Netgate Discussion Forum
    NTP Setup

General pfSense Questions
8 Posts, 4 Posters, 13.5k Views
coxhaus

I am trying to set up NTP for both syncing outside and providing SNTP service inside my network. I have included a few pictures of my setup. I am using the standard 0.pfsense.pool.ntp.org time pool. When I do an NSLookup for 0.pfsense.pool.ntp.org, the IPs don't match the IP under status. Is this a problem? Is there anything I need to do on the firewall to keep from advertising SNTP out?

      PS
      I changed NTP server to be LAN only.  The address is a time server in the status page but it does not match 0.pfsense.ntp.org pool as far as I can tell.

      I guess I should add I have 3 static routes. Do I need to do anything with the alias created for snort for additional networks?  Is NTP going to be available on the static route networks?
[Attached screenshots: Capturef10.PNG, Capturef11.PNG, Capturef12.PNG, Capturef13.PNG]

mer

        DNS pools are designed to return different addresses whenever you query them.  Why?  Typically load balancing.  You'd probably see the same thing if you do nslookup on google.com if you are going to outside dns servers.  This lets you get multiple servers fairly easily:  you just enter 0.pfsense.pool.ntp.org multiple times in the list.  You can also use 1.pfsense.pool.ntp.org.  Most folks will suggest having 3-5 servers configured.

Services -> NTP, you have only LAN selected? That should limit queries to inbound on the LAN interface, and should not be allowing any queries on the WAN side (basically it tells the service to listen on LAN, not on WAN). Your 3 static routes, do they all go out your LAN interface? If so, then NTP should also be available to clients on them.

johnpoz (LAYER 8 Global Moderator)

Unless he created a WAN rule that allowed access to NTP, it doesn't really matter if he listens on all of them or not. Without a WAN firewall rule to allow the query, nobody could talk to NTP running on pfSense from the WAN side. But I agree: if there is no need, why even listen.

You might want to change your pool to a continental one in your region of the globe so you talk to NTP servers that are closer to you. Less delay in the query, etc. The pool is designed to use servers close to you, but it cannot hurt to get more specific, either by using the correct zone for you or even your specific country zone. The only time I wouldn't do that is if your country doesn't have a lot of people in the pool.

You can also just point to public NTP servers directly vs. using pool members. Here is a listing of stratum one servers: http://support.ntp.org/bin/view/Servers/StratumOneTimeServers

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

mer

Thanks John. I was hedging my bets; I wasn't sure if selecting WAN would have created an automatic rule allowing the query. Now I know it won't.

MikeV7896

              A little more info on the NTP pool…

You can specify a continent, i.e. 0.north-america.pool.ntp.org, and in some cases even a country, i.e. 0.us.pool.ntp.org.

              I would recommend browsing http://www.pool.ntp.org/zone/@. Click a continent, and that will give the hostnames that can be used for the continent and will also list the countries in that continent and how many NTP servers are participating in the NTP pool for each. You can click a country for some statistics for that country.

              A note about IPv6... The NTP pool DNS is set up to return IPv6 servers ONLY when looking up 2.*.pool.ntp.org. So if you wanted an IPv6 server to be the first attempt, put a 2 hostname first.

              The S in IOT stands for Security

coxhaus

This all sounds good, guys. I will try to narrow down my pool to my central time zone.

One more question. I was trying to set up my Cisco SG300-28 switch with NTP from pfSense. I selected SNTP unicast, defining the pfSense VLAN and using the pfSense IP address. The one question which came up is: do I want polling? How should I set polling? Leave it off or on?

johnpoz (LAYER 8 Global Moderator)

Yes, you would want to enable polling. You can check if you're in sync with the NTP source from the CLI of your SG300 by doing "show sntp status", or by looking in the GUI.

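The following is an added example, not code from this thread, from pfSense or from Netgate: a small Python SNTP client that ties together three points made above. It resolves a pool name several times to show the rotating answers mer describes (the name is resolved with getaddrinfo, so the 2.*.pool.ntp.org names MikeV7896 mentions return IPv6 servers too), and it performs the "are you in sync" check johnpoz suggests by sending one SNTP request and inspecting the reply's mode, stratum and leap indicator instead of trusting that a packet came back. The server reply built by sample_reply() is constructed for offline testing, not captured from a real server; the host name in the main block is a placeholder; query() and distinct_pool_addresses() need network access.

```python
"""Minimal SNTP client and reply checker (RFC 4330 packet layout)."""
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_UNIX_DELTA = 2208988800


def build_client_request():
    """Build a 48-byte SNTP client packet: LI=0, version 4, mode 3 (client)."""
    packet = bytearray(48)
    packet[0] = (0 << 6) | (4 << 3) | 3           # 0x23
    now = time.time() + NTP_UNIX_DELTA
    secs = int(now)
    frac = int((now - secs) * (1 << 32)) & 0xFFFFFFFF
    struct.pack_into("!II", packet, 40, secs, frac)  # transmit timestamp (t1)
    return bytes(packet)


def _ntp_to_unix(secs, frac):
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def parse_reply(data):
    """Decode the header, reference ID and receive/transmit timestamps of a server reply."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    first = data[0]
    stratum = data[1]
    ref_raw = data[12:16]
    if stratum <= 1:
        # Stratum 0 (kiss-o'-death) and stratum 1 carry a 4-character ASCII code
        ref_id = ref_raw.decode("ascii", "replace").rstrip("\x00 ")
    else:
        # Stratum 2 and above carry the IPv4 address of the upstream reference
        ref_id = ".".join(str(b) for b in ref_raw)
    rx_secs, rx_frac, tx_secs, tx_frac = struct.unpack("!IIII", data[32:48])
    return {
        "leap": first >> 6,                  # 3 = clock not synchronized
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,                 # 4 = server
        "stratum": stratum,                  # 0 = kiss-o'-death, 16 = unsynchronized
        "poll": data[2],
        "precision": struct.unpack("!b", data[3:4])[0],
        "ref_id": ref_id,
        "receive_time": _ntp_to_unix(rx_secs, rx_frac),    # t2
        "transmit_time": _ntp_to_unix(tx_secs, tx_frac),   # t3
    }


def is_usable(reply):
    """True only for a server reply from a synchronized clock (mode 4, stratum 1..15, LI != 3)."""
    return reply["mode"] == 4 and 1 <= reply["stratum"] <= 15 and reply["leap"] != 3


def clock_offset(t1, t2, t3, t4):
    """Standard SNTP offset of the local clock: ((t2 - t1) + (t3 - t4)) / 2."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def query(host, port=123, timeout=2.0):
    """Send one SNTP request and return the parsed reply plus the offset (network required)."""
    family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)[0]
    request = build_client_request()
    t1 = time.time()
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, addr)
        data, _ = sock.recvfrom(512)
    t4 = time.time()
    reply = parse_reply(data)
    reply["offset"] = clock_offset(t1, reply["receive_time"], reply["transmit_time"], t4)
    return reply


def distinct_pool_addresses(hostname, rounds=3):
    """Resolve a pool name repeatedly; the pool rotates answers, so the set usually grows.
    A caching resolver may return the same answer until its TTL expires (network required)."""
    seen = set()
    for _ in range(rounds):
        for info in socket.getaddrinfo(hostname, 123, type=socket.SOCK_DGRAM):
            seen.add(info[4][0])
    return sorted(seen)


def sample_reply(stratum=2, leap=0):
    """Constructed server reply (not captured from any real server) for offline checks."""
    pkt = bytearray(48)
    pkt[0] = (leap << 6) | (4 << 3) | 4          # LI, version 4, mode 4 (server)
    pkt[1] = stratum
    pkt[2] = 6                                    # poll interval 2**6 seconds
    pkt[3] = 0xEC                                 # precision -20 (about 1 microsecond)
    pkt[12:16] = bytes([192, 0, 2, 1]) if stratum > 1 else b"GPS\x00"
    struct.pack_into("!II", pkt, 32, 3900000000, 0)           # receive timestamp
    struct.pack_into("!II", pkt, 40, 3900000000, 0x80000000)  # transmit: 0.5 s later
    return bytes(pkt)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "0.pfsense.pool.ntp.org"  # placeholder
    print("pool answers:", distinct_pool_addresses(target))
    r = query(target)
    print("stratum", r["stratum"], "ref", r["ref_id"], "offset %.3fs" % r["offset"],
          "usable" if is_usable(r) else "NOT usable")
```

Run it with the pfSense LAN address as the argument to confirm the firewall's NTP service answers from the inside; running it against the WAN address from outside should time out when no WAN rule permits UDP/123, which is the behaviour johnpoz describes.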

coxhaus

                    Yes. Polling fixed it.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.