pfSense as NTP authority
-
I need to set up a very specific environment to carry out a test that involves certificates, and that's why I need to have NTP working on the network. My big issue is that I was unable to make pfSense 2.7.2 be the NTP authority in my scenario. I came to the conclusion that I could solve the time problem either by making pfSense the authority and distributing its own time, without it ever having an internet connection (which would be perfect for my specific case), or by having it pull the time from the Windows Server AD server and distribute it to the scenario. Either case would solve my problem. I managed to make the Windows server's NTP work, but pfSense neither synchronizes its time with it nor distributes it. Could anyone help me with this? Just like I said, it's a very specific case, not for a real environment, just for a test that needs to follow these parameters.
-
@T2M5 The second option worked after some time, crazy. I defined the Windows AD as the NTP authority by changing AnnounceFlags to 5 in the registry key, and pfSense gets the time from Windows and distributes it on the network.
-
It worked, but not totally. pfSense gets the pool time from Windows but won't synchronize with it and doesn't distribute Windows' time; it distributes its own time. This would work if the Windows AD could be synchronized with pfSense, but that didn't work. And I'm back to the beginning of the problem.
-
@T2M5 said in pfSense as NTP authority:
The pfsense get the pool time
If you just point to 1 NTP server, it's not a pool and shouldn't be set as a pool.
-
@johnpoz I changed it to "Server", but for some reason it didn't work. If the pfSense NTP server is unable to contact the remote NTP server to get the time, it will distribute its own time/date if the orphan mode number is high, right? Because if this works, it will solve my problem.
-
@T2M5 Why would NTP in pfSense not be able to talk to something on your local network providing time?
I run a little Pi as a stratum 1 NTP server; it has a GPS hat and uses the PPS signal to sync. Talking to some internal NTP server is no different from talking to external NTP servers, from NTP's point of view.
-
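A check that goes with the two posts above: the symptom earlier in the thread (pfSense answers clients but hands out its own time rather than the upstream's) and the stratum 1 Pi just mentioned both show up in the NTP reply itself, in the leap indicator, stratum and reference ID fields. The probe below is an added example written for this page, not code from pfSense, ntpd, chrony or Windows Time; the address 192.168.1.10 used as the internal master is an assumption, and the three sample replies are constructed, not captured traffic.

```python
"""Minimal SNTP probe that decodes what an NTP server claims about itself.

Added example for this thread; it is not code from pfSense, ntpd, chrony or
Windows Time. Addresses below (192.168.1.10 as the internal master) are assumed.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
NTP_PORT = 123


def build_request() -> bytes:
    """Mode-3 client request carrying our transmit timestamp (bytes 40..47)."""
    now = time.time()
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now % 1) * (1 << 32)) & 0xFFFFFFFF
    # First byte: LI=0, VN=4, mode=3 -> 0x23. Bytes 1..39 are zero for a client.
    return bytes([0x23]) + bytes(39) + struct.pack("!II", secs, frac)


def decode_reply(packet: bytes) -> dict:
    """Parse the fixed 48-byte header of a mode-4 server reply."""
    if len(packet) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(packet))
    li_vn_mode, stratum = packet[0], packet[1]
    leap = li_vn_mode >> 6          # 3 = alarm: clock not synchronised
    version = (li_vn_mode >> 3) & 7
    mode = li_vn_mode & 7           # 4 = server reply
    refid = packet[12:16]
    tx_secs, _tx_frac = struct.unpack("!II", packet[40:48])
    if stratum <= 1 or stratum >= 16:
        # Stratum 0 carries a kiss code (RATE, DENY...), stratum 1 the reference
        # clock type (GPS, PPS, LOCL). ntpd also reports INIT/STEP as text at
        # stratum 16, so treat that as text too.
        refid_text = refid.rstrip(b"\x00").decode("ascii", "replace")
    else:
        # Stratum 2+ over IPv4: the IPv4 address of the server it follows.
        # (Over IPv6 it is the first 4 bytes of an MD5 hash, not a real address.)
        refid_text = socket.inet_ntoa(refid)
    usable = mode == 4 and leap != 3 and 1 <= stratum < 16
    return {
        "leap": leap, "version": version, "mode": mode, "stratum": stratum,
        "refid": refid_text, "usable": usable,
        "transmit_unix": tx_secs - NTP_EPOCH_OFFSET if tx_secs else None,
    }


def summarize(info: dict) -> str:
    """One-line verdict: is this box serving usable time, and from where?"""
    if info["mode"] != 4:
        return "not a server reply (mode %d)" % info["mode"]
    if not info["usable"]:
        return "answering but NOT serving usable time (leap=%d, stratum=%d, refid=%s)" % (
            info["leap"], info["stratum"], info["refid"])
    if info["stratum"] == 1:
        return "stratum 1, disciplined by reference clock %s" % info["refid"]
    return "stratum %d, following upstream %s" % (info["stratum"], info["refid"])


def query(host: str, timeout: float = 2.0) -> dict:
    """Live probe of one server (needs network; not exercised offline)."""
    request = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, NTP_PORT))
        data, _ = sock.recvfrom(512)
    # A genuine reply echoes our transmit timestamp in its origin timestamp
    # field (bytes 24..31); anything else is a stray or spoofed packet.
    if data[24:32] != request[40:48]:
        raise ValueError("origin timestamp mismatch: reply is not for our request")
    return decode_reply(data)


def build_sample_reply(leap: int, stratum: int, refid: bytes, tx_secs: int) -> bytes:
    """Constructed mode-4 reply for offline use (not captured traffic)."""
    first = (leap << 6) | (4 << 3) | 4           # LI, VN=4, mode=4
    header = bytes([first, stratum, 6, 0xE9])    # + poll 2^6 s, precision -23
    return header + bytes(8) + refid + bytes(24) + struct.pack("!II", tx_secs, 0)


TX = NTP_EPOCH_OFFSET + 1_700_000_000
# pfSense genuinely chained to an internal master at 192.168.1.10 (assumed)
SAMPLE_CHAINED = build_sample_reply(0, 2, bytes([192, 168, 1, 10]), TX)
# pfSense answering while unsynchronised: clients must not trust this
SAMPLE_UNSYNCED = build_sample_reply(3, 16, b"INIT", TX)
# A GPS/PPS-disciplined stratum-1 box such as the Pi mentioned above
SAMPLE_STRATUM1 = build_sample_reply(0, 1, b"GPS\x00", TX)

if __name__ == "__main__":
    import sys
    for name, pkt in (("chained", SAMPLE_CHAINED), ("unsynced", SAMPLE_UNSYNCED),
                      ("stratum1", SAMPLE_STRATUM1)):
        print("%-9s %s" % (name, summarize(decode_reply(pkt))))
    for host in sys.argv[1:]:            # e.g. python3 ntp_probe.py 192.168.1.1
        print("%-9s %s" % (host, summarize(query(host))))
```

Run it against the pfSense LAN address: if the reference ID it reports is the internal master's IP and the stratum is one above the master's, pfSense is redistributing the master's time; if it reports leap 3, stratum 16, or the orphan stratum, it is answering from its own clock. The origin-timestamp comparison in query() is the cheap sanity check that the reply belongs to the request you sent; it is not authentication, so on a hostile network you would still want NTP symmetric keys or NTS.
-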
@johnpoz You're right, this can work perfectly. Thanks so much for your help. Have a nice day, bro.
-
@T2M5 Yeah, it's normally common practice to run internal NTP server(s), and then have other, also internal, servers that provide this to the rest of your network, so you don't have all the devices in your network talking to outside sources.
That could be your AD infrastructure for sure if you were an MS shop, but it can also be anything running NTP: could be just some Linux box you have running, or some Pi with a GPS hat, etc., or just something syncing with outside NTP.
If the NTP server can sync time with something internally, then sure, it can be used to serve NTP to the rest of your internal network, etc.
It's been a while since I did this with AD, but I do recall you can set it to be an NTP server like you mention, that 5 number.
It might be trying to peer vs. just having pfSense be a client? If you want it to actually peer with the NTP server on pfSense, you would have to adjust the NTP settings in pfSense, I believe. I don't think out of the box it likes to peer with anything. And to be honest, unless it had its own time reference, I'm not sure I would set it to be a peer.
-
@johnpoz I chose to use an NTP master on Linux CentOS and point pfSense to it, to then distribute to the network clients. It was actually much easier and quicker to configure. I tried a few times to synchronize with AD, but there was always a problem somewhere: pfSense wouldn't synchronize or distribute, or vice versa.
Not that it doesn't work, but I couldn't get it to work, lol. But I will try to distribute the time through chrony on Linux to the pfSense, define it as "Server", and point every client to the pfSense.
Thank you very much for your help; you saved me a lot of headaches, bro.
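The design the thread lands on (a chrony master on CentOS with no internet connection, pfSense as a plain client of it that serves the LAN, orphan mode only as the fallback) expressed as configuration. This is an added example, not configuration taken from the thread or from the chrony or pfSense projects. The addresses (192.168.1.10 for the CentOS master, 192.168.1.0/24 for the LAN) and the orphan stratum of 12 are assumptions. pfSense does not expose ntp.conf for editing; the ntpd directives in the second half are what its Services > NTP settings correspond to (a single server entry with the pool option unticked, and the Orphan Mode stratum field).

```conf
# --- /etc/chrony.conf on the CentOS master (assumed 192.168.1.10) ---
# No "server" or "pool" lines: the box has no internet and is the root of
# the internal time hierarchy. "local" lets chronyd serve clients from its
# own clock anyway, advertising stratum 10 so that a real reference clock
# would be preferred by any client that can also see one.
driftfile /var/lib/chrony/drift
local stratum 10
# chronyd answers no NTP clients unless they are explicitly allowed.
allow 192.168.1.0/24

# --- ntpd directives equivalent to the pfSense Services > NTP settings ---
# One "server" line, not "pool": "pool" is for a DNS name that expands to
# several servers, as pointed out in the thread.
server 192.168.1.10 iburst
# Orphan mode: if no source with a stratum below this value is reachable,
# pfSense serves its own clock at stratum 12. It must be higher than the
# stratum the master advertises (10); otherwise ntpd treats the master as
# no better than its own orphan clock and enters orphan mode anyway.
tos orphan 12
# Serve the LAN only; refuse remote configuration and mode 6/7 queries
# from anywhere else (the classic NTP amplification vector).
restrict default kod nomodify notrap nopeer noquery
restrict 192.168.1.0/24 nomodify notrap nopeer
restrict 127.0.0.1
```

To verify the chain end to end: on the CentOS box, `chronyc tracking` should report `Stratum : 10`; on pfSense (Status > NTP, or `ntpq -pn` from the shell) the 192.168.1.10 line should carry the `*` tally, meaning it is the selected source; and a client querying pfSense should see stratum 11 with 192.168.1.10 as the reference ID. If the client sees stratum 12 instead, pfSense has fallen back to orphan mode and is serving its own clock, which is the symptom described earlier in the thread.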