Project

General

Profile

Actions

Feature #10323

closed

Allow limiting NTP pool server usage count

Added by David Burns over 4 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Category:
NTPD
Target version:
Start date:
03/09/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

Summary: pfSense default NTP configuration using NTP Pool servers appears to result in polling of an excessive number of peers.

Steps to reproduce:
1. Install pfSense
2. Configure WAN & LAN interface
3. During installation, enter in any valid NTP Pool target (e.g. 0.au.pool.ntp.org)
4. Upon restarting pfSense and waiting ~5 minutes - observe number of NTP peers is 10 (including 1 placeholder entry)

Commentary: Based on https://www.pool.ntp.org/en/use.html it appears that the resulting pfSense NTP peer count exceeds the recommendations of NTP Pool maintainers:
Be friendly. Many servers are provided by volunteers, and almost all time servers are really file or mail or webservers which just happen to also run ntp. So don't use more than four time servers in your configuration, and don't play tricks with burst or minpoll - all you will gain is extra load on the volunteer time servers.

This behaviour appears to have originated upstream in NTP base with the ntpd.conf pool directive. The behaviour was subsequently introduced to pfSense in 2.4 release - which introduced specific support for ntpd.conf pool directive - https://redmine.pfsense.org/issues/5985

Possible solution: Based on https://docs.ntpsec.org/latest/discover.html it is possible to set upper limit on pool peers with ntpd.conf tos directive:
Example tos minclock 3 maxclock 4

Ideally maxclock would be a configurable knob...


Files

Immagine4.jpg (105 KB) Immagine4.jpg Manuel Piovan, 03/09/2020 04:33 PM
Actions #1

Updated by Jim Pingle over 4 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from NTP pool peer count excessive to Allow limiting NTP pool server usage count
  • Affected Version deleted (2.4.4-p3)
  • Affected Architecture deleted (All)

I agree, it would be best to allow the user to configure that value rather than limiting it unilaterally.

Actions #3

Updated by David Burns over 4 years ago

Thanks!

Unfortunately I note a small spelling error (Maximun instead of maximum). Also the tos maxclock directive sets the upper limit for candidate peers and not an absolute limit - so technically accurate support text should be something like Maximum candidate NTP peers

Actions #4

Updated by Manuel Piovan over 4 years ago

Thanks for checking and for the feedback!
corrected

Actions #5

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
Actions #6

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • Target version set to 2.5.0
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #7

Updated by Viktor Gurov over 4 years ago

It always require to fill the 'Max Pool Peers' field,

Fix allowing to use empty(default value) 'Max Pool Peers' field:
https://github.com/pfsense/pfsense/pull/4245

Actions #8

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Pull Request Review
Actions #9

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #10

Updated by Viktor Gurov over 4 years ago

  • Status changed from Feedback to Resolved

works fine on 2.5.0.a.20200404.2224

Actions

Also available in: Atom PDF