Netgate Discussion Forum

Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd)

General pfSense Questions
  • S
    Sergei_Shablovsky
    last edited by Sergei_Shablovsky Apr 24, 2023, 11:25 PM Oct 20, 2021, 8:56 PM

    Generally speaking, it is better to have time synchronized in the whole network below pfSense. That is especially important for today's business.
    So, having an NTP server (with appropriate fw/routing rules for the internal network) on pfSense has been standard for every serious SysAdmin for at least the last 8+ years.

    But times change, and Network Time Security (NTS) has come to replace the old, outdated, unsecured NTP. (If You are not familiar with the topic, please read this as a starting point.)

    What is Your opinion about asking Netgate to replace the outdated and unsecured NTP with NTS (because NTPsec is already in FreeBSD ports, has a lot of installations, and no serious bugs or vulnerabilities)?

    —
    CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
    Help Ukraine to resist, save civilians’ lives!
    (Take an active part in public protests, push on Your country’s politics, congressmen, mass media, leaders of opinion.)

    • J
      johnpoz LAYER 8 Global Moderator @Sergei_Shablovsky
      last edited by Oct 20, 2021, 9:00 PM

      @sergei_shablovsky You could ask them ;)

      I run ntpsec on my stratum 1 timeserver..

      pi@ntp:~ $ ntpq -V
      ntpq ntpsec-1.2.1+20-gcb9d08ca5
      pi@ntp:~ $ 
      

      Pfsense just points to it for time..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • S
        Sergei_Shablovsky @johnpoz
        last edited by Oct 20, 2021, 9:06 PM

        @johnpoz said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

        @sergei_shablovsky You could ask them ;)

        The answer always depends on “how much people really need this” ;) Because of this I am asking here

        I run ntpsec on my stratum 1 timeserver..

        pi@ntp:~ $ ntpq -V
        ntpq ntpsec-1.2.1+20-gcb9d08ca5
        pi@ntp:~ $ 
        

        Pfsense just points to it for time..

        You have a separate machine especially for the timeserver?

        —
        CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
        Help Ukraine to resist, save civilians’ lives!
        (Take an active part in public protests, push on Your country’s politics, congressmen, mass media, leaders of opinion.)

        • J
          johnpoz LAYER 8 Global Moderator @Sergei_Shablovsky
          last edited by johnpoz Oct 20, 2021, 9:14 PM Oct 20, 2021, 9:11 PM

          @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

          You have a separate machine especially for the timeserver?

          Yeah I have a raspberry pi with a gps hat that I use as my network's stratum 1 server, and also serve this up to the ntp pool via both ipv4 and IPv6 ;)

          ntp is a hobby of mine ;) There are a few people on the forums that run ntp for "fun" hehehe

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • S
            Sergei_Shablovsky @johnpoz
            last edited by Sergei_Shablovsky Oct 20, 2021, 9:30 PM Oct 20, 2021, 9:26 PM

            @johnpoz said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

            @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

            You have a separate machine especially for the timeserver?

            Yeah I have a raspberry pi with a gps hat that I use as my network's stratum 1 server, and also serve this up to the ntp pool via both ipv4 and IPv6 ;)

            Good solution, but we need something more serious: 2 PSUs, robust operation, etc...
            Because a separate rack server consumes too much energy and becomes yet another point of failure, we decided just to attach a GPS receiver directly to COM1 on the back of the pfSense server (we already have another one on the front panel of the server).

            I am just asking in this topic because recently we bought, for one of our projects, a new Garmin GPS 16x-HVS (more robust and stable, with the same or better receiver sensitivity than the 19x-HVS, especially for non-moving objects like a rack server).

            ntp is a hobby of mine ;)

            Glad to read this. Many years ago (early 2000s) I also played with it. Heh!

            There are a few people on the forums that run ntp for "fun" hehehe

            For us NTP is not fun ;) Just a part of serious work and obligations.

            —
            CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
            Help Ukraine to resist, save civilians’ lives!
            (Take an active part in public protests, push on Your country’s politics, congressmen, mass media, leaders of opinion.)

            • J
              johnpoz LAYER 8 Global Moderator @Sergei_Shablovsky
              last edited by johnpoz Oct 20, 2021, 9:32 PM Oct 20, 2021, 9:30 PM

              @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

              For us NTP is not fun ;) Just a part of serious work and obligations.

              In a work setup - we always ran commercial NTP servers.. I used to manage those back in the day, before I moved to a different department..

              Those are not all that cheap ;) But when you have a global network and 1000s of devices and clients - no, you don't fire up a pi with a gps hat ;) heheh

              If I recall some of them were from https://www.meinbergglobal.com

              We had a few different ones around the globe.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • S
                Sergei_Shablovsky @johnpoz
                last edited by Oct 20, 2021, 9:32 PM

                @johnpoz said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                You have a separate machine especially for the timeserver?

                Yeah I have a raspberry pi with a gps hat that I use as my network's stratum 1 server, and also serve this up to the ntp pool via both ipv4 and IPv6 ;)

                Which GPS receiver are You using?
                And is it COM or USB connected?

                —
                CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                Help Ukraine to resist, save civilians’ lives!
                (Take an active part in public protests, push on Your country’s politics, congressmen, mass media, leaders of opinion.)

                • J
                  johnpoz LAYER 8 Global Moderator @Sergei_Shablovsky
                  last edited by johnpoz Oct 20, 2021, 9:39 PM Oct 20, 2021, 9:33 PM

                  @sergei_shablovsky it's a hat! Plugs onto the pi - give me a sec and I'll look it up.

                  This is the one I'm using:
                  https://store.uputronics.com/index.php?route=product/product&product_id=81

                  HAB-GPSPI-NAN

                  Wow just looked up my order, back in early 2016.. Still going strong ;)

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  • Q
                    q54e3w @johnpoz
                    last edited by Oct 21, 2021, 3:26 AM

                    I'd rather have PTP personally.

                    • B
                      bingo600 @Sergei_Shablovsky
                      last edited by bingo600 Oct 21, 2021, 7:07 AM Oct 21, 2021, 7:01 AM

                      @sergei_shablovsky
                      IMHO pfSense should continue using the "Industry standard" NTP, which is installed on thousands of servers around the world.

                      If you need ntpsec, do as @johnpoz:
                      Make a dedicated NTP server facing the public, with ntpsec, and point your internal servers to the ntpsec box.

                      If I were to change from NTP to something "brand new", I would prob. consider Chrony instead.

                      Or maybe even look at Ntimed (which I suppose has excellent FreeBSD support, since PHK has been digging deep into it); it just seems a bit immature.
                      https://news.ycombinator.com/item?id=8781435

                      /Bingo

                      If you find my answer useful - Please give the post a 👍 - "thumbs up"

                      pfSense+ 23.05.1 (ZFS)

                      QOTOM-Q355G4 Quad Lan.
                      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                      • M
                        mer @bingo600
                        last edited by Oct 21, 2021, 7:15 AM

                        @bingo600
                        All good suggestions. It's always different thinking "serving NTP" or "I'm an NTP client". Different mindsets, especially if you are making the server available to the general public.

                        ntimed: here's the pkg-descr from the port:

                        This is a preview/early-acces/alpha/buzzword-of-the-times release of a
                        new FOSS project written to gradually take over the world of networked
                        timekeeping.

                        No secret on their goal, is there? :)

                        • S
                          Sergei_Shablovsky @johnpoz
                          last edited by Sergei_Shablovsky May 5, 2022, 2:48 AM Oct 21, 2021, 4:06 PM

                          @johnpoz said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                          @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                          For us NTP is not fun ;) Just a part of serious work and obligations.

                          In a work setup - we always ran commercial NTP servers.. I use to manage those back in the day, before I moved to a different department..

                          Those are not all that cheap ;) But when you have global network and 1000's of devices and clients - no you don't fire up a pi with a gps hat ;) heheh

                          Totally agree with You. Sorry, I did not mean to confuse You. ;)

                          If I recall some of them were from https://www.meinbergglobal.com

                          We had a few different ones around the globe.

                          Really great hardware, I know this brand: VERY robust and reputable. But like any big brand, they are sometimes a little bit stuck on the old NTP implementation and not so fast at providing fresh firmware updates...

                          Thank You once again for the suggestions. I hope this will be helpful for a large number of professionals here.

                          —
                          CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                          Help Ukraine to resist, save civilians’ lives!
                          (Take an active part in public protests, push on Your country’s politics, congressmen, mass media, leaders of opinion.)

                          • S
                            Sergei_Shablovsky @q54e3w
                            last edited by Sergei_Shablovsky Nov 13, 2021, 4:50 AM Oct 21, 2021, 4:46 PM

                            @q54e3w said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                            I'd rather have PTP personally.

                            Whenever PTP is positioned as “instead of millisecond-level synchronization, PTP networks aim to achieve nanosecond- or even picosecond-level synchronization”, I do not agree that “hardware timestamping” in PTP on a non-specialized server is much better than NTP/NTS, because “hardware timestamping” in this case is based on CPU master clocking. But this is not accurate because of BIOS/UEFI CPU/RAM settings, I mean threads, buffers, etc...

                            Generally speaking, You are right and I agree with You in the case of using a separate HARDWARE time-clocking-specialized device (like we see several replies above: a 1U rack solution or a standalone device with a bunch of connectors for GPS/GSM/radio antennas, to receive synchro signals from different sources).

                            If Your server has no directly attached time-source device, any time sync through ordinary fiber or Eth would have the same disadvantages.
                            (If I am missing something, just correct me, please.)

                            But in this topic I’ll try to discuss the scheme “pfSense on server + GPS receiver (or any other time-source device) + Time Protocol”. No matter whether for inside networks behind pfSense, or serving NTP for outside users.

                            —
                            CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                            Help Ukraine to resist, save civilians’ lives!
                            (Take an active part in public protests, push on Your country’s politics, congressmen, mass media, leaders of opinion.)

                            • S
                              Sergei_Shablovsky @bingo600
                              last edited by Sergei_Shablovsky Oct 21, 2021, 5:05 PM Oct 21, 2021, 5:02 PM

                              @bingo600 said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                              Thank You for the opinion!

                              @sergei_shablovsky
                              IMHO pfSense should continue using the "Industry standard" NTP, which is installed on thousands of servers around the world.

                              But this is a really old, outdated, and vulnerable solution. Agree?

                              If you need ntpsec, do as @johnpoz:
                              Make a dedicated NTP server facing the public, with ntpsec, and point your internal servers to the ntpsec box.

                              As I wrote before, in the case of using a non-specialized time-source device, like just another server, we get some disadvantages:

                              • power consumption;
                              • several additional rules on pfSense for internal networks;
                              • several additional rules on pfSense for NTP users outside;
                              • another (+1) point of failure; (for example, if You have two (2) pfSense+GPS on COM port in an HA scheme, Your NTP service is also protected; otherwise You need two (2) dedicated NTP servers and synchronization between them...)

                              If I were to change from NTP to something "brand new", I would prob. consider Chrony instead.

                              Or maybe even look at Ntimed (which I suppose has excellent FreeBSD support, since PHK has been digging deep into it); it just seems a bit immature.
                              https://news.ycombinator.com/item?id=8781435

                              /Bingo

                              Generally speaking, in IT I am “conservative” in mind, so I rarely try to use “all the newest”. ;) I started this topic about the really outdated and vulnerable NTP needing to be replaced. And my proposition is NTPsec.

                              Please describe in short the advantages of Chrony & Ntimed over NTP and NTPsec. Thank You for Your time!

                              —
                              CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                              Help Ukraine to resist, save civilians’ lives!
                              (Take an active part in public protests, push on Your country’s politics, congressmen, mass media, leaders of opinion.)

                              • J
                                johnpoz LAYER 8 Global Moderator @Sergei_Shablovsky
                                last edited by Oct 21, 2021, 5:05 PM

                                @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                really outdated and vulnerable NTP need to be replaced.

                                What specific vulnerability are you talking about.. Just because NTP has been around a long time - does not mean it's not been kept up to date for security issues.

                                While the current version is a year or so old, 4.2.8p15, I wouldn't call it outdated..

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                • M
                                  mer @johnpoz
                                  last edited by Oct 21, 2021, 6:48 PM

                                  @johnpoz My understanding of current NTPD is there is a lot of security stuff that can be used/implemented but "it's not the default".

                                  If defaults were changed to be tighter, then new deployments (maybe upgrades) would be tighter but existing ones would need manual changes.

                                  That argument I think applies to ntpsec: new deployments are affected but existing ones aren't.

                                  • J
                                    johnpoz LAYER 8 Global Moderator @mer
                                    last edited by johnpoz Oct 21, 2021, 7:06 PM Oct 21, 2021, 6:52 PM

                                    @mer said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                    "it's not the default".

                                    Well that is on the runner of the software.. Are you saying there should be something changed in the default settings of the ntp server on pfsense?

                                    I wouldn't in a million years provide such a service off my firewall to the public internet, ntp on pfsense is meant for ntp server for your local network.

                                    And if I was going to provide it as public service - I would make sure I go through its config, etc. To make sure nothing stupid is in there ;)

                                    edit: There was a thread around here somewhere, someone asking about NTPv3 auth - rfc 1305, which you can do with pfsense ntp.. I don't think it was that long ago.. I personally don't get the need, to be honest. While sure I could see wanting to make sure you're talking to a specific ntp server externally.. Just run your own internal ntp - and not have to worry about any of that.. Not really seeing the need for any sort of ntp security on my own local secure network. If you ask me - just something else that could break ;) For very little security benefit..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

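The NTPv3-style symmetric-key authentication mentioned above (RFC 1305, carried forward in RFC 5905) works by appending a key ID and a digest computed over the shared key followed by the 48-byte NTP header. The block below is an added example, not code from this thread or from pfSense/ntpd: it builds a client request, attaches such a MAC, and shows how a receiver validates it and why a tampered packet, a wrong key or an unknown key ID is rejected. It assumes no extension fields between header and MAC, MD5 as the digest, and a constructed key.

```python
"""Build, sign and verify NTP symmetric-key (RFC 1305 / RFC 5905 App. A) MACs.
Added example; key material and timestamps below are constructed, not real."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                    # fixed NTP header; no extension fields assumed


def build_client_packet(unix_time: float) -> bytes:
    """Minimal NTPv4 client request (LI=0, VN=4, Mode=3) with only the
    transmit timestamp filled in, as a typical client would send."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    # LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
    # reference ID, reference/origin/receive timestamps, transmit timestamp
    return struct.pack("!BBbbIIIQQQII",
                       li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)


def append_mac(packet: bytes, keyid: int, key: bytes, digest: str = "md5") -> bytes:
    """Append keyid || H(key || packet), the classic NTP symmetric-key MAC.
    This is a secret-prefix hash rather than an HMAC; NTS (RFC 8915) replaces
    it with per-association AEAD keys negotiated over TLS."""
    h = hashlib.new(digest)
    h.update(key + packet)
    return packet + struct.pack("!I", keyid) + h.digest()


def verify_mac(message: bytes, keys: dict, digest: str = "md5"):
    """Return the key ID that authenticates `message`, or None.
    `keys` maps key ID -> shared secret, like the entries of an ntp.keys file."""
    mac_len = 4 + hashlib.new(digest).digest_size
    if len(message) < HEADER_LEN + mac_len:
        return None                      # unauthenticated or truncated packet
    body, trailer = message[:-mac_len], message[-mac_len:]
    keyid = struct.unpack("!I", trailer[:4])[0]
    key = keys.get(keyid)
    if key is None:
        return None                      # unknown key ID: reject
    expected = hashlib.new(digest, key + body).digest()
    # constant-time comparison avoids leaking where the digests differ
    return keyid if hmac.compare_digest(expected, trailer[4:]) else None


def demo() -> dict:
    """Sign one packet with a constructed key and report which checks pass."""
    keys = {1: b"constructed-shared-secret"}   # constructed, not a real key
    signed = append_mac(build_client_packet(1_700_000_000.25), 1, keys[1])
    # flip one byte of the transmit timestamp: the MAC no longer matches
    tampered = signed[:40] + bytes([signed[40] ^ 0xFF]) + signed[41:]
    return {
        "genuine": verify_mac(signed, keys),
        "tampered": verify_mac(tampered, keys),
        "wrong_key": verify_mac(signed, {1: b"some-other-secret"}),
        "unknown_keyid": verify_mac(signed, {2: keys[1]}),
        "no_mac": verify_mac(signed[:HEADER_LEN], keys),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:>14}: {'accepted' if result else 'rejected'}")
```

Only the "genuine" case is accepted; everything else is rejected before the packet's timestamps are trusted. The digest choice is the same string ntpd's key file uses (MD5, SHA1, ...), so the same verifier serves either.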
                                    • M
                                      mer @johnpoz
                                      last edited by Oct 21, 2021, 7:05 PM

                                      @johnpoz I agree 100% with you. A lot of discussions around services like this seem to devolve to "the defaults aren't good/secure enough and should change".
                                      50% take that stance the other 50% say "If you are standing something up you need to go through the defaults first".

                                      Kind of like "what editor should be the default, vi or ee"

                                      • J
                                        johnpoz LAYER 8 Global Moderator @mer
                                        last edited by johnpoz Oct 21, 2021, 7:15 PM Oct 21, 2021, 7:10 PM

                                        @mer agree.. If you're not a fan of the defaults - change them.. Defaults are almost always what they are to minimize the chance of it not working.. What is the most basic config I can put in - that it's pretty much a given it will "work". That is the default..

                                        Nobody says that default working config = secure ;)

                                        While I agree that as something like pfsense matures and the stuff it's using evolves - defaults change, and old non-secure stuff can drop off. I do recall not that long ago some issues people were having because they changed and dropped some ssh ciphers from the default config - which broke some users' access via their ssh clients, because their clients were outdated, etc.

                                        Default broke shit ;) heheh at least from the user's point of view.. I don't see pretty much anything, be it ntp, ssh, web, being locked down to the tightest, most secure best practice from a security point of view for defaults.. Because it's less likely to just work out of the box - and when it doesn't work out of the box, users are not happy ;)

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                        • B
                                          bingo600 @johnpoz
                                          last edited by Oct 21, 2021, 7:46 PM

                                          @johnpoz said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                          I wouldn't in a million years provide such a service off my firewall to the public internet, ntp on pfsense is meant for ntp server for your local network.

                                          I totally agree here.
                                          When I worked w. PIX/ASA, there was an sntp client, no NTP service.

                                          In fact an NTP service prob. doesn't belong on a firewall, just a sync client pointing to an inside NTP server.

                                          And if I was going to provide it as public service - I would make sure I go through its config, etc. To make sure nothing stupid is in there ;)

                                          The last OOPS I know about in NTPD was the amplification attack,
                                          and that is easily avoided in the setup today.

                                          And I agree with: What security issues need to be fixed in NTP right now?

                                          /Bingo

                                          If you find my answer useful - Please give the post a 👍 - "thumbs up"

                                          pfSense+ 23.05.1 (ZFS)

                                          QOTOM-Q355G4 Quad Lan.
                                          CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                                          LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

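mer's point above that ntpd's protections exist but are "not the default", and bingo600's note that the amplification attack "is easily avoided in the setup today", both come down to a handful of ntp.conf directives: the flags on the catch-all `restrict default` line (`noquery` in particular, which refuses the mode 6/7 control queries that monlist rode on) and `disable monitor`. The block below is an added example, not code from this thread or from pfSense: a small checker that reads an ntpd-style config and reports those gaps. Both sample configs are constructed, `time.example.net` is a placeholder, and the required flag set is the conventional hardened line, not anything pfSense itself mandates.

```python
"""Audit an ntpd-style ntp.conf for the settings that keep a server from being
an open control-query / monlist responder. Added example; samples are constructed."""
from typing import Dict, List, Set, Tuple

# Conventional hardened flags for the catch-all restriction line.
# noquery blocks mode 6/7 queries (ntpq/ntpdc, including monlist);
# nomodify/notrap/nopeer block runtime changes; kod rate-limits abusers.
REQUIRED_DEFAULT_FLAGS: Set[str] = {"kod", "nomodify", "notrap", "nopeer", "noquery"}


def parse_ntp_conf(text: str) -> Tuple[Dict[str, Set[str]], bool, List[str]]:
    """Return (restrict-default flags per address family, 'disable monitor' seen, sources)."""
    defaults: Dict[str, Set[str]] = {}
    disable_monitor = False
    sources: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword, args = parts[0], parts[1:]
        if keyword == "restrict":
            family = "any"
            if args and args[0] in ("-4", "-6"):
                family = "ipv4" if args[0] == "-4" else "ipv6"
                args = args[1:]
            if args and args[0] == "default":
                defaults[family] = set(args[1:])
        elif keyword == "disable" and "monitor" in args:
            disable_monitor = True
        elif keyword in ("server", "pool", "peer") and args:
            sources.append(args[0])
    return defaults, disable_monitor, sources


def audit_ntp_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no gap was found."""
    defaults, disable_monitor, sources = parse_ntp_conf(text)
    findings: List[str] = []
    if not sources:
        findings.append("no server/pool/peer lines: nothing to synchronize from")
    if not defaults:
        findings.append("no 'restrict default' line: every host may query and modify this server")
    for family, flags in sorted(defaults.items()):
        missing = sorted(REQUIRED_DEFAULT_FLAGS - flags)
        if missing:
            findings.append(f"restrict default ({family}) lacks: {', '.join(missing)}")
    # amplification via the monitor list needs reachable mode 7 queries AND the list itself
    queries_open = not defaults or any("noquery" not in f for f in defaults.values())
    if queries_open and not disable_monitor:
        findings.append("mode 6/7 queries reachable and 'disable monitor' absent: amplification exposure")
    return findings


# Constructed sample: the permissive shape that lands servers on amplification lists.
WEAK_CONF = """
server time.example.net iburst          # placeholder upstream, not a real host
restrict default nomodify notrap        # still answers ntpq/ntpdc from anywhere
restrict 127.0.0.1
"""

# Constructed sample: the same server with the conventional hardened defaults.
HARDENED_CONF = """
server time.example.net iburst          # placeholder upstream, not a real host
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1                      # local ntpq keeps full access
restrict ::1
disable monitor                         # belt and braces on older ntpd builds
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_ntp_conf(conf)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against a real ntp.conf with `audit_ntp_conf(open(path).read())`; on pfSense the generated file lives under `/var/etc`, but the checker is only about the ntpd directives, not about where pfSense writes them. The weak sample produces two findings (missing `kod`, `nopeer`, `noquery`, and the resulting amplification exposure); the hardened sample produces none.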
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.