization sources and operating modes.
It is also possible to specify a working, although limited, configuration
entirely on the command line, obviating the need for a configuration
file."

I do not think that will make a difference when I have set the broadcastclient in the ntp.conf file.
But I'll give it a try tomorrow.
I do use a type b address.

Without the one-way-filter, the client is accepting the broadcast.

Thanks


----------



## SirDice (Aug 17, 2020)

Rabbeleet said:


> Without the one-way-filter, the client is accepting the broadcast.


As you can read in the manual for the `broadcastclient` option, it needs to communicate with the server at least temporarily before it will accept the broadcasts.


----------



## Rabbeleet (Aug 17, 2020)

Yes, but because it worked with FreeBSD 9.1, I thought it would also work with FreeBSD 12.1 since they both have NTP v4.


----------



## SirDice (Aug 18, 2020)

The exact same text is also in the 9.1 version of the man page. So I doubt anything has changed in this respect.


----------
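The behaviour discussed in this thread can be checked from a capture taken on the client side. The following is an added example, not code from any poster or from the NTP project: it decodes the NTP mode field and reports when broadcasts (mode 5) and client requests (mode 3) are seen but no server reply (mode 4) ever arrives, and counts broadcasts that carry no MAC. The function names, the sample addresses and the packets are constructed for illustration, and the MAC check is a length heuristic that assumes no extension fields.

```python
import struct

NTP_HEADER_LEN = 48
MODES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
         4: "server", 5: "broadcast", 6: "control", 7: "private"}

def parse_ntp(payload: bytes) -> dict:
    """Decode the fixed NTP header fields relevant to this diagnosis."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(payload))
    flags, stratum = struct.unpack_from("!BB", payload, 0)
    trailer = len(payload) - NTP_HEADER_LEN
    return {
        "version": (flags >> 3) & 0x7,
        "mode": MODES.get(flags & 0x7, "reserved"),
        "stratum": stratum,
        # Heuristic: 4-byte key ID + 16-byte (MD5) or 20-byte (SHA-1) digest.
        "has_mac": trailer in (20, 24),
    }

def diagnose(capture):
    """capture: iterable of (src, dst, udp_payload) seen on the client side."""
    seen = {"broadcast": 0, "client": 0, "server": 0}
    unauthenticated = 0
    for _src, _dst, payload in capture:
        pkt = parse_ntp(payload)
        if pkt["mode"] in seen:
            seen[pkt["mode"]] += 1
        if pkt["mode"] == "broadcast" and not pkt["has_mac"]:
            unauthenticated += 1
    # Broadcasts arrive, the client asks, nothing answers: the initial
    # client/server exchange described in ntp.conf(5) cannot complete.
    stalled = seen["broadcast"] > 0 and seen["client"] > 0 and seen["server"] == 0
    return {"counts": seen, "volley_stalled": stalled,
            "unauthenticated_broadcasts": unauthenticated}

def _pkt(mode, stratum=2, version=4, mac=b""):
    # Constructed sample packet: header zero-filled apart from flags and stratum.
    return bytes([(version << 3) | mode, stratum]) + bytes(46) + mac

# Constructed capture (addresses from the RFC 5737 documentation range).
SAMPLE = [
    ("192.0.2.10", "192.0.2.255", _pkt(5)),
    ("192.0.2.20", "192.0.2.10", _pkt(3, stratum=0)),
    ("192.0.2.10", "192.0.2.255", _pkt(5)),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```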

