Routing NTP traffic from pfSense through VPN.

  • I'm stuck with an ISP that has blocked port 123 both ways for us (long story), so I'm attempting to get the time through VPN.

    The VPN connection works fine and I was able to route all LAN-originated NTP through the VPN connection. I would, however, like to have all machines on the LAN get the time from pfSense and let pfSense get the time from the internet.

    So far the only way I got it to work was by adding a static route to the IP of an NTP server. This will likely break if the IP should change though.

    Is it at all possible to somehow route only firewall-originated NTP traffic through the VPN connection (without manually adding a static route)? I've tried floating rules with a source of This Firewall, but that didn't work after numerous attempts.

  • Use a local GPS receiver and connect that to your pfSense.

    On the next occasion kick your ISP's butt.

  • LAYER 8 Global Moderator

    Good advice ^

    There are many ways to run an NTP server on inexpensive hardware - I run a stratum 1 on a Raspberry Pi with an add-on GPS board. Total cost was less than $100.. Pi, case, power supply, SD card, add-on board, antenna.. Can be done even cheaper for sure..

  • I'll take that as a no (to being able to do it with policy-based routing) then. :D

    Thanks all.

  • If setfib(1) was usable on pfSense and integrated into the GUI so that the FIBs could be managed easily, you could use them for policy routing, but only based on the destination addresses, which would be fine assuming the NTP peers are known and don't change. This would of course require integration with the OpenVPN start/stop events to properly hook the custom FIBs when appropriate.
