OpenNTP configuration blues



  • Hi, I'm new to pfSense so please forgive me if I am being dense here.

    It appears the only way to set (a single) source server for the OpenNTP package is from the "Setup Wizard".  The Services -> OpenNTPD page is rather, umm, brief.  In the past, I have found that it can be beneficial to query more than one ntp time source.  In addition, there is no facility to add optional flags, like in my network "broadcast 10.0.255.255", since my clients listen to ntp broadcasts.  /usr/local/pkg/openntpd.xml and system_ntp_configure() in /etc/inc/system.inc would need to be updated to support these features.  Is this in the works, is there a better way, or should I take a stab at it?

    Andrew


  • Rebel Alliance Developer Netgate

    The upstream NTP servers are set under System > General, I suppose that could be moved to the NTP config (or at least cross-linked). You can set multiple servers by separating them with spaces, iirc.

    There were some binary fixes to OpenNTP recently (not released yet) that fix a few bugs, but no new config has been added to the GUI yet.

    If you want to edit those settings in, feel free, if people find it helpful we'll include it.


  • LAYER 8 Global Moderator

    I personally just update the openntp binary with the actual ntp binary.  And then just edit /etc/ntp.conf to what I want and start up ntpd directly.

    I'm just not a fan of openntp at all; if that is what they want to use as the basis of the pfSense image, great.  But they should make it very easy to replace.

    For example, a firmware upgrade overwrites ntp.conf.

    Maybe someone should write a package to fully replace openntp with ntp and a nice GUI for config ;)


  • Rebel Alliance Developer Netgate

    We actually include both ntpd binaries (/usr/local/sbin/ntpd and /usr/sbin/ntpd) but we stuck with open because it lets you selectively bind/respond on specific IPs, while the FreeBSD version doesn't. We have some users that rely on that functionality.



  • @jimp:

    The upstream NTP servers are set under System > General, I suppose that could be moved to the NTP config (or at least cross-linked). You can set multiple servers by separating them with spaces, iirc.

    Thanks, I missed that tab.  On my browser (iceweasel/firefox 3.5.16) the "System" drop-down menu is right above the "Help" drop-down menu, making it impossible to access "System" pages without telling FF to "View -> Page Style -> No Style".

    There were some binary fixes to OpenNTP recently (not released yet) that fix a few bugs, but no new config has been added to the GUI yet.

    I can't seem to find up-to-date documentation for OpenNTP, in particular documenting the ntp.conf parameters.  One key point for me will be integrating the BSD PPS GPS NTP (say that 5 times fast) driver.  Can OpenNTP work with a kernel driver?  I'm going to run 30 feet of LMR400 across my roof to get a better view of the GPS constellation for my Z3801A, so this is very important to me.

    If you want to edit those settings in, feel free, if people find it helpful we'll include it.

    I was thinking about that.  I need to get stable before I mess everything up with the 2.1-DEV tree.

    Andrew


  • Rebel Alliance Developer Netgate

    @andrewinhawaii:

    Thanks, I missed that tab.  On my browser (iceweasel/firefox 3.5.16) the "System" drop-down menu is right above the "Help" drop-down menu, making it impossible to access "System" pages without telling FF to "View -> Page Style -> No Style".

    Might be your theme, I think someone fixed that already with some of the other themes, pfsense_ng is the current default. I believe codered and some others might have had a problem like that.

    @andrewinhawaii:

    I can't seem to find up-to-date documentation for OpenNTP, in particular documenting the ntp.conf parameters.  One key point for me will be integrating the BSD PPS GPS NTP (say that 5 times fast) driver.  Can OpenNTP work with a kernel driver?  I'm going to run 30 feet of LMR400 across my roof to get a better view of the GPS constellation for my Z3801A, so this is very important to me.

    Not sure there. We do include PPS_SYNC in the kernel but I believe only FreeBSD's ntpd can tie into it.


  • LAYER 8 Global Moderator

    "because it lets you selectively bind/respond on specific IPs"

    I get the respond portion, and yeah, ntpd does not allow you to pick only specific interfaces/IPs to bind to, but that is what restrict is for.  And also it's a firewall box.. That is what firewall rules are for ;) heheh

    A couple of simple restrict lines and either ntpd will respond to you or it won't on specific interfaces.  I would not see an issue unless you, say, had the same network on multiple interfaces?


  • Rebel Alliance Developer Netgate

    Well that isn't exactly the same thing. Binding to one IP changes how the responses are sourced for cases like VPNs, and not binding at all is more secure than merely filtering responses. Having the code to set that up for FreeBSD's NTP would help the cause though, it was just too much work at the time.

    I don't remember the issue with NTP but here is a similar one for SNMP, given that they're both UDP services it may be similar reasoning.

    SNMP bound to all interfaces, if you query it, will respond from whatever IP is "closer" to the client. So if you are on DMZ and query SNMP on the LAN IP of the firewall, it responds from the firewall's DMZ IP. Bind only to the LAN IP and the problem goes away.

    For the case of coming over an IPsec VPN, binding only on the interface included in the Phase 2 of the VPN allows it to talk properly over the VPN, where otherwise it has issues for some of the same reasons as above. It would try to respond back via the default gateway and use the wrong IP in the process, so it wouldn't match the Phase 2 and it would miss the VPN.

    Now admittedly I'm not intimately familiar with FreeBSD's ntp so I don't know if the restrict options can actually change the binding. If they do, it's news to me, but it would be very welcome news. I would very much like to use FreeBSD's ntp so we can use things like ntpq to get a detailed status report from it.
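    The source-address behaviour described above, reproduced as an added example that is not from this thread or from pfSense. It assumes a Linux host where the whole 127.0.0.0/8 block is local, so 127.0.0.2 stands in for the "LAN IP" a client talks to while 127.0.0.1 is the address the kernel prefers when the service is bound to 0.0.0.0; the responder and the `probe` helper are hypothetical stand-ins for a UDP service such as NTP or SNMP.

```python
import socket
import threading

def _respond_once(server: socket.socket) -> None:
    # Minimal UDP responder: answer the first datagram and exit. The reply's
    # source IP is whatever the socket is bound to; for a wildcard bind the
    # kernel's route lookup toward the client chooses it instead.
    data, client = server.recvfrom(512)
    server.sendto(b"pong:" + data, client)

def probe(bind_addr: str, target_addr: str, connected: bool = False):
    """Start a responder bound to bind_addr, send one probe to target_addr and
    return the source IP of the reply, or None if no reply arrived.

    connected=True mimics a client that connect()s its UDP socket (as many NTP
    and SNMP clients do): the kernel then discards any datagram whose source
    address differs from the address the client sent to."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind((bind_addr, 0))          # port 0: let the kernel pick one
    port = server.getsockname()[1]
    worker = threading.Thread(target=_respond_once, args=(server,), daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(1.0)
    try:
        if connected:
            client.connect((target_addr, port))
            client.send(b"ping")
        else:
            client.sendto(b"ping", (target_addr, port))
        _, (reply_src, _) = client.recvfrom(512)
        return reply_src
    except (socket.timeout, TimeoutError):
        return None                      # reply was dropped or never sent
    finally:
        client.close()
        worker.join(1.0)
        server.close()

if __name__ == "__main__":
    # Constructed layout: the client always talks to 127.0.0.2, which plays the
    # role of the firewall's LAN IP; only the service's bind address varies.
    for bind in ("0.0.0.0", "127.0.0.2"):
        for connected in (False, True):
            print(f"bind={bind:<9} connected={connected!s:<5} reply from:",
                  probe(bind, "127.0.0.2", connected))
```

    With the wildcard bind the reply comes back from 127.0.0.1 although the probe went to 127.0.0.2, and a connected client never sees it at all; binding to the specific address makes both cases line up.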

