How to Set Up an NTP Server Using pfSense and OpenNTPD

Updated on January 15, 2018
skear profile image

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelors Degree in Information Technology from UMKC.

Have you ever wondered why the clock on your computer tends to gain or lose several minutes over the course of a year? Unfortunately the accuracy of modern hardware clocks tends to vary greatly.

Most clocks including the ones found on the motherboard of your computer use a cheap crystal oscillator to keep track of time. Changes in temperature and other factors can cause the oscillation frequency to change over time which causes clock drift. Eventually those lost seconds can add up to minutes.

The easiest way to solve this problem is to use NTP (Network Time Protocol) to synchronize the clocks across all of the computers, IP phones, and other network devices.

Why use pfSense as an NTP server?

PfSense makes a great NTP server because it's easy to configure and manage. If you're already using pfSense on your network then there is no reason to setup a separate server just to handle NTP.

PfSense 2.X includes an installation of OpenNTPD which is a free implementation of the Network Time Protocol, it's simply a matter of configuring the server and client settings.

Why use a local time server?

  1. Save Bandwidth - NTP doesn't send a lot of packets but imagine if you had a network with 500+ clients all reaching out to public time servers.
  2. High Availability - Running a local time source will allow clients to maintain clock synchronization in the event that the Internet is unavailable.
  3. Better Accuracy - The NTP protocol provides much better accuracy when the latency to the time server is as low as possible. Forming a hierarchy ensures that the clocks on all local machines on the network with be very closely within sync of each other.

FEI-Zyfer NTPSync XL GPS clock
FEI-Zyfer NTPSync XL GPS clock

Upstream Servers

The first step to configure pfSense as a time server is to add one or more upstream servers in the general setup configuration page.

By using public time servers you can distribute accurate time to the systems on your local network, otherwise you would simply be distributing inaccurate time based on the hardware clock in the pfSense server.

The other alternative is to purchase a highly accurate stratum 1 clock that syncs to UTC time using GPS, or CDMA.

Adding the Server Addresses

To configure the NTP servers log into the web interface and access the general setup page found under the system menu.

Enter the server DNS names or IP addresses of the NTP servers in the time server field, separate multiple servers with a space.

In order for NTP to work properly you should add at least 3 different servers. Using less than three servers prevents NTPD from properly detecting a falseticker, which is basically an untrustworthy time source.

The pfSense vendor pool consists of 4 different server addresses and I recommend adding all four of them.

You can also use any other publicity available time servers as long as you have permission from the owner, in most cases the pool servers are the best choice.

pfSense NTP Pool Server Addresses
Addresses of servers in the pfSense NTP Pool vendor zone.
Enter the NTP server addresses on the general setup page of the web interface.
Enter the NTP server addresses on the general setup page of the web interface.

Additional Settings

The settings below can also be configured on the general settings page.

DNS Servers

While you're on the general setup page make sure that you have added at least one DNS server, without DNS OpenNTP will not be able to resolve the addresses of the pool servers.

I use OpenDNS servers because they are faster and more reliable than Roadrunner's name servers. You can use Google Public DNS, or the DNS servers provided by your ISP.

Time Zone

It's also a good idea to go ahead and select the proper time zone from the drop down box on the same settings page. If the time zone is not set correctly the log time stamps will not be accurate which tends to make the logs more difficult to read through.

Enabling The OpenNTPD Service

Before pfSense will begin serving time to clients on the network OpenNTPD must be enabled. To turn the service on click on OpenNTPD in the services menu of the web interface.

Click the first check box on the page to enable the service.

Next you'll need to select the interface that OpenNTPD should listen on which will generally be the LAN interface.

Selecting the WAN interface will bind the service to the outside IP address allowing public clients to connect to the local system for NTP requests.

After clicking save the settings will be applied and the NTP daemon will be automatically started.

To enable OpenNTPD access the configuration page in the services menu.
To enable OpenNTPD access the configuration page in the services menu.

Configuring DHCP Settings

If pfSense serves as the DHCP server for the local network then it's a good idea to go ahead and enter the NTP server address in the DHCP server configuration.

This will provide DHCP clients with the address of the NTP server (DHCP option 42) when they request an IP address.

Not all clients will support this option though and will simply ignore it, Windows falls into this category and will need the address to be configured manually or via group policy.

Configuration Steps

  • Access the settings page by clicking on 'DHCP Server' in the services menu.
  • Click on the NTP servers button.
  • Enter the LAN IP of the pfSense server and click save. (Do not enter the public time server addresses here)

Configuring the Windows Time Service

The easiest way to configure Windows computers to sync with an NTP server is to use the built in Windows Time Service.

  1. Click on the clock in the system tray and select 'change date and time settings'.
  2. Click on the Internet time tab, then click the change settings button.
  3. Make sure the box is checked which says 'synchronize with an Internet time server'.
  4. Enter the LAN IP address or internal DNS name of the pfSense system in server box.
  5. Click 'Update now' to test if it is working properly.


The Windows time service does not provide a high level of accuracy, and Microsoft recognizes this fact.

The service was designed to make sure the system clock remains within 1-2 seconds of the reference server.

For more accurate time keeping with millisecond precision it's recommended to install a third party client.

On the internet time tab click the change settings button to enter the address of your local NTP server.
On the internet time tab click the change settings button to enter the address of your local NTP server.
After clicking 'update now' you should see a message indicating a successful sync.
After clicking 'update now' you should see a message indicating a successful sync.

Meinberg NTP Client for Windows

Meinberg develops an open source NTP client for Windows that is much more accurate than the Windows time service. In addition to the client they also provide a monitoring program called NTP Time Server Monitor.

The monitoring application can provide detailed statistics that display the offset of the local clock, and frequency in PPM. has a great guide that walks through the process of installing and configuring the Meinberg NTP client.

The Meinberg NTP client provides much more accuracy than the built in Windows Time Service.
The Meinberg NTP client provides much more accuracy than the built in Windows Time Service.

Configuring Linux Clients

Most Linux distributions include the NTP daemon by default. Before the client can be started you'll need to edit the ntp.conf file typically located in /etc.

Since the steps to configure and activate the client vary from one distirbution to another I recommend consulting the documentation for your specific version of Linux for instructions on configuring the client.

NTP Support on Other Devices

You might be surprised that there are many other devices on your network that support the network time protocol as a method for synchronizing their clock.

  • IP Phones
  • Managed Switches
  • Routers
  • Firewalls
  • IP Cameras
  • Network Capable TV's , Blu-ray players, and Receivers
  • Digital / Analog NTP Wall Clocks

This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

© 2012 Sam Kear


    0 of 8192 characters used
    Post Comment
    • profile image


      3 years ago

      Cool Tutorial

    • seigfried23 profile image


      7 years ago

      Yet another comprehensive hub on technical stuff. You must be an engineer lol.


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
    ClickscoThis is a data management platform studying reader behavior (Privacy Policy)