Why use pfsense as an NTP server?
I'm wondering, is there any benefit to using the pfsense box itself as the NTP server for your internal networks? I mean, is it keeping better time than external time servers that most computers/workstations are already programmed to check automatically?
I know the NTP traffic is really small, so if I setup the proper rules, is it worth keeping that traffic "in network", or is it so trivial that the pass any-to-any rules on the various interfaces we've got setup is enough.
I'm not asking how to set all this up, that's pretty easy. I was just wondering why somebody would want to do it. I have searched for any helpful posts or articles on this, but it's mostly the instructions for how to make it all work.
I guess if I'm asking "why do it", I don't really need to do it...
Anybody got any insight? Thanks!
KOM last edited by
NTP sources can have jitter, lag and other artifacts from being on the public Internet. These problems don't exist to anywhere near the same degree on LAN. What that means is that your LAN clients will all have the same time if they fetch it from the router. If each LAN client has to fetch his own time from the Internet, they can be slightly off as compared to each other as measured in milliseconds. Usually this isn't that important for most people. Kerberos auth like MS AD requires timestamps that are within 5 minutes of domain time, but even with a jittery NTP server, you wouldn't be 5 minutes out of sync.
chpalmer last edited by
Also helps keep the traffic down on the external servers.
Grimson Banned last edited by
And you can use a GPS module for even more accuracy: https://docs.netgate.com/pfsense/en/latest/book/services/ntpd-gps.html
jahonix last edited by
All of the above and if I think about my 50+ hosts at home alone all querying ntp.org instead of only my router the motivation should be clear.
The new paradigm seems to be data-abstention (at least in Europe/Germany).
Gertjan last edited by
Added to all that : my pfSense doesn't do much anyway (35 hosts), and upstream bandwith is always not enough ....
I know the NTP traffic is really small,
Already touched on but don't forget very small time X number of clients can equal not so small ;)
Also touched on with your time source being common and local your machines time will all be better in sync then all your different clients talking to different servers with different jitter and response times depending.
The question should be more to you have a box that can be ntp server that is local - why would you not just have your local clients point to it?
The question should be more do you have a box that can be ntp server that is local - why would you not just have your local clients point to it?
I agree with that, and it makes sense. So, would it better network etiquette (netiquette? :)) to program the settings into each client/host to use the pfsense box as the NTP server, or setup pfsense to do the redirect work itself?
You do not need to redirect anything... Just hand out ntp via dhcp and you would hope most clients would use that.. If clients do not, then you might have to set them on the client to point to your local ntp..
Where you might want to redirect or setup some host overrides is iot devices that might be harded coded query a specific ntp name or IP.
Found some bad programmed iot devices that for example use wrong freaking country ntp pool.. Some lights I have hit uk.pool.ntp.org for example.. Morons!! ;)
For starters if they want their device to use ntp that is great, they should prob use the custom listing you can setup with ntp.org like pfsense did.. Or atleast let the user change it - because not even in the UK.. Im in the US.. So some lazy coding there for sure ;) Not like I bought UK version of the lights, bought them off amazon and they are US lightbulbs.. So why they freaking point to uk ntp pool? ;)
How deep you want to get into it is up to you - I love ntp so much I run a local ntp stratum 1 on a pi ;) that serves up to the pool ;)
KOM last edited by
Some lights I have hit uk.pool.ntp.org for example.. Morons!! ;)
They wanted to use NTP servers closest to the Greenwich Meridian for the sake of precision...
heheeheh - yeah maybe ;)
My bad it wasn't the actual "light" is was the HS110 smart switches...
I will have to put that override back in for uk.pool.ntp.org ;)