Feature #10323
closed
Allow limiting NTP pool server usage count
100%
Description
Summary: pfSense default NTP configuration using NTP Pool servers appears to result in polling of an excessive number of peers.
Steps to reproduce:
1. Install pfSense
2. Configure WAN & LAN interface
3. During installation, enter in any valid NTP Pool target (e.g. 0.au.pool.ntp.org)
4. Upon restarting pfSense and waiting ~5 minutes - observe number of NTP peers is 10 (including 1 placeholder entry)
Commentary: Based on https://www.pool.ntp.org/en/use.html it appears that the resulting pfSense NTP peer count exceeds the recommendations of NTP Pool maintainers:
Be friendly. Many servers are provided by volunteers, and almost all time servers are really file or mail or webservers which just happen to also run ntp. So don't use more than four time servers in your configuration, and don't play tricks with burst or minpoll - all you will gain is extra load on the volunteer time servers.
This behaviour appears to have originated upstream in NTP base with the ntpd.conf pool directive. The behaviour was subsequently introduced to pfSense in 2.4 release - which introduced specific support for ntpd.conf pool directive - https://redmine.pfsense.org/issues/5985
Possible solution: Based on https://docs.ntpsec.org/latest/discover.html it is possible to set upper limit on pool peers with ntpd.conf tos directive:
Example tos minclock 3 maxclock 4
Ideally maxclock would be a configurable knob...
Files
Updated by Jim Pingle over 4 years ago
- Tracker changed from Bug to Feature
- Subject changed from NTP pool peer count excessive to Allow limiting NTP pool server usage count
- Affected Version deleted (
2.4.4-p3) - Affected Architecture deleted (
All)
I agree, it would be best to allow the user to configure that value rather than limiting it unilaterally.
Updated by David Burns over 4 years ago
Thanks!
Unfortunately I note a small spelling error (Maximun instead of maximum). Also the tos maxclock directive sets the upper limit for candidate peers and not an absolute limit - so technically accurate support text should be something like Maximum candidate NTP peers
Updated by Manuel Piovan over 4 years ago
Thanks for checking and for the feedback!
corrected
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- Target version set to 2.5.0
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Viktor Gurov over 4 years ago
It always require to fill the 'Max Pool Peers' field,
Fix allowing to use empty(default value) 'Max Pool Peers' field:
https://github.com/pfsense/pfsense/pull/4245
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov over 4 years ago
- Status changed from Feedback to Resolved
works fine on 2.5.0.a.20200404.2224