Chronyd instead of NTP

Hi all - I recently got an alert email from my Truenas Scale (23.10.2) saying “NTP health check failed” and a number of, to me, unknown hostnames / IP addresses.

Doing some digging in the old forum, I see that ntp was replaced with chrony.

What I don’t like about this (at all) is that, on top of the NTP on my pfSense which I added in the config (GUI), chronyd seems be pulling random NTP servers from somewhere each time it restarts - some which, imho, look shady.



Then, after a few restarts, it seems to pull the hosts from the config file (chrony.conf):

(the is my pfsense)

But doing a few more restarts and suddenly it’s back to pulling unknown hosts:


How do I stop this from happening? Is it truly a good idea to use unverified sources as NTP servers? In the end, I just want it to pull the time from my pfSense, that’s it.

I obviously could redirect all NTP (UDP 123) traffic to my pfSense box (as I do for DNS) but why should I have to?


Why does it bother you? I’m not saying it’s fine that your system isn’t behaving as you told it to, but I don’t understand the concern about “unverified/shady” NTP servers. There are thousands of public NTP servers serving the pool, so if your system is using the NTP pool (which it is for reasons unknown), it’s entirely normal that you’d see unknown addresses there.

What’s shown in the GUI under System Settings → General → NTP Servers?

I guess I have an error between keyboard and chair here - I recently installed this box with Scale and I didn’t (as I did with my other one) update the NTP servers…
It’s only after I checked again (d’oh, I know) that I noticed…
I was doing a chronyc comparison with my other box and that’s what caused the confusion…

Appreciate the reply as it triggered me checking the GUI…

If you’d added your pfSense box, but kept all the pool addresses as well, what you’re seeing seems entirely normal. If you’d added the pfSense box and removed all the other addresses, though, that’d be a different story.


If you are concerned about devices reaching out to the internet for time, you can add a pfSense firewall rule to direct all NTP requests to a local NTP server (pfSense). This also makes you a good citizen by not polling public NTP servers with so many requests from individual clients.

You can add a NTP server to pfSense DHCP configuration for clients that retrieve NTP servers via DHCP, which I believe Chrony does.

Also, you can easily add a Stratum 0 GPS+PPS Time Source to pfSense.
Less than 5 usec jitter/offset for <$50.

As a result Chrony sources look like this

root@NAS-3[/etc/chrony]# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
^* pfSense.[redacted].com        1   8   377   214  -9407ns[  -17us] +/- 1545us

1 Like

Clever. I didn’t go DIY for this; I’m using a commercially-available unit instead:

It’s a nice, compact, PoE-powered box that’s worked well for me for a few years now. But your method is obviously less expensive. I expect it could be made to work with OPNsense as well…

1 Like

This is a result of the pool (or similar) lines that are part of the default config. Querying that hostname with DNS results in a answer from a round-robin list of actual hosts. These are the names you when using chronyc sources.

To have a really robust time system, you either need a local clock that is stratum 0 (e.g., a GPS receiver used as a time source), or multiple peers from outside your network. If your pfSense box has multiple peers for time sources, then you can remove the defaults from your TrueNAS box and only use your pfSense box as a time source.

You would need to edit the default config file and remove these (either /etc/chrony/chrony.conf or a file in /etc/chrony/sources.d).

1 Like

I also tested the Garmin GPS pucks with OPNsense, just in case Netgate abandons pfSense CE.

Sticking with pfSense for now, as OPNsense has a lot more manual package management overhead than pfSense.

Or, much better, make the appropriate edits through the TrueNAS UI.

1 Like

Good to know. I’d have to get to a motherboard header for it, but my “new” (to me, anyway) OPNsense box does have serial ports, which my last two didn’t.


Works connected to a RJ45 COM port as well. Just have to connect the PPS signal to the CTS pin and add the system tunable to switch from DCD to CTS

The only ports exposed on my system are a couple of USB, VGA, and a bunch of network interfaces (6x GbE, 2x SFP+, 1x IPMI). But again, serial is on the motherboard, so it’d be easy enough to bring out to the front panel if I decided to do it. I’m a little surprised it doesn’t bring serial out to the front panel, but it wouldn’t be hard at all to change that.

Looked at your instructions more closely. I like the LCD display you spec, but dang, it’s pricey.

You can ocassionally find them on evilBay for under $50. I bought 2 for $25 each from someone who had 5 total for sale. I don’t think they knew what they had.