Netgate Discussion Forum

NTP server, no localhost?

  • Q
    q54e3w
    last edited by Mar 15, 2020, 9:52 PM

    Why is there no ability to select localhost in the NTP server settings? I wanted to configure my firewall to only listen on a specific set of subnets and the localhost for any redirects. The only way appears to be to enable all interfaces as a wildcard, which enables the localhost.
    In the DNS resolver I can select localhost, so I assumed I would have been able to for NTP too.
    Would like to understand why not, if there's a reason for the difference.
    Verified behavior in 2.4.4 and 2.4.5-RC.

    • J
      JKnott @q54e3w
      last edited by Mar 15, 2020, 10:00 PM

      @q54e3w

      ????

      You're supposed to configure NTP to use a server that's closer to International Atomic Time. Other than using a computer's hardware clock, I have never heard of using anything other than NTP servers as a source. Once you have an NTP server running, you can have other devices use it.

      On my network, I have pfSense pointing to 4 pool.ntp.org servers. At work last year, I was working on a project where they had 2 GPS receivers for NTP stratum 0 servers.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • Q
        q54e3w
        last edited by q54e3w Mar 15, 2020, 10:10 PM Mar 15, 2020, 10:06 PM

        I have several local GPS/PPS time based servers including a LeoNTP that pfSense syncs to. I wanted to ensure that any devices that are hardcoded to use external NTP servers are redirected back to my firewall for time.
        EDIT: for example, Chinese security cameras, Android, Amazon FireTV devices etc.

        • J
          JKnott @q54e3w
          last edited by Mar 15, 2020, 10:12 PM

          @q54e3w

          That is not the way I read your question. I suspect you may want to redirect the NTP requests to your own address, not make the pfSense NTP server use the localhost address.


          • K
            kiokoman LAYER 8
            last edited by kiokoman Mar 15, 2020, 10:54 PM Mar 15, 2020, 10:14 PM

            Select the interfaces you need, start the NTP server, and you can port forward to intercept any traffic that tries to go out through the NTP port and redirect it to, for example, "LAN/OPT address" (which represents the IP of pfSense for that interface) or another NTP server.
            Immagine1.jpg

            Immagine2.jpg

            Keep in mind that NAT rules are evaluated before firewall rules, so all the other rules I'm showing will never apply; in this example only the one with NAT under description will match the traffic.

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

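A way to check from a LAN client that the NTP redirect described above is in effect, as an added example that is not part of the thread or of pfSense. NAT rewrites the reply's source back to the address the client asked for, so the script compares the stratum and reference ID of each reply with the firewall's own instead of looking at source addresses. The firewall address and the "external" addresses are constructed placeholders.

```python
import socket

NTP_PORT = 123

def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, all other fields zero."""
    return bytes([0x23]) + bytes(47)

def parse_response(pkt: bytes) -> dict:
    """Extract the fields that identify which server really answered."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    if pkt[0] & 0x07 != 4:  # Mode 4 = server reply
        raise ValueError("not an NTP server reply")
    stratum, raw = pkt[1], pkt[12:16]
    if stratum <= 1:
        # Stratum 0/1: reference ID is an ASCII tag such as GPS or PPS
        refid = raw.rstrip(b"\x00").decode("ascii", "replace")
    else:
        # Stratum 2+: shown as a dotted quad, the way ntpq prints it
        refid = socket.inet_ntoa(raw)
    return {"stratum": stratum, "refid": refid}

def query(server: str, timeout: float = 2.0) -> dict:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, NTP_PORT))
        pkt, _ = s.recvfrom(512)
    return parse_response(pkt)

def looks_redirected(firewall_reply: dict, other_replies: list) -> bool:
    """True when every 'external' reply matches the firewall's own identity."""
    return bool(other_replies) and all(r == firewall_reply for r in other_replies)

if __name__ == "__main__":
    FIREWALL = "192.168.1.1"                      # assumed LAN address of pfSense
    EXTERNAL = ["198.51.100.10", "203.0.113.20"]  # constructed placeholders
    fw = query(FIREWALL)
    replies = []
    for addr in EXTERNAL:
        try:
            replies.append(query(addr))
        except (OSError, ValueError) as exc:
            print(f"{addr}: no usable reply ({exc})")
    print("firewall:", fw, "external:", replies)
    print("redirect in effect:",
          len(replies) == len(EXTERNAL) and looks_redirected(fw, replies))
```

A match on stratum and reference ID across unrelated destination addresses indicates one server is answering for all of them; a timeout means the query was neither redirected nor answered.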
            • S
              stephenw10 Netgate Administrator
              last edited by Mar 16, 2020, 1:37 AM

              Hmm, yeah not sure why localhost isn't an option there. As you say the only way to select it is through 'all interfaces'.

              You could open a feature request if one does not already exist:
              https://redmine.pfsense.org/

              Steve

              • Q
                q54e3w
                last edited by Mar 16, 2020, 1:49 AM

                Thanks Steve. I don't see one so created one under Issue #10348.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.