Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [Solved] Am I really using pfSense as NTP server ...?

    Scheduled Pinned Locked Moved General pfSense Questions
    31 Posts 8 Posters 3.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      Yes, ntpd should just respond to clients locally. That should not generate additional external queries.

      F 1 Reply Last reply Reply Quote 1
      • F
        furom @stephenw10
        last edited by furom

        @stephenw10 said in Am I really using pfSense as NTP server ...?:

        Yes, ntpd should just respond to clients locally. That should not generate additional external queries.

        So I could be forwarding queries somehow... I certainly don't intend to, I would be very happy keeping clients in sync with pfSense. Does my rule for catching NTP look alright? Before that I had all sorts of NTP requests blocked, so thought a NAT was the way to go, but perhaps pfSense is not what actually responds in my case?

        NollipfSenseN 1 Reply Last reply Reply Quote 0
        • F
          furom @RobbieTT
          last edited by

          @RobbieTT Thanks :) What I am concerned about is if my clients are in fact served by pfSense, or if my NAT is not enough to contain local NTP traffic...

          RobbieTTR 1 Reply Last reply Reply Quote 0
          • RobbieTTR
            RobbieTT @furom
            last edited by

            @furom Understood. Are you going to post your Status / NTP table?

            ☕️

            F 1 Reply Last reply Reply Quote 0
            • F
              furom @RobbieTT
              last edited by

              @RobbieTT Here it is, it looks a lot like yours I suppose
              5081d01a-69c3-4f49-98fa-f634b38a2fe6-image.png

              RobbieTTR 1 Reply Last reply Reply Quote 0
              • NollipfSenseN
                NollipfSense @furom
                last edited by NollipfSense

                @furom said in Am I really using pfSense as NTP server ...?:

                So I could be forwarding queries somehow... I certainly don't intend to,

                If you look at your firewall rule, in the comment you stated that indeed to "redirect NTP to pfSense." So, that implied it was by design. Here is mine also as well as firewall rule:

                Screenshot 2023-06-06 at 8.28.28 AM.png

                Screenshot 2023-06-06 at 8.31.45 AM.png

                pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                F 1 Reply Last reply Reply Quote 0
                • RobbieTTR
                  RobbieTT @furom
                  last edited by

                  @furom It's not looking that healthy. One active peer is good but there are no other NTP servers with "Candidate" status.

                  Has it recently been restated?

                  ☕️

                  F 1 Reply Last reply Reply Quote 0
                  • F
                    furom @RobbieTT
                    last edited by

                    @RobbieTT Yes, I have been fiddling with it, so probably why

                    1 Reply Last reply Reply Quote 0
                    • F
                      furom @NollipfSense
                      last edited by

                      @NollipfSense said in Am I really using pfSense as NTP server ...?:

                      @furom said in Am I really using pfSense as NTP server ...?:

                      So I could be forwarding queries somehow... I certainly don't intend to,

                      If you look at your firewall rule, in the comment you stated that indeed to "redirect NTP to pfSense." So, that implied it was by design. Here is mine also:

                      Screenshot 2023-06-06 at 8.28.28 AM.png

                      Well, yes. I wrote the rule with intention to send all traffic to pfSense. I believe that part to work fine, but what actually responds to it, if it is pfSense or some external NTP is the question as I did get KoD packets from external NTP servers

                      RobbieTTR 1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        It's ntpd that responds locally. There is no forwarding ntp queries.

                        You should be able to see states for ntp queries that are somehow missing your redirect. If they exist.

                        The only other option might be that clients are using one of the encrypted ntp types to connect externally. But if that was the case you probably wouldn't see the KoD packets. Not something I've ever looked into though.

                        Steve

                        F RobbieTTR 2 Replies Last reply Reply Quote 0
                        • RobbieTTR
                          RobbieTT @furom
                          last edited by

                          @furom ntpq is polling at the correct rate, which is at the default of 64 seconds, but it will relax to a slower rate if/when it is happy.

                          At this point I think we are looking at your ntpq instance issuing KoD at a LAN client or clients. This may be due to an excessive request rate or simply due to ntpq not being happy about its own status.

                          ☕️

                          F 1 Reply Last reply Reply Quote 0
                          • F
                            furom @stephenw10
                            last edited by

                            @stephenw10 said in Am I really using pfSense as NTP server ...?:

                            It's ntpd that responds locally. There is no forwarding ntp queries.

                            You should be able to see states for ntp queries that are somehow missing your redirect. If they exist.

                            The only other option might be that clients are using one of the encrypted ntp types to connect externally. But if that was the case you probably wouldn't see the KoD packets. Not something I've ever looked into though.

                            Steve

                            Ok. Well, it was just a bit of a mystery, probably not something to dig much deeper in. Thanks all for the feedback and insights. :)

                            1 Reply Last reply Reply Quote 0
                            • F
                              furom @RobbieTT
                              last edited by

                              @RobbieTT Well, if so, shouldn't these KoD packets originate from pfSense? Anyhow, I haven't seen any new ones since yesterday, so guess whatever the issue was is gone for now at least. Thanks :)

                              V 1 Reply Last reply Reply Quote 0
                              • RobbieTTR
                                RobbieTT @stephenw10
                                last edited by

                                @stephenw10 said in Am I really using pfSense as NTP server ...?:

                                The only other option might be that clients are using one of the encrypted ntp types to connect externally. But if that was the case you probably wouldn't see the KoD packets. Not something I've ever looked into though.

                                Steve

                                Steve, your instinct is correct as an encrypted ntp would not return a KoD. It would either drop or, more helpfully, issue a CRYP response.

                                ☕️

                                1 Reply Last reply Reply Quote 1
                                • V
                                  viragomann @furom
                                  last edited by

                                  @furom
                                  Did you forward NAT request to your pfSense on local interfaces?

                                  F 1 Reply Last reply Reply Quote 1
                                  • F
                                    furom @viragomann
                                    last edited by

                                    @viragomann Yes, I have rules like this in place on them
                                    b5c5dbcb-d510-4644-bcb7-9ed039619ff9-image.png

                                    V 1 Reply Last reply Reply Quote 0
                                    • V
                                      viragomann @furom
                                      last edited by

                                      @furom
                                      No, that is a simple pass rule.
                                      I was asking if you redirect all NTP requests to pfSense.

                                      F 1 Reply Last reply Reply Quote 0
                                      • F
                                        furom @viragomann
                                        last edited by

                                        @viragomann Sure, I know, NAT one is in the first post

                                        V 1 Reply Last reply Reply Quote 0
                                        • V
                                          viragomann @furom
                                          last edited by

                                          @furom
                                          Ah ya.
                                          So I guess, that the KoDs came from pfSense.

                                          The client might be configured to request an NTP pool. But since all requests are redirected to the pfSense NTP server, this one gets many requests in a period of time and sends a KoD then.
                                          However, the client thinks, he got the KoD from one of the pool server he was requesting, because pfSense is using the origin request IP as source in responds.

                                          Had the same issue lately after redirecting NTP requests.

                                          F RobbieTTR 2 Replies Last reply Reply Quote 2
                                          • F
                                            furom @viragomann
                                            last edited by

                                            @viragomann said in [Solved] Am I really using pfSense as NTP server ...?:

                                            @furom
                                            Ah ya.
                                            So I guess, that the KoDs came from pfSense.

                                            The client might be configured to request an NTP pool. But since all requests are redirected to the pfSense NTP server, this one gets many requests in a period of time and sends a KoD then.
                                            However, the client thinks, he got the KoD from one of the pool server he was requesting, because pfSense is using the origin request IP as source in responds.

                                            Had the same issue lately after redirecting NTP requests.

                                            Thanks, Yeah, that's probably it then. Thanks for having a look at it :)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.