Feature #9661 (closed)
Increase the number of DHCP/DHCPv6 NTP server options to three (or more)
Added by Paul Moore over 5 years ago. Updated almost 5 years ago.
100% done
Description
It is considered a general best practice to use at least three NTP servers to help identify "falsetickers" (bad clock sources). Unfortunately the pfSense DHCP/DHCPv6 web UI (v2.4.4-RELEASE-p3 at the time of writing) doesn't allow you to specify more than two NTP servers in the "Other Options" section; please consider expanding the number of NTP server options to at least three.
As a reference on the need for more than two NTP servers:
Thank you.
Updated by Manuel Piovan over 5 years ago
You are talking about NTP servers, but the client needs only one address; you can configure the server to have as many as you want under Services / NTP Settings.
Here we are talking about DHCP Option 042, where the servers SHOULD appear in the list in order of preference.
Updated by Paul Moore over 5 years ago
I am referring to the number of NTP servers that pfSense sends to DHCP clients as part of a DHCP exchange; I am not talking about the number of NTP servers configured on the Services / NTP page.
A general best practice is to use 2n+1 NTP servers on a client system. Currently pfSense only allows two NTP servers to be sent to DHCP clients using DHCP options.
Updated by Manuel Piovan over 5 years ago
The "falsetickers" check is the role of ntpd / ntpdate, which must be configured accordingly. However, the DHCP client present in Windows and Mac does not ask for or apply option 42, so it is useless for these operating systems. The only one that accepts it is isc-dhcp-client.
If you configure ntpd with the help of /etc/dhcp/dhclient-exit-hooks.d/ntp, for example, then yes, you need more than 2 servers and your request makes sense if you want to set static IPs as NTP servers; but you can put pool addresses like 0.pool.ntp.org and 1.pool.ntp.org in the meantime.
Updated by Paul Moore over 5 years ago
Yes, it is the role of ntpd, ntpdate, chronyd, etc. to make decisions on the quality of the clocks, and yes, for most of these daemons you can tweak the clock selection algorithm via configuration knobs, but that is beyond the scope of this request, or even the role of pfSense. Once again, I'm simply asking for pfSense to send 2n+1 NTP servers to DHCP clients as part of the DHCP exchange.
There are other DHCP clients beyond ISC's which support extracting NTP server information for use on the DHCP client.
Perhaps the current default Mac and Windows clients don't support extracting the NTP server information from the DHCP exchange, but many Linux distributions do so by default.
For those of us who run our own private NTP servers the NTP pool workaround is not sufficient.
Updated by Manuel Piovan over 5 years ago
Right, I have local NTP stratum 1 servers myself, but I configure ntpd manually; I had never thought of it before... In any case, I'm with you on this.
+1
Updated by Manuel Piovan over 5 years ago
Please, we ask to add this on services_dhcp.php, at least ntp3:
line 175 ->
    list($pconfig['ntp1'], $pconfig['ntp2'], $pconfig['ntp3']) = $dhcpdconf['ntpserver'];
line 33x ->
    if (($_POST['ntp1'] && (!is_ipaddrv4($_POST['ntp1']) && !is_hostname($_POST['ntp1']))) ||
        ($_POST['ntp2'] && (!is_ipaddrv4($_POST['ntp2']) && !is_hostname($_POST['ntp2']))) ||
        ($_POST['ntp3'] && (!is_ipaddrv4($_POST['ntp3']) && !is_hostname($_POST['ntp3'])))) {
line 60x
    if ($_POST['ntp3']) {
        $dhcpdconf['ntpserver'][] = $_POST['ntp3'];
    }
line 123x
    $section->addInput(new Form_IpAddress(
        'ntp3',
        'NTP Server 3',
        $pconfig['ntp3'],
        'HOSTV4'
    ));
line 164x
        <?php
            if (empty($pconfig['ntp1']) && empty($pconfig['ntp2']) && empty($pconfig['ntp3'])) {
                $showadv = false;
            } else {
                $showadv = true;
            }
        ?>
        showadvntp = <?php if ($showadv) {echo 'true';} else {echo 'false';} ?>;
    } else {
        // It was a click, swap the state.
        showadvntp = !showadvntp;
    }

    hideInput('ntp1', !showadvntp);
    hideInput('ntp2', !showadvntp);
    hideInput('ntp3', !showadvntp);
Updated by Jim Pingle over 5 years ago
- Tracker changed from Bug to Feature
- Category set to DHCP (IPv4)
Submit that as a PR and we can test/merge it much easier.
https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html
Updated by Manuel Piovan over 5 years ago
This needs to go in services_dhcpv6.php:
line 154
    list($pconfig['ntp1'], $pconfig['ntp2'], $pconfig['ntp3']) = $config['dhcpdv6'][$if]['ntpserver'];
line 331
    if (($_POST['ntp1'] && !is_ipaddrv6($_POST['ntp1'])) ||
        ($_POST['ntp2'] && !is_ipaddrv6($_POST['ntp2'])) ||
        ($_POST['ntp3'] && !is_ipaddrv6($_POST['ntp3']))) {
line 465
    if ($_POST['ntp3']) {
        $config['dhcpdv6'][$if]['ntpserver'][] = $_POST['ntp3'];
    }
line 87x
    $group->add(new Form_Input(
        'ntp3',
        'NTP Server 3',
        'text',
        $pconfig['ntp3'],
        ['placeholder' => 'NTP 3']
    ));
line 116x
        <?php
            if (empty($pconfig['ntp1']) && empty($pconfig['ntp2']) && empty($pconfig['ntp3'])) {
                $showadv = false;
            } else {
                $showadv = true;
            }
        ?>
        showadvntp = <?php if ($showadv) {echo 'true';} else {echo 'false';} ?>;
    } else {
        // It was a click, swap the state.
        showadvntp = !showadvntp;
    }

    hideInput('ntp1', !showadvntp);
    hideInput('ntp2', !showadvntp);
    hideInput('ntp3', !showadvntp);
Updated by Manuel Piovan over 5 years ago
Sorry, I was still writing; I will do the PR later on.
Updated by Jim Pingle over 5 years ago
- Target version set to 2.5.0
Updated by Jim Pingle over 5 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho almost 5 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Viktor Gurov almost 5 years ago
- Status changed from Feedback to Resolved
Tested on 2.5.0.a.20200213.1525.
Works as expected; I can see three NTP servers in the DHCP Offer:
09:30:33.761802 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    10.123.123.4.67 > 10.123.123.103.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xfdd00d3d, Flags [none] (0x0000)
      Your-IP 10.123.123.103
      Client-Ethernet-Address 00:50:79:66:68:01
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Offer
        Server-ID Option 54, length 4: 10.123.123.4
        Lease-Time Option 51, length 4: 7159
        Subnet-Mask Option 1, length 4: 255.255.255.0
        Default-Gateway Option 3, length 4: 10.123.123.4
        Domain-Name-Server Option 6, length 4: 10.123.123.4
        NTP Option 42, length 12: 1.1.1.1,2.2.2.2,3.3.3.3
        Domain-Name Option 15, length 10: "mydom.int"
DHCPv6:
Frame 9619: 234 bytes on wire (1872 bits), 234 bytes captured (1872 bits) on interface 0
Ethernet II, Src: 0c:0d:52:73:83:02 (0c:0d:52:73:83:02), Dst: 0c:0d:52:15:ef:00 (0c:0d:52:15:ef:00)
Internet Protocol Version 6, Src: fe80::e0d:52ff:fe73:8302, Dst: fe80::e0d:52ff:fe15:ef00
User Datagram Protocol, Src Port: 547, Dst Port: 546
DHCPv6
    Message type: Advertise (2)
    Transaction ID: 0xef802e
    Identity Association for Non-temporary Address
    Client Identifier
    Server Identifier
    DNS recursive name server
    Simple Network Time Protocol Server
        Option: Simple Network Time Protocol Server (31)
        Length: 48
        Value: fc000123000000000000000000000001fc00012300000000...
        1 SNTP server address: fc00:123::1
        2 SNTP server address: fc00:123::2
        3 SNTP server address: fc00:123::3
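The Offer and Advertise above carry option 42 with length 12 and option 31 with length 48, that is, three addresses each, in the order the server listed them. As an added example (Python, not pfSense code and not part of this thread), the block below encodes those option values the way the DHCP server side does and decodes them back the way a client or a capture check would, so the "three servers present" verification can be scripted; it rejects option lengths that are truncated or not a multiple of the address size instead of trusting them. The option bytes it parses are constructed inline to mirror the capture, not taken from it.

```python
"""Encode and decode the NTP server list in DHCPv4 option 42 (RFC 2132) and
DHCPv6 option 31 (RFC 4075), then check that a lease carries at least three.
Added example, not pfSense code; the sample option bytes below are constructed."""
import ipaddress
import struct

DHCPV4_NTP_OPTION = 42   # value: IPv4 addresses, 4 bytes each, preference order
DHCPV6_SNTP_OPTION = 31  # value: IPv6 addresses, 16 bytes each
MIN_NTP_SERVERS = 3      # 2n+1 with n=1: a single falseticker can be outvoted


def encode_v4_ntp_option(servers):
    """TLV bytes for option 42 (1-byte code, 1-byte length)."""
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if not payload or len(payload) > 255:
        raise ValueError("option 42 holds 1..63 addresses")
    return bytes([DHCPV4_NTP_OPTION, len(payload)]) + payload


def encode_v6_sntp_option(servers):
    """TLV bytes for option 31 (2-byte code, 2-byte length, network order)."""
    payload = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    return struct.pack("!HH", DHCPV6_SNTP_OPTION, len(payload)) + payload


def _parse_tlv(blob, header, pad=None, end=None):
    """Walk a TLV sequence whose code/length header has struct format `header`
    and return {code: [value, ...]}. Pad bytes are skipped, End stops parsing,
    and a TLV that claims more bytes than remain raises instead of being trusted."""
    opts, i, hlen = {}, 0, struct.calcsize(header)
    while i < len(blob):
        if pad is not None and blob[i] == pad:
            i += 1
            continue
        if end is not None and blob[i] == end:
            break
        if i + hlen > len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        code, length = struct.unpack(header, blob[i:i + hlen])
        value = blob[i + hlen:i + hlen + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of buffer" % code)
        opts.setdefault(code, []).append(value)
        i += hlen + length
    return opts


def _addresses(values, width, cls):
    """Split option values into fixed-width addresses; reject misaligned lengths."""
    servers = []
    for value in values:
        if not value or len(value) % width:
            raise ValueError("length %d is not a multiple of %d" % (len(value), width))
        servers += [str(cls(value[j:j + width])) for j in range(0, len(value), width)]
    return servers


def ntp_servers_v4(blob):
    """NTP servers in a DHCPv4 options field (the bytes after the magic cookie)."""
    opts = _parse_tlv(blob, "BB", pad=0, end=255)
    return _addresses(opts.get(DHCPV4_NTP_OPTION, []), 4, ipaddress.IPv4Address)


def ntp_servers_v6(blob):
    """SNTP servers in the options area of a DHCPv6 message."""
    opts = _parse_tlv(blob, "!HH")
    return _addresses(opts.get(DHCPV6_SNTP_OPTION, []), 16, ipaddress.IPv6Address)


def has_enough_ntp_servers(servers, minimum=MIN_NTP_SERVERS):
    """True when the lease hands out enough servers to outvote one falseticker."""
    return len(servers) >= minimum


def sample_v4_offer_options():
    """Constructed options field mirroring the Offer decoded above (not captured bytes)."""
    srv = ipaddress.IPv4Address("10.123.123.4").packed
    return (bytes([53, 1, 2])                                   # DHCP-Message: Offer
            + bytes([54, 4]) + srv                              # Server-ID
            + bytes([51, 4]) + struct.pack("!I", 7159)          # Lease-Time
            + bytes([1, 4]) + ipaddress.IPv4Address("255.255.255.0").packed
            + bytes([3, 4]) + srv + bytes([6, 4]) + srv         # gateway, DNS
            + encode_v4_ntp_option(["1.1.1.1", "2.2.2.2", "3.3.3.3"])
            + bytes([15, 10]) + b"mydom.int\x00"                # Domain-Name
            + bytes([255]))                                     # End


if __name__ == "__main__":
    v4 = ntp_servers_v4(sample_v4_offer_options())
    v6 = ntp_servers_v6(encode_v6_sntp_option(["fc00:123::1", "fc00:123::2", "fc00:123::3"]))
    for label, servers in (("option 42", v4), ("option 31", v6)):
        print(label, servers, "ok" if has_enough_ntp_servers(servers) else "too few")
```

Run against a real capture, the bytes handed to ntp_servers_v4 are the options field after the 0x63825363 cookie, and the bytes handed to ntp_servers_v6 are everything after the 4-byte DHCPv6 message header; a decoded list shorter than three, or a ValueError from a misaligned length, is the failure the tester above was looking for.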