NTP Configuration for LAN & VLANs
-
Hello, I am looking for advice on what is considered best practice for configuring NTP for LAN and multiple VLANs. I have been playing around with pfsense for a while but still have plenty to learn. Any advice you have would be greatly appreciated.
Option 1:
- Configure NTP Interface to LAN only
- Set NTP server via DHCP server and DHCP Static Mappings to point to LAN Gateway (NTP Interface) Only
- Create a Firewall Rule on each VLAN to allow NTP requests to LAN address only
Option 2:
- Configure NTP interface to LAN Only
- Set up ACLs for each VLAN
- Set NTP server via DHCP server and DHCP Static Mappings to point to the Gateway of that subnet - It should have access since I set the ACLs, right?
Option 3?:
- Configure NTP interface to LAN and VLANs
- Set NTP server via DHCP server and DHCP Static Mappings to point to the Gateway of that subnet
-
@32g3liqxu8 said in NTP Configuration for LAN & VLANs:
I am looking for advice on what is considered best practice for configuring NTP for LAN and multiple VLANs.
I assume you desire that all devices in these network segments use the pfSense NTP.
So I think best practice is to create an interface group and add all your subnets to it.
Then create a NAT port forwarding rule on this interface group for TCP/UDP and redirect any destination address and port 123 to 127.0.0.1. By default NTP is listening on localhost.
-
I have NTP on each interface, real and imagined, and pass that address with DHCP. NTP is answered by the local interface and does not need to traverse the firewall.
The only time I need a rule is if I am blocking a network from talking to This Firewall.
-
@32g3liqxu8 said in NTP Configuration for LAN & VLANs:
Set NTP server via DHCP server and DHCP Static Mappings to point to LAN Gateway
Just so you know - many devices will not read this info and use it. Not a DHCP problem, it's a client problem. Many IoT devices, if they need time, will have it hard coded (stupid I know). Others will sit there stupid even if they could get it from DHCP, etc.
So you might need to either set on the device which NTP to use, you may want to do the interception of NTP if they are hardcoded, or you might want to look at what FQDN they are resolving for some NTP server and set a host override to the pfSense IP you want to use.
-
@johnpoz thank you for your response. I will set up interception of NTP as well. I do have an IoT VLAN.
In terms of setting up NTP, which approach is recommended? Set NTP interface to LAN only, or LAN and VLANs, or Localhost only? Set ACLs or don't set ACLs? Most of the examples I found only show one LAN, so I was not sure how to best go about handling VLANs.
Thank you
-
@viragomann thank you for your response
-
@32g3liqxu8 I point my VLANs to their own VLAN interface, but either or both - doesn't really matter what IP on pfSense you point it to, to be honest - as long as you set your firewall rules to allow talking to the IP you're setting your clients to use.
Overall not a fan of any sort of interception - unless there is no other way to do what you want. Like stupid devices that would hard code an NTP IP vs a FQDN. If they resolve a FQDN for their NTP - say a pool address. I have some "stupid" smart lightbulbs - that for sure were not meant to be sold in just the UK - that use a hardcoded uk.ntp.pool.org FQDN for example. I just set a host override to resolve that to a pfSense IP.
There are always multiple ways to skin any cat ;) Depending you may need to use a few different methods to cover all the different sorts of cats on your network hehehe
-
@andyrh thank you for your response
-
@32g3liqxu8 you may want to, as you are setting this all up, do some validation that your clients are actually doing what you want them to - ie getting NTP from your NTP server, be that pfSense or some other NTP. I run a stratum 1 NTP server on a Pi for example that I use for most everything. pfSense syncs its NTP time to that anyway, so it doesn't really matter if they talk to the pfSense IP or the NTP server IP, etc. But if you're going to do interception it is easier to just send that to the pfSense loopback address.
So you may want to do some sniffing (packet captures) to validate your clients are talking to who you want them to talk to, if they do not have the ability to check on them with say like ntpq or something..
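One way to do the validation described above, as an added example that is not from the thread: feed the text output of a packet capture filtered on UDP port 123 (pfSense Diagnostics > Packet Capture, or tcpdump -n udp port 123) to a small script that groups NTP client requests by source host and flags any destination that is not one of your approved NTP addresses. The capture lines, the 192.0.2.0/24 and 203.0.113.0/24 addresses and the approved-server set are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (tcpdump -n udp port 123); not real capture data.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.0.2.20.123 > 192.0.2.1.123: NTPv4, Client, length 48
12:00:01.000200 IP 192.0.2.1.123 > 192.0.2.20.123: NTPv4, Server, length 48
12:00:02.000001 IP 192.0.2.30.52000 > 203.0.113.7.123: NTPv4, Client, length 48
12:00:03.000001 IP 192.0.2.31.123 > 192.0.2.1.123: NTPv3, Client, length 48
12:00:04.000001 IP 192.0.2.30.52001 > 203.0.113.9.123: NTPv4, Client, length 48
"""

# Addresses clients are supposed to use: the pfSense interface IP(s) handed out via DHCP.
# Constructed value; replace with your own gateway addresses.
APPROVED_NTP = {"192.0.2.1"}

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): NTPv\d+, (?P<mode>\w+)"
)


def ntp_destinations(capture_text):
    """Map each client IP to the set of servers it sends NTP Client-mode requests to."""
    by_client = defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        # Skip server replies and anything that is not an NTP request to port 123.
        if not m or m.group("mode") != "Client" or m.group("dport") != "123":
            continue
        by_client[m.group("src")].add(m.group("dst"))
    return dict(by_client)


def stray_clients(capture_text, approved=APPROVED_NTP):
    """Return {client: sorted unapproved servers} for clients that bypass your NTP server."""
    stray = {}
    for client, servers in ntp_destinations(capture_text).items():
        unapproved = sorted(servers - approved)
        if unapproved:
            stray[client] = unapproved
    return stray


if __name__ == "__main__":
    for client, servers in stray_clients(SAMPLE_CAPTURE).items():
        print(f"{client} is querying unapproved NTP servers: {', '.join(servers)}")
```

A host that shows up here is a candidate for a host override (if it resolved a pool name) or for the port-123 redirect mentioned earlier in the thread.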
-
@johnpoz hahaha, I understand. I think I have a game plan now. I have a couple of "stupid" smart lightbulbs as well. I will use ntopng to determine if any of my devices are pulling an outside ntp server and do the host override method.
Thanks again for your help
-
@johnpoz
I cannot see what's the benefit of knowing which NTP server the client would request if it could and adding a host override for it. In my home installation I simply redirect all NTP requests to the pfSense LAN IP. That's pretty quick and easy and the clients are happy, me too.
I do the same with DNS.
-
@viragomann said in NTP Configuration for LAN & VLANs:
what's the benefit of knowing
That your settings worked? If you don't care where your devices get their time - why go through the trouble of setting anything? My point was, if you're going to the trouble of wanting your devices to use your settings, you might want to validate that they are.
Which is why I brought up the DHCP thing - just because you hand out NTP via DHCP doesn't always mean that is what a device will use.
If you know clients ask for pool.ntp.org - setting this in your host override means they would resolve this to the IP you want, and no need to do "redirection". As I said, not a fan of redirection; you don't have to do that if you don't want - if you're happy just redirecting.
-
@johnpoz
I've no concerns about redirecting NTP or any other requests to what I want in my network.
As NTP or DNS doesn't use TLS, the client doesn't notice that.
@johnpoz said in NTP Configuration for LAN & VLANs:
My point was if you're going to the trouble of wanting your devices to use your settings. You might want to validate that they are.
Yes, I can be sure that the internal devices are requesting my NTP server, since I redirect any requests to it.
If I do a host override and the device's NTP setting changes with a firmware upgrade, I could not.
-
@viragomann said in NTP Configuration for LAN & VLANs:
device's NTP setting changes with a firmware upgrade, I could not.
Valid point..
-
By default pfSense hands its own interface address to clients to use in each subnet via DHCP, and the NTP server listens on all interfaces.
What is it you're trying to address by using any other configuration? Also be aware that selecting specific interfaces in the NTP settings also restricts the source IPs NTP uses to update against external servers. So you must have NAT to cover that. Normally you always would, but it can be difficult to diagnose if you hit that issue.
Steve
-
@stephenw10 I’m not trying to address anything specific just trying to learn and understand what would be considered best practice. A lot of the community guides just show LAN being selected as the interface for demonstration but never explain “why” they’re making just that selection over say, Localhost. I have VLANs setup as well so I was curious what the community recommends and “why”. My setup is a home setup with a LAN and multiple VLANs - nothing special. I really just wanted to try it out. Any additional guidance you could provide would be helpful. Thank you
-
Personally I use the default setup for NTP. You don't ever want to expose that to the WAN but the default firewall rules prevent that.