Netgate Discussion Forum

    OpenNTP configuration blues

    pfSense Packages
    • A
      andrewinhawaii
      last edited by

      Hi, I'm new to pfSense so please forgive me if I am being dense here.

      It appears the only way to set (a single) source server for the OpenNTP package is from the "Setup Wizard".  The Services –> OpenNTPD page is rather, umm, brief.  In the past, I have found that it can be beneficial to query more than one ntp time source.  In addition, there is no facility to add optional flags, like in my network "broadcast 10.0.255.255" since my clients listen to ntp broadcasts.  /usr/local/pkg/openntpd.xml and system_ntp_configure() in /etc/inc/system.inc would need to be updated to support these features.  Is this in the works, is there a better way, or should I take a stab at it?

      Andrew

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        The upstream NTP servers are set under System > General, I suppose that could be moved to the NTP config (or at least cross-linked). You can set multiple servers by separating them with spaces, iirc.

        There were some binary fixes to OpenNTP recently (not released yet) that fix a few bugs, but no new config has been added to the GUI yet.

        If you want to edit those settings in, feel free, if people find it helpful we'll include it.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          I personally just update openntp binary with actual ntp binary.  And then just edit /etc/ntp.conf to what I want and start up ntpd directly.

          I'm just not a fan of openntp at all; if that is what they want to use as the basis of the pfSense image, great.  But they should make it very easy to replace.

          For example, a firmware upgrade overwrites ntp.conf.

          Maybe someone should write a package to fully replace openntp with ntp and nice gui for config ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            We actually include both ntpd binaries (/usr/local/sbin/ntpd and /usr/sbin/ntpd) but we stuck with open because it lets you selectively bind/respond on specific IPs, while the FreeBSD version doesn't. We have some users that rely on that functionality.

            • A
              andrewinhawaii
              last edited by

              @jimp:

              The upstream NTP servers are set under System > General, I suppose that could be moved to the NTP config (or at least cross-linked). You can set multiple servers by separating them with spaces, iirc.

              Thanks, I missed that tab.  On my browser (iceweasel/firefox 3.5.16) the "System" drop-down menu is right above the "Help" drop-down menu, making it impossible to access "System" pages without telling FF to "View –> Page Style --> No Style".

              @jimp:

              There were some binary fixes to OpenNTP recently (not released yet) that fix a few bugs, but no new config has been added to the GUI yet.

              I can't seem to find up-to-date documentation for OpenNTP, in particular documenting the ntp.conf parameters.  One key point for me will be integrating the BSD PPS GPS NTP (say that 5 times fast) driver.  Can OpenNTP work with a kernel driver?  I'm going to run 30 feet of LMR400 across my roof to get a better view of the GPS constellation for my Z3801A, so this is very important to me.

              @jimp:

              If you want to edit those settings in, feel free, if people find it helpful we'll include it.

              I was thinking about that.  I need to get stable before I mess everything with the 2.1-DEV tree.

              Andrew

              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                @andrewinhawaii:

                Thanks, I missed that tab.  On my browser (iceweasel/firefox 3.5.16) the "System" drop-down menu is right above the "Help" drop-down menu, making it impossible to access "System" pages without telling FF to "View –> Page Style --> No Style".

                Might be your theme, I think someone fixed that already with some of the other themes, pfsense_ng is the current default. I believe codered and some others might have had a problem like that.

                @andrewinhawaii:

                I can't seem to find up-to-date documentation for OpenNTP, in particular documenting the ntp.conf parameters.  One key point for me will be integrating the BSD PPS GPS NTP (say that 5 times fast) driver.  Can OpenNTP work with a kernel driver?  I'm going to run 30 feet of LMR400 across my roof to get a better view of the GPS constellation for my Z3801A, so this is very important to me.

                Not sure there. We do include PPS_SYNC in the kernel but I believe only FreeBSD's ntpd can tie into it.

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  "because it lets you selectively bind/respond on specific IPs"

                  I get the respond portion, and yeah ntpd does not allow you to pick to only bind to specific interfaces/IPs – but that is what restrict is for.  And also it's a firewall box.. That is what firewall rules are for ;) heheh

                  A couple of simple restrict lines and either ntpd will respond to you or it won't, using specific interfaces.  I would not see an issue unless you, say, had the same network on multiple interfaces?

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    Well that isn't exactly the same thing. Binding to one IP changes how the responses are sourced for cases like VPNs, and not binding at all is more secure than merely filtering responses. Having the code to set that up for FreeBSD's NTP would help the cause though, it was just too much work at the time.

                    I don't remember the issue with NTP but here is a similar one for SNMP, given that they're both UDP services it may be similar reasoning.

                    SNMP bound to all interfaces, if you query it, will respond from whatever IP is "closer" to the client. So if you are on DMZ and query SNMP on the LAN IP of the firewall, it responds from the firewall's DMZ IP. Bind only to the LAN IP and the problem goes away.

                    For the case of coming over an IPsec VPN, binding only on the interface included in the Phase 2 of the VPN allows it to talk properly over the VPN, where otherwise it has issues for some of the same reasons as above. It would try to respond back via the default gateway and use the wrong IP in the process, so it wouldn't match the Phase 2 and it would miss the VPN.

                    Now admittedly I'm not intimately familiar with FreeBSD's ntp so I don't know if the restrict options can actually change the binding. If they do, it's news to me, but it would be very welcome news. I would very much like to use FreeBSD's ntp so we can use things like ntpq to get a detailed status report from it.

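The reply-source behaviour described in the last post for a UDP service bound to all interfaces can be reproduced on a single Linux host. This is an added example, not code from the thread or from pfSense; the loopback addresses 127.0.0.1 and 127.0.0.2 are assumed stand-ins for the client and for the firewall IP the client queries (Linux treats all of 127.0.0.0/8 as local).

```python
import socket

# Assumed stand-ins (not from the thread); both are local on a Linux loopback.
CLIENT_IP = "127.0.0.1"    # the querying host
SERVICE_IP = "127.0.0.2"   # the firewall address the client sends its query to


def reply_source(bind_ip):
    """Send one query to SERVICE_IP and return the IP the reply arrives from.

    bind_ip is the address the toy UDP service binds to: "0.0.0.0" for
    all interfaces, or SERVICE_IP for a single address.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.settimeout(2)
        client.settimeout(2)
        server.bind((bind_ip, 0))             # port 0: kernel picks a free port
        port = server.getsockname()[1]
        client.bind((CLIENT_IP, 0))
        client.sendto(b"query", (SERVICE_IP, port))
        _, peer = server.recvfrom(64)
        # A wildcard-bound socket has no fixed source address, so the kernel
        # chooses one from its route back to the client. A socket bound to
        # one address always answers from that address.
        server.sendto(b"reply", peer)
        _, src = client.recvfrom(64)
        return src[0]
    finally:
        server.close()
        client.close()


def reply_matches_query(bind_ip):
    """True when the reply comes from the address that was queried, which is
    what a stateful filter or an IPsec Phase 2 selector would expect."""
    return reply_source(bind_ip) == SERVICE_IP


if __name__ == "__main__":
    for bind_ip in ("0.0.0.0", SERVICE_IP):
        print(f"service bound to {bind_ip:<9} -> reply from "
              f"{reply_source(bind_ip)}, matches query: "
              f"{reply_matches_query(bind_ip)}")
```

On a multi-homed firewall the same mismatch appears between interface addresses (LAN versus DMZ in the SNMP case above) rather than between loopback aliases.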
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.