PfSense as NTP server

  • I was wondering if there is any benefit to having the pfSense act as the NTP server for downstream switches? Should I be defining external NTP servers in my managed switches or allow the pfSense to do this?

    Are there any security considerations with NTP that I should be aware of?


  • LAYER 8 Global Moderator

    Well for one you limit the amount of traffic outbound to NTP, since only pfSense and/or other local NTP would be going outbound. This makes more sense when you have a large number of internal devices.

    It is well established practice to run an internal NTP that provides good time for all your internal devices. Pointing all your devices outbound for NTP can create unwanted traffic. While NTP traffic is not a significant amount of traffic, having say 100 or 1000 devices all talking outbound for NTP is way more external traffic than say having pfSense sync its time and then your local devices syncing to it.

    This also should remove delay and jitter between the time server and the time client to allow for more consistent time across your environment, vs. having multiple devices all talking across the public network, even to the same source, which will for sure see different delay and jitter across time. With local LAN traffic this delay and jitter should be very constant.
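    The delay and jitter point above can be made concrete with the arithmetic an NTP client actually does. The following is an added example, not code from the thread or from pfSense: it builds a client request, parses a server reply, validates the fields a careful client checks before trusting the packet (mode, echoed origin timestamp, stratum-0 kiss-o'-death, unsynchronised leap indicator), and computes the RFC 5905 clock offset and round-trip delay from the four timestamps T1..T4. The server reply and the LAN/WAN exchange lists are constructed inline with assumed timestamp values so it runs offline; the spread of the round-trip delay over several exchanges is what shows up as jitter.

```python
"""Offline SNTP arithmetic for checking a local time source such as pfSense.

Added example, not from the forum thread. Builds a client request, parses a
constructed server reply and computes the RFC 5905 offset and round-trip
delay, then compares the delay spread of LAN-like and internet-like exchanges."""
import statistics
import struct

NTP_EPOCH_OFFSET = 2_208_988_800        # seconds from 1900-01-01 to 1970-01-01
NTP_FORMAT = "!BBbbIIIQQQQ"             # 48-byte NTPv4 header, network byte order
NTP_SIZE = struct.calcsize(NTP_FORMAT)  # 48


def to_ntp(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * (1 << 32)))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix seconds."""
    return ((ts >> 32) - NTP_EPOCH_OFFSET) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1):
    """Client request: LI=0, VN=4, mode=3; the send time T1 goes in the transmit field."""
    return struct.pack(NTP_FORMAT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def build_reply(origin_ts, t2, t3, stratum=2, refid=b"GPS\x00"):
    """Constructed server reply (mode 4) used only for the offline sample; a real
    server fills these fields itself. origin_ts echoes the client's transmit
    timestamp; t2/t3 are the server's receive and transmit times."""
    return struct.pack(NTP_FORMAT, 0x24, stratum, 6, -20, 0, 0,
                       int.from_bytes(refid, "big"),
                       to_ntp(t2), origin_ts, to_ntp(t2), to_ntp(t3))


def offset_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay from one request/reply exchange."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def parse_reply(data, sent_t1, t4):
    """Validate a reply and return offset/delay; raises ValueError on anything a
    careful client discards rather than feeding into its clock."""
    if len(data) != NTP_SIZE:
        raise ValueError("unexpected packet length %d" % len(data))
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp, refid,
     _ref_ts, origin_ts, recv_ts, xmit_ts) = struct.unpack(NTP_FORMAT, data)
    mode = li_vn_mode & 0x7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if origin_ts != to_ntp(sent_t1):
        # Reply does not echo the T1 we sent: stale, duplicated or not ours.
        raise ValueError("origin timestamp mismatch")
    if stratum == 0:
        kod = refid.to_bytes(4, "big").decode("ascii", "replace")
        raise ValueError("kiss-o'-death reply: %s" % kod)
    if (li_vn_mode >> 6) == 3:
        raise ValueError("server clock not synchronised (LI=3)")
    offset, delay = offset_delay(sent_t1, from_ntp(recv_ts), from_ntp(xmit_ts), t4)
    return {"offset": offset, "delay": delay, "stratum": stratum}


def is_acceptable(data, sent_t1, t4):
    """True if parse_reply would accept the packet, False if it would be discarded."""
    try:
        parse_reply(data, sent_t1, t4)
        return True
    except ValueError:
        return False


def delay_spread(exchanges):
    """Population std-dev of round-trip delay over (t1, t2, t3, t4) exchanges."""
    return statistics.pstdev(offset_delay(*ex)[1] for ex in exchanges)


def sample_exchange():
    """One constructed exchange: server clock 0.0625 s ahead, round trip 0.375 s."""
    t1, t2, t3, t4 = 1700000000.0, 1700000000.25, 1700000000.375, 1700000000.5
    request = build_request(t1)
    origin_ts = struct.unpack(NTP_FORMAT, request)[-1]
    reply = build_reply(origin_ts, t2, t3)
    return parse_reply(reply, t1, t4)


# Constructed exchanges: a LAN path with constant delay vs. an internet path whose delay varies.
BASE = 1700000000
LAN_EXCHANGES = [(BASE + i, BASE + i + 0.125, BASE + i + 0.25, BASE + i + 0.375)
                 for i in range(3)]
WAN_EXCHANGES = [(BASE + i, BASE + i + 0.125, BASE + i + 0.25, BASE + i + 0.375 + extra)
                 for i, extra in enumerate((0.0, 0.5, 0.25))]

if __name__ == "__main__":
    print(sample_exchange())
    print("LAN delay spread: %.3f s" % delay_spread(LAN_EXCHANGES))
    print("WAN delay spread: %.3f s" % delay_spread(WAN_EXCHANGES))
```

    The origin-timestamp and stratum-0 checks are the ones worth keeping in mind when pointing clients at a local server: a reply that does not echo the request's transmit time should never adjust a clock, and a kiss-o'-death reply means back off rather than retry harder.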

  • I have a Raspberry Pi v2 set up with a GPS hat that acts as my NTP server, feeding pfSense so I have all the pretty graphing offered here and a local server. The time stability offered by the Pi is far better than I get even using my ISP's public NTP server, other single public servers or pool servers. With the Pi option I can skip external servers and their issues, simplifying my timekeeping.

    I add the Pi, pfSense and the server to my client's NTP config so they have a time source of some sort if one of the systems is down for some reason.

    The AdaFruit forums have some excellent topics on setting up the card they sell to provide a GPS based clock.

  • Thank you both. If I were to use the pfSense as an NTP server for subnets on my network, would I then need to define the pfSense as the NTP server on each of the switches and endpoints? Would I use the firewall address or the FQDN?

  • LAYER 8 Netgate

    If you have DNS that points to the inside address, you can use an FQDN. Else use the IP address. Up to you. FQDN lets you change the NTP server without touching all the clients by just changing the DNS resource record.

  • Since I'm using pfSense as my DNS server (behind a Pi-hole blocker) I have the pfSense DHCP server pass out the preferred NTP servers so I don't have to go to multiple systems to tweak them. A couple of boxes that have static addresses assigned do have the NTP servers defined in their config and do need to be individually tweaked, which is much more aggravation than the DHCP option.

    I use the FQDN here too, that lets me easily move a server to a new IP if I decide to rearrange my IP assignments. Every step you automate is one you won't forget to do and get a 2:00 AM call about!
