Netgate Discussion Forum

SOLVED: NTP Issues anyone? Set a NAT rule and send all NTP traffic to the firewall.

pfSense Packages
13 Posts 4 Posters 2.7k Views

    JonathanLee
    last edited by JonathanLee Jan 20, 2022, 2:19 AM

    Hello fellow NetGate community,

    If you are having issues with systems and do not have the ability to set the NTP server on the device itself, use a NAT rule; it fixed everything for me.

    NTPnat.JPG

    (Image: Alias set to redirect all NTP traffic on 123 back to the firewall address.)

    rule generated.JPG

    (Image: Auto Firewall Rule made with NAT, mark it to log.)

    logs.JPG

    (Image: Logs)

    Once this is set up correctly, any device will be routed for time to your firewall, where it can correctly handle the time. This helps with delays caused by different time servers, or with devices you cannot manually set to use the firewall for NTP.

    It works; everything is working like a Swiss watch now on the LAN, even that old AirPort Extreme that you can no longer change the NTP server on.

    Make sure to upvote

      netblues @JonathanLee
      last edited by Jan 20, 2022, 5:28 AM

      @jonathanlee yep, well-known trick.
      We do the same for dns too.

        JonathanLee @netblues
        last edited by JonathanLee Jan 20, 2022, 5:36 PM (posted Jan 20, 2022, 5:53 AM)

        @netblues yes!! DNS, I just did that one and set it to 127.0.0.1 though.

        Any other recommendations? Xbox One HTTP/HTTPS did not work to force it into the proxy on 3128.

        Make sure to upvote

          JonathanLee @netblues
          last edited by Jan 20, 2022, 10:43 PM

          @netblues do you also do this with IPv6 for the loopback ::1 ?

          Make sure to upvote

            chpalmer @JonathanLee
            last edited by Jan 20, 2022, 10:47 PM

            @jonathanlee

            Why not just to your WAN address? That is what we do. No NAT involved. I do not want anyone from outside on my LAN subnet anywhere.

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              JonathanLee @chpalmer
              last edited by Jan 20, 2022, 10:51 PM

              @chpalmer I was having time issues for interfaces from the LAN AirPort to devices. I wanted pfSense to issue all the same time. I had massive drift. pfSense can have an NTP server that you can add many NTP servers to, and it finds the average for them all and issues that.

              Make sure to upvote

                chpalmer @JonathanLee
                last edited by Jan 20, 2022, 11:17 PM

                @jonathanlee Got it. I thought you were bringing traffic from outside your network.

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  Uglybrian
                  last edited by Jan 21, 2022, 12:07 AM

                  Hi, I am able to do the same thing but without a LAN alias.

                  Screenshot from 2022-01-20 15-53-53.png

                  Interface rule below:

                  Screenshot from 2022-01-20 16-02-25.png

                    JonathanLee @Uglybrian
                    last edited by JonathanLee Jan 21, 2022, 12:28 AM (posted Jan 21, 2022, 12:26 AM)

                    @uglybrian

                    Thanks for the reply. I noticed you have the invert match radio button set as checked; this will cause the firewall to use everything but 127.0.0.1 (loopback).

                    You have to think about it in terms of all the devices wanting to use different time servers. For example, Windows wants a Windows server and Apple wants an Apple time server; small differences cause issues with clocking rates, for example if my AirPort Extreme wants an Apple time server over a different stratum server.

                    The goal for me is that any LAN device on my network that wants to use NTP port 123 has the NAT (network address translation) redirect that request so it will pull time only from the firewall on 192.168.1.1:123. The destination will always be different if you have not manually set your time servers on each device on your LAN. This takes manually configuring each device out of the equation. Each system, when it wants a time update, will send a request to e.g. Windows' time server or Apple's time server; the firewall will intercept that request and change it so that the firewall will be the one to send the reply with the time update. Netgate's pfSense can have many time servers, and it will even auto-adjust time based on how many servers you have included in your time pool. So if jitter or stratum changes occur, the firewall will still be as close to the atomic clock as possible because of the math-based auto adjustments built into the firewall.

                    I have 4 time pools.

                    Screen Shot 2022-01-20 at 4.21.52 PM.png

                    (Image: NAT Running and Redirected NTP request to the firewall)

                    Screen Shot 2022-01-20 at 4.22.56 PM.png

                    (Image: Time Pool and you can see the offsets, stratum number)

                    Please check your states when time is issued to make sure you have a redirect running and not a WAN address. This shows the source the request was made from, what the original request was, as well as the override or redirect that issued the time.

                    Screen Shot 2022-01-20 at 4.25.06 PM.png

                    (Image: Majority Must agree on time)

                    Make sure to upvote

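The offsets and stratum numbers in the time-pool screenshots above are read out of the NTP reply header. As an added example (not from this thread, and not pfSense code or any poster's configuration), the Python below decodes a constructed NTPv4 server reply, reports its stratum and reference ID, computes the client's clock offset and round-trip delay from the four timestamps as RFC 5905 defines them, and flags a reply from a server that is not yet synchronized (stratum 16 with the leap-indicator alarm), which is what a pool that has not yet reached agreement answers with. All addresses and timestamps are constructed for the demo.

```python
"""Decode an NTPv4 server reply and derive client offset and delay (RFC 5905).

Added example for this thread; not pfSense code or any poster's configuration.
Every packet, address and timestamp here is constructed for the demonstration.
"""
import struct

NTP_UNIX_DELTA = 2_208_988_800  # seconds between 1900-01-01 (NTP era 0) and 1970-01-01 (Unix)
MODE_SERVER = 4                  # mode field value for a server reply
HEADER_LEN = 48                  # fixed NTP header length in bytes


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix time as float -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_seconds)
    frac = min(int((unix_seconds - secs) * 2**32), 2**32 - 1)
    return ((secs + NTP_UNIX_DELTA) << 32) | frac


def from_ntp_ts(word: int) -> float:
    """64-bit NTP timestamp -> Unix time as float."""
    return (word >> 32) - NTP_UNIX_DELTA + (word & 0xFFFFFFFF) / 2**32


def refid_to_str(stratum: int, refid: bytes) -> str:
    """Stratum 0/1 carry a 4-char ASCII code (kiss code or clock source);
    higher strata on IPv4 carry the address of the server's upstream peer."""
    if stratum <= 1:
        return refid.decode("ascii", errors="replace").rstrip("\x00")
    return ".".join(str(b) for b in refid)


def build_reply(stratum: int, refid_ipv4: str, t_origin: float, t_receive: float,
                t_transmit: float, leap: int = 0) -> bytes:
    """Construct a minimal NTPv4 server reply; used only to fabricate demo input."""
    li_vn_mode = (leap << 6) | (4 << 3) | MODE_SERVER
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 2^6 s, precision 2^-20 s
    root = struct.pack("!II", 0, 0)                              # root delay/dispersion, zero here
    refid = bytes(int(octet) for octet in refid_ipv4.split("."))
    stamps = struct.pack("!QQQQ",
                         to_ntp_ts(t_receive - 64),  # reference: last time the server set its clock
                         to_ntp_ts(t_origin),        # origin (T1): client's transmit time, echoed
                         to_ntp_ts(t_receive),       # receive (T2): request reached the server
                         to_ntp_ts(t_transmit))      # transmit (T3): reply left the server
    return header + root + refid + stamps


def parse_reply(pkt: bytes) -> dict:
    """Parse the fixed 48-byte header of an NTP reply into named fields."""
    if len(pkt) < HEADER_LEN:
        raise ValueError(f"NTP packet is {len(pkt)} bytes, need at least {HEADER_LEN}")
    li_vn_mode, stratum, _poll, _precision = struct.unpack("!BBbb", pkt[:4])
    ref, org, rec, xmt = struct.unpack("!QQQQ", pkt[16:HEADER_LEN])
    leap, mode = li_vn_mode >> 6, li_vn_mode & 0x7
    return {
        "leap": leap, "version": (li_vn_mode >> 3) & 0x7, "mode": mode, "stratum": stratum,
        "refid": refid_to_str(stratum, pkt[12:16]),
        "reference": from_ntp_ts(ref),
        "origin": from_ntp_ts(org), "receive": from_ntp_ts(rec), "transmit": from_ntp_ts(xmt),
        # An unsynchronized server answers with leap=3 (alarm) and stratum 0 or 16;
        # a client must not steer its clock from such a reply.
        "usable": mode == MODE_SERVER and leap != 3 and 1 <= stratum <= 15,
    }


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> tuple:
    """Clock offset and round-trip delay from the four timestamps (RFC 5905 section 8).
    t1/t4 are on the client clock, t2/t3 on the server clock."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def demo_synced_reply() -> dict:
    """Constructed exchange: client clock 500 ms behind a stratum-3 server, 20 ms RTT."""
    t1 = 1_642_636_800.000        # client sends request (client clock)
    t2 = t1 + 0.500 + 0.010       # server receives: 500 ms offset plus 10 ms one-way path
    t3 = t2 + 0.001               # server answers 1 ms later
    t4 = t1 + 0.021               # client receives: 20 ms on the wire plus 1 ms at the server
    pkt = build_reply(3, "192.0.2.10", t1, t2, t3)  # constructed refid: the server's upstream peer
    info = parse_reply(pkt)
    info["offset"], info["delay"] = offset_and_delay(
        info["origin"], info["receive"], info["transmit"], t4)
    return info


def demo_unsynced_reply() -> dict:
    """Constructed reply from a server that has not yet agreed on time with its peers."""
    t = 1_642_636_800.0
    return parse_reply(build_reply(16, "0.0.0.0", t, t, t, leap=3))


if __name__ == "__main__":
    good = demo_synced_reply()
    print(f"stratum {good['stratum']} refid {good['refid']} usable={good['usable']} "
          f"offset={good['offset']:+.6f}s delay={good['delay']:.6f}s")
    bad = demo_unsynced_reply()
    print(f"stratum {bad['stratum']} leap {bad['leap']} usable={bad['usable']}")
```

Fed a reply captured on the LAN instead of the constructed one, the decoded stratum and reference ID can be compared with what the firewall's own NTP status reports: a reply the redirect handed to the firewall carries the firewall's stratum and its upstream peer as the refid, while a reply that slipped through to an Internet server carries that server's values.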
                      JonathanLee @JonathanLee
                      last edited by Jan 21, 2022, 12:35 AM

                      @jonathanlee

                      Years ago, Cisco routers would have to have a clock rate set (DTE, DCE) so they would communicate correctly.

                      I think one can say the same issue occurs when your firewall, wireless AP and devices all have different time; the system routing traffic thinks it has jitter or latency issues with systems that are in bridge mode. The goal is to have the router and systems like APs have the time as close as possible.

                      I hope that helps. So yours may still be passing NTP to Wan addresses and not to the firewall because it is inverted.

                      Make sure to upvote

                        JonathanLee @JonathanLee
                        last edited by Jan 21, 2022, 12:38 AM

                        @jonathanlee City-based time zones built for metro-area large traffic patterns are what confuses me with a setup like this: the 5-10 min variations to help the flow of traffic, so everyone is not leaving at 5:00pm at the same 5:00pm.

                        When I worked in Chicago, some of our work phones would have upwards of 15 min differences, which I thought was to help with traffic patterns from office to office, because they all took time from the cell towers.

                        Make sure to upvote

                          netblues @JonathanLee
                          last edited by Jan 21, 2022, 6:06 AM

                          @jonathanlee Nah... I doubt it.
                          GSM engineers had a chronic disrespect for bringing correct time to phones.
                          The features were there, but they couldn't care less.
                          Then the Internet came around and solved it, bypassing them.

                            Uglybrian @JonathanLee
                            last edited by Uglybrian Jan 22, 2022, 5:14 PM (posted Jan 22, 2022, 5:13 PM)

                            @jonathanlee
                            Thank you for the insight and for pointing out my misconfiguration. I didn't see it till you said something. Where I had loopback 127.0.0.1 I should've had IOTWiFi addresses.
                            I used the Netgate recipes for redirecting DNS and applied them to NTP.
                            Have a good weekend.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.