NTP widget time wrong?
-
Did you create a NAT rule for NTP?
I have an alias set up for 192.168.1.1 and 127.0.0.1 and anything not going to them "!" negated send to the firewalls IP 192.168.1.1 that will serve the requests. Works great like this. I had issues with manually setting it all the time I set them all to the firewalls IP, as time was jumping all over during tests like my TIME was hacked by 10-15 mins. Weird right, well it was a cyber security class so what do you expect you only learn by trial and error.
-
If it's configured only as a PPS source it will remain accurate but not actually sync the time. Though I would expect that only to apply to local source in pfSense itself.
How is ntp configured in pfSense? -
@anthonys said in NTP widget time wrong?:
Hi @Ramosel,
It all seems to be working.... but appears to me, it's just the widget that lags
I believe you are correct. Check the existing discussion Dashboard - NTP widget Server Time
Thanks Anthonys. I wonder why your thread didn't show in my search?
I thought I'd messed up the NTP server build and was going through Phil's time refinement process... the more I worked on the GPS-NTP-PPS thing the more the NTP clock drifted (probably not, but it sure felt that way).
Just odd to me that the widget for a "TIME" server has a dysfunctional clock.
-
@Ramosel said in NTP widget time wrong?:
Just odd to me that the widget for a "TIME" server has a dysfunctional clock.
What time server are you using ??
pfSense is a firewall, not a Time server.
And my guess is that the NTP server is distributing the correct time, mine does.
It's just the Widget that doesn't spend CPU-Cycles on autorefresh.IMHO - It's kind'a nitpicking.
I have absolutely no issue, having to hit "Refresh" to update the time. Especially when i have the correct time in the lower left of my PC desktop screen.If you need a display with an accurate clock, buy one.
SNTP sync'ed - pricey
https://www.american-time.com/product/clock-digital-poe-4-red-6-digit/Or use TVB's "Java Clock", since your PC is already in sync.
http://leapsecond.com/java/gpsclock.htmYou could even DIY an ESP32 based NTP sync'ed display clock for a decent price.
http://w8bh.net/NTP_DualClock.pdf
And sync it to your new Raspi "Stratum 0" Clock./Bingo
-
@bingo600 do you have a NAT for your NTP set???
-
@stephenw10 said in NTP widget time wrong?:
If it's configured only as a PPS source it will remain accurate but not actually sync the time. Though I would expect that only to apply to local source in pfSense itself.
How is ntp configured in pfSense?Thanks, Steve! Just odd this is normal considering what the "time server" widget is there for. Is this an issue that is even noted for revisit with the pfSense code slingers?
My NTP is just set with the new GPS/NTP server IP address on the local lan, preferred, server
Then I have two pools, not preferred, pool
2.north-america.pool.ntp.org
2.pfSense.pool.NHP.org
and lastly, one nist server, as a server
time-c-b.nist.govThat gives me the head count for 3 or more sources.
Off topic: I'm still waiting on OpenWRT 23.05 release to nail down the "switch issue" with the Marvell chipset. Although the configuration you and I worked out has not shown the problem many others were seeing (I think the complexity of the configuration superseded possibility of mishandling routing on the vlans). But, I think the writing is on the wall for the Marvell based products. And, they'll never support mesh. So I've started playing with the e8450 as apparently Mediatek has hired one of the OpenWRT devs to write their drivers... so I'm figuring that is one of the chipsets that will remain viable and supported in OpenWRT for some time to come.
-
@JonathanLee
I suppose you mean NAT redirection , to catch "Naugthy clients" that doesn't adhere to the NTP server they get from DHCPNope ...
All my NTP clients seem to be well behaved.
I don't log many rogue NTP requests.I only allow NTP requests to TFW (pfSense IF's) on all but one Vlan.
My pfSense & Linux servers are Synced to my two "stratum 0" Boxes , and have a few selected "stratum 1" servers as backup./Bingo
-
@bingo600 said in NTP widget time wrong?:
What time server are you using ??
pfSense is a firewall, not a Time server.
And my guess is that the NTP server is distributing the correct time, mine does.
It's just the Widget that doesn't spend CPU-Cycles on autorefresh.Bingo, now that I understand what the issue is, I agree. But spending the time to build up a GPS based Stratum 1 time server then have the widget lag... was a bit disconcerting. I spent a lot of time trying to fix something that wasn't broke. Unfortunately, when I searched the issue here, I wasn't shown Anthonys' previous thread. Of all the widgets on the dashboard, I somehow had the mistaken idea the NTP widget would be the ONE to have have accurate "TIME".
The time server I am using is Raspberry Pi based, uses a GPS hat from Uputronics and after a couple of other builds (that showed the same widget issue in pfSense), I settled on the configuration from Phil Randal (Phil's Occasional Blog). His build is much more involved but really ties down the "time" function of GPS as opposed to location or movement. He also makes it easy to use or not use various GPS sources from config files on the server. The other option is to remove the hat and run u-Blox u-Center software to access and configure the GPS settings of the M8/8 chip via USB-C on the hat itself.
All of the time needy devices on my network are getting their time from pfSense, I may need to reassess that. But, until now, it has worked for years with offsite sources.
Hopefully the devs will look at this and fix it at some point... wasted cpu cycles or not. My little SG-4860 generally runs at about 10% load, so I think I have the available cycles to support a fully functional widget.
Until then, maybe an option to NOT show a dysfunctional clock and a disclaimer of it's shortcomings might be a nice stopgap.
-
@Ramosel said in NTP widget time wrong?:
time-c-b.nist.gov
Just tried adding that...somehow pfSense is not seeing it as a valid address after clicking save. I take it the "c" is for central time.
login-to-view
login-to-viewTried the IP and it took that...
login-to-view
login-to-view -
@NollipfSense time-c-g.nist.gov resolves just fine. But you shouldn't be marking things as pools when they are not pools.
;; QUESTION SECTION: ;time-c-g.nist.gov. IN A ;; ANSWER SECTION: time-c-g.nist.gov. 3600 IN A 129.6.15.30https://tf.nist.gov/tf-cgi/servers.cgi
Looks like you have a space on the end there as well..
-
@johnpoz Thanks John, I'll fix that.
That worked...
login-to-view
login-to-view -
@NollipfSense said in NTP widget time wrong?:
@Ramosel said in NTP widget time wrong?:
time-c-b.nist.gov
Just tried adding that...somehow pfSense is not seeing it as a valid address after clicking save. I take it the "c" is for central time.
No, it's just a lesser used IPV4 server in Boulder. Dave MIlls is an old acquaintance and when I spoke with him about my pfSense setup a few years back he said the a-b servers get hammered the most... all the IPV6 guys flock to the d-b and e-b servers... use c-b.
https://tf.nist.gov/tf-cgi/servers.cgi
-
@Ramosel
That is actually not a bad price for the "Hat" ... €50 from France.Right now i'm doing a DIY NTP server, with an OrangePI One.
That will be built in my - RAPCO 1804 L25C GPSDO Receiver
login-to-viewI have chosen the OrangePi over the RasPi's (I have 10+ 3B's in the drawer), due to the Lan CHIP being connected directly to the SoC.
The RasPi 3B Lan chip is actually USB coupled, and that causes a bit of jitter.This is my current "burn in" test of the OrangePi.
With a DS3231 IIC Module - https://www.aliexpress.com/item/32822420722.html$ sudo i2cdetect -y 1 0 1 2 3 4 5 6 7 8 9 a b c d e f 00: -- -- -- -- -- -- -- -- 10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 30: 30 -- 32 33 34 35 36 -- -- -- -- -- -- -- -- -- 40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 50: 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 70: -- -- -- -- -- -- -- --$ sudo hwclock --verbose hwclock from util-linux 2.36.1 System Time: 1695225080.007973 Trying to open: /dev/rtc0 Using the rtc interface to the clock. Last drift adjustment done at 1695223549 seconds after 1969 Last calibration done at 1695223549 seconds after 1969 Hardware clock is on UTC time Assuming hardware clock is kept in UTC time. Waiting for clock tick... ...got clock tick Time read from Hardware Clock: 2023/09/20 15:51:41 Hw clock time : 2023/09/20 15:51:41 = 1695225101 seconds since 1969 Time since last adjustment is 1552 seconds Calculated Hardware Clock drift is 0.000000 seconds 2023-09-20 17:51:39.554254+02:00The hardware will be "transplanted" into the GPSDO Box , and i will piggyback on the existing Trimble GPS receiver (RX + 1PPS).
Then install & run GPSD + NTP w. 1-PPS support/Bingo
-
@bingo600 yes, that is what I mean to NAT to your NTP server's IP address for clients not manually going to it. For me I use authenticated NTP so the firewall points to those when requests hit the firewall.
-
@bingo600 said in NTP widget time wrong?:
@Ramosel
That is actually not a bad price for the "Hat" ... €50 from France.Right now i'm doing a DIY NTP server, with an OrangePI One.
That will be built in my - RAPCO 1804 L25C GPSDO ReceiverI like that, sweet. Thanks for the info. Most of these builds are turning off the USB and using GPIO. The i2c gets really simple. Phil gets really deep into fine tuning after you get it running... I need to go back and do more, but I though the Pi NTP server was causing the widget issue. Now that I know it's not, I'll dig deeper into the GPS/NTP/PPS dialog.
pi@RPi4b-NTP-GPS:~ $ i2cdetect -y 1
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- 42 -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- UU -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --I'm curious if Phil's build would work on the Orange Pi??
http://www.philrandal.co.uk/blog/archives/2019/04/entry_213.html -
Cannot get the devices to agree on time, one will be -0.046s while another device will be +0.045s
-
@Ramosel said in NTP widget time wrong?:
I'm curious if Phil's build would work on the Orange Pi??
http://www.philrandal.co.uk/blog/archives/2019/04/entry_213.htmlThe Trimble TSIP protocol is somewhat special, compared to NMEA.
But i'm in contact with the maintainer of the TSIP part of GPSD, and he's quite sure GPSD will work.
Even with a receive only (Uart RX + 1-PPS) connection. I can't (won't) connect TX to the OrangePI, as that "belongs to the Rapco".If i go totally crazy i could test for "missing 1-PPS" for ie. 20 sec , and then switch over to a 1-PPS divided down from the 10MHz OCXO in the Rapco.
That way "I'll be somewhat in sync .. Depends on the holdover routine in the Rapco" even with a GPS outage.Hmmm .... Maybe the HW dependent part should be moved to the "Off Topic thread" you made.
https://forum.netgate.com/topic/182811/raspberry-gps-based-time-server/Bingo
-
@bingo600 said in NTP widget time wrong?:
Hmmm .... Maybe the HW dependent part should be moved to the "Off Topic thread" you made.
https://forum.netgate.com/topic/182811/raspberry-gps-based-time-serverSure, now that I know I'm not crazy and the NTP clock is really grunged... I'm good here. I doubt that I'd ever build what you have, but you've got me interested and I'd sure like to follow the build. Use my thread or start your own, I'm cool either way.
Rick