Use pfSense as a NTP Server


(2.19.12 – This post has been amended to provide better methods for using cron, to provide a slightly modified version of ntp.conf, and to reflect minor changes in recent versions of the software — iceflatline)

In a previous post, I described how to install and set up pfSense in a home network. In this post I will describe how to configure pfSense to act as a Network Time Protocol (“NTP”) server and how to configure various hosts in your network to synchronize their local clock to this server.

pfSense (i.e., “making sense of packet filtering”) is a customized version of FreeBSD tailored specifically for use as a perimeter firewall and router, and managed almost entirely from a web-based GUI. In addition to being a firewall and routing platform, pfSense includes a long list of other features, as well as a package system allowing its capabilities to be expanded even further. pfSense is free, open source software distributed under the BSD license.

Originally designed by David L. Mills of the University of Delaware circa 1985, NTP is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks, and one of the oldest Internet protocols still in use. NTP uses User Datagram Protocol (UDP) port number 123. pfSense uses OpenNTPD, a free, easy-to-use implementation of NTP.

The versions for the software used in this post were as follows:

  • FreeBSD 9.0-RELEASE
  • NTP v1:4.2.6p2+dfsg-1ubuntu12
  • pfSense v2.0.1
  • Ubuntu v11.10 (x64)
  • Windows 7 Professional (x64)

    Configure OpenNTPD in pfSense

    Before configuring the OpenNTP server, it’s a good idea to ensure that pfSense itself is keeping accurate time. The best way to do that is to have it synchronize its clock with one or more remote NTP servers. First though, you should make sure that the clock in the machine hosting pfSense is set to something close to accurate – if the difference is too great, pfSense will not synchronize properly with the remote NTP server.

    Login to the pfSense machine using its “webConfigurator” (webGUI) interface. Navigate to System->General Setup and select the timezone that matches the physical location of the pfSense machine from among the options under “Time zone.” Next, enter the host name or IP address for the remote NTP server under “NTP time server.” Remember to add at least one DNS server under System->General Setup->DNS servers if you decide to use a host name instead of an IP address. Most likely you’ll find this field is already populated with one or more default remote NTP server(s) such as 0.pfsense.pool.ntp.org, 1.pfsense.pool.ntp.org, etc. These servers will work just fine in most cases, however you may get more accurate results if you use one of the continental zone servers (e.g., europe., north-america., oceania., or asia.pool.ntp.org), and even more accurate time if you choose to use one of the country zone servers (e.g., us.pool.ntp.org in the United States). For all of these zones, you can use the 0, 1 or 2 prefix, like 0.us.pool.ntp.org, to distinguish between servers from a particular region or country. (See the NTP Pool Project web site for more information on how to use pool.ntp.org servers). Like 0.pfsense.pool.ntp.org, these server entries will pick random NTP servers from a pool of known good ones. Also, while one NTP server is sufficient, you can improve reliability by adding more. Just make sure their host names or IP addresses are separated by a space.

    Now that the pfSense machine is on its way to keeping accurate time, let’s configure its OpenNTPD server. Navigate to Services->OpenNTPD and check the “Enable” box. Pick which interface OpenNTPD should listen on. You can select multiple interfaces simultaneously by holding down the CTRL key while you select them. Now select “Save.” The OpenNTPD server will start immediately, however there may be a delay of several minutes before it is ready to service NTP requests as it must first ensure that its own time is accurate. That’s all there is to it. Remember that if you select “WAN” as one of the interfaces that OpenNTPD will listen on, you must also configure an incoming firewall rule for UDP port 123. You’ll find the OpenNTPD logs under Status->System Logs->OpenNTPD, however don’t expect to see much there – unless there is a problem, OpenNTPD will likely not generate log entries.

    Configure Hosts

      Windows

    After configuring the OpenNTPD server in pfSense, let’s configure a Windows host to synchronize its local clock to this server. Right-click on the time (usually located in the lower right corner of the desktop) and select “Adjust date/time.” Select the “Internet Time” tab, then select “Change settings.” Check the “Synchronize with an Internet time server” box, enter the host name or IP address of the pfSense machine, then select “Update now.” It’s not uncommon to get an error message the first time you attempt to update. Wait a few seconds and try again; you should receive a “The clock was successfully synchronized…” message.

      Linux

    Most Linux distributions feature two utilities to help the local clock maintain its accuracy: ntpdate and/or ntpd. The older ntpdate utility is typically included in Linux distributions as a default package, but its functionality is now also available in the ntpd utility. However, you can easily install the stand-alone version using your distribution’s package manager:

    sudo apt-get install ntpdate
    

    ntpdate typically runs once at boot time and will synchronize the local clock with a default NTP server defined by the distribution (in Ubuntu, for example, this default NTP server is ntp.ubuntu.com). But what if this machine doesn’t get rebooted often, as in the case of a server? And what about using the OpenNTPD server in the pfSense machine? We can address both of those issues by occasionally running ntpdate using the following command. For this and subsequent examples we’ll assume the IP address assigned to the LAN interface in the pfSense machine is 192.168.1.1:

    sudo ntpdate 192.168.1.1
    

    Perhaps a more effective approach though is to use cron, a *nix utility that allows tasks to be automatically run in the background at regular intervals by the cron daemon. These tasks are typically referred to as “cron jobs.” A “crontab” is a file which contains one or more cron job entries to be run at specified times. You can create a new crontab (or edit an existing one) using the system’s default command line editor by using the command crontab -e under your user account. Because ntpdate needs to be run by the system’s root user we’ll create the crontab using the command sudo crontab -e. Here are some example cron job entries using the ntpdate command. You could add one or many ntpdate cron job entries to your crontab depending on your needs, then simply uncomment the one you want to use. Also, cron will attempt to email the user the output of the commands it runs. To silence this, we’ll redirect the command output to /dev/null:

    #Run ntpdate every 15 minutes
    #*/15 * * * * /usr/sbin/ntpdate 192.168.1.1 >> /dev/null 2>&1
    
    #Run ntpdate every 30 minutes
    #*/30 * * * * /usr/sbin/ntpdate 192.168.1.1 >> /dev/null 2>&1
    
    #Run ntpdate at the top of every hour
    # 0 * * * * /usr/sbin/ntpdate 192.168.1.1 >> /dev/null 2>&1
    
    #Run ntpdate every three hours at the top of each hour
    0 */3 * * * /usr/sbin/ntpdate 192.168.1.1 >> /dev/null 2>&1
    
    #Run ntpdate every six hours at the top of each hour
    #0 */6 * * * /usr/sbin/ntpdate 192.168.1.1 >> /dev/null 2>&1
    

    You can add additional NTP servers to the command if desired, just make sure they are listed on the same line after the address for the pfSense machine and that there is a space separating all entries.

    While using ntpdate in this way will certainly work well, the utility ntpd on the other hand is considerably more sophisticated. It continually runs, calculating the drift of the local clock and then adjusting its time on an ongoing basis by synchronizing with one or more NTP servers. By default ntpd acts as a NTP client, querying NTP servers to set the local clock, however it also can act as a NTP server, providing time service to other clients. Alas though, nothing is free, and using ntpd will result in yet one more system process that may not otherwise be running in your system, consuming both CPU and memory resources.

    Like ntpdate, many Linux distributions include ntpd by default. If yours does not you can install it using your distribution’s package manager:

    sudo apt-get install ntp
    

    The installation process should add ntpd to the requisite run levels and start its daemon automatically. Now we need to configure it so that it acts as a NTP client only and not as a NTP server. After all, that’s what we’re going to use the pfSense machine for right? ntpd is configured using the /etc/ntp.conf file. Rather than modifying the default file however, let’s back it up and create a new one:

    sudo mv /etc/ntp.conf /etc/ntp.conf.ORIGINAL
    sudo touch /etc/ntp.conf
    

    Now open the new /etc/ntp.conf file with an editor and add the following lines:

    #### NTP CLIENT CONFIGURATION
    
    ### START OF FILE
    
    ## Specify a drift file.
    driftfile /etc/ntp.drift
    
    ## The NTP server(s) we'll use to keep local clock accurate
    # This server is the pfSense machine
    server 192.168.1.1  
    
    # Use one of the country zone servers as a fallback
    server 0.us.pool.ntp.org
    
    ## Restrictions
    # Prohibit general access to the ntpd server in this machine. Note that
    # "ignore" also drops replies from any server that has no restrict line
    # of its own, so each server listed above needs a matching entry below.
    restrict default ignore
    
    # Allow the pfSense machine to synchronize the local clock,
    # but do not allow it to modify the ntpd configuration.
    restrict 192.168.1.1 nomodify notrap noquery
    
    # The same for the fallback server. The name is resolved when ntpd starts;
    # if it does not resolve to the address the server line ended up using,
    # replace both with a fixed IP address.
    restrict 0.us.pool.ntp.org nomodify notrap noquery
    
    # Make sure that this machine has full access to ntpd via IPv4 and IPv6.
    restrict 127.0.0.1
    restrict ::1
    
    ### END OF FILE
    

    The driftfile option specifies a file to be used to store the local clock’s frequency offset. ntpd uses this file to automatically compensate for the local clock’s natural time drift, allowing it to maintain reasonably accurate time even if it cannot communicate with the pfSense machine for some period of time. The server option specifies which NTP servers are to be used for synchronization, with one server listed per line.
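    As an added check that is not part of the original post, the following shell function reads an ntp.conf and lists every server whose address has no restrict line of its own while restrict default ignore is in effect, since ntpd would drop that server's replies. The sample configuration it runs against is constructed to mirror the file above, minus the restrict line for the fallback.

```shell
#!/bin/sh
# Added example (not from the original post): lint an ntp.conf for the
# "restrict default ignore" pitfall. With that default, ntpd drops packets
# from any address lacking its own restrict line, including the replies of
# a configured server, so every "server" address needs a matching "restrict".
# The comparison is a literal token match, not DNS-aware.
# Reads the configuration on stdin; prints one unrestricted server per line.
ntpconf_unrestricted_servers() {
    awk '
        { sub(/#.*/, ""); if (NF == 0) next }            # drop comments/blanks
        $1 == "restrict" {
            a = $2; f = 3
            if (a == "-4" || a == "-6") { a = $3; f = 4 } # address-family flag
            if (a == "default") {
                for (i = f; i <= NF; i++) if ($i == "ignore") deny_all = 1
            } else {
                restricted[a] = 1
            }
            next
        }
        $1 == "server" { servers[++n] = $2 }
        END {
            if (!deny_all) exit 0                        # nothing is dropped
            for (i = 1; i <= n; i++)
                if (!(servers[i] in restricted)) print servers[i]
        }
    '
}

# Constructed sample: the pfSense server has a restrict line, the pool
# fallback does not, so its replies would be silently discarded.
SAMPLE_CONF='driftfile /etc/ntp.drift
server 192.168.1.1
server 0.us.pool.ntp.org
restrict default ignore
restrict 192.168.1.1 nomodify notrap noquery
restrict 127.0.0.1
restrict ::1'

printf '%s\n' "$SAMPLE_CONF" | ntpconf_unrestricted_servers   # 0.us.pool.ntp.org
```

Run it as `ntpconf_unrestricted_servers < /etc/ntp.conf`; an empty result means every configured server will be heard.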

    While not required, you can run the ntpdate command one time to fully synchronize the local clock with the OpenNTPD server in pfSense, then restart ntpd.

    sudo /etc/init.d/ntp stop
    sudo ntpdate 192.168.1.1
    sudo /etc/init.d/ntp start
    

    Allow ntpd to run for a while, then use the ntpq -p command to see the NTP server(s) that the client is synchronizing with. The output of this command provides a list of configured NTP servers and the delay, offset and jitter that ntpd is experiencing with them. When ntpd is correctly synchronizing with a NTP server, the delay and offset values should be non-zero and the jitter value should be under 100. An asterisk by a server address means that ntpd is currently synchronizing with that particular NTP server.

    sudo ntpq -p
    

    Sample output:

         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *pfsense.home   50.127.241.148   3 u   27   64  377    1.325  1269.50 607.565
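    As an added check that is not part of the original post, this shell function applies the criteria just described to ntpq -p output: it finds the peer marked with an asterisk and reports whether its jitter has dropped under 100. The three sample outputs are constructed; the first is the output shown above shortly after ntpd was started.

```shell
#!/bin/sh
# Added example (not from the original post): judge "ntpq -p" output by the
# criteria given in the post. The peer marked "*" is the one ntpd is
# synchronised to, and its jitter should be under 100 before the clock is
# considered settled. Reads ntpq -p output on stdin and prints one line:
#   settled  - a "*" peer with jitter < 100   (exit 0)
#   settling - a "*" peer but jitter >= 100   (exit 1)
#   unsynced - no peer selected yet           (exit 2)
ntpq_sync_status() {
    awk '
        NR <= 2 { next }                       # column header and ==== rule
        substr($0, 1, 1) == "*" {              # tally code "*" = system peer
            peer = substr($1, 2); reach = $7; offset = $9; jitter = $10
            found = 1
        }
        END {
            if (!found) { print "unsynced: no peer selected"; exit 2 }
            state = (jitter + 0 < 100) ? "settled" : "settling"
            printf "%s: peer=%s reach=%s offset=%s jitter=%s\n", state, peer, reach, offset, jitter
            if (state == "settled") exit 0
            exit 1
        }
    '
}

# Constructed samples: the output shown in the post shortly after ntpd was
# started, the same client once its clock has settled, and a client whose
# server has not yet answered (reach 0, refid .INIT.).
SETTLING_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*pfsense.home   50.127.241.148   3 u   27   64  377    1.325  1269.50 607.565'
SETTLED_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*pfsense.home   50.127.241.148   3 u   38  128  377    1.102    0.412   0.218'
NO_PEER_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 pfsense.home    .INIT.          16 u    -   64    0    0.000    0.000   0.000'

for sample in "$SETTLING_SAMPLE" "$SETTLED_SAMPLE" "$NO_PEER_SAMPLE"; do
    printf '%s\n' "$sample" | ntpq_sync_status || :   # keep going on non-zero exit
done
```

On a live host, `ntpq -p | ntpq_sync_status` gives an exit status a cron job or monitoring script can act on.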
    
      FreeBSD

    ntpdate and ntpd are installed in FreeBSD by default, however ntpd is not configured to start by default.

    Similar to Linux, we can run ntpdate manually as root to synchronize with the OpenNTPD server running in the pfSense machine. Again, we’ll assume 192.168.1.1 is the IP address assigned to the LAN interface on the pfSense machine.

    ntpdate 192.168.1.1
    

    ntpdate can also be made to run at boot time in FreeBSD by adding the following lines in the file /etc/rc.conf:

    ntpdate_enable="YES"
    ntpdate_hosts="192.168.1.1"
    

    We can also use cron under FreeBSD to run ntpdate. You can create a new crontab (or edit an existing one) using the system’s default command line editor by using the command crontab -e as root. The example cron job entries provided above under Linux will also work under FreeBSD.

    To configure ntpd under FreeBSD open /etc/rc.conf in an editor as root and add the following line:

    ntpd_enable="YES"
    

    Then follow the instructions above under Linux to backup the existing /etc/ntp.conf file and create a new one. If desired, you can run the ntpdate command one time to fully synchronize the local clock with the OpenNTPD server in pfSense, then start ntpd. You can use the ntpq -p command to check the status of the NTP server(s) the client is synchronizing to.

    ntpdate 192.168.1.1
    /etc/rc.d/ntpd start
    

    Conclusion

    This concludes the post on how to configure your pfSense machine to also act as a NTP server. The OpenNTPD service in pfSense will listen for requests from FreeBSD, Linux and Windows hosts and allow them to synchronize their local clock with that of the OpenNTPD server in pfSense. Using pfSense as a NTP server in your network ensures that your hosts always have consistent, accurate time and reduces the load on the Internet’s NTP servers. Configuring Windows hosts to utilize this server is straightforward, while configuration under FreeBSD and Linux involves the use of ntpdate and/or ntpd and requires a bit more work.

    References

    Buechler, C.M. & Pingle, J. (2009). pfSense: The definitive guide. USA: Reed Media

    http://www.openntpd.org/

    http://www.pool.ntp.org/en/

    http://www.ntp.org/documentation.html

    http://support.ntp.org/bin/view/Support/WebHome

    http://www.marksanborn.net/linux/learning-cron-by-example/

    https://help.ubuntu.com/community/CronHowto


    One Response to “Use pfSense as a NTP Server”

    1. leroy jessee Says:

      Ultra great page…….THANKS……..
