NTP Configuration for LAN & VLANs
-
@andyrh thank you for your response
-
@32g3liqxu8 you may want to, as you are setting this all up, do some validation that your clients are actually doing what you want them to - ie getting NTP from your NTP server, be that pfSense or some other NTP server. I run a stratum 1 NTP server on a Pi, for example, that I use for most everything. pfSense syncs its NTP time to that anyway, so it doesn't really matter if they talk to the pfSense IP or the NTP server IP, etc. But if you're going to do interception it is easier to just send that to the pfSense loopback address.
So you may want to do some sniffing (packet captures) to validate your clients are talking to who you want them to talk to, if they do not have the ability to check on them with, say, ntpq or something.
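As an added example that is not part of this thread (not johnpoz's code and nothing shipped with pfSense): a small Python audit that reads the text output of a capture such as `tcpdump -ni igb1.20 -l udp port 123` taken on the pfSense box and lists every client that sent an NTP client request to a server other than the one you expect. The interface name, the 192.168.20.0/24 addresses, the documentation-range "outside" servers and the capture lines themselves are constructed assumptions for illustration; the line layout is tcpdump's default one-line NTP summary.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of tcpdump's one-line NTP summary, as seen with e.g.
#   tcpdump -ni igb1.20 -l udp port 123
# on the pfSense box. Interface name and all addresses are assumptions:
# 192.168.20.1 plays the pfSense VLAN address, 203.0.113.10 and
# 198.51.100.7 stand in for outside NTP servers.
SAMPLE_CAPTURE = """\
14:02:11.101 IP 192.168.20.15.123 > 192.168.20.1.123: NTPv4, Client, length 48
14:02:11.102 IP 192.168.20.1.123 > 192.168.20.15.123: NTPv4, Server, length 48
14:02:12.555 IP 192.168.20.42.41123 > 203.0.113.10.123: NTPv3, Client, length 48
14:02:12.561 IP 203.0.113.10.123 > 192.168.20.42.41123: NTPv3, Server, length 48
14:02:13.009 IP 192.168.20.77.123 > 198.51.100.7.123: NTPv4, Client, length 48
14:02:13.010 IP 192.168.20.15.123 > 192.168.20.1.123: NTPv4, Client, length 48
"""

# The source port is deliberately not pinned to 123: unprivileged clients
# (and many embedded devices) send from an ephemeral port.
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+NTPv(?P<ver>\d),\s+(?P<mode>[^,]+),"
)


def parse_client_requests(text):
    """Yield (client_ip, server_ip, ntp_version) for every NTP client request.

    Server replies, symmetric/broadcast modes and non-NTP lines are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("mode") == "Client":
            yield m.group("src"), m.group("dst"), int(m.group("ver"))


def audit(text, allowed_servers):
    """Map each client to the sorted list of unexpected servers it queried.

    allowed_servers: the addresses clients are supposed to use (for example
    the pfSense interface address handed out via DHCP). Clients that only
    talk to allowed servers are absent from the result.
    """
    offenders = defaultdict(set)
    for client, server, _version in parse_client_requests(text):
        if server not in allowed_servers:
            offenders[client].add(server)
    return {client: sorted(servers) for client, servers in offenders.items()}


if __name__ == "__main__":
    # Usage: tcpdump -ni igb1.20 -l udp port 123 | python3 ntp_audit.py 192.168.20.1
    # When stdin is a terminal the constructed sample is audited instead.
    allowed = set(sys.argv[1:]) or {"192.168.20.1"}
    source = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    for client, servers in sorted(audit(source, allowed).items()):
        print(f"{client} queried unexpected NTP server(s): {', '.join(servers)}")
```

Run the capture on the inside (LAN or VLAN) interface, not on WAN: there the packets still carry the destination the device actually asked for, so the audit shows which devices ignore the DHCP-supplied server even if a NAT redirect later rewrites that destination. Any client listed in the output is a candidate for a host override or for confirming that the redirect rule covers its VLAN.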
-
@johnpoz hahaha, I understand. I think I have a game plan now. I have a couple of "stupid" smart lightbulbs as well. I will use ntopng to determine if any of my devices are pulling an outside ntp server and do the host override method.
Thanks again for your help
-
@johnpoz
I cannot see what the benefit is of knowing which NTP server the client would request if it could, and adding a host override for it.
In my home installation I simply redirect all NTP requests to the pfSense LAN IP. That's pretty quick and easy and the clients are happy, me too.
I do the same with DNS.
-
@viragomann said in NTP Configuration for LAN & VLANs:
what's the benefit of knowing
That your settings worked? If you don't care where your devices get their time - why go through the trouble of setting anything? My point was, if you're going to the trouble of wanting your devices to use your settings, you might want to validate that they are.
Which is why I brought up the DHCP thing - just because you hand out NTP via DHCP doesn't always mean that is what a device will use.
If you know clients ask for pool.ntp.org, setting this in your host override means they would resolve this to the IP you want, and there's no need to do "redirection". As I said, I'm not a fan of redirection, but you don't have to do that if you don't want to - if you're happy just redirecting.
-
@johnpoz
I've no concerns about redirecting NTP or any other requests to what I want in my network.
As NTP or DNS doesn't use TLS, the client doesn't notice that.
@johnpoz said in NTP Configuration for LAN & VLANs:
My point was if you're going to the trouble of wanting your devices to use your settings. You might want to validate that they are.
Yes, I can be sure that the internal devices are requesting my NTP server, since I redirect any requests to it.
If I do a host override and the device's NTP setting changes with a firmware upgrade, I could not.
-
@viragomann said in NTP Configuration for LAN & VLANs:
device's NTP setting changes with a firmware upgrade, I could not.
Valid point..
-
By default pfSense hands its own interface address to clients to use in each subnet via DHCP and the NTP server listens on all interfaces.
What is it you're trying to address by using any other configuration?
Also be aware that selecting specific interfaces in the NTP settings also restricts the source IPs NTP uses to update against external servers. So you must have NAT to cover that. Normally you always would, but it can be difficult to diagnose if you hit that issue.
Steve
-
@stephenw10 I'm not trying to address anything specific, just trying to learn and understand what would be considered best practice. A lot of the community guides just show LAN being selected as the interface for demonstration but never explain "why" they're making just that selection over, say, Localhost. I have VLANs set up as well, so I was curious what the community recommends and "why". My setup is a home setup with a LAN and multiple VLANs - nothing special. I really just wanted to try it out. Any additional guidance you could provide would be helpful. Thank you
-
Personally I use the default setup for NTP. You don't ever want to expose that to the WAN but the default firewall rules prevent that.