Feature #9661

Increase the number of DHCP/DHCPv6 NTP server options to three (or more)

Added by Paul Moore about 2 months ago. Updated 21 days ago.

Status: Pull Request Review
Priority: Normal
Assignee: -
Category: DHCP Server
Target version:
Start date: 08/01/2019
Due date:
% Done: 0%
Estimated time:

Description

It is considered a general best practice to use at least three NTP servers to help identify "falsetickers" (bad clock sources). Unfortunately the pfSense DHCP/DHCPv6 web UI (v2.4.4-RELEASE-p3 at the time of writing) doesn't allow you to specify more than two NTP servers in the "Other Options" section; please consider expanding the number of NTP server options to at least three.

As a reference on the need for more than two NTP servers:

Thank you.

History

#1 Updated by Manuel Piovan about 1 month ago

You are talking about NTP servers, but the client needs only one address; you can configure the server to have as many as you want inside Services / NTP Settings.
Here we are talking about DHCP Option 042, where the servers SHOULD appear in the list in order of preference.
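
The Option 42 wire format referred to in comment #1, as an added example that is not part of the original thread or of pfSense's code: per RFC 2132 the option carries only IPv4 addresses, in order of preference, with a length that is a multiple of 4. The function names are hypothetical and the addresses are constructed samples from the documentation range.

```python
import ipaddress
import struct

OPTION_NTP_SERVERS = 42  # RFC 2132 section 8.3


def encode_ntp_option(servers):
    """Build the option 42 TLV; list order is the order of preference."""
    if not servers:
        raise ValueError("option 42 needs at least one address")
    # IPv4Address raises ValueError for hostnames or IPv6 literals, which
    # cannot be carried in this option.
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if len(payload) > 255:
        raise ValueError("too many servers for one option (max 63)")
    return struct.pack("!BB", OPTION_NTP_SERVERS, len(payload)) + payload


def decode_ntp_option(tlv):
    """Parse an option 42 TLV as a client would, rejecting bad lengths."""
    if len(tlv) < 2:
        raise ValueError("truncated option header")
    code, length = tlv[0], tlv[1]
    if code != OPTION_NTP_SERVERS:
        raise ValueError(f"unexpected option code {code}")
    body = tlv[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated option body")
    if length < 4 or length % 4:
        raise ValueError("length must be a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(body[i:i + 4]))
            for i in range(0, length, 4)]


# Constructed sample: three servers, as requested in this issue.
SAMPLE_SERVERS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]

if __name__ == "__main__":
    tlv = encode_ntp_option(SAMPLE_SERVERS)
    print(tlv.hex(), decode_ntp_option(tlv))
```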

#2 Updated by Paul Moore about 1 month ago

I am referring to the number of NTP servers that pfSense sends to DHCP clients as part of a DHCP exchange; I am not talking about the number of NTP servers configured on the Services/NTP page.

A general best practice is to use 2n+1 NTP servers on a client system. Currently pfSense only allows two NTP servers to be sent to DHCP clients using DHCP options.

#3 Updated by Manuel Piovan about 1 month ago

The "falsetickers" check is the role of ntpd / ntpdate, which must be configured accordingly. However, the DHCP client present in Windows and Mac does not ask for or apply option 42, so it is useless for these operating systems. The only one that accepts it is isc-dhcp-client.
If you configure ntpd with the help of /etc/dhcp/dhclient-exit-hooks.d/ntp, for example, then yes, you need more than 2 servers and your request makes sense if you want to set static IPs as NTP servers, but you can put pool addresses like 0.pool.ntp.org and 1.pool.ntp.org in the meantime.

#4 Updated by Paul Moore about 1 month ago

Yes, it is the role of ntpd, ntpdate, chronyd, etc. to make decisions on the quality of the clocks, and yes for most of these daemons you can tweak the clock selection algorithm via configuration knobs, but that is beyond the scope of this request, or even the role of pfsense. Once again, I'm simply asking for pfSense to send 2n+1 NTP servers to DHCP clients as part of the DHCP exchange.

There are other DHCP clients beyond ISC's which support extracting NTP server information for use on the DHCP client.

Perhaps the current default Mac and Windows clients don't support extracting the NTP server information from the DHCP exchange, but many Linux distributions do so by default.

For those of us who run our own private NTP servers the NTP pool workaround is not sufficient.

#5 Updated by Manuel Piovan about 1 month ago

Right, I have local NTP stratum 1 servers myself, but I configure ntpd manually; I had never thought of it before ... In any case, I'm with you on this.

+1

#6 Updated by Manuel Piovan about 1 month ago

Please, we ask to add this to services_dhcp.php, at least ntp3
line 175 ->

list($pconfig['ntp1'], $pconfig['ntp2'], $pconfig['ntp3']) = $dhcpdconf['ntpserver'];

line 33x ->

if (($_POST['ntp1'] && (!is_ipaddrv4($_POST['ntp1']) && !is_hostname($_POST['ntp1']))) || ($_POST['ntp2'] && (!is_ipaddrv4($_POST['ntp2']) && !is_hostname($_POST['ntp2']))) || ($_POST['ntp3'] && (!is_ipaddrv4($_POST['ntp3']) && !is_hostname($_POST['ntp3'])))) {

line 60x

                if ($_POST['ntp3']) {
                        $dhcpdconf['ntpserver'][] = $_POST['ntp3'];
                }

line 123x

$section->addInput(new Form_IpAddress(
        'ntp3',
        'NTP Server 3',
        $pconfig['ntp3'],
        'HOSTV4'
));

line 164x

<?php
                        if (empty($pconfig['ntp1']) && empty($pconfig['ntp2']) && empty($pconfig['ntp3'])) {
                                $showadv = false;
                        } else {
                                $showadv = true;
                        }
?>
                        showadvntp = <?php if ($showadv) {echo 'true';} else {echo 'false';} ?>;
                } else {
                        // It was a click, swap the state.
                        showadvntp = !showadvntp;
                }

                hideInput('ntp1', !showadvntp);
                hideInput('ntp2', !showadvntp);
                hideInput('ntp3', !showadvntp);

#7 Updated by Jim Pingle about 1 month ago

  • Tracker changed from Bug to Feature
  • Category set to DHCP Server

#8 Updated by Manuel Piovan about 1 month ago

This needs to go in services_dhcpv6.php

line 154


list($pconfig['ntp1'], $pconfig['ntp2'], $pconfig['ntp3']) = $config['dhcpdv6'][$if]['ntpserver'];

line 331


if (($_POST['ntp1'] && !is_ipaddrv6($_POST['ntp1'])) || ($_POST['ntp2'] && !is_ipaddrv6($_POST['ntp2'])) || ($_POST['ntp3'] && !is_ipaddrv6($_POST['ntp3']))) {

line 465


                if ($_POST['ntp3']) {
                        $config['dhcpdv6'][$if]['ntpserver'][] = $_POST['ntp3'];
                }

line 87x

$group->add(new Form_Input(
        'ntp3',
        'NTP Server 3',
        'text',
        $pconfig['ntp3'],
        ['placeholder' => 'NTP 3']
));

line 116x

<?php
                        if (empty($pconfig['ntp1']) && empty($pconfig['ntp2']) && empty($pconfig['ntp3'])) {
                                $showadv = false;
                        } else {
                                $showadv = true;
                        }
?>
                        showadvntp = <?php if ($showadv) {echo 'true';} else {echo 'false';} ?>;
                } else {
                        // It was a click, swap the state.
                        showadvntp = !showadvntp;
                }

                hideInput('ntp1', !showadvntp);
                hideInput('ntp2', !showadvntp);
                hideInput('ntp3', !showadvntp);

#9 Updated by Manuel Piovan about 1 month ago

Sorry, I was still writing; I will do the PR later on.

#10 Updated by Jim Pingle about 1 month ago

  • Target version set to 2.5.0

#11 Updated by Jim Pingle 21 days ago

  • Status changed from New to Pull Request Review
