How To Configure NTP Server on pfSense / OPNsense

Posted on 98 views

If you have pfSense or OPNsense firewall / router in your network environment you can convert it to be an NTP server used by local systems to synchronize time. This removes the need for a dedicated server appliance to handle NTP server operations. In my home lab I had a need to synchronize vSphere time with an NTP, and local server is my preferred preference. Manual time correction of a system can lead to severe problems, e.g a backward leap can cause malfunction of critical applications.

NTP (network time protocol) is a protocol used to synchronize system time over the network. A machine in the network can itself act as a time source for other computers or it can obtain time from a server that is a reliable time source. The goal is twofold – maintaining the absolute time and synchronizing the system time of all machines within a network.

In this article we’re going to configure pfSense / OPNsense as NTP server.

Configure pfSense / OPNsense as NTP server

Upon installation of pfSense / OPNsense NTP is available for configuration. Login to the firewall portal and navigate to Services > NTP

pfsense-opnsense-configure-ntp-001

In the page that opens we’ll consider configuration of the following options:

Set Listening interface

Under Interface you can select the interface(s) to use for NTP service. By default NTP daemon binds to all interfaces and can serve NTP clients from any local source. If this is not a setting you want you can explicitly select interface or multiple interfaces to bind.

I’ll select three interfaces where NTP service is applied.

pfsense-opnsense-configure-ntp-02-768x172

Add Time Servers

Here you’ll set a list of servers to query in order to keep the clock of this firewall synchronized. Click to add additional servers.

pfsense-opnsense-configure-ntp-03-768x88

We’ll set at least three servers by

pfsense-opnsense-configure-ntp-04-768x144
  • Prefer – If checked, this NTP server entry is favored by the NTP daemon over others.
  • No Select – If checked, this NTP server is not used for time synchronization, but only to display statistics.

NTP Graphs / Logging

Checking “NTP Graphs” will enable RRD graphs for NTP server statistics. Enabling logging means NTP logs are written using syslog and are available under Status > System Logs, on the NTP tab.

pfsense-opnsense-configure-ntp-05-768x105

Set other options to your liking then save the changes.

pfsense-opnsense-configure-ntp-06-768x93

Restricting Access to pfSense / OPNsense NTP

You can also configure Access restrictions (ACLs) on the ACL tab. These ACLs are used to control how NTP interacts with clients. These are the default settings.

pfsense-opnsense-configure-ntp-07-768x241

Custom Access Restrictions

Here you can define the behavior for specific client addresses or subnets. Click + to add a new network definition. This is more practical if limiting NTP daemon to specific interfaces was not done.

Configuring Clients to use pfSense / OPNsense as NTP server

We’ll use a Linux machine to configure NTP server. My system is running Rocky Linux 8. I’ll configure NTP server inside the /etc/chrony.conf file

$ sudo vim /etc/chrony.conf
#pool 2.pool.ntp.org iburst
pool 172.20.30.1 iburst

Where 172.20.30.1 is the IP address of pfSense firewall LAN interface. Start chronyd service.

$ sudo systemctl enable --now chronyd
Created symlink /etc/systemd/system/multi-user.target.wants/chronyd.service → /usr/lib/systemd/system/chronyd.service.

Verify the status:

$ chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* _gateway                      2   6    17    24  +4391ns[+8559ns] +/-   74ms

We can install NTPStat package

sudo dnf -y install ntpstat

Display time synchronization status using ntpstatcommand:

$ ntpstat
synchronised to NTP server (172.20.30.1) at stratum 3
   time correct to within 74 ms
   polling server every 64 s

Output of timedatectl command:

$ timedatectl
               Local time: Wed 2022-10-05 00:55:24 EAT
           Universal time: Tue 2022-10-04 21:55:24 UTC
                 RTC time: Tue 2022-10-04 21:55:24
                Time zone: Africa/Nairobi (EAT, +0300)
System clock synchronized: yes
              NTP service: active

Conclusion

The NTP service continuously adjusts the system time with reliable time servers in the network. In this article we configured pfSense to enable the management of local reference clocks on other systems. We hope this article was helpful and thank you very much for visiting our website.

coffee

Gravatar Image
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.