Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd)

    Scheduled Pinned Locked Moved General pfSense Questions
    136 Posts 14 Posters 32.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @AndyRH
      last edited by

      @andyrh nice way to look at it.. I concur!

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      1 Reply Last reply Reply Quote 0
      • DaddyGoD
        DaddyGo @Sergei_Shablovsky
        last edited by

        @sergei_shablovsky

        an evasive post but important: (for all :))

        I recommend it to all who to use GPSD based stratum1 NTP - follow and update guidelines!!! (on your network NTP source)

        https://www.theregister.com/2021/10/19/gpsd_bug_reset/

        we run it and it affects our settings:
        https://www.ntpsec.org/white-papers/stratum-1-microserver-howto/#RASPBIAN

        the biggest thanks to Gary Miller and others 🖐

        7ab8f6d2-ea15-442b-9095-0dcdaf0c93ee-image.png

        feefe826-a015-4fcb-9419-7c75add68420-image.png

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        Sergei_ShablovskyS 1 Reply Last reply Reply Quote 3
        • Sergei_ShablovskyS
          Sergei_Shablovsky @DaddyGo
          last edited by

          @daddygo said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

          I recommend it to all who to use GPSD based stratum1 NTP - follow and update guidelines!!! (on your network NTP source)
          https://www.theregister.com/2021/10/19/gpsd_bug_reset/
          we run it and it affects our settings:
          https://www.ntpsec.org/white-papers/stratum-1-microserver-howto/#RASPBIAN

          Let's to remind very old but useful Network Time Protocol: Best Practices White Paper

          —
          CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
          Help Ukraine to resist, save civilians people’s lives !
          (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

          1 Reply Last reply Reply Quote 0
          • Sergei_ShablovskyS
            Sergei_Shablovsky @AndyRH
            last edited by Sergei_Shablovsky

            @andyrh said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

            NTP service has no known vulnerabilities at this time. (Software is secure)
            It is simple to use and hard to mess up, does that help security?

            “If something in Internet was not already hacked, this is not because it’s strong, it’s because till this time no one pay serious attention on this “something”(c)myself

            No one goes deeply and care about how this old things working, but only after a lot of crashes, transporting issues, and some quantity of broken peoples lifes community starting SLOWLY changing mindset about needs to keep up to date old protocols that used in billions devices from your coffee maker, heart cardio stimulator, cars to blood pumps, very big oil & gas sea tankers, citie's energy stations, etc...

            —
            CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
            Help Ukraine to resist, save civilians people’s lives !
            (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

            DaddyGoD 1 Reply Last reply Reply Quote 0
            • DaddyGoD
              DaddyGo @Sergei_Shablovsky
              last edited by

              @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

              it’s because till this time no one pay serious attention on this “something”(me)

              😉

              Hmmm, that's a serious formula, but just think of all the stratum1 satellites... (there are a few of them)
              The NTP is currently massive....
              (but like everything else it may be vulnerable)

              everything would be dead without it, think of the stock exchange, credit card transactions that are dampened by prime number encryption and much more....

              BTW:
              use your power for good things 😉

              Cats bury it so they can't see it!
              (You know what I mean if you have a cat)

              Sergei_ShablovskyS 1 Reply Last reply Reply Quote 0
              • M
                mer
                last edited by

                I feel like I am missing something here.
                Synchronizing time across the network, even if a single server and single client, means what?
                client asks a configured server "what time do you think it is" and then applies alogrithms on the reply.

                Security wise:
                What level of trust does the client have for the server it's asking? One would think the client shouldn't be configured to as clients it doesn't trust.

                Granted:
                NTP servers typically are open, so anyone can ask them, which could result in DOS from the server. But "so what"? Client can't talk to a server?

                So: I think a lot of this discussion is based on standing up a server not simply being a client.
                If your pfSense box is going to have an independent time source at stratum 1, of course make it so only your desired clients (your network) use it as a definitive source of time.

                JKnottJ 1 Reply Last reply Reply Quote 1
                • JKnottJ
                  JKnott @mer
                  last edited by

                  @mer

                  One thing to remember is you can set up NTP with multiple sources. You should have at least 3, so that if one starts providing bad data, then it will be ignored. This makes it difficult to tamper with.

                  I have 5 sources, 3 of which are stratum 1 and 2 stratum 2.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  1 Reply Last reply Reply Quote 2
                  • Sergei_ShablovskyS
                    Sergei_Shablovsky @DaddyGo
                    last edited by

                    @daddygo said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                    @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                    it’s because till this time no one pay serious attention on this “something”(me)

                    use your power for good things 😉

                    Sorry my misstyping, I mean that’s phrase made by myself. :)

                    —
                    CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                    Help Ukraine to resist, save civilians people’s lives !
                    (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                    DaddyGoD 1 Reply Last reply Reply Quote 0
                    • Sergei_ShablovskyS
                      Sergei_Shablovsky @bingo600
                      last edited by Sergei_Shablovsky

                      @bingo600 said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                      If i was to change from NTP, to something "Brand new". I would prob. consider Chrony instead.

                      Thank You again one time for suggestion.

                      Just for anyone this Comparison of NTP implementations

                      Ok, I agree with You: for various reasons (some of it are very valuable like less dependent from main CPU frequency changes (because power management enabled in BIOS), link delay/jitter/lost packets, noticeable working speed,...) the Chrony looks like more logical solution both for NTP client & server.

                      —
                      CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                      Help Ukraine to resist, save civilians people’s lives !
                      (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                      bingo600B 1 Reply Last reply Reply Quote 0
                      • bingo600B
                        bingo600 @Sergei_Shablovsky
                        last edited by

                        @sergei_shablovsky
                        Even though Chrony is "Shining Brand New" , i would .. As it is the industry standard.
                        Still prefer NTP to be the timeserver on pfSense

                        Chrony would be something i'd play with on a separate host , if i wanted to.

                        /Bingo

                        If you find my answer useful - Please give the post a 👍 - "thumbs up"

                        pfSense+ 23.05.1 (ZFS)

                        QOTOM-Q355G4 Quad Lan.
                        CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                        LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                        Sergei_ShablovskyS 1 Reply Last reply Reply Quote 0
                        • P
                          Patch
                          last edited by

                          @bingo600 said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                          Even though Chrony is "Shining Brand New" , i would .. As it is the industry standard.
                          Still prefer NTP to be the timeserver on pfSense

                          Imo Chrony is just plan better and can see no reason not to use it on pfsense

                          • Time synchronisation is better (faster and more accurate synchronisation)
                          • Better reporting via the combination of
                          chronyc tracking
                          chronyc sources
                          chronyc sourcestats
                          chronyc clients
                          

                          So I would like to see chrony on pfsense. For me it would be cleaner than using my Proxmox host for chrony / site time.

                          Sergei_ShablovskyS 2 Replies Last reply Reply Quote 0
                          • Sergei_ShablovskyS
                            Sergei_Shablovsky @Patch
                            last edited by

                            @patch Even more:

                            chrony vs ntp
                            Things chrony can do better than ntp:

                            chrony can perform usefully in an environment where access to the time reference is intermittent. ntp needs regular polling of the reference to work well.

                            chrony can usually synchronise the clock faster and with better time accuracy.

                            chrony quickly adapts to sudden changes in the rate of the clock (e.g. due to changes in the temperature of the crystal oscillator). ntp may need a long time to settle down again.

                            chrony can perform well even when the network is congested for longer periods of time.

                            chrony in the default configuration never steps the time to not upset other running programs. ntp can be configured to never step the time too, but in that case it has to use a different means of adjusting the clock (daemon loop instead of kernel discipline), which may have a negative effect on accuracy of the clock.

                            chrony can adjust the rate of the clock in a larger range, which allows it to operate even on machines with broken or unstable clock (e.g. in some virtual machines).

                            chrony is smaller, it uses less memory and it wakes up the CPU only when necessary, which is better for power saving.

                            Things chrony can do that ntp can’t:

                            chrony supports the Network Time Security (NTS) authentication mechanism.

                            chrony supports hardware timestamping on Linux, which allows an extremely stable and accurate synchronisation in local network.

                            chrony provides support for isolated networks whether the only method of time correction is manual entry (e.g. by the administrator looking at a clock). chrony can look at the errors corrected at different updates to work out the rate at which the computer gains or loses time, and use this estimate to trim the computer clock subsequently.

                            chrony provides support to work out the gain or loss rate of the real-time clock, i.e. the clock that maintains the time when the computer is turned off. It can use this data when the system boots to set the system time from a corrected version of the real-time clock. These real-time clock facilities are only available on Linux, so far.

                            Things ntp can do that chrony can’t:

                            ntp supports all operating modes from RFC 5905, including broadcast, multicast, and manycast server/client. However, the broadcast and multicast modes are inherently less accurate and less secure (even with authentication) than the ordinary server/client mode, and should generally be avoided.

                            ntp supports the Autokey protocol (RFC 5906) to authenticate servers with public-key cryptography. Note that the protocol has been shown to be insecure and has been obsoleted by NTS (RFC 8915).

                            ntp has been ported to more operating systems.

                            ntp includes a large number of drivers for various hardware reference clocks. chrony requires other programs (e.g. gpsd or ntp-refclock) to provide reference time via the SHM or SOCK interface.

                            —
                            CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                            Help Ukraine to resist, save civilians people’s lives !
                            (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                            1 Reply Last reply Reply Quote 0
                            • Sergei_ShablovskyS
                              Sergei_Shablovsky @bingo600
                              last edited by

                              @bingo600

                              Please describe step-by-step how to properly installing Chrony on pfSense.

                              Thank You so much!

                              —
                              CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                              Help Ukraine to resist, save civilians people’s lives !
                              (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                              bingo600B 1 Reply Last reply Reply Quote 0
                              • Sergei_ShablovskyS
                                Sergei_Shablovsky @Patch
                                last edited by Sergei_Shablovsky

                                @patch said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                So I would like to see chrony on pfsense. For me it would be cleaner than using my Proxmox host for chrony / site time.

                                How to ask (with a positive result, of course), the pfSense dev team about including Chrony as package ?

                                Because in comparison “Chrony vs ntpd”, the Chrony are the winner no doubt.

                                —
                                CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                                Help Ukraine to resist, save civilians people’s lives !
                                (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                                1 Reply Last reply Reply Quote 0
                                • bingo600B
                                  bingo600 @Sergei_Shablovsky
                                  last edited by

                                  @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                  @bingo600

                                  Please describe step-by-step how to properly installing Chrony on pfSense.

                                  Thank You so much!

                                  As I wrote , i would do it on a separate host.
                                  And my preferred target would be a linux (Debian 10)

                                  /Bingo

                                  If you find my answer useful - Please give the post a 👍 - "thumbs up"

                                  pfSense+ 23.05.1 (ZFS)

                                  QOTOM-Q355G4 Quad Lan.
                                  CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                                  LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                                  johnpozJ 1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator @bingo600
                                    last edited by johnpoz

                                    @bingo600 said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                    would do it on a separate host.

                                    Yeah I am agreement here - while pfsense can do many amazing things, and can run quite a few different services for your network from just a home setup to enterprise level.

                                    Doesn't always mean its the best thing for every job.. If the ntp features do not fit into your wants/needs for your network. Then run ntp on something else..

                                    There could be many reasons why your pfsense box is not the best fit for your networks stable ntp source. For starters - its load will fluctuate as your network runs traffic through it at vary levels throughout the day, other services you might be running on it already can and will effect its temp as loads on those fluctuate.. Depending on what hardware your running it on - might not be suited for say PPS input, etc. This sort of stuff does not make for the most accurate and stable time source - if what your looking for is dead nuts time within a few ms or even nanoseconds :)

                                    If your goal is highly reliable highly accurate ntp source.. Running it on something else is prob going to be best bang for the buck here. Not saying you can not provide ntp from pfsense - but its not all that costly or involved to provide a much better source for your network on something else.. This will give you wide choice in actual time software used, better hardware for time, if all it does provide time, is overall load and temp can be better controlled for more accurate time keeping.. etc..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                    Sergei_ShablovskyS 1 Reply Last reply Reply Quote 0
                                    • Sergei_ShablovskyS
                                      Sergei_Shablovsky @johnpoz
                                      last edited by Sergei_Shablovsky

                                      @johnpoz said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                      @bingo600 said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                      would do it on a separate host.

                                      Yeah I am agreement here - while pfsense can do many amazing things, and can run quite a few different services for your network from just a home setup to enterprise level.

                                      We all love pfSense software, because this we all are here. :)

                                      Doesn't always mean its the best thing for every job.. If the ntp features do not fit into your wants/needs for your network. Then run ntp on something else..

                                      Let’s note, the ACCURATE TIMESTAMP is one of the core things in processing on fw/main gate. This is not something we may name “extra” or “additional”. This is core.

                                      There could be many reasons why your pfsense box is not the best fit for your networks stable ntp source. For starters - its load will fluctuate as your network runs traffic through it at vary levels throughout the day, other services you might be running on it already can and will effect its temp as loads on those fluctuate.. Depending on what hardware your running it on - might not be suited for say PPS input, etc. This sort of stuff does not make for the most accurate and stable time source - if what your looking for is dead nuts time within a few ms or even nanoseconds :)

                                      At this point Let me to be disagreeing with You: in most cases pfSense running on separate server, powerful, with 2 PSU and several WANs to avoid outage.
                                      And of course, FreeBSD daemon to work with PPS source like GPS receiver thru the COM port - eating only smallest fraction of total CPU power and interrupts. So, running You this NTP service + GPS on COM port or not - not making impact on whole system.

                                      If your goal is highly reliable highly accurate ntp source.. Running it on something else is prob going to be best bang for the buck here.
                                      As I note several post before, there are several BIG disadvantages of this:

                                      • round trip to other node and back (thru the switch, other system drivers, etc..) impact on accuracy of timestamp. Because the are measurement in milliseconds / nanoseconds;
                                      • you need care about extra one server (time server), this mean double PSU, double Eth connection, best available servers hardware, memory, enterprise (mean big MTBF hours), etc...

                                      Not saying you can not provide ntp from pfsense - but its not all that costly or involved to provide a much better source for your network on something else.. This will give you wide choice in actual time software used, better hardware for time, if all it does provide time, is overall load and temp can be better controlled for more accurate time keeping.. etc..

                                      Another time not agree: now are quite little a choice, ntpd or Chrony. Please look at the comparison table.

                                      —
                                      CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                                      Help Ukraine to resist, save civilians people’s lives !
                                      (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                                      johnpozJ 1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator @Sergei_Shablovsky
                                        last edited by

                                        @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                        now are quite little a choice

                                        What about openntpd, ntpsec and if windows shop just windows way of doing it, and there is also just sntp - my point was more to what ntp implementations are primary choice for your OS your wanting to run.. And how it integrates with the hardware your wanting to run it on.

                                        this mean double PSU, double Eth connection, best available servers hardware, memory, enterprise (mean big MTBF hours), etc...

                                        If your worried about NTP in the enterprise.. I highly doubt you would be doing it on pfsense to be honest.. More than likely you would have some ntp appliance or multiple ones most likely, etc.

                                        Sorry but if your goal is ntp.. In an enterprise I sure wouldn't be running it on my firewall/router ;) And more likely than not I wouldn't be setting up any hardware - what would be done is get a box that is designed to provide NTP to the enterprise..

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                        Sergei_ShablovskyS 1 Reply Last reply Reply Quote 1
                                        • Sergei_ShablovskyS
                                          Sergei_Shablovsky @johnpoz
                                          last edited by

                                          @johnpoz said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                          @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                          this mean double PSU, double Eth connection, best available servers hardware, memory, enterprise (mean big MTBF hours), etc...

                                          If your worried about NTP in the enterprise.. I highly doubt you would be doing it on pfsense to be honest.. More than likely you would have some ntp appliance or multiple ones most likely, etc.

                                          Sorry but if your goal is ntp.. In an enterprise I sure wouldn't be running it on my firewall/router ;) And more likely than not I wouldn't be setting up any hardware - what would be done is get a box that is designed to provide NTP to the enterprise..

                                          I clearly understand Your point.

                                          But anyway, the so-called “NTP Server” (in case that they cannot obtain PPS thru the radio waves, but only thru the GPS receiver) - is no more than the same 'nix system for embedded platforms, that running inside the device.
                                          This is exactly the same as having separate x86_64 server, but less flexible and more dependent on a yearly payment for device developer for firmware upgrade.

                                          Am I wrong here?

                                          —
                                          CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                                          Help Ukraine to resist, save civilians people’s lives !
                                          (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                                          1 Reply Last reply Reply Quote 0
                                          • DaddyGoD
                                            DaddyGo @Sergei_Shablovsky
                                            last edited by

                                            @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                            Sorry my misstyping, I mean that’s phrase made by myself. :)

                                            😉

                                            Furthermore...

                                            Everything you need to know about NTP at enterprise and industrial level can be found here:

                                            https://www.meinbergglobal.com/

                                            Doing NTP well is not easy, because, say, one temperature dependency of crystal can throw the whole thing in the trash.
                                            (Not to mention the delay of the NTP distribution network)

                                            That's why this hardware costs so damn much, stability - stability - compensation and stability again.
                                            on pfSense is not worth thinking about it...
                                            (if you want to have close to exact time on your network, choose something like this:
                                            https://nguvu.org/pfsense/network%20time%20protocol%20(ntp)/ntp-server/)

                                            More for, say, data centre switches or audio systems, bank App, stock exchange, credit card schemes, NASA :)) - ......it's a big question really...

                                            or PTP (AES67, DANTE, digital audio word clock, etc:
                                            https://en.wikipedia.org/wiki/Precision_Time_Protocol

                                            Cats bury it so they can't see it!
                                            (You know what I mean if you have a cat)

                                            Sergei_ShablovskyS P JKnottJ 4 Replies Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.