NTP not working when using wildcard as interface

I've installed pihole on a Linux system with multiple virtual NICs for different VLANs (192.168.1.2, 192.168.2.2, ... 3rd octet = VLAN ID).
When I use "" for ntp.ipv4.address I can see that NTP is listening on all interfaces:

$ lsof -i:123
COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
pihole-FT 44598 pihole   41u  IPv4 582094      0t0  UDP *:ntp

But tests always fail:

$ ntpdig -d 192.168.2.2
ntpdig: querying 192.168.2.2 (192.168.2.2)
ntpdig: no eligible servers

But when I use any specific interface by IP, 192.168.2.2, for ntp.ipv4.address, it works:

$ ntpdig -d 192.168.2.2
ntpdig: querying 192.168.2.2 (192.168.2.2)
org t1: eb184351.4902f000 rec t2: eb184350.4945b6c3
xmt t3: eb184350.4a2f5989 dst t4: eb184351.4b342000
org t1: 1735247057.285201 rec t2: 1735247056.286220
xmt t3: 1735247056.289785 dst t4: 1735247057.293764
rec-org t21: -0.998981  xmt-dst t34: -1.003979
2024-12-26 22:04:16.289785 (+0100) -1.001480 +/- 0.002500 192.168.2.2 s2 no-leap

What am I doing wrong?

BR Chris

Did you give it some time to settle before performing the ntpdig ... wait a minute or so?
I made the same mistake 😉

Thanks for the tip. But that doesn't seem to be the problem.

I can query the NTP server via the physical NIC (enp0s31f6).
But not via any of the virtual NICs assigned with VLAN (enp0s31f6.1 - enp0s31f6.4).

I have not been able to narrow it down any further.

Better upload a debug log so the devs can have a look:

sudo pihole debug

Only post the resulting token URL here that's displayed after the upload was successful!

debug log created and uploaded.
https://tricorder.pi-hole.net/BSmgn4YB/

I'm currently not at home so I haven't had a chance to look at your uploaded debug log, so far, but I was wondering if there might be relevant additional output if you enable NTP logging like

sudo pihole-FTL --config debug.ntp true

And then compare once in the case where it works and once where you don't specify an interface. Let's hope there will be some visible difference, otherwise, we can later extend debug logging to maybe better fit to your specific corner case.

I did just look at your Tricorder log and - in addition to my debug logging question above - I have more questions because I don't understand your network configuration:

You are talking about 192.168.x.0/24 networks and I can see you have rev-server settings for a few such subnets. However, none of your existing interfaces actually has a 192.168.x.0 address - they are all in the 10.y.0.0/16 ranges each (at least on enp0s31f6 and its virtual children, I have not seen any other meaningful NIC on your machine).

This is in agreement with a few errors we are seeing when Pi-hole tries to access such networks:

INFO: Tried to resolve PTR "2.1.168.192.in-addr.arpa" on 127.0.0.1#53 (UDP)
ERROR: Cannot receive UDP DNS reply: Timeout - no response from upstream DNS server

According to your configuration, 192.168.2.0/24 lookups are forwarded to 192.168.2.1 internally and the timeout here means that there was never a reply from said forwarding destination. That's probably because your entire machine also has no defined route to send/receive something to/from this address.

This is also in agreement with your NTP observation: When you specify the "wildcard address", Linux does not listen for "all" addresses but only for "reachable" ones. In your particular setup, 192.168.x.y is not actually reachable on your machine. If you, however, specify a single address, the kernel knows that this specific address is to be routed to this specific application. However, I'd still have expected a "Cannot assign requested address" error, so something in how you configured your network is still unclear to me.

First of all, thank you for looking at the debug log!

Then - my mistake, sorry!

The network configuration has changed due to our move a few weeks ago. The 192.168.x from the initial post is now 10.x.0.y. I still have the old config in my “fingers” when writing.

My networks are - in accordance with the debug log

  • 10.1.0.0/24: Management for router, switch and access point
  • 10.2.0.0/24: Office network
  • 10.3.0.0/24: IoT
  • 10.4.0.0/24: Guests

192.168.0.0/24 is a family location connected via S2S VPN.
Routing takes place here on the router, not on the pihole.

The same applies to 192.168.1.0/24 and 192.168.2.0/24.
The S2S connections are always briefly offline due to the DSL forced disconnection.

The configured NICs are:

enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.2.0.199 netmask 255.255.255.0 broadcast 10.2.0.255
        [...]

enp0s31f6.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.1.0.2 netmask 255.255.255.0 broadcast 10.1.0.255
        [...]

enp0s31f6.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.2.0.2 netmask 255.255.255.0 broadcast 10.2.0.255
        [...]

enp0s31f6.3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.3.0.2 netmask 255.255.255.0 broadcast 10.3.0.255
        [...]

enp0s31f6.4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.4.0.2 netmask 255.255.255.0 broadcast 10.4.0.255
        [...]

enp0s31f6 is the default NIC and route used. The NIC is set to (reserved) DHCP to be always available during the IP address changes from the last weeks. When I use NTP with wildcard I get an NTP reply on just this interface but on none other.

Could the VLAN tag assignment be an issue?

Target          Route           Genmask         Flags Metric Ref      Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 enp0s31f6
10.1.0.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6.1
10.2.0.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6
10.2.0.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6.2
10.3.0.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6.3
10.4.0.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6.4
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s31f6

$ lsof -i:123
COMMAND     PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
pihole-FT 44598 pihole   33u  IPv4 1067467      0t0  UDP *:ntp

DNS service offered by pihole is reachable on all nics from all vlans.

BR Chris

I don't know.

Did you try ntpdig also with the correct addresses (10.x.y.z)?
Also, have you tried enabling debug mode and seeing what the difference is?
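
An added diagnostic sketch (not part of any post above and not Pi-hole code): a minimal SNTP probe that queries each address from the interface list in the thread and reports the source address the reply actually arrives from. It leaves the UDP socket unconnected, so a reply from a different source address than the one queried is shown rather than silently dropped; the function names and the status labels are assumptions made for this example.

```python
import socket
import struct

NTP_UNIX_DELTA = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client)."""
    return bytes([0x23]) + bytes(47)


def parse_reply(pkt: bytes) -> dict:
    """Extract mode, stratum and transmit time (Unix seconds) from a reply."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    secs, frac = struct.unpack("!II", pkt[40:48])
    return {"mode": pkt[0] & 0x07, "stratum": pkt[1],
            "xmt_unix": secs - NTP_UNIX_DELTA + frac / 2**32}


def probe(server: str, port: int = 123, timeout: float = 2.0) -> dict:
    """Query `server` (an IPv4 literal) and report where the reply came from.

    The socket is deliberately not connect()ed: a connected UDP socket only
    accepts datagrams from the connected peer address, which would hide a
    reply sent from another local address of a multi-homed server.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, port))
        try:
            pkt, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return {"queried": server, "status": "no-reply"}
    info = parse_reply(pkt)
    info.update(queried=server, reply_source=src,
                status="ok" if src == server else "source-mismatch")
    return info


if __name__ == "__main__":
    # Addresses taken from the interface list posted in the thread.
    for addr in ("10.2.0.199", "10.1.0.2", "10.2.0.2", "10.3.0.2", "10.4.0.2"):
        print(probe(addr))
```

Run it from a client in each VLAN, once with the wildcard setting and once with a specific ntp.ipv4.address: "source-mismatch" means a reply was sent but from another address, while "no-reply" means nothing came back at all.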