OPNSENSE NTP Server

Started by tong2x, March 26, 2022, 09:57:18 AM

Can anyone help? NTP just does not work when connecting to the OPNsense server. There is internet. The logs in NTP look OK, but setting Windows to the OPNsense server fails to get the time.

How do I troubleshoot and fix the issue? Restarting the server does not fix the issue.

OPNsense 22.1.4_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022

Do you have a FW rule allowing access to LANaddress (or alike) on port 123 UDP?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: chemlud on March 26, 2022, 10:25:28 AM
Do you have a FW rule allowing access to LANaddress (or alike) on port 123 UDP?

Probably not and probably he has a point.
I was about to reply to this post stating that it works as expected here, since I configured it last week and checked it many times over, but when I went to the NTP status page today to copy my status into this post I found:

Services: Network Time: Status
Network Time Protocol Status
Status    Server    Ref ID    Stratum    Type    When    Poll    Reach    Delay    Offset    Jitter
No peers found, is the ntp service running?

A couple of days ago I updated to 22.1.3 from 22.1.1 (or 22.1.2 - I don't remember correctly since I updated a couple of times).

Needless to say I do not have any firewall rule added for NTP going outside and, of course, I have network connectivity since I am replying to this post through OPNsense.

have you tried using Chrony plugin? it's a much better NTP, imho.

Quote from: lilsense on March 26, 2022, 04:37:09 PM
have you tried using Chrony plugin? it's a much better NTP, imho.

I was just going to post this.  Chrony generally seems more robust and supports NTS (on time.cloudflare.com and ntp1.glypnod.com in the US).  There is no widget for it though...if that's important.  Have been using it for more than a year with zero issues.  Also using it as a local ntp server.
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT

Quote from: lilsense on March 26, 2022, 04:37:09 PM
have you tried using Chrony plugin? it's a much better NTP, imho.

I didn't know it ever existed.
I just read the whole FAQ at https://chrony.tuxfamily.org/faq.html
Pretty interesting overall: in particular the many common scenarios/situations that we often have at present vs the one considered when the original NTP implementation was coded.

Will try it; sure.

Thanks for pointing that out :)

Quote from: gpb on March 26, 2022, 04:45:51 PM
Quote from: lilsense on March 26, 2022, 04:37:09 PM
have you tried using Chrony plugin? it's a much better NTP, imho.

I was just going to post this.  Chrony generally seems more robust and supports NTS (on time.cloudflare.com and ntp1.glypnod.com in the US).  There is no widget for it though...if that's important.  Have been using it for more than a year with zero issues.  Also using it as a local ntp server.

How did you set this up? I just deleted the other servers and tried the 2 servers you mentioned and ticking NTS in the chrony settings GUI, but no connection to either was established. Unticking NTS and both servers work fine over NTP. Tried restarting chrony and OPNsense. No joy.

March 26, 2022, 07:25:28 PM #7 Last Edit: March 26, 2022, 07:40:25 PM by gpb
Quote
How did you set this up? I just deleted the other servers and tried the 2 servers you mentioned and ticking NTS in the chrony settings GUI, but no connection to either was established. Unticking NTS and both servers work fine over NTP. Tried restarting chrony and OPNsense. No joy.

Use the servers I included in the post, or choose from the list in the link below.  Most public NTP servers do not support NTS.  Cloudflare works fine, but here are some others (about half-way down the page).

https://netfuture.ch/2021/12/transparent-trustworthy-time-with-ntp-and-nts/

Edit: If you're running this as a local NTP server, you can use "chronyc clients" on the command line to get a list of clients requesting time, how frequently, last and other stats.
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT

OK, that's what I was using. The authdata looks like an NTS connection is established, but tracking never updates and Ref time (UTC)  : Thu Jan 01 00:00:00 1970 remains frozen there. I wonder if I have an issue with my computer battery/RTC as described here.

https://chrony.tuxfamily.org/faq.html#_using_nts

Not sure about that, never experienced any issues.  Here are my settings, just added the third server, which actually seems to provide lower latency.
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT

Quote from: tong2x on March 26, 2022, 09:57:18 AM
Can anyone help? NTP just does not work when connecting to the OPNsense server. There is internet. The logs in NTP look OK, but setting Windows to the OPNsense server fails to get the time.

How do I troubleshoot and fix the issue? Restarting the server does not fix the issue.

OPNsense 22.1.4_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022

I am running the same configuration and I have a Windows 10 PC syncing its time. You do need a FW rule allowing access to the firewall at 123 UDP. Turn on logging to see that the PC is making the connection.

Be aware that Windows sometimes goes days without syncing its time. So manually update to troubleshoot.

I saw the talk about chrony but Windows doesn't have a chrony client so don't go down that rabbit hole.

Curious, why would windows need a client?  I just use a NAT rule to route all port 123 to 127.0.0.1 and ::1 for ipv6 (two rules).  And confirmed, NAT-generated rules as well.  :)
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT

Quote from: gpb on March 26, 2022, 10:56:04 PM
Curious, why would windows need a client?  I just use a NAT rule to route all port 123 to 127.0.0.1 and ::1 for ipv6 (two rules).  And confirmed, NAT-generated rules as well.  :)

I guess the other question is how is the chrony plugin going to help OP troubleshoot his problem with Windows not time syncing with his OPNsense time service, which according to his logs is working?

Ah...missed that.  Thx.
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT

March 27, 2022, 07:37:36 AM #14 Last Edit: March 27, 2022, 07:53:33 AM by tong2x
Quote from: chemlud on March 26, 2022, 10:25:28 AM
Do you have a FW rule allowing access to LANaddress (or alike) on port 123 UDP?

No, I don't. Should I even have to? It is local access, so I thought the basic rule to access all or access the firewall was sufficient. It was working before without the rule; I just noticed some of my old IP cams not syncing time correctly, then noticed that it is timing out.
I'll try to add a rule to test if that solves the issue.

EDIT: OK, it is a firewall issue; it's now working with the added firewall rule. Thank you all. I don't remember adding a rule for NTP before. Will also try the chrony plugin if it is better.
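
An added example, not part of the thread or of OPNsense: a small Python SNTP probe that separates the two failure modes discussed above, no reply at all (UDP 123 blocked, as in the original post) versus a server that answers but is unsynchronized (the frozen 1970 reference time case). `SAMPLE_UNSYNC` is a constructed packet used when no host is given on the command line.

```python
import socket
import struct
import sys

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
# Constructed sample reply: LI=3 (clock unsynchronized), VN=4, mode=4, stratum 0.
SAMPLE_UNSYNC = bytes([0xE4, 0]) + bytes(46)

def build_request():
    """48-byte SNTP client request: LI=0, VN=4, mode=3 (client)."""
    return bytes([0x23]) + bytes(47)

def parse_response(data):
    """Decode the header fields that matter for troubleshooting."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    flags, stratum = data[0], data[1]
    (ref_sec,) = struct.unpack("!I", data[16:20])  # reference timestamp, seconds
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        "ref_unix": ref_sec - NTP_EPOCH_OFFSET if ref_sec else 0,
    }

def diagnose(fields):
    """Map a parsed reply (or None for no reply) to a troubleshooting hint."""
    if fields is None:
        return "no reply: UDP/123 is filtered or nothing is listening"
    if fields["mode"] != 4:
        return "unexpected reply: not an NTP server-mode packet"
    if fields["leap"] == 3 or fields["stratum"] in (0, 16) or fields["ref_unix"] == 0:
        return "reachable but unsynchronized: check the server's upstream sources"
    return "ok: server is reachable and synchronized"

def probe(host, timeout=3.0):
    """Send one request to host:123 and diagnose the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_request(), (host, 123))
            data, _ = s.recvfrom(512)
        except OSError:  # covers timeouts and ICMP-induced resets
            return diagnose(None)
    return diagnose(parse_response(data))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(diagnose(parse_response(SAMPLE_UNSYNC)))
```

Run it from a LAN client with the firewall's LAN address as the argument; a "no reply" result while the firewall's own NTP status looks healthy points at the rule set rather than at the time service.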