Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd)

    Scheduled Pinned Locked Moved General pfSense Questions
    136 Posts 14 Posters 51.0k Views 18 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ Online
      johnpoz LAYER 8 Global Moderator @JKnott
      last edited by

      @JKnott my pi ntp server has gps already.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      1 Reply Last reply Reply Quote 0
      • Sergei_ShablovskyS Offline
        Sergei_Shablovsky @e-1-1
        last edited by

        @e-1-1 said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

        Doesn't make sense to me. Not to mention chrony is already available in FreeBSD.

        Because of this I’m asking again and again about Chrony implementation in pfSense.

        I really think that so famous and rich company like Netgear have a budget for this.

        —
        CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
        Help Ukraine to resist, save civilians people’s lives !
        (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

        1 Reply Last reply Reply Quote 0
        • Sergei_ShablovskyS Offline
          Sergei_Shablovsky @JKnott
          last edited by

          @JKnott

          Need to note that local RS-232 directly (not through RS-232<~>USB adapter) connected GPS receiver with PPS signals OR GSM receiver with PPS signal -> are Stratum 1.

          Stratum 0 - this is for local-connected atomic clock. Yeah, some hi-education Institutes, financial and militarily of course in US already have it. ;)

          —
          CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
          Help Ukraine to resist, save civilians people’s lives !
          (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

          JKnottJ dennypageD 2 Replies Last reply Reply Quote 0
          • Sergei_ShablovskyS Offline
            Sergei_Shablovsky @JKnott
            last edited by

            @JKnott said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

            @Patch said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

            Chrony is a better time server so I use it.

            In what way? It can have accuracy comparable to PTP, but only if your source is that accurate. This means you'd need your own stratum 0 source, such as GPS or the cell phone network. IIRC, GPS is supposed to be accurate within 30 nS and the cell network within 1.5 uS. If you're using a source on the Internet, it won't get you much. If you do have your own stratum 0, you might also want to get one of those Facebook atomic clock cards to use with it.

            Thank You for very interesting link. I hear about but now see the real results, need to dive in …:)

            I do understand it has some advantages for devices that are not always connected to the Internet.

            No, this would be more for systems that may suffer from GPS spiffing and jamming (war in Ukraine, war in Israel and possible next escalation between China and US, EU and russia, South and North Koreas - all this rapidly involves civil GSM technologies right now …).

            PTP is designed for networks where extremely precise timing is necessary, including with SyncE, but other than that, it would be hard to justify worrying about it.

            If I understand all “time card” docs and specifications, bulky and proprietary rack time-servers would be replaced by tiny 1CPU server with 2xPSU and this “time card” (and a little bit antennas from server room to rooftop;)

            BTW, I cannot read anything about how to resolving radio interference on antennas in server room… Looks like developers are focused more on electronics and less on radio/antennas-related things. Am I wrong?

            —
            CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
            Help Ukraine to resist, save civilians people’s lives !
            (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

            JKnottJ 1 Reply Last reply Reply Quote 0
            • Sergei_ShablovskyS Offline
              Sergei_Shablovsky @dennypage
              last edited by

              @dennypage said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

              Yes, chronyd is a much better time keeper than ntpd. ~1us vs a few tens of us against a local stratum 1. But still, a few 10s of us is pretty damn good. But that kind of precision isn't that important for a firewall.

              Hm… Are You sure that chrony are enough for speeds 10G+ per interface? :)

              —
              CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
              Help Ukraine to resist, save civilians people’s lives !
              (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

              1 Reply Last reply Reply Quote 0
              • JKnottJ Offline
                JKnott @Sergei_Shablovsky
                last edited by

                @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                Need to note that local RS-232 directly (not through RS-232<~>USB adapter) connected GPS receiver with PPS signals OR GSM receiver with PPS signal -> are Stratum 1.

                I have wondered about this. While the instantaneous time could be off with USB, NTP averages in the long term. How much is the clock in error after it's been running for a while?

                Stratum 0 - this is for local-connected atomic clock. Yeah, some hi-education Institutes, financial and militarily of course in US already have it. ;)

                The source, such as GPS, is stratum 0 and the first NTP server is stratum 1. The atomic clock provides stability to the local time.

                BTW, one thing some people don't seem to understand is NTP is supposed to be traceable to International Atomic Time. A few years ago, I was working on a project for a light rail transit system in Toronto. The spec called for the NTP servers to be connected to the parent company's NTP server, falling back to the GPS receivers should that connection fail. Whoever wrote that clearly had no idea how NTP worked. They should have said to peer or at least be a client of the parent NTP servers, in addition to GPS. Since both the local and parent NTP servers were traceable back to IAT, there should be no significant difference between them.

                Here's an interesting read about time:
                From Sundials To Atomic Clocks

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                dennypageD 1 Reply Last reply Reply Quote 0
                • JKnottJ Offline
                  JKnott @Sergei_Shablovsky
                  last edited by

                  @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                  If I understand all “time card” docs and specifications, bulky and proprietary rack time-servers would be replaced by tiny 1CPU server with 2xPSU and this “time card” (and a little bit antennas from server room to rooftop;)

                  BTW, I cannot read anything about how to resolving radio interference on antennas in server room… Looks like developers are focused more on electronics and less on radio/antennas-related things. Am I wrong?

                  I'm not sure what you're getting at, but if that's a concern just put the receiver someplace other than the server room. In fact, GPS might not work at all in a server room simply because the signal is blocked by reinforced concrete.

                  I had an example of this when I worked at IBM. My office was in the Canadian HQ and the building held about 5000 employees. You could get FM radio reception near the windows, but not if you were well away from them.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  Sergei_ShablovskyS 1 Reply Last reply Reply Quote 0
                  • dennypageD Offline
                    dennypage @Sergei_Shablovsky
                    last edited by

                    @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                    Need to note that local RS-232 directly (not through RS-232<~>USB adapter) connected GPS receiver with PPS signals OR GSM receiver with PPS signal -> are Stratum 1.

                    Stratum 0 - this is for local-connected atomic clock. Yeah, some hi-education Institutes, financial and militarily of course in US already have it. ;)

                    • Stratum 0 is any reference clock. It may be an atomic clock, GNSS receiver, WWV receiver, a crystal oscillator from your watch, etc.
                    • Stratum 1 is the system (host) directly connected to the reference clock offering NTP services.

                    Yes, you can actually have a USB connected GPS stratum 0 device. They were done as a special project by Eric Raymond, the original author of gpsd. They're rare, but I think you can even still buy one. Good for a few milliseconds. I probably still have one in a box somewhere, along with several other of my early stratum 0 devices. 😨

                    1 Reply Last reply Reply Quote 0
                    • dennypageD Offline
                      dennypage @JKnott
                      last edited by

                      @JKnott said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                      BTW, one thing some people don't seem to understand is NTP is supposed to be traceable to International Atomic Time.

                      Traceability is to Coordinated Universal Time (UTC) rather than International Atomic Time (TAI). There's a 37 second difference. 😵

                      stephenw10S JKnottJ 2 Replies Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator @dennypage
                        last edited by

                        @dennypage said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                        There's a 37 second difference.

                        Gah. 😵 indeed!

                        JKnottJ 1 Reply Last reply Reply Quote 0
                        • JKnottJ Offline
                          JKnott @dennypage
                          last edited by

                          @dennypage said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                          Traceability is to Coordinated Universal Time (UTC) rather than International Atomic Time (TAI). There's a 37 second difference.

                          UTC is based on IAT and then adjusted for leap seconds. From that article I linked to:

                          "International Atomic Time (abbreviated TAI, from its French name temps atomique international[1]) is a high-precision atomic coordinate time standard based on the notional passage of proper time on Earth's geoid.[2] TAI is a weighted average of the time kept by over 450 atomic clocks in over 80 national laboratories worldwide.[3] It is a continuous scale of time, without leap seconds, and it is the principal realisation of Terrestrial Time (with a fixed offset of epoch). It is the basis for Coordinated Universal Time (UTC), which is used for civil timekeeping all over the Earth's surface and which has leap seconds."

                          PfSense running on Qotom mini PC
                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                          UniFi AC-Lite access point

                          I haven't lost my mind. It's around here...somewhere...

                          dennypageD 1 Reply Last reply Reply Quote 0
                          • JKnottJ Offline
                            JKnott @stephenw10
                            last edited by

                            @stephenw10 said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                            @dennypage said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                            There's a 37 second difference.

                            Gah. 😵 indeed!

                            That's already adjusted for with UTC.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

                            1 Reply Last reply Reply Quote 0
                            • dennypageD Offline
                              dennypage @JKnott
                              last edited by

                              @JKnott While UTC uses TAI as the basis for Top Of Second (TOS), TAI does not have any concept of leap. UTC, which does have leap, is the basis for NTP.

                              1 Reply Last reply Reply Quote 0
                              • Sergei_ShablovskyS Offline
                                Sergei_Shablovsky @JKnott
                                last edited by Sergei_Shablovsky

                                @JKnott said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                If I understand all “time card” docs and specifications, bulky and proprietary rack time-servers would be replaced by tiny 1CPU server with 2xPSU and this “time card” (and a little bit antennas from server room to rooftop;)

                                BTW, I cannot read anything about how to resolving radio interference on antennas in server room… Looks like developers are focused more on electronics and less on radio/antennas-related things. Am I wrong?

                                I'm not sure what you're getting at, but if that's a concern just put the receiver someplace other than the server room. In fact, GPS might not work at all in a server room simply because the signal is blocked by reinforced concrete.

                                I say You more: even ordinary green leafs may blocking the GPS signal from satellite…:)

                                Maximum shielded wire connection to GPS satellite (!!!, no GSM-source from cellular base station nearby!) antenna to small electrical scheme and than for motherboard’s DB-9 of RS-232 MUST BE LESS than ~15m.

                                This also mean that You need place the GPS satellite antenna to rooftop where are 180 degrees on both X and Y axes of clear sky view to receive signals from no less than 3 satellite. And no any skyscrapers nearby, no any big trees or hi-powered (3-5-20kWA electrical lines) on a distance 50-200m.

                                So, back to the server room, as a result You have only 2-3m of this shielded wire from hole in the wall to DB-9 of RS-232 in server.

                                But anyway, it’s not “just put the GPS antenna somewhere out of the server room”. Definitely not.

                                —
                                CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                                Help Ukraine to resist, save civilians people’s lives !
                                (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                                RobbieTTR JKnottJ 2 Replies Last reply Reply Quote 1
                                • stephenw10S Offline
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  I have found it surprising how well GPS works with a restricted view of the sky. Of course when you look into GPS it's amazing it works at all. 😉

                                  1 Reply Last reply Reply Quote 1
                                  • RobbieTTR Offline
                                    RobbieTT @Sergei_Shablovsky
                                    last edited by

                                    @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                    Maximum shielded wire connection to GPS satellite (!!!, no GSM-source from cellular base station nearby!) antenna to small electrical scheme and than for motherboard’s DB-9 of RS-232 MUST BE LESS than ~15m.

                                    This also mean that You need place the GPS satellite antenna to rooftop where are 180 degrees on both X and Y axes of clear sky view to receive signals from no less than 3 satellite. And no any skyscrapers nearby, no any big trees or hi-powered (3-5-20kWA electrical lines) on a distance 50-200m.

                                    So, back to the server room, as a result You have only 2-3m of this shielded wire from hole in the wall to DB-9 of RS-232 in server.

                                    But anyway, it’s not “just put the GPS antenna somewhere out of the server room”. Definitely not.

                                    I scratching my head a little at what you are aiming at but little of what you say here is true. I can help to resolve these errors though.

                                    You don't need an antenna from a roof to a server; indeed, in many situations this would be a bad idea. GPS time source equipment can be colocated with, close to or even combined with the antenna. This time source can then be distributed by the network cabling - it is a network time after all.

                                    You don't need 180º X & Y view of a clear sky - far from it. With that kind of view you would, at times, exceed 12 satellites. Additionally, GPS orbits are far from geostationary. The rip around our planet pretty quickly in predictable patterns for the GPS almanac to form a dynamic lattice that, from a receiver's perspective, will provide suitable sources with only a limited amount of LoS available. It is a far cry from where we started, when we had a limited constellation and warfare cognisant of GPS-dawn and sunset.

                                    Regarding satellites needed, for a meaningful position you really need 4 satellites, dropping to 3 if a known or predictable height is available. But yes, if you are driving your server room and roof around Manhattan then having more satellites available would help. If your building is more known for being immovable and even surveyed as such then you only need a view of 1 GPS satellite at a time to use GPS timing.

                                    Of course, GPS is not for everyone and even it it was the usual redundancy and diversity considerations would see it augmented by dedicated fibre, ToD receivers, GSM, ToD beacons plus atomic clocks et al. Whilst my experience is more at the strategic scale of GPS management I do have a Veracity Timenet GPS unit on my home network. My network rack is surrounded by concrete and below any achievable LoS and I would never run an external antenna directly to it.

                                    I do have an external pole-mount antenna in a box but waiting for the next round of roof work to fit it. I'm in no hurry as the network GPS receiver has a simple patch antenna on an upstairs window with a short cable to the receiver, which is plugged into the nearby ethernet socket. Even In this 'terrible' location it has at least 8 satellites to work with.

                                    Not everything is difficult.

                                    ☕️

                                    RobbieTTR johnpozJ JKnottJ 3 Replies Last reply Reply Quote 3
                                    • RobbieTTR Offline
                                      RobbieTT @RobbieTT
                                      last edited by RobbieTT

                                      This is how craptostic a timing reference can be located - at the rarely photographed arse-end of my network. The blue arrows are the GPS/PPS network timing box, stuck on the backside of a bedroom TV and the patch antenna sitting on a window sill:

                                      alt text

                                      The secret to comedy.

                                      ☕️

                                      stephenw10S 1 Reply Last reply Reply Quote 2
                                      • johnpozJ Online
                                        johnpoz LAYER 8 Global Moderator @RobbieTT
                                        last edited by johnpoz

                                        @RobbieTT yeah I use to have the antenna just sitting on the top of my desk in my office and would work.. I did move it to the garage a while back and the antenna sits on top of the garage door railing.. Can see more sats from there. I believe my problems in the office started after we added way more insulation in the attic.. There is no insulation above it where its at in the garage.

                                        sats.jpg

                                        The pi sits behind my TV in living room, where the cable runs through the wall into the garage..

                                        I am not a guru when it comes to the stuff, but it is fascinating to me. From my understanding the time from the sats to be accurate you need to work out some math and set a fudge, etc. to account for stuff. I was just more after the pps signal the gpshat provides once it can see enough sats.. I never bothered to work out the correct fudge factor

                                        pps8.jpg

                                        While I might be off by a few ms of "true" time.. It was a fun project to setup, and for sure is close enough for me.. My little pi ntp server also polls just ntp servers out on the internet. From the output of ntpq the gps time on shm (0) is not even a candidate, if the pps source would go away.

                                        Which was my problem I was seeing, couldn't see enough sats to get sync I believe and so pps was never kicking in. Once I moved the antenna to the garage that started working again.. From the output of cgps shows I can see a lot of sats.

                                        But it for sure worked before just with the antenna in my office.. Not even near a window, etc.

                                        I think the total cost, with the pi was under a hundred bucks total.. The pi, the hat, the little antenna, everything. And I already had the pi so cost of the project was just the hat, the antenna to be honest.. ntp and talking to sats is for sure a fun little project, if this sort of stuff interests you.. And can be done for very reasonable "hobby" money if you will.

                                        Is my little ntp server providing "true" time that you would need in some scientific setting - prob not.. But it very stable, ie it doesn't drift much and I like having it running it on my network and syncing all my devices too it.. Even if its off by a few ms from "true"..

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                        1 Reply Last reply Reply Quote 1
                                        • stephenw10S Offline
                                          stephenw10 Netgate Administrator @RobbieTT
                                          last edited by

                                          @RobbieTT said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                          The secret to comedy.

                                          Ha 😂

                                          1 Reply Last reply Reply Quote 0
                                          • JKnottJ Offline
                                            JKnott @Sergei_Shablovsky
                                            last edited by

                                            @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                            But anyway, it’s not “just put the GPS antenna somewhere out of the server room”. Definitely not.

                                            You put the receiver and NTP server elsewhere, where there is a signal. Nothing new here. Often, both devices are in the same box. Here is one example.

                                            PfSense running on Qotom mini PC
                                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                                            UniFi AC-Lite access point

                                            I haven't lost my mind. It's around here...somewhere...

                                            dennypageD 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.