NTP woes
-
The big hand is on the...
Actually, I have my NTP server set up to use 4 public sources,
Thanks, perhaps a NTP server of my own is what I need to get what I want? I basically want to control where my clients go to get their time. Your setup sounds neat, but a bit complicated for simpler needs perhaps?
-
For the vast majority of people using the public pool or https://www.cloudflare.com/time/ is fine. If you don't mind leap smearing time.google.com is also good.
Agreed, this is probably what I should go for, keeping a stratum server going is a bit much for my needs, I was just concerned about security of the protocol. But as said below, I probably over-thinked this a bit... :)
-
For the vast majority of people using the public pool or https://www.cloudflare.com/time/ is fine. If you don't mind leap smearing time.google.com is also good.
Agreed, this is probably what I should go for, keeping a stratum server going is a bit much for my needs, I was just concerned about security of the protocol. But as said below, I probably over-thinked this a bit... :)
A nice addition would be to use NTPv3, but for some reason cant find where to get the auth keys... will continue looking :)
-
A NTP server is built into pfsense. You just have to configure it. It's not difficult. You just select some public servers to use and enable the NTP server. It's really that simple. You only need one server, but can use multiple for redundancy. If nothing else, you could just use pool.ntp.org. I even created a DNS alias for it, so that my portable devices will use my server at home and the real pool.ntp.org when I'm away.
BTW, my Asus tablet wants to use some server in Asia, so I also created an alias for that server to point it to mine. If manufacturers insist on hard coding an NTP server, they should be using pool.ntp,org, which will geolocate the best server.
-
Agreed, this is probably what I should go for, keeping a stratum server going is a bit much for my needs
Every NTP server is a stratum server. If you use a stratum 1 source, yours becomes stratum 2, with 15 the maximum. Sources such as a GPS receiver are stratum 0, so the NTP server connected to it becomes stratum 1.
Here's some NTP info.
-
-
@viragomann said in NTP woes:
BTW, my Asus tablet wants to use some server in Asia, so I also created an alias for that server to point it to mine.
I simply redirect any NTP requests from my networks to pfSense LAN address, as well as DNS.
Should also work with localhost as target.
Well, simple when you know it :) Much appreciated, will try to configure this. I suppose I could use destination "This firewall" instead of any LAN Address? Thanks!
-
Agreed, this is probably what I should go for, keeping a stratum server going is a bit much for my needs
Every NTP server is a stratum server. If you use a stratum 1 source, yours becomes stratum 2, with 15 the maximum. Sources such as a GPS receiver are stratum 0, so the NTP server connected to it becomes stratum 1.
Here's some NTP info.
Oh! Will read some. I thought "stratum" was when you had your own GPS. Thanks for the link! :)
-
A NTP server is built into pfsense. You just have to configure it. It's not difficult. You just select some public servers to use and enable the NTP server. It's really that simple. You only need one server, but can use multiple for redundancy. If nothing else, you could just use pool.ntp.org. I even created a DNS alias for it, so that my portable devices will use my server at home and the real pool.ntp.org when I'm away.
BTW, my Asus tablet wants to use some server in Asia, so I also created an alias for that server to point it to mine. If manufacturers insist on hard coding an NTP server, they should be using pool.ntp,org, which will geolocate the best server.
That was the part I was qondering a bit about, but saw @viragomann had already shared his redirect rule for this. Will give it a go! Thanks! :)
-
I suppose I could use destination "This firewall" instead of any LAN Address?
I don't think, that "This firewall" will work, since it covers multiple IPs. As far as I know, that's not working in redirect targets.
As I mentioned, localhost or even single address > 127.0.0.1 should work as well."Internal" is a interface group in my setup, including all internal interfaces I want to rule apply to.
Edit localhost thx to @Bob-Dig
-
Here are my rules, working so far.
-
@viragomann said in NTP woes:
"Internal" is a interface group in my setup, including all internal interfaces I want to rule apply to.
Had no idea these existed! This makes things a bit easier, thanks!
-
-
I get the first two lines, but what is the third used for?
It is not needed here but if the host is already connecting to the firewall, then this is allowed and I don't have to make the rule on that interface.
Now, that I am thinking about it, my solution to not redirect traffic already going to the firewall isn't that great to look at, probably should redirect everything.
-
@bob-dig Thanks for explaining, and well, it helped me... :)
-
But... With this NTP redirect rule in place, should I still need to allow each network access to the NTP server?? I thought this was that setup, or have I managed to get something wrong...
It works, I now see the pfSense IP instead of a pool one for NTP, but, is this expected?
-
I get the first two lines, but what is the third used for?
It is not needed here but if the host is already connecting to the firewall, then this is allowed and I don't have to make the rule on that interface.
I'd say, the third one is all you really need.
It covers all interface assigned addresses as well as localhost. And since you don't redirect interface IPs, you need all of them.
But you can spare the first two rules, since the third covers also both protocols, IPv4 and v6. -
Interesting... It seemed to be working, then I renamed the interface group, and while the config looks ok (reflects the new name), it now tries to get NTP from all over the place again...
-
it now tries to get NTP from all over the place again...
Your internal devices?
They will not notice the redirection. When devices tries to request e.g. 1.1.1.1 and pfSense redirects it to itself, it sends response packets back with 1.1.1.1 as source address. Hence the device will think, it's all right, the server is responding as expected.
You can check the states for outbound NTP connections to see if your rules are working.
-
@viragomann said in NTP woes:
it now tries to get NTP from all over the place again...
Your internal devices?
Yes, they are trying to get NTP from WAN addresses again... I have not yet enabled the NTP server of pfSense, but anyhow, they should try NTP from pfSenseIP:123, right?
