{"id":6405,"date":"2020-07-14T23:55:43","date_gmt":"2020-07-14T20:55:43","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6405"},"modified":"2024-03-14T22:11:28","modified_gmt":"2024-03-14T19:11:28","slug":"how-to-configure-ntp-server-on-pfsense","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-configure-ntp-server-on-pfsense\/","title":{"rendered":"How to Configure NTP Server on pfSense"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to configure an NTP server on pfSense. <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/www.pfsense.org\/about-pfsense\/\" target=\"_blank\" rel=\"noreferrer noopener\">pfSense<\/a> software is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via a web interface. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability. One of these features is the ability to provide NTP services.<\/p>\n\n\n\n<p>NTP, the Network Time Protocol, is used to keep computer clocks accurate by synchronizing them over the Internet or a local network, or by following an accurate hardware receiver that interprets GPS, DCF-77, NIST or similar time signals.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configuring NTP Server on pfSense<\/h2>\n\n\n\n<p>By default, pfSense ships with an NTP daemon, which controls time synchronization with connected devices. 
As such, with minimal configuration, pfSense can function as an NTP server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure pfSense Time Synchronization<\/h3>\n\n\n\n<p>Before it is able to provide accurate time services to the connected devices, it is wise to ensure that pfSense time is synchronized with other time servers and its time is accurate.<\/p>\n\n\n\n<p>To achieve this, head over to the pfSense web interface and navigate to <strong>System &gt; General Setup<\/strong>.<\/p>\n\n\n\n<p>Under the <strong>Localization<\/strong> configuration section:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set your correct timezone (geographic region), e.g., our zone is <strong>Europe\/Nicosia<\/strong>.<\/li>\n\n\n\n<li>Define your time servers. In this case, we go with the default pfSense NTP pool server, <strong>2.pfsense.pool.ntp.org<\/strong>.<\/li>\n\n\n\n<li>If you use a hostname for a time server, ensure that you have DNS set up in your pfSense for name resolution.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1255\" height=\"287\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/pfsense-timeserver.png\" alt=\"Configure pfSense Time Synchronization\" class=\"wp-image-6410\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/pfsense-timeserver.png?v=1594759095 1255w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/pfsense-timeserver-768x176.png?v=1594759095 768w\" sizes=\"(max-width: 1255px) 100vw, 1255px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring NTP Server<\/h3>\n\n\n\n<p>Once your pfSense time is synchronized, you can now proceed to configure it to provide time services for your network devices.<\/p>\n\n\n\n<p>On the pfSense web interface, navigate to <strong>Services &gt; NTP<\/strong>.<\/p>\n\n\n\n<p>The default <strong>Settings<\/strong> tab holds the <strong>NTP Server Configuration<\/strong> options.<\/p>\n\n\n\n<h4 
class=\"wp-block-heading\">Select NTP Service Interface<\/h4>\n\n\n\n<p>Select an interface on which the NTP service daemon will listen or bind to. Such an interface will be used by the pfSense NTP server to query time from remote hosts as well as to serve the NTP clients. We use three interfaces here: <strong>LAN, OPT1, localhost<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1262\" height=\"365\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/interfaces-1.png\" alt=\"pfSense NTP server interfaces\" class=\"wp-image-6411\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/interfaces-1.png?v=1594759180 1262w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/interfaces-1-768x222.png?v=1594759180 768w\" sizes=\"(max-width: 1262px) 100vw, 1262px\" \/><\/figure>\n\n\n\n<p>To select more than one interface, press and hold the <strong>Ctrl<\/strong> button while selecting.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure NTP Time Servers<\/h4>\n\n\n\n<p>In this section, you need to configure the time servers which your pfSense NTP service will query for time synchronization. The servers defined here are usually pre-populated from the time servers defined in the localization section of <strong>System &gt; General Setup<\/strong>.<\/p>\n\n\n\n<p>It is recommended that you define at least three time servers to ensure time accuracy.<\/p>\n\n\n\n<p>In this tutorial, we are going to add the following public pool time servers:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>0.europe.pool.ntp.org\n1.europe.pool.ntp.org\n2.europe.pool.ntp.org\n3.europe.pool.ntp.org<\/code><\/pre>\n\n\n\n<p>These are the servers located in our region. 
You can find a list of NTP pool time servers for your region\/continent on <a rel=\"noreferrer noopener\" href=\"http:\/\/www.pool.ntp.org\/en\/\" target=\"_blank\">NTP Public Pool Time Servers<\/a>.<\/p>\n\n\n\n<p>Therefore, click the <strong>Add<\/strong> button to enter the NTP pool hostnames of your preferred region.<\/p>\n\n\n\n<p>While adding the time servers, there are options to set your preferred time server over all defined servers (<strong>Prefer<\/strong>), to disable the use of a specific time server (<strong>No Check<\/strong>), and to indicate whether the server is a pool of time servers (<strong>pool<\/strong>).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1260\" height=\"725\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/time-server-pool.png\" alt=\"How to Configure NTP Server on pfSense\" class=\"wp-image-6412\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/time-server-pool.png?v=1594759531 1260w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/time-server-pool-768x442.png?v=1594759531 768w\" sizes=\"(max-width: 1260px) 100vw, 1260px\" \/><\/figure>\n\n\n\n<p><strong>NOTE<\/strong>: With regard to selecting a preferred time server, even if you select all of the defined time servers as <strong>Prefer<\/strong>, only the first prefer is retained upon hitting the <strong>Save<\/strong> button.<\/p>\n\n\n\n<p>For the other configuration options, we will enable logging and RRD graphs for NTP statistics and leave the options with the default settings.<\/p>\n\n\n\n<p>Note that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the <strong>Orphan mode<\/strong> allows the system clock to be used when no other clocks are available.&nbsp;The number set defines the stratum position of the live time servers.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1255\" height=\"624\" 
src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/loggins-n-other-options.png\" alt=\"pfSense NTP server logging\" class=\"wp-image-6413\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/loggins-n-other-options.png?v=1594759592 1255w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/loggins-n-other-options-768x382.png?v=1594759592 768w\" sizes=\"(max-width: 1255px) 100vw, 1255px\" \/><\/figure>\n\n\n\n<p>Click <strong>Save<\/strong> to save the changes.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure Access Control to NTP Service<\/h4>\n\n\n\n<p>Click on the <strong>ACLs<\/strong> tab to define how NTP clients are allowed to interact with the NTP server. Some of the default access restriction options include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>Kiss-o'-Death (KoD)<\/code><\/strong>: rate-limits NTP client requests that are sent very frequently.<\/li>\n\n\n\n<li><code><strong>nomodify<\/strong><\/code>: prevents any changes to the configuration via the ntpq and ntpdc queries. This can be used to protect against amplification attacks.<\/li>\n\n\n\n<li><code><strong>notrap<\/strong><\/code>: prevents&nbsp;<code>ntpdc<\/code>&nbsp;control message protocol traps.<\/li>\n\n\n\n<li><code><strong>nopeer<\/strong><\/code>: disables any new peer association formation.<\/li>\n\n\n\n<li><code><strong>noquery<\/strong><\/code>: denies&nbsp;<code>ntpq<\/code>&nbsp;and&nbsp;<code>ntpdc<\/code>&nbsp;queries, but not time queries, from being answered. This, however, disables the NTP status page.<\/li>\n<\/ul>\n\n\n\n<p>Define network access restrictions to allow a specific set of servers to obtain time services from your pfSense NTP server. To add more networks\/hosts, simply click the <strong>Add<\/strong> button. 
Note that for every network\/host defined, you can specify its own restriction options.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1257\" height=\"786\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ntp-acl.png\" alt=\"pfSense NTP server access control lists\" class=\"wp-image-6414\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ntp-acl.png?v=1594759668 1257w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ntp-acl-768x480.png?v=1594759668 768w\" sizes=\"(max-width: 1257px) 100vw, 1257px\" \/><\/figure>\n\n\n\n<p>For the GPS and Pulse Per Second (PPS) configuration options, we will go with the default.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure NTP Client<\/h3>\n\n\n\n<p>Next, you can now configure your client systems to query and synchronize their time with your pfSense time server.<\/p>\n\n\n\n<p>In this tutorial, we are using an Ubuntu 20.04 system as our test NTP client.<\/p>\n\n\n\n<p>Check the current time on the client before synchronization.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>timedatectl status<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n               Local time: Fri 2020-06-12 22:55:20 EEST\n           Universal time: Fri 2020-06-12 19:55:20 UTC \n                 RTC time: Fri 2020-06-12 19:55:20     \n                Time zone: Asia\/Nicosia (EEST, +0300)  \nSystem clock synchronized: no                          \n              NTP service: inactive                    \n          RTC in local TZ: no\n<\/code><\/pre>\n\n\n\n<p>As you can see, the time is almost one month behind.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Synchronize time manually using ntpdate<\/h4>\n\n\n\n<p>Run the command below to install ntpdate on Ubuntu 18.04<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install ntpdate -y<\/code><\/pre>\n\n\n\n<p>To manually synchronize time with NTP server 
using&nbsp;<strong>ntpdate<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ntpdate 192.168.57.100<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>14 Jul 22:24:35 ntpdate[7189]: adjust time server 192.168.57.100 offset -0.003687 sec<\/code><\/pre>\n\n\n\n<p>Well, it seems all is well with manual time synchronization.<\/p>\n\n\n\n<p>If, however, you get output like this instead:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>14 Jul 22:32:39 ntpdate[7205]: no server suitable for synchronization found<\/code><\/pre>\n\n\n\n<p>Then most probably your firewall is blocking you. To find out, navigate to <strong>Status &gt; System logs &gt; Firewall<\/strong>. Click on the <strong>Dynamic view<\/strong> and click on the filter icon. Enter the IP address of your client system as the source IP address, set the destination port to NTP port 123 and the protocol to UDP.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1257\" height=\"556\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ntp-firewall-filter.png\" alt=\"\" class=\"wp-image-6415\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ntp-firewall-filter.png?v=1594759740 1257w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/ntp-firewall-filter-768x340.png?v=1594759740 768w\" sizes=\"(max-width: 1257px) 100vw, 1257px\" \/><\/figure>\n\n\n\n<p>Then click <strong>Apply Filter<\/strong>.<\/p>\n\n\n\n<p>Next, re-run the ntpdate command above. At the bottom of the firewall logs filter, you should see whether there is any denied entry. 
See example below;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1255\" height=\"152\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/denied-ntp-queries.png\" alt=\"\" class=\"wp-image-6416\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/denied-ntp-queries.png?v=1594759767 1255w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/denied-ntp-queries-768x93.png?v=1594759767 768w\" sizes=\"(max-width: 1255px) 100vw, 1255px\" \/><\/figure>\n\n\n\n<p>If the requests are denied, adjust your firewall rules to allow access to NTP server port 123\/UDP.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1264\" height=\"500\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/allow-ntp-queries-fw.png\" alt=\"\" class=\"wp-image-6417\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/allow-ntp-queries-fw.png?v=1594759787 1264w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/07\/allow-ntp-queries-fw-768x304.png?v=1594759787 768w\" sizes=\"(max-width: 1264px) 100vw, 1264px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Synchronize time automatically with NTP<\/h4>\n\n\n\n<p>Run the command below to install ntp;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install ntp -y<\/code><\/pre>\n\n\n\n<p>Edit the NTP configuration file and set the pfSense NTP Interface address as the NTP server address.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/ntp.conf<\/code><\/pre>\n\n\n\n<p>Comment out the default NTP servers and add your pfSense server interface IP address.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n#pool 0.ubuntu.pool.ntp.org iburst\n#pool 1.ubuntu.pool.ntp.org iburst\n#pool 2.ubuntu.pool.ntp.org iburst\n#pool 3.ubuntu.pool.ntp.org iburst\n#\n## Use Ubuntu's ntp server as a fallback.\n#pool ntp.ubuntu.com\n<strong>server 
192.168.57.100\n<\/strong>...\n<\/code><\/pre>\n\n\n\n<p>Save and exit the configuration.<\/p>\n\n\n\n<p>Restart NTP service daemon.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart ntp<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Verify time synchronization<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ntpq -p<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>     remote           refid      st t when poll reach   delay   offset  jitter\n==============================================================================\n*192.168.57.100  129.242.234.4    2 u   20   64    1    0.574  -17.818   0.873<\/code><\/pre>\n\n\n\n<p>Recheck the time on your client;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>timedatectl status<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n               Local time: Tue 2020-07-14 23:17:25 EEST\n           Universal time: Tue 2020-07-14 20:17:25 UTC \n                 RTC time: Fri 2020-06-12 20:17:05     \n                Time zone: Asia\/Nicosia (EEST, +0300)  \nSystem clock synchronized: no                          \n              NTP service: inactive                    \n          RTC in local TZ: no \n<\/code><\/pre>\n\n\n\n<p>And there you go.<\/p>\n\n\n\n<p>You might be wondering why timedatectl status shows as clock not synchronized and ntp service inactive. 
This is because we are not using Systemd timesyncd for NTP synchronization.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Further Reading<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/docs.netgate.com\/pfsense\/en\/latest\/book\/services\/ntpd-server.html\" target=\"_blank\">pfSense NTP server configuration<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/setup-ntp-server-using-chrony-on-centos-8\/\" target=\"_blank\">Setup NTP Server using Chrony on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/setup-ntp-server-using-ntpd-on-debian-10-buster\/\" target=\"_blank\">Setup NTP server Using NTPd on Debian 10 Buster<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/configure-ntp-server-using-ntpd-on-fedora-30\/\" target=\"_blank\">Configure NTP Server using NTPd on Fedora 30<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/how-to-install-and-configure-ntp-server-using-ntpd-on-fedora-29-fedora-28\/\" target=\"_blank\">How to Install and Configure NTP Server Using NTPd on Fedora 29\/Fedora 28<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-and-configure-ntp-server-using-chrony-on-fedora-29\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Install and Configure NTP Server Using Chrony on Fedora 29\/Fedora 28<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to configure NTP server on pfSense. 
pfSense software is a free, open source customized distribution of FreeBSD specifically<\/p>\n","protected":false},"author":1,"featured_media":12718,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,44,236,930,1454,34],"tags":[1809,1808,243,1757,1807,1810,1806],"class_list":["post-6405","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-firewall","category-ntp","category-ntpd","category-pfsense","category-security","tag-configure-pfsense-as-ntp","tag-ntp-acl","tag-ntpd","tag-pfsense","tag-pfsense-ntp-server","tag-pfsense-ntp-server-configuration","tag-setup-pfsense-as-ntp-server","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6405"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=6405"}],"version-history":[{"count":9,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6405\/revisions"}],"predecessor-version":[{"id":21450,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6405\/revisions\/21450"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12718"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=6405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=6405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=6405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.o
rg\/{rel}","templated":true}]}}