PfSense as NTP Server - Open FW (UDP 123) after first sync with external NTP



  • Hi all,
    I’ve tried to use pfSense as NTP server for devices or servers that are connected. I found it very easy to use which is great. The only problem is that I saw issues with time after first boot before first synchronization with external NTP on internet.

    From my perspective it doesn't really matter whether I have it in a virtual environment or on reliable HW with a good internal clock. I simply don't trust it before the first sync.

    My idea is to use cron to check every hour whether pfSense was / wasn't synchronized and, if it wasn't, then disable the FW rule which allows UDP 123. Or force a sync and disable the firewall rule if the sync wasn't successful (issue with the internet connection) and enable it otherwise.

    So basically NTP server will serve reliable time or will not work at all. From my perspective such setup would be perfect since it is not a problem when a server or device on network cannot sync time for a few hours but it could be a big problem when it gets wrong time.

    Has anyone considered such solution? Would you be so kind and help me with scripting (with commands that should run by cron)?

    Thank you and have a great day.
    Jeff


  • LAYER 8 Global Moderator

    "but it could be a big problem when it gets wrong time."

    Until ntp has sync'd it would not even serve time.  And if the time is WAY off and says good, the client would take forever to sync to it and wouldn't just jump to that time.

    Your idea is pointless with how ntp works..



  • If you need time sooner than you are getting it now you might look at hardware options. I was having networking issues that were making net based ntp unreliable, I worked around the connection issues by building an NTP server on a Raspberry Pi with a GPS based clock and setting it as preferred in the pfSense NTP configuration.

    https://www.adafruit.com/product/2324

    You could also consider adding a serial time server to pfSense, several cheap options are available but since I had a spare Pi and GPS hat I didn't go that route.

    https://www.adafruit.com/products/746



  • NTP has a "stratum" that is a measure of quality, the lower the better. Until the NTP service has found a suitable sync source its own stratum will be so high that no client will accept it as a sync source.
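    A way to observe the stratum/leap behaviour described above from the shell, as an added example (not code from any poster or from pfSense itself): it parses the output of `ntpq -c rv`, which reports `leap=11` and `stratum=16` until ntpd has synchronised. The two `ntpq -c rv` samples are constructed for illustration, and the `rv_field` and `ntp_usable` helpers are hypothetical names.

```shell
#!/bin/sh
# Constructed sample of `ntpq -c rv` output from an ntpd that has not yet
# synchronised: leap=11 (alarm) and stratum=16 (unsynchronised).
UNSYNCED_RV='associd=0 status=c011 leap_alarm, sync_unspec, 1 event, freq_not_set,
version="ntpd 4.2.8p7@1.3265-o", processor="amd64", leap=11, stratum=16,
precision=-20, rootdelay=0.000, rootdisp=0.000, refid=INIT, reftime=(no time),
clock=0xdc0b3f5e.1a2b3c4d, peer=0, tc=3, mintc=3, offset=0.000, frequency=0.000'

# Constructed sample after the first sync with an upstream stratum 2 server.
SYNCED_RV='associd=0 status=0618 leap_none, sync_ntp, 1 event, no_sys_peer,
version="ntpd 4.2.8p7@1.3265-o", processor="amd64", leap=00, stratum=3,
precision=-20, rootdelay=14.221, rootdisp=38.105, refid=203.0.113.10,
clock=0xdc0b4a12.8e1c9a77, peer=17302, tc=6, mintc=3, offset=-0.412, frequency=3.1'

# rv_field RV NAME -> prints the value of the NAME= variable in an rv string.
# The rv output is a comma-separated list of name=value pairs.
rv_field() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# ntp_usable RV -> exit 0 if the server advertises usable time, 1 otherwise.
# A client's selection algorithm rejects a peer with leap=11 (alarm) or
# stratum 16, which is why an unsynchronised pfSense does not hand out
# wrong time to its clients.
ntp_usable() {
    leap=$(rv_field "$1" leap)
    stratum=$(rv_field "$1" stratum)
    [ -n "$leap" ] && [ -n "$stratum" ] || return 1
    [ "$leap" != "11" ] && [ "$stratum" -lt 16 ]
}

# On a live box, feed the real output through it (not run here):
# if ntp_usable "$(ntpq -c rv)"; then echo synced; else echo "not synced"; fi
```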



  • Thank you - I hadn't considered stratum. I checked it only via w32tm /stripchart /computer:ip and after boot it was way off. But if I understand correctly then the stratum will be high and the time sync service will not accept it.

    But just for fun, could you please tell me how to run "ntpd -gq" on pfSense? I got this error:

    30 Jun 17:42:06 ntpd[45163]: ntpd 4.2.8p7@1.3265-o Mon May 16 19:34:33 UTC 2016 (1): Starting
    30 Jun 17:42:06 ntpd[45163]: Command line: ntpd -gq
    30 Jun 17:42:06 ntpd[45163]: proto: precision = 1.199 usec (-20)
    30 Jun 17:42:06 ntpd[45163]: getconfig: Couldn't open : No such file or directory
    30 Jun 17:42:06 ntpd[45163]: unable to bind to wildcard address :: - another process may be running - EXITING


  • I think you need to give each option individually: ntpd -g -q

    Did you do a ps to be sure that ntpd isn't already running? Only one ntpd can run so you must kill one to start another instance.

    Do you have an ntp.conf file in /etc?

    You realize pfSense doesn't use the /etc location for the conf file? See the ps output for the pfSense location and options used.

    Looking at the ntpd commands here: https://www.eecis.udel.edu/~mills/ntp/html/ntpd.html

    What are you trying to accomplish with the -q option?

    -q – Exit the ntpd just after the first time the clock is set. This behavior mimics that of the ntpdate program, which is to be retired. The -g and -x options can be used with this option. Note: The kernel time discipline is disabled with this option.

    My pfSense uses the -g -c -p options but not the -q.

    I don't understand why you want the ntpd to start, sync and then exit which is what the -q is going to do. That will set the pfSense clock once but without the ntpd running you won't be serving time to other systems or even keeping the pfSense clock in sync with the ntp system.



  • @stan-qaz:

    -q – Exit the ntpd just after the first time the clock is set. This behavior mimics that of the ntpdate program, which is to be retired. The -g and -x options can be used with this option. Note: The kernel time discipline is disabled with this option.

    I don't understand why you want the ntpd to start, sync and then exit which is what the -q is going to do. That will set the pfSense clock once.

    Yes, that's exactly right: you set the clock once from the first available server, then exit.  That way the time on your server is very close, so when you do start ntpd and start disciplining your kernel time, your server time will stabilize very quickly.  If you don't do this, then your server can take quite a bit of time to settle down to a correct value.

    Like you quoted, this is how ntpdate worked, which is or will be deprecated.


  • LAYER 8 Global Moderator

    I'm with Stan, I just run my own ntp stratum 1 on a pi via gps module.. Cheap, fun project that can be a great learning exp for someone new to ntp, etc… My pfSense is a vm so it's never going to be a great time source even when synced with a local stratum one, if you look how tight you can keep time with a good source ;)

    You're talking under $100 for the whole thing, pi, power, sd card for the pi and gps module and battery for the gps module, extended antenna.. Quick write up here http://www.satsignal.eu/ntp/Raspberry-Pi-quickstart.html

    If you're worried about your time source being offline when you reboot pfSense, etc. etc.  Get yourself a pi, set it up, put it in the corner somewhere and it will run and run and run and run... And provide you nice time for anything on your network..



  • The Pi really works well, mine is an original Pi-2 which has a really slow Ethernet and poor processor compared to newer versions but it works well enough to be far better than the closest ntp servers I can reach on the net. This plot is using both the right and left axis to get a better view of what is happening, with just one axis the disp pretty much swamps the other data.




