Why use pfsense as an NTP server?
-
I'm wondering, is there any benefit to using the pfsense box itself as the NTP server for your internal networks? I mean, is it keeping better time than external time servers that most computers/workstations are already programmed to check automatically?
I know the NTP traffic is really small, so if I setup the proper rules, is it worth keeping that traffic "in network", or is it so trivial that the pass any-to-any rules on the various interfaces we've got setup is enough.
I'm not asking how to set all this up, that's pretty easy. I was just wondering why somebody would want to do it. I have searched for any helpful posts or articles on this, but it's mostly the instructions for how to make it all work.
I guess if I'm asking "why do it", I don't really need to do it...
Anybody got any insight? Thanks!
Jeff
-
NTP sources can have jitter, lag and other artifacts from being on the public Internet. These problems don't exist to anywhere near the same degree on LAN. What that means is that your LAN clients will all have the same time if they fetch it from the router. If each LAN client has to fetch his own time from the Internet, they can be slightly off as compared to each other as measured in milliseconds. Usually this isn't that important for most people. Kerberos auth like MS AD requires timestamps that are within 5 minutes of domain time, but even with a jittery NTP server, you wouldn't be 5 minutes out of sync.
-
Also helps keep the traffic down on the external servers.
-
And you can use a GPS module for even more accuracy: https://docs.netgate.com/pfsense/en/latest/book/services/ntpd-gps.html
-
All of the above and if I think about my 50+ hosts at home alone all querying ntp.org instead of only my router the motivation should be clear.
The new paradigm seems to be data-abstention (at least in Europe/Germany). -
Added to all that : my pfSense doesn't do much anyway (35 hosts), and upstream bandwith is always not enough ....
-
@akuma1x said in Why use pfsense as an NTP server?:
I know the NTP traffic is really small,
Already touched on but don't forget very small time X number of clients can equal not so small ;)
Also touched on with your time source being common and local your machines time will all be better in sync then all your different clients talking to different servers with different jitter and response times depending.
The question should be more to you have a box that can be ntp server that is local - why would you not just have your local clients point to it?
-
@johnpoz said in Why use pfsense as an NTP server?:
The question should be more do you have a box that can be ntp server that is local - why would you not just have your local clients point to it?
I agree with that, and it makes sense. So, would it better network etiquette (netiquette? :)) to program the settings into each client/host to use the pfsense box as the NTP server, or setup pfsense to do the redirect work itself?
Jeff
-
You do not need to redirect anything... Just hand out ntp via dhcp and you would hope most clients would use that.. If clients do not, then you might have to set them on the client to point to your local ntp..
Where you might want to redirect or setup some host overrides is iot devices that might be harded coded query a specific ntp name or IP.
Found some bad programmed iot devices that for example use wrong freaking country ntp pool.. Some lights I have hit uk.pool.ntp.org for example.. Morons!! ;)
For starters if they want their device to use ntp that is great, they should prob use the custom listing you can setup with ntp.org like pfsense did.. Or atleast let the user change it - because not even in the UK.. Im in the US.. So some lazy coding there for sure ;) Not like I bought UK version of the lights, bought them off amazon and they are US lightbulbs.. So why they freaking point to uk ntp pool? ;)
How deep you want to get into it is up to you - I love ntp so much I run a local ntp stratum 1 on a pi ;) that serves up to the pool ;)
-
@johnpoz said in Why use pfsense as an NTP server?:
Some lights I have hit uk.pool.ntp.org for example.. Morons!! ;)
They wanted to use NTP servers closest to the Greenwich Meridian for the sake of precision...
-
heheeheh - yeah maybe ;)
My bad it wasn't the actual "light" is was the HS110 smart switches...
I will have to put that override back in for uk.pool.ntp.org ;)
-
@johnpoz said in Why use pfsense as an NTP server?:
You do not need to redirect anything... Just hand out ntp via dhcp and you would hope most clients would use that.. If clients do not, then you might have to set them on the client to point to your local ntp..
Am I correct in saying you would do this under Services > DHCP Server > Other Options > NTP and then just enter 192.168.0.1 in the field "NTP Server 1"? (if 192.168.0.1 is the LAN address of the pfSense router)
-
@occamsrazor yes in your dhcp server area you can set up to 3 ntp servers to hand out via dhcp. But there is nothing saying that the client will actually use this..
Linux more likely to use these than say windows client - guess to if iot will use it, prob not. Especially when they are hard coded to use some specific pool address like in my above example with uk pool... Stupid devices ;)
Best plan is set your dhcp to use the ntp you want, then watch your dns and network traffic - are they actually using that, if not then look to see what dns they are using and you could override that dns to point to the ntp server you want them to use.
If they are really horribly at it, and have some hard coded IP they point too - then yeah you could do a redirect for ntp on that IP, or just all traffic on udp 123 to what you want them to use locally. Its not like they are doing any sort of authentication that who they are asking for ntp is that specific ntp..
-
@johnpoz said in Why use pfsense as an NTP server?:
If they are really horribly at it, and have some hard coded IP they point too - then yeah you could do a redirect for ntp on that IP, or just all traffic on udp 123 to what you want them to use locally. Its not like they are doing any sort of authentication that who they are asking for ntp is that specific ntp..
That would seem the simplest solution... I could just redirect all NTP requests coming from my LAN to the pfSense NTP server. Do you see any disadvantage to that? I'm mostly Apple and IOS plus some IoT devices and have been reading some reports that Apple devices aren't great at keeping synchronized in latest OS versions so was keen to try. I should add that I've encountered no problems, just keen to play with the capabilities of pfSense....
Could you please remind me where and how to create such a redirect rule? I have this existing port forward rule that intercepts DNS requests and redirects them to my pfSense server - would it be exactly the same but with the NTP port 123 instead?
Thanks...
-
@occamsrazor Yeah it would be the same as dns, just use port 123..
I'm just not a fan of redirection in general.. If you can accomplish what you want without redirecting traffic would be the better option imho.
BTW why are you using alias dnsports? This really would only be 53..
reports that Apple devices aren't great at keeping synchronized in latest OS versions
I have not seen such reports - do you have a link that your seeing this being reported? I only have phones - which would use the cell connection to keep accurate time.. I was just using ipad to show time for a video test of latency, and it was spot on..
-
It just seems like it would be advantageous to have all devices on LAN sync from the same time server, and as pfSense is using multiple NTP servers and then making a single decision as to the time, having them sync to pfSense would keep all devices in fairly perfect sync.
I'm using that alias to redirect both DNS port 53 and DNS-over-TLS port 853 to pfSense Unbound
Re: links on Mac devices (note Mac and specifically Big Sur version, not IOS):
https://apple.stackexchange.com/questions/414088/macos-timed-wont-keep-accurate-time
https://forums.macrumors.com/threads/time-synchronization-command-line-in-macos-big-sur.2279396/I'll admit it's a bit beyond me....
-
@occamsrazor said in Why use pfsense as an NTP server?:
DNS-over-TLS port 853 to pfSense Unbound
That isn't going to work.. Atleast not with any sane client, because the client should be validating the cert.. even if you have pfsense listening on 853, the certs not going to be valid for the cn the client should be checking.
I am not saying its not a good idea to sync all your clients to your local source, I am just against redirection. The correct solution is to point the clients at your ntp server - be it via dns, via dhcp handing it out, be it via configuration on the client directly..
If you can not get your client to use local ntp by normal means - then sure redirect them to accomplish your goal. It would just be my last choice is all.
-
@johnpoz said in Why use pfsense as an NTP server?:
That isn't going to work.. At least not with any sane client, because the client should be validating the cert.. even if you have pfsense listening on 853, the certs not going to be valid for the cn the client should be checking.
It was a long time ago I set this up. I seem to remember the objective may have been to prevent guest devices on my network that might have hard-coded DNS-over-TLS servers from being able to bypass Unbound. I think the objective may have been intentionally for such requests to fail.. umm, maybe?
Edit: It came from this discussion (though I'm no longer using forwarding, am using as resolver): https://forum.netgate.com/topic/135832/quad9-dns-over-tls-setup-with-unbound-forwarding-in-2-4-4-rc
I am not saying its not a good idea to sync all your clients to your local source, I am just against redirection. The correct solution is to point the clients at your ntp server - be it via dns, via dhcp handing it out, be it via configuration on the client directly..
That does seem better, but with a number of different devices such as IOT etc it seems like it would be a lot of work manually configuring and some devices may be hard-coded or or without the option to set manually as you point out. Then, for mobile devices such as laptops and iPhones, I wouldn't want to hard-code to pfSense as they'd then have the wrong NTP server when outside the home, no? I'm in favor of solutions that can be implemented, changed, disabled easily at the router level to avoid this.
I'm sensing I may be overcomplicating solutions to a problem that doesn't exist, but it's fun to experiment :-)
-
@occamsrazor said in Why use pfsense as an NTP server?:
I could just redirect all NTP requests coming from my LAN to the pfSense NTP server.
When I tried that, the traffic was routed but the clients were not able to update their time, indicating some form of validation is used.
-
@patch said in Why use pfsense as an NTP server?:
When I tried that, the traffic was routed but the clients were not able to update their time, indicating some form of validation is used.
I've added the redirect rule but struggling how exactly to test if (a) requests to external NTP servers are indeed getting redirected to pfSense and (b) if they are being successful.
Not sure if this is correct usage on OSX but I'm not sure if the pfSense NTP server is working properly:
Trying to sync with pfSense:
~ % sntp 192.168.0.1 sntp: Exchange failed: Server not synchronized sntp: Exchange failed: Timeout sntp: Exchange failed: Timeout sntp: Exchange failed: Timeout -0.022114 +/- 0.017639 192.168.0.1 192.168.0.1
With redirect rule ENABLED:
~ % sntp time.nist.gov sntp: Exchange failed: Server not synchronized sntp: Exchange failed: Timeout sntp: Exchange failed: Timeout sntp: Exchange failed: Timeout -0.023434 +/- 0.016968 time.nist.gov 132.163.97.4
With redirect rule DISABLED:
~ % sntp time.nist.gov +0.006460 +/- 0.000610 time.nist.gov 132.163.97.4
-
@occamsrazor said in Why use pfsense as an NTP server?:
sntp: Exchange failed: Server not synchronized
that telling me your ntp server on pfsense isn't in sync yet... What is the output of your ntp status on pfsense?
example
See pfsense showing active peer with my local ntp server, and the reach is 377..
Here is me using sntp to talk to ntp service on pfsense (192.168.2.253 in my case for the the vlan that client is on)
root@NewUC:/tmp# sntp 192.168.2.253 sntp 4.2.8p12@1.3728-o (1) 2021-08-22 09:13:56.332459 (+0600) -0.003800 +/- 0.031367 192.168.2.253 s2 no-leap root@NewUC:/tmp#
-
@occamsrazor said in Why use pfsense as an NTP server?:
It just seems like it would be advantageous to have all devices on LAN sync from the same time server, and as pfSense is using multiple NTP servers and then making a single decision as to the time, having them sync to pfSense would keep all devices in fairly perfect sync.
I use 3 stratum 1 servers for my ntp server. However, I have an Asus tablet, which wants to use some server in Asia and there doesn't appear to be any way to change that. So, I watched to see what server host name it was using and then created an alias to send those requests to my own server. I also created an alias for pool.ntp.org and set my notebook to that. This way, I use my server when at home and the pool server when elsewhere.
BTW, I have watched the ntp traffic on my LAN and it's curious to see the clients alternate between IPv4 and IPv6 addresses. I have no idea why that happens, as clients normally prefer IPv6.
-
@johnpoz said in Why use pfsense as an NTP server?:
that telling me your ntp server on pfsense isn't in sync yet... What is the output of your ntp status on pfsense?
NTP Settings:
NTP Status:
SNTP to the active peer directly:
~ % sntp 17.253.122.125 +2.566791 +/- 0.000595 17.253.122.125 17.253.122.125
SNTP to pfSense:
~ % sntp 192.168.0.1 sntp: Exchange failed: Server not synchronized sntp: Exchange failed: Timeout sntp: Exchange failed: Timeout sntp: Exchange failed: Timeout +2.547919 +/- 0.112869 192.168.0.1 192.168.0.1
-
@occamsrazor
You have a low reachability : 7 vs 377
And the jitter of you peers seems "crazy".The delay seems very high : Is this a heavy loaded line or radio/sat based ?
Something seems fishy
-
@bingo600 said in Why use pfsense as an NTP server?:
You have a low reachability : 7 vs 377
And the jitter of you peers seems "crazy".
The delay seems very high : Is this a heavy loaded line or radio/sat based ?
Something seems fishyAgree something seems odd. It's a 50mb fiber line, albeit in Africa. Pings to most NTP servers are around 200ms.
On the Mac side, something is odd. I read these threads:
https://forums.macrumors.com/threads/time-synchronization-command-line-in-macos-big-sur.2279396/
https://apple.stackexchange.com/questions/414088/macos-timed-wont-keep-accurate-time..and it seems there is some weirdness. I tried installing ChronyControl on the Mac:
https://chrony.tuxfamily.org/index.html
https://whatroute.net/chronycontrol.html#overview....and then using that to set the time direct from pfSense server and it seemed to work:
MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* 192.168.0.1 2 6 17 24 +41us[ +148us] +/- 114ms
Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev ============================================================================== 192.168.0.1 4 3 6 +38.937 455.940 +1482us 52us
Remote address : 192.168.0.1 (C0A80001) Remote port : 123 Local address : 192.168.0.10 (C0A8000A) Leap status : Normal Version : 4 Mode : Server Stratum : 2 Poll interval : 6 (64 seconds) Precision : -24 (0.000000060 seconds) Root delay : 0.202484 seconds Root dispersion : 0.011719 seconds Reference ID : 11FD7A7D () Reference time : Sun Aug 22 16:57:16 2021 Offset : -0.000148106 seconds Peer delay : 0.002995686 seconds Peer dispersion : 0.000007154 seconds Response time : 0.000051314 seconds Jitter asymmetry: +0.00 NTP tests : 111 111 1111 Interleaved : No Authenticated : No TX timestamping : Daemon RX timestamping : Kernel Total TX : 4 Total RX : 4 Total valid RX : 4
I think the best troubleshooting would be to try sntp from a non-Mac machine to see if that was different, but at the moment I don't have any.
-
Was going to point you to this one
https://forums.macrumors.com/threads/time-synchronization-command-line-in-macos-big-sur.2279396/Until i saw your post there 34min ago
Seems like chrony is the way to go
Btw: Can you post your ntp stats again ?
Maybe Reach has improved/Bingo
-
@bingo600 said in Why use pfsense as an NTP server?:
Seems like chrony is the way to go
It does, if this kind of thing is critical. Which in my case it isn't really, I just liked the idea of all my devices syncing to pfSense. But as most are Macs and there seems to be an issue, it doesn't seem all that worthwhile to pursue the force redirect to pfSense option.
Btw: Can you post your ntp stats again ?
Maybe Reach has improvedYou must be clairvoyant....
It seems I may have restarted the NTP server shortly before I posted the stats in the previous post, as after restarting the Reach slowly continues to rise until it hits 377.... some googling brought me this...
https://www.linuxjournal.com/article/6812
-
Yeah reach can take a few checks before it shows 377, which just means you have gotten answers for your last 8 checks.
-
@johnpoz said in Why use pfsense as an NTP server?:
Yeah reach can take a few checks before it shows 377, which just means you have gotten answers for your last 8 checks.
Precisely
https://www.ntp.org/ntpfaq/NTP-s-trouble.htm8.1.4. What does 257 mean as value for reach? (Inspired by Martin Burnicki) The value displayed in column reach is octal, and it represents the reachability register. One digit in the range of 0 to 7 represents three bits. The initial value of that register is 0, and after every poll that register is shifted left by one position. If the corresponding time source sent a valid response, the rightmost bit is set. During a normal startup the registers values are these: 0, 1, 3, 7, 17, 37, 77, 177, 377 Thus 257 in the dual system is 10101111, saying that two valid responses were not received during the last eight polls. However, the last four polls worked fine.
Btw:
It's not often you see a Stratum 2 server selected as Active Peer , when there's several Stratum 1 servers available.
Something must be disqualifying them./Bingo
-
@occamsrazor said in Why use pfsense as an NTP server?:
albeit in Africa
You prob want to use the Africa pool then
https://www.pool.ntp.org/zone/africa
server 0.africa.pool.ntp.org server 1.africa.pool.ntp.org server 2.africa.pool.ntp.org server 3.africa.pool.ntp.org
Not sure exactly where your at in Africa - but these should be closer to you.. See the link for all the different pools for the Africa Zone..
Those ones with huge delays are not really going to be good sync choices.
-
@johnpoz said in Why use pfsense as an NTP server?:
You prob want to use the Africa pool then
https://www.pool.ntp.org/zone/africaVery good point! I'm in Kenya and just did some ping tests. Often I avoid servers located in Africa and prefer others as sometimes routing can be weird here, e.g. traffic via undersea cable often goes via Dubai/Mideast, so other places in Africa can often have higher pings than Europe does. But in this case it does seem to be faster...
PING pool.ntp.org (162.159.200.1): 56 data bytes 64 bytes from 162.159.200.1: icmp_seq=0 ttl=52 time=142.945 ms PING ntp1.glb.nist.gov (128.138.141.172): 56 data bytes 64 bytes from 128.138.141.172: icmp_seq=0 ttl=40 time=270.877 ms PING europe.pool.ntp.org (162.159.200.1): 56 data bytes 64 bytes from 162.159.200.1: icmp_seq=0 ttl=52 time=143.169 ms PING africa.pool.ntp.org (41.220.128.73): 56 data bytes 64 bytes from 41.220.128.73: icmp_seq=0 ttl=51 time=110.317 ms PING 0.africa.pool.ntp.org (41.78.128.17): 56 data bytes 64 bytes from 41.78.128.17: icmp_seq=0 ttl=49 time=67.826 ms PING 1.africa.pool.ntp.org (197.82.150.123): 56 data bytes 64 bytes from 197.82.150.123: icmp_seq=0 ttl=50 time=75.761 ms
I still don't seem to be getting a Stratum 1 server though, if that matters...
It then occurred to me - should time.nist.gov, apple, google, etc and the other servers that are not xxx.ntp.org - should they be marked as "Pool" type ones in settings? When I un-mark them as pool I get different results:
-
@occamsrazor no they wouldn't or shouldn't be marked as pool if they come back as single IPs..
So if your going to call out just time vs time1 and time2, etc. for googles ntp, that could very will be a pool.. Same with time.apple.com, but for say time.nist.gov I only show this as answer
;; ANSWER SECTION: time.nist.gov. 3600 IN CNAME ntp1.glb.nist.gov. ntp1.glb.nist.gov. 3600 IN A 132.163.97.4
If the Africa pool is bad for you - yeah could very well be bad peering to cause what you would think should be much lower latency.
I would find some good servers that are as close as you can find.. There are full public lists that you can try and find some that have low delay to you and set those specific vs trying to use a pool. What about the ones listed to be in kenya, what sort of pings do you get to them?
;; QUESTION SECTION: ;ke.pool.ntp.org. IN A ;; ANSWER SECTION: ke.pool.ntp.org. 3600 IN A 160.119.216.202 ke.pool.ntp.org. 3600 IN A 160.119.216.206 ke.pool.ntp.org. 3600 IN A 162.159.200.1 ke.pool.ntp.org. 3600 IN A 162.159.200.123
If your interested in time servers - you could always run your own ;) They can be made with some inexpensive pi or other type low cost sort of computers. There are few here on the board that run them.. I run my own on a pi, etc. Just because its a fun project and ntp is a fascinating protocol..
If that is something that might interest you - here is a link that could get you started.. There are many other resources around as well.
-
@johnpoz said in Why use pfsense as an NTP server?:
@occamsrazor no they wouldn't or shouldn't be marked as pool if they come back as single IPs..
What command do you use to generate that "Answer section" to see if they are Pool or not?
If the Africa pool is bad for you - yeah could very well be bad peering to cause what you would think should be much lower latency.
I would find some good servers that are as close as you can find.. There are full public lists that you can try and find some that have low delay to you and set those specific vs trying to use a pool. What about the ones listed to be in kenya, what sort of pings do you get to them?I added ke.pool.ntp.org and africa.pool.ntp.org and it found some quite local servers with 10ms delays which were sometimes chosen as the active peer, but other times their jitter was higher than time.google.com even though its delay was around 140ms and time.google.com got chosen. It seemed to like time.google.com much of the time.
If your interested in time servers - you could always run your own ;) They can be made with some inexpensive pi or other type low cost sort of computers. There are few here on the board that run them.. I run my own on a pi, etc. Just because its a fun project and ntp is a fascinating protocol..
If that is something that might interest you - here is a link that could get you started.. There are many other resources around as well.
Thanks, it does look interesting, but a bit above my time and effort possibilities at the moment. I do find NTP interesting though...
-
@occamsrazor the command is just dig.. Pretty standard on any linux or bsd box, and you can install it on windows with the isc bind, just the tools only.
here is from my windows 10 machine
C:\ $ dig pool.ntp.org ; <<>> DiG 9.16.19 <<>> pool.ntp.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50475 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;pool.ntp.org. IN A ;; ANSWER SECTION: pool.ntp.org. 30 IN A 38.229.52.9 pool.ntp.org. 30 IN A 150.136.0.232 pool.ntp.org. 30 IN A 66.151.147.38 pool.ntp.org. 30 IN A 66.85.78.80 ;; Query time: 6 msec ;; SERVER: 192.168.3.10#53(192.168.3.10) ;; WHEN: Sun Aug 22 17:30:24 Central Daylight Time 2021 ;; MSG SIZE rcvd: 105 C:\
-
@johnpoz said in Why use pfsense as an NTP server?:
@occamsrazor the command is just dig.. Pretty standard on any linux or bsd box, and you can install it on windows with the isc bind, just the tools only.
Thanks, I wasn't aware of that command, and it is inbuilt on OSX as well. Testing the various public servers it would seem that:
xxx.pool.ntp.org
time.apple.com
time.google.com
time.cloudflare.com...are all POOL type addresses, in that dig reports multiple addresses. While these report single addresses...
time.nist.gov
time.facebook.com
time.windows.comSo that's good to know.
I did some more testing with the redirect rule and just can't work out what is happening but I feel it is OSX specific. When I enable the rule with logging I see that NTP requests from some devices on my network get passed to pfSense server and are successful. But requests from my Mac and IOS devices seem to have several attempts failing and others succeeding:
From Macbook running OS Big Sur 11.5.2
~ % sntp time.nist.gov sntp: Exchange failed: Server not synchronized sntp: Exchange failed: Timeout sntp: Exchange failed: Timeout sntp: Exchange failed: Timeout +0.333886 +/- 0.074646 time.nist.gov 128.138.141.172
States
LAN udp 192.168.0.10:50683 -> 127.0.0.1:123 (128.138.141.172:123) NO_TRAFFIC:SINGLE 1 / 0 76 B / 0 B LAN udp 192.168.0.10:57476 -> 127.0.0.1:123 (128.138.141.172:123) SINGLE:MULTIPLE 1 / 1 76 B / 76 B LAN udp 192.168.0.10:60443 -> 127.0.0.1:123 (128.138.141.172:123) SINGLE:MULTIPLE 1 / 1 76 B / 76 B LAN udp 192.168.0.10:64340 -> 127.0.0.1:123 (128.138.141.172:123) NO_TRAFFIC:SINGLE 1 / 0 76 B / 0 B LAN udp 192.168.0.10:64702 -> 127.0.0.1:123 (128.138.141.172:123) NO_TRAFFIC:SINGLE 1 / 0 76 B / 0 B
And I get exactly the same when trying to NTP directly to pfSense server:
~ % sntp 192.168.0.1 sntp: Exchange failed: Server not synchronized sntp: Exchange failed: Timeout sntp: Exchange failed: Timeout sntp: Exchange failed: Timeout +0.335554 +/- 0.072990 192.168.0.1 192.168.0.1
Whereas here is that same Macbook using chronyd to sync, instead of the native ntp client:
LAN udp 192.168.0.10:57610 -> 127.0.0.1:123 (132.163.96.1:123) SINGLE:MULTIPLE 1 / 1 76 B / 76 B
While other devices seem to have only one attempt and succeed (an APC UPS here) to external NTP servers being redirected to pfSense:
LAN udp 192.168.0.210:38141 -> 127.0.0.1:123 (132.163.97.4:123) SINGLE:MULTIPLE 1 / 1 76 B / 76 B
So I'm starting to think it's maybe not something about the redirect, but rather OSX NTP client implementation issue with the pfSense NTP server.
-
Try running it with the debug flag. Perhaps OSX defaults to some authentication?
Steve
-
@occamsrazor I had to use -S switch to get it to work on MacOS
sntp -S pool.ntp.org
-
Thanks for the replies. I installed ChronyControl on both my Macs and disabled the inbuilt NTP client and it seems to be working. Unfortunately I don't have enough time to investigate it all much further now, and in any case I like the functionality that ChronyControl brings so will stick with that for now.