If you have a pfSense or OPNsense firewall / router in your network environment, you can turn it into an NTP server that local systems use to synchronize time. This removes the need for a dedicated server appliance to handle NTP server operations. In my home lab I had a need to synchronize vSphere time with an NTP server, and a local server is my preference. Manual time correction of a system can lead to severe problems, e.g. a backward leap can cause critical applications to malfunction.
NTP (Network Time Protocol) is a protocol used to synchronize system time over the network. A machine in the network can itself act as a time source for other computers, or it can obtain time from a server that is a reliable time source. The goal is twofold: maintaining the absolute time and synchronizing the system time of all machines within a network.
In this article we’re going to configure pfSense / OPNsense as NTP server.
Configure pfSense / OPNsense as NTP server
NTP is available for configuration as soon as pfSense / OPNsense is installed. Log in to the firewall portal and navigate to Services > NTP.
In the page that opens we’ll consider configuration of the following options:
Set Listening interface
Under Interface you can select the interface(s) the NTP service listens on. By default the NTP daemon binds to all interfaces and can serve NTP clients from any local source. If that is not what you want, explicitly select the interface or interfaces to bind to.
I’ll select three interfaces where NTP service is applied.
Add Time Servers
Here you’ll set a list of servers to query in order to keep the clock of this firewall synchronized. Click + to add additional servers.
We’ll set at least three servers by
- Prefer – If checked, this NTP server entry is favored by the NTP daemon over others.
- No Select – If checked, this NTP server is not used for time synchronization, but only to display statistics.
NTP Graphs / Logging
Checking “NTP Graphs” will enable RRD graphs for NTP server statistics. Enabling logging means NTP logs are written using syslog and are available under Status > System Logs, on the NTP tab.
Set other options to your liking then save the changes.
Restricting Access to pfSense / OPNsense NTP
You can also configure Access restrictions (ACLs) on the ACL tab. These ACLs are used to control how NTP interacts with clients. These are the default settings.
Custom Access Restrictions
Here you can define the behavior for specific client addresses or subnets. Click + to add a new network definition. This is most useful if you did not limit the NTP daemon to specific interfaces.
Configuring Clients to use pfSense / OPNsense as NTP server
We’ll use a Linux machine as the NTP client. My system is running Rocky Linux 8. I’ll configure NTP server inside the
$ sudo vim /etc/chrony.conf
#pool 2.pool.ntp.org iburst
pool 172.20.30.1 iburst

Here 172.20.30.1 is the IP address of the pfSense firewall's LAN interface. Start the chronyd service:

$ sudo systemctl enable --now chronyd
Created symlink /etc/systemd/system/multi-user.target.wants/chronyd.service → /usr/lib/systemd/system/chronyd.service.
Verify the status:
$ chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* _gateway                      2   6    17    24  +4391ns[+8559ns] +/-   74ms
We can install the ntpstat package:
sudo dnf -y install ntpstat
Display time synchronization status using:
$ ntpstat
synchronised to NTP server (172.20.30.1) at stratum 3
   time correct to within 74 ms
   polling server every 64 s
Output of timedatectl command:
$ timedatectl
               Local time: Wed 2022-10-05 00:55:24 EAT
           Universal time: Tue 2022-10-04 21:55:24 UTC
                 RTC time: Tue 2022-10-04 21:55:24
                Time zone: Africa/Nairobi (EAT, +0300)
System clock synchronized: yes
              NTP service: active
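The manual checks above can be scripted so that monitoring flags a client that has drifted to a different time source or lost contact with the firewall. This is an added example, not part of the original article: the function name `check_ntp_source`, the default stratum ceiling of 4 and the second sample are assumptions, and it expects `chronyc -n sources` output so the name column holds the address rather than `_gateway`.

```bash
#!/usr/bin/env bash
# Added example: confirm a chrony client is locked to the firewall's NTP service.
# check_ntp_source, the stratum ceiling and SAMPLE_WRONG are assumptions.

# Usage: chronyc -n sources | check_ntp_source <expected-ip> [max-stratum]
# Returns 0 when the selected source is the expected one and looks healthy,
# 1 when a source is selected but fails a check, 2 when nothing is selected.
check_ntp_source() {
    awk -v want="$1" -v max="${2:-4}" '
        # Data rows start with a mode char (^ server, = peer, # refclock)
        # then a state char; "*" marks the source chronyd is currently using.
        /^[=#^]\*/ {
            found = 1
            name = $2; stratum = $3 + 0; reach = $5   # reach is an octal bitmask
            if (name != want) {
                print "FAIL: synced to " name ", expected " want; bad = 1
            } else if (reach == "0") {
                print "FAIL: " name " selected but last 8 polls all failed"; bad = 1
            } else if (stratum < 1 || stratum > max) {
                print "FAIL: " name " stratum " stratum " outside 1.." max; bad = 1
            } else {
                print "OK: synced to " name " (stratum " stratum ", reach " reach ")"
            }
        }
        END {
            if (!found) { print "FAIL: no selected source"; exit 2 }
            exit bad + 0
        }'
}

# The row from the article, with the address that -n prints instead of _gateway.
SAMPLE_OK='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.20.30.1                   2   6    17    24  +4391ns[+8559ns] +/-   74ms'

# Constructed: the client has selected a different server; the firewall is
# listed but is not the selected source.
SAMPLE_WRONG='^* 192.0.2.10                    2   6   377    12    +10us[  +12us] +/-   30ms
^- 172.20.30.1                   2   6   377    11    +15us[  +15us] +/-   40ms'

# Live check on a client: ./script --live 172.20.30.1
if [ "${1:-}" = "--live" ]; then
    chronyc -n sources | check_ntp_source "${2:?firewall IP required}"
fi
```

A non-zero exit code makes the function usable from cron or a monitoring agent; exit code 2 (no selected source) is the state a client is in right after chronyd starts or when the firewall's ACLs refuse it service.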
The NTP service continuously adjusts the system time with reliable time servers in the network. In this article we configured pfSense to enable the management of local reference clocks on other systems. We hope this article was helpful and thank you very much for visiting our website.