Netgate Discussion Forum

NTP Setup

General pfSense Questions
8 Posts 4 Posters 13.5k Views
coxhaus, Jan 30, 2016, 4:58 AM (last edited Jan 30, 2016, 6:02 AM)

I am trying to set up NTP for both syncing outside and providing SNTP service inside my network. I have included a few pictures of my setup. I am using the standard 0.pfsense.pool.ntp.org time pool. When I do an NSLookup for 0.pfsense.pool.ntp.org the IPs don't match the IP under status. Is this a problem? Is there anything I need to do on the firewall to keep from advertising SNTP out?

PS
I changed NTP server to be LAN only. The address is a time server in the status page but it does not match 0.pfsense.ntp.org pool as far as I can tell.

I guess I should add I have 3 static routes. Do I need to do anything with the alias created for snort for additional networks? Is NTP going to be available on the static route networks?

[Attached screenshots: Capturef10.PNG, Capturef11.PNG, Capturef12.PNG, Capturef13.PNG]

mer, Jan 30, 2016, 8:42 AM (last edited Jan 30, 2016, 8:50 AM)

DNS pools are designed to return different addresses whenever you query them. Why? Typically load balancing. You'd probably see the same thing if you do nslookup on google.com if you are going to outside DNS servers. This lets you get multiple servers fairly easily: you just enter 0.pfsense.pool.ntp.org multiple times in the list. You can also use 1.pfsense.pool.ntp.org. Most folks will suggest having 3-5 servers configured.

Services->NTP you have only LAN selected? That should limit queries to inbound on the LAN interface, should not be allowing any queries on the WAN side (basically tell the service to listen on LAN not on WAN). Your 3 static routes, they all go out your LAN interface? If so, then NTP should also be available to clients on them.

johnpoz LAYER 8 Global Moderator, Jan 30, 2016, 1:38 PM

Unless he created a WAN rule that allowed access to NTP, it doesn't really matter if he listens on all of them or not. Without a WAN firewall rule to allow the query, nobody could talk to NTP running on pfSense from the WAN side. But agree, if no need, why even listen.

You might want to change your pool to be a continental one in your region of the globe so you talk to NTP servers that are closer to you. Less delay in the query, etc. The pool is designed to use servers close to you, but it cannot hurt to get more specific, either using the correct zone for you, or even using your specific country zone. The only time I wouldn't do that is if your country doesn't have a lot of people in the pool.

You can also just point to public NTP servers directly vs using pool members. Here is a listing of stratum one: http://support.ntp.org/bin/view/Servers/StratumOneTimeServers

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

mer, Jan 30, 2016, 2:14 PM

Thanks John. I was hedging my bets, wasn't sure if selecting WAN would have created an automatic rule allowing the query. Now I know it won't.

MikeV7896, Jan 30, 2016, 2:54 PM

A little more info on the NTP pool…

You can specify continent - i.e. 0.north-america.pool.ntp.org, and in some cases, even country - i.e. 0.us.pool.ntp.org

I would recommend browsing http://www.pool.ntp.org/zone/@. Click a continent, and that will give the hostnames that can be used for the continent and will also list the countries in that continent and how many NTP servers are participating in the NTP pool for each. You can click a country for some statistics for that country.

A note about IPv6... The NTP pool DNS is set up to return IPv6 servers ONLY when looking up 2.*.pool.ntp.org. So if you wanted an IPv6 server to be the first attempt, put a 2 hostname first.

The S in IOT stands for Security

coxhaus, Jan 30, 2016, 7:03 PM

This all sounds good, guys. I will try to narrow down my pool to my central time zone.

One more question. I was trying to set up my Cisco SG300-28 switch with NTP from pfSense. I selected SNTP unicast, defining the pfSense VLAN and using the pfSense IP address. The one question which came up is do I want polling? How should I set polling? Leave it off or on?

johnpoz LAYER 8 Global Moderator, Jan 30, 2016, 7:37 PM

Yes, you would want to enable polling. You can check if you're in sync with the NTP source from the CLI of your SG300 by doing show sntp status, or by looking in the GUI.

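Added example, not code from this thread, from pfSense or from Cisco: a minimal SNTP client in Python showing the unicast request/reply that the switch repeats on each poll, the sanity checks a client should apply to the reply before trusting it (server mode, kiss-o'-death, unsynchronised leap indicator, echoed originate timestamp), and the RFC 4330 offset/delay arithmetic that "show sntp status" reports. The upstream address 203.0.113.5 and the timings in the sample reply are constructed; only query() touches the network and needs a reachable server.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
HEADER = "!BBBbII4sQQQQ"        # 48-byte packet layout from RFC 4330, big-endian

def to_ntp(unix_time):
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds | 32-bit fraction)."""
    return ((int(unix_time) + NTP_EPOCH_OFFSET) << 32) | int((unix_time % 1) * (1 << 32))
def from_ntp(ts):
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)
def build_request(t1):  # LI=0, VN=4, mode 3 (client); only the transmit timestamp is filled in
    return struct.pack(HEADER, 0x23, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, to_ntp(t1))
def decode_refid(stratum, refid):
    # Stratum 0/1: four ASCII chars (RATE, GPS, PPS...); stratum 2+: IPv4 of the upstream server
    return refid.decode("ascii", "replace").strip("\0 ") if stratum <= 1 else ".".join(map(str, refid))

def parse_response(data, t1, t4):
    """Validate one reply and return (offset, delay, stratum, refid); t1/t4 = client send/receive."""
    li_vn_mode, stratum, _, _, _, _, refid, _, orig, recv, xmit = struct.unpack(HEADER, data[:48])
    if li_vn_mode & 0x07 != 4:
        raise ValueError("not a server (mode 4) reply")
    if stratum == 0:                       # kiss-o'-death, e.g. RATE when a client polls too often
        raise ValueError("kiss-o'-death: " + decode_refid(0, refid))
    if li_vn_mode >> 6 == 3:
        raise ValueError("server clock is unsynchronised (LI=3)")
    if orig != to_ntp(t1):                 # the reply must echo our own transmit timestamp
        raise ValueError("originate timestamp mismatch: not the reply to our request")
    t2, t3 = from_ntp(recv), from_ntp(xmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2   # RFC 4330 clock offset
    delay = (t4 - t1) - (t3 - t2)          # RFC 4330 round-trip delay
    return offset, delay, stratum, decode_refid(stratum, refid)

def query(host, port=123, timeout=2.0):  # one SNTP unicast poll, repeated at every polling interval
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, port))
        data, _ = s.recvfrom(512)
        return parse_response(data, t1, time.time())

# Constructed sample reply (not captured from a real server): pfSense answering at stratum 2, synced to
# the made-up upstream 203.0.113.5, its clock 0.5 s ahead of the client, 10 ms each way on the LAN.
T1 = 1454140800.0
T2, T3, T4 = T1 + 0.510, T1 + 0.512, T1 + 0.022
SAMPLE_REPLY = struct.pack(HEADER, 0x24, 2, 6, -20, 0, 0, bytes([203, 0, 113, 5]),
                           to_ntp(T1 - 30), to_ntp(T1), to_ntp(T2), to_ntp(T3))
def demo():
    return parse_response(SAMPLE_REPLY, T1, T4)
```

The refid returned for a stratum 2+ server is the upstream address the server is currently synced to, which is what pfSense shows under Status and why it need not match any single nslookup of the pool name.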
coxhaus, Jan 30, 2016, 8:22 PM

Yes. Polling fixed it.
