Unable to synchronize NTP hour on network devices.

Started by LorneMalvo, October 24, 2025, 12:52:40 PM

Hi,
I didn't notice, but for a long time my devices haven't been able to communicate with NTP servers.

I've checked the OPNsense NTP service status and it is working fine with multiple external NTP servers.

I've tried to configure my OPNsense as the main NTP server on my network devices but again, they can't communicate with the NTP server.

I've checked 123 traffic in the firewall live log but I can't see anything. What am I missing?

My firewall does have an NTP connection outside my network, but my network does not. Clearly it is a firewall rules issue; how do I address it with a safe approach in mind?

Thank you very much.


The firewall itself has an automatic outbound rule that (unless masked) allows it to communicate... on any port, actually. For inbound, you need an appropriate inbound pass rule that covers NTP.

To check logs, logging must be enabled for the rules you wish to observe. Logging for the automatic rules is located in "Firewall: Settings: Advanced" -> "Logging".

These are my autom. LAN rules:



These are my autom. WAN rules:



Is there anything suspicious?

Thanks.

You need a manual LAN rule:

Source: LAN net
Destination: LAN address or This Firewall
UDP/123
Allow
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi Patrick.
Thank you very much for your answer.

I've tried the following rule in LAN, but it isn't working:



What am I doing wrong? I've checked the live logs and I can see WAN NTP logs working, but nothing about LAN. "Enable logging" on the rule is checked.

I cannot see anything. If you posted a picture please attach to the forum post. I block so called image hosting sites.


Change the source port to any/* for client devices. 123 is for ntpd to ntpd communication.
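The source-port point in the post above, shown as an added example that is not part of the original thread: a minimal SNTP probe that sends from an OS-chosen (ephemeral) source port to UDP/123, which is the traffic a LAN pass rule with source port "any" has to match. The function names are hypothetical and the server address is supplied on the command line.

```python
import socket
import struct
import sys

NTP_UNIX_DELTA = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)

def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client)."""
    return bytes([(0 << 6) | (4 << 3) | 3]) + bytes(47)

def parse_response(data: bytes) -> dict:
    """Decode the fields needed to judge whether a server answered usefully."""
    if len(data) < 48:
        raise ValueError("short packet: %d bytes" % len(data))
    mode = data[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {
        "leap": data[0] >> 6,            # 3 = server clock not synchronised
        "version": (data[0] >> 3) & 0x07,
        "stratum": data[1],              # 0 = kiss-of-death, 16 = unsynchronised
        "unix_time": secs - NTP_UNIX_DELTA + frac / 2**32,
    }

def query(server: str, port: int = 123, timeout: float = 3.0):
    """Send one request; return (source port used, parsed reply or None)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", 0))                  # ephemeral source port, as client devices use
        src_port = s.getsockname()[1]
        s.sendto(build_request(), (server, port))
        try:
            data, _ = s.recvfrom(512)
        except OSError:                  # timeout, or ICMP unreachable on some platforms
            return src_port, None        # dropped by a rule, or nothing listening
        return src_port, parse_response(data)

if __name__ == "__main__":
    # Usage: python sntp_probe.py <ip of opnsense>
    src, reply = query(sys.argv[1])
    print("source port", src, "->", reply or "no reply within timeout")
```

The printed source port will be a high port rather than 123, so a rule that pins the source port to 123 does not match this request.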

Hello,
Changes done, but the problem persists: OPNsense itself is getting the NTP time, but the LAN clients are not.

See attached rule, I think it's OK.




Today at 12:49:53 PM #9 Last Edit: Today at 02:02:48 PM by Patrick M. Hausen
What OS are your clients? Do you have a Linux system? If yes, try

ntpdate -q <ip of opnsense>
please.

My OS is Windows 11. Network time services are running, checked on 2 different computers. I checked the logs, and they report problems related to the network connection.

To try something different, I just downloaded an open source NTP client compatible with Windows and boom, it's working fine. With a non-native Windows NTP client everything is working perfectly. Even with the firewall rule disabled. It must be a Windows 11 bug.

I'll use this open source client for now. I truly don't trust Windows 11 stability.

Thank you very much for your kind assistance and all your advice. I'm sorry you lost time on this.