Why use pfsense as an NTP server?

KOM

@johnpoz said in Why use pfsense as an NTP server?:

Some lights I have hit uk.pool.ntp.org for example.. Morons!! ;)

They wanted to use NTP servers closest to the Greenwich Meridian for the sake of precision...

johnpoz

heheeheh - yeah maybe ;)

My bad it wasn't the actual "light" is was the HS110 smart switches...

I will have to put that override back in for uk.pool.ntp.org ;)

occamsrazor

@johnpoz said in Why use pfsense as an NTP server?:

You do not need to redirect anything... Just hand out ntp via dhcp and you would hope most clients would use that.. If clients do not, then you might have to set them on the client to point to your local ntp..

Am I correct in saying you would do this under Services > DHCP Server > Other Options > NTP and then just enter 192.168.0.1 in the field "NTP Server 1"? (if 192.168.0.1 is the LAN address of the pfSense router)

johnpoz

@occamsrazor yes in your dhcp server area you can set up to 3 ntp servers to hand out via dhcp. But there is nothing saying that the client will actually use this..

Linux more likely to use these than say windows client - guess to if iot will use it, prob not. Especially when they are hard coded to use some specific pool address like in my above example with uk pool... Stupid devices ;)

Best plan is set your dhcp to use the ntp you want, then watch your dns and network traffic - are they actually using that, if not then look to see what dns they are using and you could override that dns to point to the ntp server you want them to use.

If they are really horribly at it, and have some hard coded IP they point too - then yeah you could do a redirect for ntp on that IP, or just all traffic on udp 123 to what you want them to use locally. Its not like they are doing any sort of authentication that who they are asking for ntp is that specific ntp..

occamsrazor

@johnpoz said in Why use pfsense as an NTP server?:

If they are really horribly at it, and have some hard coded IP they point too - then yeah you could do a redirect for ntp on that IP, or just all traffic on udp 123 to what you want them to use locally. Its not like they are doing any sort of authentication that who they are asking for ntp is that specific ntp..

That would seem the simplest solution... I could just redirect all NTP requests coming from my LAN to the pfSense NTP server. Do you see any disadvantage to that? I'm mostly Apple and IOS plus some IoT devices and have been reading some reports that Apple devices aren't great at keeping synchronized in latest OS versions so was keen to try. I should add that I've encountered no problems, just keen to play with the capabilities of pfSense....
Could you please remind me where and how to create such a redirect rule? I have this existing port forward rule that intercepts DNS requests and redirects them to my pfSense server - would it be exactly the same but with the NTP port 123 instead?
Thanks...

johnpoz

@occamsrazor Yeah it would be the same as dns, just use port 123..

I'm just not a fan of redirection in general.. If you can accomplish what you want without redirecting traffic would be the better option imho.

BTW why are you using alias dnsports? This really would only be 53..

reports that Apple devices aren't great at keeping synchronized in latest OS versions

I have not seen such reports - do you have a link that your seeing this being reported? I only have phones - which would use the cell connection to keep accurate time.. I was just using ipad to show time for a video test of latency, and it was spot on..

occamsrazor

@johnpoz

It just seems like it would be advantageous to have all devices on LAN sync from the same time server, and as pfSense is using multiple NTP servers and then making a single decision as to the time, having them sync to pfSense would keep all devices in fairly perfect sync.

I'm using that alias to redirect both DNS port 53 and DNS-over-TLS port 853 to pfSense Unbound

Re: links on Mac devices (note Mac and specifically Big Sur version, not IOS):

https://apple.stackexchange.com/questions/414088/macos-timed-wont-keep-accurate-time
https://forums.macrumors.com/threads/time-synchronization-command-line-in-macos-big-sur.2279396/

I'll admit it's a bit beyond me....

johnpoz

@occamsrazor said in Why use pfsense as an NTP server?:

DNS-over-TLS port 853 to pfSense Unbound

That isn't going to work.. Atleast not with any sane client, because the client should be validating the cert.. even if you have pfsense listening on 853, the certs not going to be valid for the cn the client should be checking.

I am not saying its not a good idea to sync all your clients to your local source, I am just against redirection. The correct solution is to point the clients at your ntp server - be it via dns, via dhcp handing it out, be it via configuration on the client directly..

If you can not get your client to use local ntp by normal means - then sure redirect them to accomplish your goal. It would just be my last choice is all.

occamsrazor

@johnpoz said in Why use pfsense as an NTP server?:

That isn't going to work.. At least not with any sane client, because the client should be validating the cert.. even if you have pfsense listening on 853, the certs not going to be valid for the cn the client should be checking.

It was a long time ago I set this up. I seem to remember the objective may have been to prevent guest devices on my network that might have hard-coded DNS-over-TLS servers from being able to bypass Unbound. I think the objective may have been intentionally for such requests to fail.. umm, maybe?

Edit: It came from this discussion (though I'm no longer using forwarding, am using as resolver): https://forum.netgate.com/topic/135832/quad9-dns-over-tls-setup-with-unbound-forwarding-in-2-4-4-rc

I am not saying its not a good idea to sync all your clients to your local source, I am just against redirection. The correct solution is to point the clients at your ntp server - be it via dns, via dhcp handing it out, be it via configuration on the client directly..

That does seem better, but with a number of different devices such as IOT etc it seems like it would be a lot of work manually configuring and some devices may be hard-coded or or without the option to set manually as you point out. Then, for mobile devices such as laptops and iPhones, I wouldn't want to hard-code to pfSense as they'd then have the wrong NTP server when outside the home, no? I'm in favor of solutions that can be implemented, changed, disabled easily at the router level to avoid this.

I'm sensing I may be overcomplicating solutions to a problem that doesn't exist, but it's fun to experiment :-)

Patch

@occamsrazor said in Why use pfsense as an NTP server?:

I could just redirect all NTP requests coming from my LAN to the pfSense NTP server.

When I tried that, the traffic was routed but the clients were not able to update their time, indicating some form of validation is used.

occamsrazor

@patch said in Why use pfsense as an NTP server?:

When I tried that, the traffic was routed but the clients were not able to update their time, indicating some form of validation is used.

I've added the redirect rule but struggling how exactly to test if (a) requests to external NTP servers are indeed getting redirected to pfSense and (b) if they are being successful.

Not sure if this is correct usage on OSX but I'm not sure if the pfSense NTP server is working properly:

Trying to sync with pfSense:

~ % sntp 192.168.0.1
sntp: Exchange failed: Server not synchronized
sntp: Exchange failed: Timeout
sntp: Exchange failed: Timeout
sntp: Exchange failed: Timeout
-0.022114 +/- 0.017639 192.168.0.1 192.168.0.1

With redirect rule ENABLED:

~ % sntp time.nist.gov
sntp: Exchange failed: Server not synchronized
sntp: Exchange failed: Timeout
sntp: Exchange failed: Timeout
sntp: Exchange failed: Timeout
-0.023434 +/- 0.016968 time.nist.gov 132.163.97.4

With redirect rule DISABLED:

~ % sntp time.nist.gov
+0.006460 +/- 0.000610 time.nist.gov 132.163.97.4

johnpoz

@occamsrazor said in Why use pfsense as an NTP server?:

sntp: Exchange failed: Server not synchronized

that telling me your ntp server on pfsense isn't in sync yet... What is the output of your ntp status on pfsense?

example

See pfsense showing active peer with my local ntp server, and the reach is 377..

Here is me using sntp to talk to ntp service on pfsense (192.168.2.253 in my case for the the vlan that client is on)

root@NewUC:/tmp# sntp 192.168.2.253
sntp 4.2.8p12@1.3728-o (1)
2021-08-22 09:13:56.332459 (+0600) -0.003800 +/- 0.031367 192.168.2.253 s2 no-leap
root@NewUC:/tmp# 

JKnott

@occamsrazor said in Why use pfsense as an NTP server?:

It just seems like it would be advantageous to have all devices on LAN sync from the same time server, and as pfSense is using multiple NTP servers and then making a single decision as to the time, having them sync to pfSense would keep all devices in fairly perfect sync.

I use 3 stratum 1 servers for my ntp server. However, I have an Asus tablet, which wants to use some server in Asia and there doesn't appear to be any way to change that. So, I watched to see what server host name it was using and then created an alias to send those requests to my own server. I also created an alias for pool.ntp.org and set my notebook to that. This way, I use my server when at home and the pool server when elsewhere.

BTW, I have watched the ntp traffic on my LAN and it's curious to see the clients alternate between IPv4 and IPv6 addresses. I have no idea why that happens, as clients normally prefer IPv6.

occamsrazor

@johnpoz said in Why use pfsense as an NTP server?:

that telling me your ntp server on pfsense isn't in sync yet... What is the output of your ntp status on pfsense?

NTP Settings:

NTP Status:

SNTP to the active peer directly:

~ % sntp 17.253.122.125
+2.566791 +/- 0.000595 17.253.122.125 17.253.122.125

SNTP to pfSense:

~ % sntp 192.168.0.1
sntp: Exchange failed: Server not synchronized
sntp: Exchange failed: Timeout
sntp: Exchange failed: Timeout
sntp: Exchange failed: Timeout
+2.547919 +/- 0.112869 192.168.0.1 192.168.0.1

bingo600

@occamsrazor
You have a low reachability : 7 vs 377
And the jitter of you peers seems "crazy".

The delay seems very high : Is this a heavy loaded line or radio/sat based ?

Something seems fishy

occamsrazor

@bingo600 said in Why use pfsense as an NTP server?:

You have a low reachability : 7 vs 377
And the jitter of you peers seems "crazy".
The delay seems very high : Is this a heavy loaded line or radio/sat based ?
Something seems fishy

Agree something seems odd. It's a 50mb fiber line, albeit in Africa. Pings to most NTP servers are around 200ms.

On the Mac side, something is odd. I read these threads:
https://forums.macrumors.com/threads/time-synchronization-command-line-in-macos-big-sur.2279396/
https://apple.stackexchange.com/questions/414088/macos-timed-wont-keep-accurate-time

..and it seems there is some weirdness. I tried installing ChronyControl on the Mac:
https://chrony.tuxfamily.org/index.html
https://whatroute.net/chronycontrol.html#overview

....and then using that to set the time direct from pfSense server and it seemed to work:

MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 192.168.0.1                   2   6    17    24    +41us[ +148us] +/-  114ms

Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
192.168.0.1                 4   3     6    +38.937    455.940  +1482us    52us

Remote address  : 192.168.0.1 (C0A80001)
Remote port     : 123
Local address   : 192.168.0.10 (C0A8000A)
Leap status     : Normal
Version         : 4
Mode            : Server
Stratum         : 2
Poll interval   : 6 (64 seconds)
Precision       : -24 (0.000000060 seconds)
Root delay      : 0.202484 seconds
Root dispersion : 0.011719 seconds
Reference ID    : 11FD7A7D ()
Reference time  : Sun Aug 22 16:57:16 2021
Offset          : -0.000148106 seconds
Peer delay      : 0.002995686 seconds
Peer dispersion : 0.000007154 seconds
Response time   : 0.000051314 seconds
Jitter asymmetry: +0.00
NTP tests       : 111 111 1111
Interleaved     : No
Authenticated   : No
TX timestamping : Daemon
RX timestamping : Kernel
Total TX        : 4
Total RX        : 4
Total valid RX  : 4

I think the best troubleshooting would be to try sntp from a non-Mac machine to see if that was different, but at the moment I don't have any.

bingo600

@occamsrazor

Was going to point you to this one
https://forums.macrumors.com/threads/time-synchronization-command-line-in-macos-big-sur.2279396/

Until i saw your post there 34min ago

Seems like chrony is the way to go

Btw: Can you post your ntp stats again ?
Maybe Reach has improved

/Bingo

occamsrazor

@bingo600 said in Why use pfsense as an NTP server?:

Seems like chrony is the way to go

It does, if this kind of thing is critical. Which in my case it isn't really, I just liked the idea of all my devices syncing to pfSense. But as most are Macs and there seems to be an issue, it doesn't seem all that worthwhile to pursue the force redirect to pfSense option.

Btw: Can you post your ntp stats again ?
Maybe Reach has improved

You must be clairvoyant....

It seems I may have restarted the NTP server shortly before I posted the stats in the previous post, as after restarting the Reach slowly continues to rise until it hits 377.... some googling brought me this...

https://www.linuxjournal.com/article/6812

johnpoz

Yeah reach can take a few checks before it shows 377, which just means you have gotten answers for your last 8 checks.

bingo600

@johnpoz said in Why use pfsense as an NTP server?:

Yeah reach can take a few checks before it shows 377, which just means you have gotten answers for your last 8 checks.

Precisely
https://www.ntp.org/ntpfaq/NTP-s-trouble.htm

8.1.4. What does 257 mean as value for reach?

(Inspired by Martin Burnicki) The value displayed in column reach is octal, and it represents the reachability register. One digit in the range of 0 to 7 represents three bits. The initial value of that register is 0, and after every poll that register is shifted left by one position. If the corresponding time source sent a valid response, the rightmost bit is set.

During a normal startup the registers values are these: 0, 1, 3, 7, 17, 37, 77, 177, 377

Thus 257 in the dual system is 10101111, saying that two valid responses were not received during the last eight polls. However, the last four polls worked fine.

Btw:
It's not often you see a Stratum 2 server selected as Active Peer , when there's several Stratum 1 servers available.
Something must be disqualifying them.

/Bingo