Netgate Discussion Forum

    NTP Confusion

    tlum

      This ought to be pretty simple…

      I have 4 NTP server names in System-> General Setup.

      On Services-> NTP one of the internal subnets is selected - the intention is for pfSense to serve NTP to that subnet.

      On Status->NTP all 4 servers are "Unreach/Pending".

      Packet trace on WAN interface shows all NTP requests going to the public servers with the source address of the selected private subnet... so obviously that isn't going to work. I'm sure this makes sense in some warped reality, but I don't get it. Meanwhile, the rest of the NTP traffic from various other subnets is finding its way out the WAN interface with an actual WAN source address (it's been NATed).

      So, how do you actually configure NTP on a pfSense box? I want to serve NTP to selected subnets. Also, pfSense needs to act as a client to keep itself synced, but should not under any circumstances start serving NTP on a public interface.

      tlum

        Apparently the NTP client is retarded, it'll ignore the appropriate gateway if you don't bind the server to the interface it's on. If you do, your client will sync with the public servers, but then you have an NTP listener on every IP in every public block, without pfSense giving advanced access to things like access control through the GUI.

        edit

        Strike that, it has more to do with the configuration of the subnet. The subnet in question - on which the pfSense NTP server should service clients - is specifically configured with no access to the outside; there is no NAT and no allow rules for any traffic.

        When you select no interface under Services->NTP then the ntpd is bound to all internal subnets, NOT to any WAN interfaces… although it didn't bind to my isolated subnet either and I still have no idea why that is. As long as one of those interfaces has a NAT rule the pfSense NTP client will get out to the public NTP servers.

        If you select specific interface(s), ntpd will bind only to those, including, and most importantly, when it's opening a client connection with an external server. So, it looks like if you want an isolated subnet you still need to NAT the pfSense interface address, or bind to another subnet which already has outbound NAT.

          deltalord
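        The two symptoms discussed above (peers stuck at "Unreach/Pending", and ntpd bound to a public address when interfaces are selected) can both be read straight off the box. The following is an added example, not code from the thread or from pfSense: it parses the `ntpq -pn` peer billboard and the `sockstat -4l` socket listing that a FreeBSD-based pfSense box produces, reports peers that have answered none of their last eight polls, and flags any ntpd socket bound to a WAN address. The sample output and the addresses (documentation ranges, WAN placeholder `203.0.113.5`) are constructed for the example, not captured from the poster's system.

```python
# Constructed sample of `ntpq -pn` output (not captured from the thread's box):
# the first two peers show reach 0, i.e. the "Unreach/Pending" state the
# poster describes; the third is a healthy, selected sys.peer ('*').
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 203.0.113.10    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 203.0.113.11    .INIT.          16 u    -   64    0    0.000    0.000   0.000
*198.51.100.20   198.51.100.1     2 u   30   64  377    4.210   -0.112   0.350
"""

# Constructed sample of `sockstat -4l` lines for ntpd. 203.0.113.5 stands in
# for the WAN address; a bind on it is exactly what the poster wants to avoid.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ntpd     ntpd       4242  20 udp4   127.0.0.1:123         *:*
ntpd     ntpd       4242  21 udp4   192.168.10.1:123      *:*
ntpd     ntpd       4242  22 udp4   203.0.113.5:123       *:*
"""


def parse_ntpq_peers(text):
    """Parse the `ntpq -pn` billboard into a list of peer dicts.

    Column 0 of each peer line is the tally code ('*' sys.peer, '+' candidate,
    ' ' rejected, 'x' falseticker, ...); the 'reach' column is an octal
    8-bit shift register of the last eight polls (377 = all answered).
    """
    peers = []
    for line in text.splitlines()[2:]:      # skip header row and ==== rule
        if not line.strip():
            continue
        tally, rest = line[0], line[1:]
        fields = rest.split()
        if len(fields) < 10:
            continue                        # not a peer line
        reach = int(fields[6], 8)
        peers.append({
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "tally": tally,
            "reach": reach,
            "reach_ok_polls": bin(reach).count("1"),
        })
    return peers


def unreachable_peers(text):
    """Peers that answered none of the last eight polls
    (shown as Unreach/Pending on Status->NTP)."""
    return [p["remote"] for p in parse_ntpq_peers(text) if p["reach"] == 0]


def ntpd_wan_listeners(sockstat_text, wan_addresses):
    """Return ntpd local sockets (addr:port) bound to any address in
    wan_addresses, i.e. NTP being served on a public interface."""
    exposed = []
    for line in sockstat_text.splitlines()[1:]:   # skip column header
        fields = line.split()
        if len(fields) < 6 or fields[1] != "ntpd":
            continue
        local = fields[5]
        addr, _, _port = local.rpartition(":")
        if addr in wan_addresses:
            exposed.append(local)
    return exposed


if __name__ == "__main__":
    # On a real box: ntpq_text = subprocess.run(["ntpq", "-pn"], ...).stdout
    # and sockstat_text = subprocess.run(["sockstat", "-4l"], ...).stdout
    print("unreachable peers:", unreachable_peers(SAMPLE_NTPQ))
    print("ntpd on WAN:", ntpd_wan_listeners(SAMPLE_SOCKSTAT, {"203.0.113.5"}))
```

Running it against live output means feeding the two commands' stdout to the two functions; a non-empty result from `ntpd_wan_listeners` after selecting interfaces under Services->NTP is the "listener on every public IP" case the second post describes, while a non-empty `unreachable_peers` list with an isolated subnet selected points at the missing outbound NAT.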

          Thanks so much!

          Unselecting any interface under "Services -> NTP" solved the Unreach/Pending issue and my clients are able to sync with the pfSense NTP Server.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.