How to Set Up an NTP Server Using pfSense and OpenNTPD
Have you ever wondered why the clock on your computer tends to gain or lose several minutes over the course of a year? Unfortunately the accuracy of modern hardware clocks tends to vary greatly.
Most clocks, including the ones found on the motherboard of your computer, use a cheap crystal oscillator to keep track of time. Changes in temperature and other factors can cause the oscillation frequency to change over time, which causes clock drift. Eventually those lost seconds can add up to minutes.
The easiest way to solve this problem is to use NTP (Network Time Protocol) to synchronize the clocks across all of the computers, IP phones, and other network devices.
Why use pfSense as an NTP server?
PfSense makes a great NTP server because it's easy to configure and manage. If you're already using pfSense on your network then there is no reason to set up a separate server just to handle NTP.
PfSense 2.X includes an installation of OpenNTPD, a free implementation of the Network Time Protocol, so it's simply a matter of configuring the server and client settings.
Why use a local time server?
- Save Bandwidth - NTP doesn't send a lot of packets but imagine if you had a network with 500+ clients all reaching out to public time servers.
- High Availability - Running a local time source will allow clients to maintain clock synchronization in the event that the Internet is unavailable.
- Better Accuracy - The NTP protocol provides much better accuracy when the latency to the time server is as low as possible. Forming a hierarchy ensures that the clocks on all local machines on the network will be very closely in sync with each other.
The first step to configure pfSense as a time server is to add one or more upstream servers in the general setup configuration page.
By using public time servers you can distribute accurate time to the systems on your local network, otherwise you would simply be distributing inaccurate time based on the hardware clock in the pfSense server.
The other alternative is to purchase a highly accurate stratum 1 clock that syncs to UTC time using GPS, or CDMA.
pfSense NTP Pool Server Addresses
Adding the Server Addresses
To configure the NTP servers log into the web interface and access the general setup page found under the system menu.
Enter the server DNS names or IP addresses of the NTP servers in the time server field, separate multiple servers with a space.
In order for NTP to work properly you should add at least 3 different servers. Using fewer than three servers prevents NTPD from properly detecting a falseticker, which is basically an untrustworthy time source.
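Why three sources are needed to spot a falseticker, shown as an added example (not code from pfSense, OpenNTPD or ntpd): a simplified majority vote over offset intervals using Marzullo's algorithm. The server names, offsets and error bounds are constructed sample values.

```python
def select_sources(samples):
    """samples: {name: (offset_s, error_bound_s)} -> (truechimers, falsetickers).

    Returns (None, None) when no strict majority of sources agree.
    """
    # Each source claims the true offset lies in [offset - err, offset + err].
    spans = {n: (off - err, off + err) for n, (off, err) in samples.items()}
    # Marzullo's algorithm: sweep the interval edges and track the deepest overlap.
    edges = sorted([(lo, -1) for lo, _ in spans.values()] +
                   [(hi, +1) for _, hi in spans.values()])
    best = depth = 0
    best_lo = best_hi = None
    for i, (x, kind) in enumerate(edges):
        depth -= kind            # -1 marks an interval start, +1 an end
        if depth > best:
            best, best_lo, best_hi = depth, x, edges[i + 1][0]
    if best * 2 <= len(spans):   # tie or minority: no way to pick a side
        return None, None
    # Sources whose interval covers the agreed region are the truechimers.
    good = sorted(n for n, (lo, hi) in spans.items()
                  if lo <= best_lo and hi >= best_hi)
    bad = sorted(set(spans) - set(good))
    return good, bad


# Constructed measurements: offset from the local clock and error bound, in seconds.
TWO = {"server-a": (0.002, 0.010), "server-b": (1.500, 0.010)}
THREE = dict(TWO, **{"server-c": (-0.001, 0.010)})

if __name__ == "__main__":
    print(select_sources(TWO))    # (None, None)
    print(select_sources(THREE))  # (['server-a', 'server-c'], ['server-b'])
```

With two sources that disagree there is no majority, so neither can be rejected; the third source breaks the tie and server-b is flagged.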
The pfSense vendor pool consists of 4 different server addresses and I recommend adding all four of them.
You can also use any other publicly available time servers as long as you have permission from the owner. In most cases the pool servers are the best choice.
The settings below can also be configured on the general settings page.
While you're on the general setup page make sure that you have added at least one DNS server. Without DNS, OpenNTPD will not be able to resolve the addresses of the pool servers.
I use OpenDNS servers because they are faster and more reliable than Roadrunner's name servers. You can use Google Public DNS, or the DNS servers provided by your ISP.
It's also a good idea to go ahead and select the proper time zone from the drop down box on the same settings page. If the time zone is not set correctly the log time stamps will not be accurate which tends to make the logs more difficult to read through.
Enabling The OpenNTPD Service
Before pfSense will begin serving time to clients on the network OpenNTPD must be enabled. To turn the service on click on OpenNTPD in the services menu of the web interface.
Click the first check box on the page to enable the service.
Next you'll need to select the interface that OpenNTPD should listen on which will generally be the LAN interface.
Selecting the WAN interface will bind the service to the outside IP address allowing public clients to connect to the local system for NTP requests.
After clicking save the settings will be applied and the NTP daemon will be automatically started.
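To confirm that the daemon is serving synchronized time rather than the raw hardware clock, you can send it a single SNTP request and inspect the reply header. This is an added example, not part of pfSense or OpenNTPD; 192.168.1.1 is a placeholder for the pfSense LAN address and make_reply() builds constructed sample packets for offline testing.

```python
import socket
import struct

NTP_EPOCH_DELTA = 2208988800      # seconds between 1900-01-01 and 1970-01-01
HEADER = "!BBbbII4sQQQQ"          # fixed 48-byte NTP header

def parse_ntp_reply(data):
    """Decode the fields of the NTP header needed for a health check."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    (flags, stratum, _poll, _prec, _rdelay, _rdisp,
     _ref_id, _ref, _orig, _recv, xmit) = struct.unpack(HEADER, data[:48])
    return {
        "leap": flags >> 6,            # 3 = clock not synchronized
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,           # 4 = server reply
        "stratum": stratum,
        "unix_time": (xmit >> 32) - NTP_EPOCH_DELTA,
    }

def server_is_synced(reply):
    """Return (ok, reason) for a parsed reply."""
    if reply["mode"] != 4:
        return False, "not a server-mode reply"
    if reply["leap"] == 3:
        return False, "leap indicator 3: server clock unsynchronized"
    if reply["stratum"] == 0 or reply["stratum"] >= 16:
        return False, f"stratum {reply['stratum']}: no valid upstream"
    return True, f"synced at stratum {reply['stratum']}"

def query(host, timeout=2.0):
    """Send one client request (LI=0, VN=4, Mode=3) to UDP port 123."""
    request = bytes([0x23]) + bytes(47)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        data, _ = s.recvfrom(512)
    return parse_ntp_reply(data)

def make_reply(leap, stratum, unix_time=1700000000):
    """Constructed sample server reply (not captured traffic)."""
    flags = (leap << 6) | (4 << 3) | 4
    xmit = (unix_time + NTP_EPOCH_DELTA) << 32
    return struct.pack(HEADER, flags, stratum, 6, -20, 0, 0,
                       b"\x00" * 4, 0, 0, 0, xmit)

if __name__ == "__main__":
    print(server_is_synced(query("192.168.1.1")))  # placeholder LAN address
```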
Configuring DHCP Settings
If pfSense serves as the DHCP server for the local network then it's a good idea to go ahead and enter the NTP server address in the DHCP server configuration.
This will provide DHCP clients with the address of the NTP server (DHCP option 42) when they request an IP address.
Not all clients support this option, though, and those that don't will simply ignore it. Windows falls into this category and will need the address to be configured manually or via group policy.
- Access the settings page by clicking on 'DHCP Server' in the services menu.
- Click on the NTP servers button.
- Enter the LAN IP of the pfSense server and click save. (Do not enter the public time server addresses here)
Configuring the Windows Time Service
The easiest way to configure Windows computers to sync with an NTP server is to use the built in Windows Time Service.
- Click on the clock in the system tray and select 'change date and time settings'.
- Click on the Internet time tab, then click the change settings button.
- Make sure the box is checked which says 'synchronize with an Internet time server'.
- Enter the LAN IP address or internal DNS name of the pfSense system in the server box.
- Click 'Update now' to test if it is working properly.
The Windows time service does not provide a high level of accuracy, and Microsoft recognizes this fact.
The service was designed to make sure the system clock remains within 1-2 seconds of the reference server.
For more accurate time keeping with millisecond precision it's recommended to install a third party client.
Meinberg NTP Client for Windows
Meinberg develops an open source NTP client for Windows that is much more accurate than the Windows time service. In addition to the client they also provide a monitoring program called NTP Time Server Monitor.
The monitoring application can provide detailed statistics that display the offset of the local clock, and frequency in PPM.
Satsignal.eu has a great guide that walks through the process of installing and configuring the Meinberg NTP client.
Configuring Linux Clients
Most Linux distributions include the NTP daemon by default. Before the client can be started you'll need to edit the ntp.conf file typically located in /etc.
Since the steps to configure and activate the client vary from one distribution to another, I recommend consulting the documentation for your specific version of Linux for instructions on configuring the client.
NTP Support on Other Devices
You might be surprised that there are many other devices on your network that support the network time protocol as a method for synchronizing their clock.
- IP Phones
- Managed Switches
- IP Cameras
- Network Capable TVs, Blu-ray players, and Receivers
- Digital / Analog NTP Wall Clocks
© 2012 Sam Kear