Netgate Discussion Forum

    NTP Configuration for LAN & VLANs

    General pfSense Questions
    • AndyRH

      I have NTP on each interface, real and imagined, and pass that address with DHCP. NTP is answered by the local interface and does not need to traverse the firewall.
      The only time I need a rule is if I am blocking a network from talking to This Firewall.

      o||||o
      7100-1u

      • johnpoz LAYER 8 Global Moderator @32G3LiQxu8

        @32g3liqxu8 said in NTP Configuration for LAN & VLANs:

        Set NTP server via DHCP server and DHCP Static Mappings to point to LAN Gateway

        Just so you know - many devices will not read this info and use it. Not a DHCP problem, it's a client problem. Many IoT devices, if they need time, will have it hard-coded (stupid, I know).. Others will sit there stupid even if they could get it from DHCP, etc.

        So you might need to either set on the device which NTP to use, do the interception of NTP if they are hard-coded, or look at what FQDN they are resolving for some NTP server and set a host override to the pfSense IP you want to use.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • 32G3LiQxu8 @johnpoz

          @johnpoz thank you for your response. I will set up interception of NTP as well. I do have an IoT VLAN.

          In terms of setting up NTP, which approach is recommended? Set the NTP interface to LAN only, LAN and VLANs, or Localhost only? Set ACLs or don't set ACLs? Most of the examples I found only show one LAN, so I was not sure how best to go about handling VLANs.

          Thank you

          • 32G3LiQxu8 @viragomann

            @viragomann thank you for your response

            • johnpoz LAYER 8 Global Moderator @32G3LiQxu8

              @32g3liqxu8 I point my VLANs to their own VLAN interface, but either or both - it doesn't really matter what IP on pfSense you point it to, to be honest - as long as you set your firewall rules to allow talking to the IP you're setting your clients to use.

              Overall not a fan of any sort of interception - unless there is no other way to do what you want. Like stupid devices that would hard-code an NTP IP vs a FQDN. If they resolve a FQDN for their NTP - say a pool address - I have some "stupid" smart lightbulbs, that for sure were not meant to be sold in just the UK, that use a hardcoded uk.ntp.pool.org FQDN for example - I just set a host override to resolve that to a pfSense IP..

              There are always multiple ways to skin any cat ;) Depending you may need to use a few different methods to cover all the different sorts of cats on your network hehehe


              • 32G3LiQxu8 @AndyRH

                @andyrh thank you for your response

                • johnpoz LAYER 8 Global Moderator @32G3LiQxu8

                  @32g3liqxu8 as you are setting this all up, you may want to do some validation that your clients are actually doing what you want them to - ie getting NTP from your NTP server, be that pfSense or some other NTP. I run a stratum 1 NTP server on a Pi for example that I use for most everything. pfSense syncs its NTP time to that anyway, so it doesn't really matter if they talk to the pfSense IP or the NTP server IP, etc. But if you're going to do interception it is easier to just send that to the pfSense loopback address.

                  So you may want to do some sniffing (packet captures) to validate your clients are talking to who you want them to talk to, if they do not give you the ability to check on them with, say, ntpq or something..


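johnpoz's suggestion above is to capture traffic and confirm that clients really send NTP to the server you chose. The script below is an added example, not code from this thread or from pfSense, that reads `tcpdump -n -l udp port 123` style output and lists every client that sent an NTP client-mode request to an address outside a sanctioned set (assumed here to be the pfSense LAN/VLAN interface addresses handed out via DHCP; the capture lines are constructed). A capture taken on the pfSense LAN or VLAN interface sees inbound packets before any NAT redirect is applied, so the destination shown is the address the device actually asked for, and hard-coded devices show up whether or not a redirect is in place.

```python
import re
import sys
from collections import defaultdict

# Hypothetical sanctioned NTP servers: the pfSense LAN/VLAN interface addresses handed out via DHCP
SANCTIONED_NTP = {"192.168.10.1", "192.168.20.1", "192.168.30.1"}

# Constructed sample output in the style of 'tcpdump -n -l udp port 123' on the pfSense side
SAMPLE_CAPTURE = """\
12:00:01.103421 IP 192.168.10.23.123 > 192.168.10.1.123: NTPv4, Client, length 48
12:00:01.103987 IP 192.168.10.1.123 > 192.168.10.23.123: NTPv4, Server, length 48
12:00:03.551002 IP 192.168.30.41.40317 > 192.168.30.1.123: NTPv4, Client, length 48
12:00:03.551450 IP 192.168.30.1.123 > 192.168.30.41.40317: NTPv4, Server, length 48
12:00:05.201100 IP 192.168.30.77.123 > 203.0.113.9.123: NTPv4, Client, length 48
12:00:05.231100 IP 203.0.113.9.123 > 192.168.30.77.123: NTPv4, Server, length 48
12:00:06.000000 ARP, Request who-has 192.168.10.1 tell 192.168.10.23, length 28
12:00:07.004000 IP 192.168.20.15.123 > 198.51.100.20.123: NTPv3, Client, length 48
"""

# One tcpdump line for an NTP packet: timestamp, src.port > dst.port, NTP version and mode
NTP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): NTPv(?P<ver>\d), (?P<mode>[^,]+),"
)


def parse_ntp_line(line):
    """Return the fields of one NTP capture line, or None for any other traffic (ARP, DNS, ...)."""
    m = NTP_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"], "src": m["src"], "dst": m["dst"],
        "dport": int(m["dport"]), "version": int(m["ver"]), "mode": m["mode"],
    }


def find_stray_ntp_clients(capture_text, sanctioned=SANCTIONED_NTP):
    """Map each client that sent a Client-mode request to a non-sanctioned server
    to the sorted list of those destinations. Server replies are ignored."""
    stray = defaultdict(set)
    for line in capture_text.splitlines():
        rec = parse_ntp_line(line)
        if rec is None or rec["mode"] != "Client" or rec["dport"] != 123:
            continue
        if rec["dst"] not in sanctioned:
            stray[rec["src"]].add(rec["dst"])
    return {client: sorted(dsts) for client, dsts in sorted(stray.items())}


def report(capture_text, sanctioned=SANCTIONED_NTP):
    """Human-readable summary: one line per client that ignored the DHCP-provided server."""
    stray = find_stray_ntp_clients(capture_text, sanctioned)
    if not stray:
        return "all NTP client requests went to sanctioned servers"
    return "\n".join(f"{client} -> {', '.join(dsts)}" for client, dsts in stray.items())


if __name__ == "__main__":
    # Pipe a live capture in, e.g. 'tcpdump -n -l -i igb1 udp port 123 | python3 stray_ntp.py';
    # with no piped input the constructed sample is analysed instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    print(report(text))
```

Each client the report names is a candidate for the host override johnpoz describes (if the capture on the DNS side shows it resolving a pool name first) or for a redirect (if it sends straight to a hard-coded IP); a client that never appears at all is one you still have no evidence about.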
                  • 32G3LiQxu8 @johnpoz

                    @johnpoz hahaha, I understand. I think I have a game plan now. I have a couple of "stupid" smart lightbulbs as well. I will use ntopng to determine if any of my devices are pulling an outside ntp server and do the host override method.

                    Thanks again for your help

                    • viragomann @johnpoz

                      @johnpoz
                      I cannot see what the benefit is of knowing which NTP server the client would request if it could, and adding a host override for it.

                      In my home installation I simply redirect all NTP requests to the pfSense LAN IP. That's pretty quick and easy and the clients are happy, me too.
                      I do the same with DNS.

                      • johnpoz LAYER 8 Global Moderator @viragomann

                        @viragomann said in NTP Configuration for LAN & VLANs:

                        what's the benefit of knowing

                        That your settings worked? If you don't care where your devices get their time - why go through the trouble of setting anything? My point was, if you're going to the trouble of wanting your devices to use your settings, you might want to validate that they are.

                        Which is why I brought up the dhcp thing - just because you hand out ntp via dhcp doesn't always mean that is what a device will use.

                        If you know clients ask for pool.ntp.org - setting this in your host override means they would resolve this to the IP you want, and no need to do "redirection". As I said not a fan of redirection, you don't have to do that if you don't want - if your happy just redirecting.


                        • viragomann @johnpoz

                          @johnpoz
                          I've no concerns about redirecting NTP or any other requests to what I want in my network.
                          As NTP and DNS don't use TLS, the client doesn't notice that.

                          My point was, if you're going to the trouble of wanting your devices to use your settings, you might want to validate that they are.

                          Yes, I can be sure that the internal devices are requesting my NTP server, since I redirect any requests to it.
                          If I do a host override and the device's NTP setting changes with a firmware upgrade, I could not.

                          • johnpoz LAYER 8 Global Moderator @viragomann

                            @viragomann said in NTP Configuration for LAN & VLANs:

                            device's NTP setting changes with a firmware upgrade, I could not.

                            Valid point..


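viragomann's point in the exchange above is that with a redirect in place the reply always appears to come from whatever address the client asked for, so addresses alone say nothing about who actually answered. The NTP reply payload does: it carries the responding server's stratum, reference identifier and leap indicator. Below is an added example, not code from this thread or from pfSense, that builds a plain NTPv4 client request, sends it to a chosen address and decodes the reply, so you can confirm from any VLAN that the answer comes from pfSense (a stratum-2 reply whose reference ID is the IP of your upstream, for instance johnpoz's stratum-1 Pi) rather than from an outside server. The addresses, timestamps and the two sample reply packets are constructed.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
NTP_PACKET_LEN = 48
# Wire layout: LI/VN/Mode byte, stratum, poll, precision (signed), then 11 big-endian 32-bit words:
# root delay, root dispersion, reference ID, and four timestamps as (seconds, fraction) pairs
NTP_FORMAT = "!BBBb11I"


def build_client_request(unix_time=None):
    """Build a minimal NTPv4 mode-3 (client) request with only the transmit timestamp set."""
    if unix_time is None:
        unix_time = time.time()
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    first_byte = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, Mode=3
    return struct.pack(NTP_FORMAT, first_byte, 0, 0, 0, *([0] * 9), secs, frac)


def parse_ntp_packet(data):
    """Decode the fixed 48-byte NTP header into the fields useful for validation."""
    if len(data) < NTP_PACKET_LEN:
        raise ValueError(f"short NTP packet: {len(data)} bytes")
    fields = struct.unpack(NTP_FORMAT, data[:NTP_PACKET_LEN])
    first, stratum = fields[0], fields[1]
    refid_raw, tx_secs, tx_frac = fields[6], fields[13], fields[14]
    leap, version, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    refid_bytes = refid_raw.to_bytes(4, "big")
    if stratum <= 1:
        # stratum 0: kiss-o'-death code; stratum 1: reference clock type; both are 4 ASCII chars
        refid = refid_bytes.rstrip(b"\0").decode("ascii", "replace")
    else:
        refid = ".".join(str(b) for b in refid_bytes)  # IPv4 address of the upstream server
    return {
        "leap": leap, "version": version, "mode": mode, "stratum": stratum, "refid": refid,
        "tx_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / (1 << 32),
        # a usable server reply: mode 4, clock not flagged unsynchronised (LI=3), stratum 1..15
        "synchronized": mode == 4 and leap != 3 and 1 <= stratum <= 15,
    }


def query_ntp_server(server, port=123, timeout=2.0):
    """Send one request and return the decoded reply plus the address it came from."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (server, port))
        data, (reply_ip, _) = sock.recvfrom(512)
    reply = parse_ntp_packet(data)
    reply["reply_from"] = reply_ip
    reply["offset_estimate_s"] = reply["tx_time"] - time.time()  # rough; ignores transit time
    return reply


# Constructed sample replies (not captured from a real server)
# 1) a pfSense-style stratum-2 answer whose upstream is a LAN stratum-1 box at 192.168.50.5
SAMPLE_STRATUM2_REPLY = struct.pack(
    NTP_FORMAT, (0 << 6) | (4 << 3) | 4, 2, 6, -20,
    0, 0, int.from_bytes(bytes([192, 168, 50, 5]), "big"),
    0, 0, 0, 0, 0, 0, 1700000000 + NTP_EPOCH_OFFSET, 0,
)
# 2) a stratum-1 GPS-disciplined server answering directly
SAMPLE_STRATUM1_REPLY = struct.pack(
    NTP_FORMAT, (0 << 6) | (4 << 3) | 4, 1, 6, -20,
    0, 0, int.from_bytes(b"GPS\0", "big"),
    0, 0, 0, 0, 0, 0, 1700000000 + NTP_EPOCH_OFFSET, 0,
)

if __name__ == "__main__":
    import sys
    # e.g. python3 ntp_probe.py 192.168.10.1  (hypothetical pfSense VLAN interface address)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(query_ntp_server(target) if target else parse_ntp_packet(SAMPLE_STRATUM2_REPLY))
```

Run it from a host on each VLAN against the address DHCP handed out, and separately against an outside address: with a redirect in place both probes should come back with the same stratum and reference ID, which is the evidence viragomann relies on; with a host override only the name-based probe will.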
                            • stephenw10 Netgate Administrator

                              By default pfSense hands its own interface address to clients to use in each subnet via DHCP, and the NTP server listens on all interfaces.
                              What is it you're trying to address by using any other configuration?

                              Also be aware that selecting specific interfaces in the NTP settings also restricts the source IPs NTP uses to update against external servers. So you must have NAT to cover that. Normally you always would but it can be difficult to diagnose if you hit that issue.

                              Steve

                              • 32G3LiQxu8 @stephenw10

                                @stephenw10 I’m not trying to address anything specific, just trying to learn and understand what would be considered best practice. A lot of the community guides just show LAN being selected as the interface for demonstration but never explain “why” they’re making just that selection over, say, Localhost. I have VLANs set up as well, so I was curious what the community recommends and “why”. My setup is a home setup with a LAN and multiple VLANs - nothing special. I really just wanted to try it out. Any additional guidance you could provide would be helpful. Thank you

                                • stephenw10 Netgate Administrator

                                  Personally I use the default setup for NTP. You don't ever want to expose that to the WAN but the default firewall rules prevent that.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.