NTP Setup

coxhaus · Jan 30, 2016, 6:02 AM

I am trying to setup NTP for both syncing outside and providing SNTP service inside my network. I have included a few pictures of my setup. I am using the standard 0.pfsense.pool.ntp.org time pool. When I do a NSLookup for 0.pfsense.pool.ntp.org the IPs don't match the IP under status. Is this a problem? Is there anything I need to do on the firewall to keep from advertising SNTP out?

PS
I changed NTP server to be LAN only. The address is a time server in the status page but it does not match 0.pfsense.ntp.org pool as far as I can tell.

I guess I should add I have 3 static routes. Do I need to do anything with the alias created for snort for additional networks? Is NTP going to be available on the static route networks?

mer · Jan 30, 2016, 8:50 AM

DNS pools are designed to return different addresses whenever you query them. Why? Typically load balancing. You'd probably see the same thing if you do nslookup on google.com if you are going to outside dns servers. This lets you get multiple servers fairly easily: you just enter 0.pfsense.pool.ntp.org multiple times in the list. You can also use 1.pfsense.pool.ntp.org. Most folks will suggest having 3-5 servers configured.

Services->NTP you have only LAN selected? That should limit queries to inbound on the LAN interface, should not be allowing any queries on the WAN side (basically tell the service to listen on LAN not on WAN). Your 3 static routes, they all go out your LAN interface? If so, then NTP should also be available to clients on them.

johnpoz · Jan 30, 2016, 1:38 PM

unless he created a wan rule that allowed access to ntp, doesn't really matter if he listens on all of them or not. Without a wan firewall rule to allow query, nobody could talk to ntp running on pfsense from the wan side. But agree if no need, why even listen.

You might want to change your pool to be a continental in your region of the globe so you talk to ntp servers that are closer to you. Less delay in the query, etc. The pool is designed to use servers close to you, but can not hurt to get more specific either using correct zone for you, or even using your specific country zone. Only time I wouldn't do that is if your country doesn't have a lot of people in the pool.

You can also just point to public ntp servers directly vs using pool members. Here is listing of stratum one http://support.ntp.org/bin/view/Servers/StratumOneTimeServers

mer · Jan 30, 2016, 2:14 PM

Thanks John. I was hedging my bets, wasn't sure if selecting WAN would have created an automatic rule allowing the query. Now I know it won't.

MikeV7896 · Jan 30, 2016, 2:54 PM

A little more info on the NTP pool…

You can specify continent - i.e. 0.north-america.pool.ntp.org, and in some cases, even country - i.e. 0.us.pool.ntp.org

I would recommend browsing http://www.pool.ntp.org/zone/@. Click a continent, and that will give the hostnames that can be used for the continent and will also list the countries in that continent and how many NTP servers are participating in the NTP pool for each. You can click a country for some statistics for that country.

A note about IPv6... The NTP pool DNS is set up to return IPv6 servers ONLY when looking up 2.*.pool.ntp.org. So if you wanted an IPv6 server to be the first attempt, put a 2 hostname first.

coxhaus · Jan 30, 2016, 7:03 PM

This all sounds good guys I will try to narrow down my pool to my central time zone.

One more question. I was trying to setup my Cisco SG300-28 switch with NTP from pfsense. I selected SNTP unicast defining the pfsense VLAN and using the pfsense IP address. The one question which came up is do I want polling? How should I set polling? Leave it off or on?

johnpoz · Jan 30, 2016, 7:37 PM

yes you would want to enable polling.. You can check if your sync with the ntp source from cli of your sg300 doing show sntp status, or looking in the gui.

coxhaus · Jan 30, 2016, 8:22 PM

Yes. Polling fixed it.