pfSense time/internal clock (NTP client) origin
pfSense firewall log shows UDP connections from my WAN address to 126.96.36.199:123 (forum is not letting me post the domain name which also hosts a web site, but it contains the words russian and brides - look it up on a whois service if needed). I disabled the NTP service but these connections persist.
Am I right to assume that:
- these connections originate from pfsense software and not from other devices on my network (all other devices are behind NAT and have private IP addresses; their connections in the log have private addresses as source)
- pfSense has internal ntp client with its own configuration, different from the NTP server in the web UI - probably configured to get its time from some NTP pool?
- among other services, the aforementioned domain is running a public NTP server that just happens to be part of that pool
Does this make sense?
It's not entirely clear to me how pfSense gets its own time, since pfsense docs say (link censored by forum spam filter ): "NTP daemon configured at Services > NTP --- also keeps the clock in sync against remote NTP servers as an NTP client itself". However as stated, I have disabled the daemon and can still see NTP connections originating from my WAN address.
If it was coming from an internal machine you would see that NAT'd in the open state on WAN.
The ntp client in pfSense is not the ntp server daemon, ntpd. Disabling the service does not disable the client.
Yes, almost certainly that is just part of the ntp pool you are using. You can set specific ntp servers to use instead to check.
yeah that is a member of the pool, you can see its info here
All kinds of people are members of the pool - sure even Russian Bride sites ;)
As already mentioned - you can actually set the ntp servers you use vs using pool.. You can find some here
Thank you for confirming this - I was trying to find exactly something like the link to ntppool.org but just couldn't find a way to confirm this specific address.
Where would I configure the time servers that the pfSense ntp client uses?
In the ntp settings
Oh for pfsense itself, those would be done in the general setttings
Thanks again, don't know how I missed that...