Clock Issue
-
-
@elvisimprsntr Yeah I will set that and a Google DNS server just in case there is ever an issue with the resolver.
-
You need to be able to forward DNS requests to a public DNS server, otherwise public domain names will not resolve, which is exactly what you were seeing with the NTP pools.
-
@elvisimprsntr I'm using the Resolver service, so those entries shouldn't be needed as that talks to the root DNS servers, but it's probably good to have that setting set as a backup.
-
I have just checked the documentation and it looks like the WAN does need to be selected. It's just not very intuitive from the interface, as it's called "NTP server" and you would expect you are selecting the interfaces you want the server to listen and respond on, not call out on:
-
I use DNS Resolver as well. I enable transparent mode so all DHCP clients use my local DNS first, but you have to configure a public DNS server under System -> General.
Then add a FW rule to redirect all public DNS and NTP queries to my local server.
-
@elvisimprsntr I don't use forwarding mode; ideally you want that off, as for more privacy and security you want it going to the root servers, not your ISP, Google, etc.
-
I use Q9 encrypted (port 853) DNS. They seem to do a good job.
-
Yup, ntp will bind to those interface addresses for outbound queries. That usually still works because most configurations have outbound NAT rules for those subnets and default routes via the WAN. But if you don't have one of those things, it will fail.
-
I believe you have come to the wrong conclusion about having to have WAN selected for the NTP server configuration interfaces. It’s true for how you have your PFS set up. Possibly because of interfaces you have selected in the DNS resolver network settings. This is just a guess on my part.
For comparison, I use resolver.
DNS server settings are empty, resolver behavior is set to use local DNS, ignore remote DNS servers.
Resolver is set up in a transparent zone with DNSSEC support enabled.
Resolver is set to listen to all network interfaces and is listening on all outgoing network interfaces. This is a stock out of the box setting.
The NTP server is enabled and set to listen on all interfaces except WAN.
The only difference is I have set up time server pools that are closest to me rather than use the PFSense pools.
-
Check the states. You will see the outgoing ntp queries are sourced from an internal IP and NAT'd.
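One way to do the state check the last two posts describe, as an added example that is not from this thread: a small filter over `pfctl -ss` output that lists each outbound UDP/123 state with its pre-NAT source address and whether the state was NAT'd. The sample state lines are constructed for this example (not captured from a real box) and assume pf's `src (orig) -> dst` state format, where the parenthesised address is the original pre-NAT source.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output: one NTP state NAT'd from a LAN
# address, one sourced directly from the WAN address, and one unrelated
# DNS-over-TLS state that must be ignored.
SAMPLE_STATES='all udp 203.0.113.5:123 (192.168.1.1:123) -> 198.51.100.7:123       MULTIPLE:MULTIPLE
all udp 203.0.113.5:123 -> 198.51.100.8:123       MULTIPLE:MULTIPLE
all udp 203.0.113.5:51234 (10.0.0.1:51234) -> 9.9.9.9:853       MULTIPLE:MULTIPLE'

# Read pf state lines on stdin and print "<source-address> nat|direct" for
# every UDP state whose destination port is 123. For NAT'd states the
# reported source is the original (pre-NAT) address in parentheses.
ntp_states() {
    awk '
        $2 == "udp" {
            dst = ""
            for (i = 1; i <= NF; i++) if ($i == "->") { dst = $(i + 1); break }
            if (dst !~ /:123$/) next
            if ($4 ~ /^\(/) { src = $4; gsub(/[()]/, "", src); mode = "nat" }
            else            { src = $3; mode = "direct" }
            sub(/:[0-9]+$/, "", src)   # drop the port, keep the address
            print src, mode
        }'
}

# Stand-alone run over the constructed sample; on a real firewall use:
#   pfctl -ss | ntp_states
printf '%s\n' "$SAMPLE_STATES" | ntp_states
```

A line showing a private (LAN) source marked `direct` means the query left without being translated by an outbound NAT rule, which is the failure case described above.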