Netgate Discussion Forum

    PfSense as NTP server

    General pfSense Questions
      A Former User

      I was wondering if there is any benefit to having the pfSense act as the NTP server for downstream switches? Should I be defining external NTP servers in my managed switches or allow the pfSense to do this?

      Are there any security considerations with NTP that I should be aware of?

      Thanks.

        johnpoz LAYER 8 Global Moderator

        Well for one you limit the amount of traffic outbound to ntp since only pfsense and/or other local ntp would be going outbound.  This makes more sense when you have a large number of internal devices.

        It is well established practice to run an internal ntp that provides good time for all your internal devices.. Pointing all your devices outbound for ntp can create unwanted traffic.. While ntp traffic is not a significant amount of traffic.. Having say 100 or 1000 devices all talking outbound for ntp is way more external traffic than say having pfsense sync its time and then your local devices syncing to it.

        This also should remove delay and jitter between the time server and the time client to allow for more consistent time across your environment..  Vs having multiple devices all talking across the public network even to the same source will for sure see different delay and jitter across time.  While local lan traffic this delay and jitter should be very constant.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
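
The delay and jitter point in the reply above can be made concrete with the standard NTP on-wire calculation (RFC 5905): offset and round-trip delay come from four timestamps, and any asymmetry between the outbound and return path shows up as offset error. This is an added example, not part of the original thread; the packets, the latencies, the 10 ms server offset and the helper names (`at`, `build_reply`, `check_reply`, `poll`, `jitter`) are all constructed for illustration. It also applies the basic checks a client makes before trusting a reply.

```python
import struct
from statistics import pstdev

FMT = "!BBbbII4s4Q"          # 48-byte NTP header; the four Q fields are 32.32 timestamps
BASE = 3_900_000_000 << 32   # constructed "now" in 64-bit NTP fixed point

def at(ms):
    """Constructed timestamp: BASE plus ms milliseconds."""
    return BASE + round(ms * 2**32 / 1000)

def build_reply(org, rx, tx, leap=0, stratum=2, mode=4):
    """Constructed NTPv4 server reply, so the example runs offline."""
    first = leap << 6 | 4 << 3 | mode
    return struct.pack(FMT, first, stratum, 6, -20, 0, 0, b"\0" * 4, 0, org, rx, tx)

def check_reply(pkt, t1, t4):
    """Validate the reply to a request sent at t1 and answered at t4 (client clock).
    Returns (offset_s, delay_s); raises ValueError when the reply must be ignored."""
    if len(pkt) < 48:
        raise ValueError("short packet")
    lvm, stratum, *_, org, t2, t3 = struct.unpack(FMT, pkt[:48])
    if (lvm & 7) != 4:
        raise ValueError("not a server reply")
    if (lvm >> 6) == 3 or not 1 <= stratum <= 15:
        raise ValueError("server clock not synchronized")
    if org != t1:
        raise ValueError("origin timestamp does not match our request")
    offset = ((t2 - t1) + (t3 - t4)) / 2 / 2**32
    delay = ((t4 - t1) - (t3 - t2)) / 2**32
    return offset, delay

def poll(paths_ms, server_ahead_ms=10.0, processing_ms=0.1):
    """Run check_reply over constructed (outbound_ms, return_ms) path latencies."""
    results = []
    for out, back in paths_ms:
        t1 = at(0)
        t2 = at(out + server_ahead_ms)                   # server clock on arrival
        t3 = at(out + server_ahead_ms + processing_ms)   # server clock on reply
        t4 = at(out + processing_ms + back)              # client clock on receipt
        results.append(check_reply(build_reply(t1, t2, t3), t1, t4))
    return results

def jitter(results):
    """Spread of round-trip delay across polls (population standard deviation)."""
    return pstdev(delay for _, delay in results)

LAN = poll([(0.4, 0.5), (0.5, 0.4), (0.4, 0.4), (0.5, 0.5)])          # constructed
WAN = poll([(18.0, 31.0), (25.0, 20.0), (40.0, 22.0), (19.0, 45.0)])  # constructed
print("LAN offsets", [round(o, 5) for o, _ in LAN], "jitter", jitter(LAN))
print("WAN offsets", [round(o, 5) for o, _ in WAN], "jitter", jitter(WAN))
```

With the same 10 ms true offset, the constructed LAN polls all estimate it to within 0.05 ms, while the Internet-like polls scatter from -3 ms to 19 ms because the path is asymmetric and variable.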

          stan-qaz

          I have a Raspberry Pi v2 set up with a GPS hat that acts as my NTP server, feeding pfSense so I have all the pretty graphing offered here and a local server. The time stability offered by the Pi is far better than I get even using my ISP's public NTP server, other single public servers or pool servers. With the Pi option I can skip external servers and their issues, simplifying my timekeeping.

          I add the Pi, pfSense and the server to my client's NTP config so they have a time source of some sort if one of the systems is down for some reason.

          The AdaFruit forums have some excellent topics on setting up the card they sell to provide a GPS based clock.

            A Former User

            Thank you both. If I were to use the pfSense as an NTP server for subnets on my network would I then need to define the pfSense as the NTP server on each of the switches and endpoints? Would I use the firewall address or the FQDN?

              Derelict LAYER 8 Netgate

              If you have DNS that points to the inside address, you can use an FQDN. Else use the IP address. Up to you. FQDN lets you change the NTP server without touching all the clients by just changing the DNS resource record.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                stan-qaz

                Since I'm using pfSense as my DNS server (behind a PI-Hole blocker) I have the pfSense DHCP server pass out the preferred NTP servers so I don't have to go to multiple systems to tweak them. A couple boxes that have static addresses assigned do have the NTP servers defined in their config and do need individually tweaked which is much more aggravation than the DHCP option.

                I use the FQDN here too, that lets me easily move a server to a new IP if I decide to rearrange my IP assignments. Every step you automate is one you won't forget to do and get a 2:00 AM call about!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.