Netgate Discussion Forum
    [Solved] Am I really using pfSense as NTP server ...?

General pfSense Questions
31 Posts, 8 Posters, 3.1k Views

furom @viragomann

@viragomann Yes, I have rules like this in place on them
(Image: screenshot of the firewall pass rule referred to above)

viragomann @furom

@furom
No, that is a simple pass rule.
I was asking if you redirect all NTP requests to pfSense.

furom @viragomann

@viragomann Sure, I know, the NAT one is in the first post.

viragomann @furom

@furom
Ah ya.
So I guess that the KoDs came from pfSense.

The client might be configured to request an NTP pool. But since all requests are redirected to the pfSense NTP server, this one gets many requests in a period of time and then sends a KoD.
However, the client thinks he got the KoD from one of the pool servers he was requesting, because pfSense is using the original request IP as the source in its responses.

Had the same issue lately after redirecting NTP requests.

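As an added example (not code from this thread or from pfSense), the following Python decodes an NTP reply and flags the Kiss-o'-Death situation viragomann describes: with a NAT redirect in place, pfSense answers for every pool address the client tried, so KoDs apparently coming from all of them at once point at a single redirected responder. The packets are constructed inline; the header layout follows RFC 5905.

```python
import struct

# Fixed 48-byte NTPv4 header (RFC 5905 section 7.3), network byte order:
# flags, stratum, poll, precision, root delay, root dispersion, reference ID, four 64-bit timestamps
NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")

# Kiss-o'-Death codes relevant to the thread (RFC 5905 section 7.4); ntpd answers RATE when rate-limiting
KISS_CODES = {
    b"RATE": "rate exceeded: client must increase its poll interval",
    b"DENY": "access denied: client must stop polling this server",
    b"RSTR": "access restricted by the server's policy",
}

def parse_ntp(packet: bytes) -> dict:
    """Decode the header; a server reply with stratum 0 is a KoD and its reference ID is the kiss code."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    flags, stratum, poll, _prec, _delay, _disp, refid, *_ts = NTP_HEADER.unpack_from(packet)
    info = {"version": (flags >> 3) & 0x7, "mode": flags & 0x7, "stratum": stratum, "poll": poll, "kod": None}
    if info["mode"] == 4 and stratum == 0:   # mode 4 = server reply
        info["kod"] = refid.decode("ascii", errors="replace")
        info["kod_meaning"] = KISS_CODES.get(refid, "other kiss code")
    return info

def redirect_suspected(replies_by_server: dict) -> bool:
    """Thread symptom: behind a transparent redirect one host answers for every pool address the
    client polled, so all of them appear to send KoDs together. Independent pool members would not
    normally do that at the same time, so unanimous KoDs from several addresses suggest one responder."""
    kods = [parse_ntp(p)["kod"] for p in replies_by_server.values()]
    return len(kods) > 1 and all(k is not None for k in kods)

def build_server_reply(stratum: int, refid: bytes) -> bytes:
    """Construct a server-mode reply as sample input (not a captured packet)."""
    flags = (0 << 6) | (4 << 3) | 4           # LI=0, VN=4, mode=4
    return NTP_HEADER.pack(flags, stratum, 6, -20, 0, 0, refid, 0, 0, 0, 0)

if __name__ == "__main__":
    # Constructed sample: three pool addresses the client believes it polled, all answered by the redirect
    pool = {"pool-a": build_server_reply(0, b"RATE"),
            "pool-b": build_server_reply(0, b"RATE"),
            "pool-c": build_server_reply(0, b"RATE")}
    for name, pkt in pool.items():
        print(name, parse_ntp(pkt))
    print("single redirected responder suspected:", redirect_suspected(pool))
```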
furom @viragomann

@viragomann said in [Solved] Am I really using pfSense as NTP server ...?:

    @furom
    Ah ya.
    So I guess that the KoDs came from pfSense.

    The client might be configured to request an NTP pool. But since all requests are redirected to the pfSense NTP server, this one gets many requests in a period of time and then sends a KoD.
    However, the client thinks he got the KoD from one of the pool servers he was requesting, because pfSense is using the original request IP as the source in its responses.

    Had the same issue lately after redirecting NTP requests.

Thanks, yeah, that's probably it then. Thanks for having a look at it :)

RobbieTT @viragomann

@viragomann Effectively in this scenario, clients that can or prefer to go to an external NTP source get pushed to pfSense's internal NTP server. If pfSense is not happy about its own suitability, then every request to every external source comes back with a KoD generated by pfSense's ntpq.

So every restart or ntpq restart will have pfSense issuing KoDs (effectively an 'I don't know, ask someone else' command) to all clients, no matter what external NTP source they think they are asking, or trying instead because of the previous KoD... so on they go again with the next attempt.

☕️

viragomann @RobbieTT

@RobbieTT
Yes, I know.
I was unhappy about the many KoD complaints in the client's log. So I removed the NTP pool from its settings.

RobbieTT @viragomann

@viragomann Don't forget about DHCP Option 42, where you can tell clients where to go (and in what order) for NTP. It can avoid the 'ask me only' and 'I don't know' circular path you found yourself in.

☕️

mer @RobbieTT

@RobbieTT This is a very good solution if your pfSense box is handing out DHCP leases for clients behind it. I do this and point all clients to the pfSense box, and the pfSense box deals with the "pool". No NAT redirections or anything.

RobbieTT @mer

@mer said in [Solved] Am I really using pfSense as NTP server ...?:

    @RobbieTT This is a very good solution if your pfSense box is handing out DHCP leases for clients behind it. I do this and point all clients to the pfSense box, and the pfSense box deals with the "pool". No NAT redirections or anything.

I agree, but unfortunately some clients don't request the option in their DHCP Request, so it is not returned with the DHCP ACK.

For example, macOS only requests options 1, 3, 6, 15, 51, 53, 54 and 255.

Other than that I see no downsides.

☕️

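An added example (not from this thread or from pfSense) that checks the point RobbieTT makes above: a DHCP server hands back option 42 (NTP servers) only when the client lists it in its Parameter Request List (option 55), so a client with a short list such as the one quoted for macOS never receives the NTP server list. The DHCP messages are constructed inline following RFC 2132; the second request list is a constructed one that does include 42.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # follows the 236-byte fixed BOOTP header
OPT_NTP_SERVERS, OPT_MESSAGE_TYPE, OPT_PARAM_REQUEST, OPT_END = 42, 53, 55, 255

def parse_dhcp_options(packet: bytes) -> dict:
    """Walk the TLV option area of a DHCP message; returns {option code: raw value}."""
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def client_requested_ntp(packet: bytes) -> bool:
    """Option 42 is only returned in the DHCPACK if the client asked for it in option 55."""
    return OPT_NTP_SERVERS in parse_dhcp_options(packet).get(OPT_PARAM_REQUEST, b"")

def encode_ntp_servers(addresses: list) -> bytes:
    """Option 42 TLV: 4-byte IPv4 addresses in order of preference, as the server would send them."""
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    return bytes([OPT_NTP_SERVERS, len(payload)]) + payload

def build_request(param_list: bytes) -> bytes:
    """Constructed DHCPREQUEST carrying the given Parameter Request List (sample input, not a capture)."""
    fixed = bytes([1, 1, 6, 0]) + b"\x00" * 232     # op=BOOTREQUEST, htype=Ethernet, hlen=6, rest zeroed
    options = bytes([OPT_MESSAGE_TYPE, 1, 3, OPT_PARAM_REQUEST, len(param_list)]) + param_list + bytes([OPT_END])
    return fixed + DHCP_MAGIC + options

if __name__ == "__main__":
    # The list quoted in the thread for macOS, and a constructed list that does include option 42
    macos_like = build_request(bytes([1, 3, 6, 15, 51, 53, 54, 255]))
    with_ntp = build_request(bytes([1, 3, 6, 12, 15, 28, 42, 51, 54]))
    for name, req in (("macOS-like list", macos_like), ("list including 42", with_ntp)):
        print(name, "-> server returns option 42:", client_requested_ntp(req))
    print("option 42 payload:", encode_ntp_servers(["192.168.1.1", "192.168.1.2"]).hex())
```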
JonathanLee @furom

@furom have you tried a negated rule, adding the loopback and firewall IP addresses as an alias, and setting a NAT rule so that anything not going to that alias is redirected to the firewall?

I noticed you only have an any-to-any to the loopback. I had some issues with my NAT set like that. Mine needed both loopback and firewall. To do that I needed the negated rule with the "!"; this way it redirects any NTP requests right to the firewall. The clients all work for me, even if they attempt to access a Windows time server.

(Image: screenshot showing the negated NAT rules)

(Image: screenshot showing the alias for NTP use)

Make sure to upvote

furom @JonathanLee

@JonathanLee Hi,
This would probably be as good too. My rule above is Any for all my interfaces. It seems to work as intended; all traffic goes to pfSense as it is now. But I will remember this to try in case of issues in the future. Thanks :)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.