Tuesday, July 10, 2012

pfSense NTP and network sneakery

Synchronising time on a network can be a real pain. Generally, the way to go about it is to configure one or more servers on your network as the time keeper and then configure all other hosts on the network to sync against these servers. Many networks achieve this with active directory and a time server option set in their DHCP server configuration. Some network administrators configure hosts to sync against the same pool of time servers on the Internet, while others leave hosts to use whatever default time configuration they have out of the box.

"Yeah.. so? Why is this important?" you might say? If you've ever had to reconcile event logs from numerous servers that all have different time then you will know what I'm talking about. Aside from that, so much stuff relies on correct time to function - think of scheduled tasks, backups, visits to your mums..

Yeah ok cool, but configuring all the servers and hosts on your network to use the correct time server doesn't sound like too much fun.. so here's how you can do it using pfSense without having to touch a single server.

First of all, check out the public NTP pool and find out which pool of servers is closest to you geographically. For me its the Australia servers - In your pfSense configuration, navigate to System / General settings and enter your server pool under NTP Time Server, then click Save.

Navigate to Services / OpenNTPD and enable the NTP server on the LAN and localhost interfaces. Select both interfaces by holding down the CTRL key.

Under Firewall / NAT add in a new rule for the LAN interface, protocol UDP with a source address of 'LAN net' destined for any address that is NOT an RFC1918 address (reserved local networks) redirect it to localhost ( port 123.

I configured an Alias under Firewall / Aliases for RFC1918 to apply the above rule to all local networks. You can do the same with the following options if you want, otherwise select any for the destination address.

Navigate to Firewall / Rules and pick the LAN interface. Move the new associated firewall NAT rule to above your default allow all rule.

Now any host on the network trying to do a time lookup will use the firewall’s time server regardless of what server IP they have set. Here’s an example using “ntpdate –d (for diagnostic)” from a Linux host on my LAN.

[root@host ~]# ntpdate -d
10 Jul 03:21:26 ntpdate[12824]: ntpdate [email protected] Fri Nov 18 13:21:21 UTC 2011 (1)
Looking for host and service ntp
host found :
server, port 123
stratum 4, precision -28, leap 00, trust 000
refid [], delay 0.02586, dispersion 0.00009
transmitted 4, in filter 4
reference time: d3a59177.dac687ff Tue, Jul 10 2012 3:20:55.854
originate timestamp: d3a591a0.83383fff Tue, Jul 10 2012 3:21:36.512
transmit timestamp: d3a59196.dc947064 Tue, Jul 10 2012 3:21:26.861
filter delay: 0.02621 0.02611 0.02611 0.02586
0.00000 0.00000 0.00000 0.00000
filter offset: 9.650801 9.650808 9.650818 9.650685
0.000000 0.000000 0.000000 0.000000
delay 0.02586, dispersion 0.00009
offset 9.650685

10 Jul 03:21:26 ntpdate[12824]: step time server offset 9.650685 sec
[root@host ~]#

You can see the server '' (just a random IP I picked) answered the time query just fine.
This is because all outbound NTP queries are being redirected to the NTP server on the pfSense firewall.
It may take a couple of days for all your hosts on the LAN to sync their time, leave it go over a weekend and check it on Monday and you will find that they'll be very close if not exact. The longer you leave your NTP server running without a reboot, the more accurate it will get!

No comments:

Post a Comment