Chronyd instead of NTP

Hi all - I recently got an alert email from my Truenas Scale (23.10.2) saying “NTP health check failed” and a number of, to me, unknown hostnames / IP addresses.

Doing some digging in the old forum, I see that ntp was replaced with chrony.

What I don’t like about this (at all) is that, on top of the NTP on my pfSense which I added in the config (GUI), chronyd seems to be pulling random NTP servers from somewhere each time it restarts - some of which, imho, look shady.

[screenshots of chronyc sources output]

Then, after a few restarts, it seems to pull the hosts from the config file (chrony.conf):

[screenshot of chronyc sources output]
(the 172.16.10.1 is my pfsense)

But doing a few more restarts and suddenly it’s back to pulling unknown hosts:

[screenshot of chronyc sources output]

How do I stop this from happening? Is it truly a good idea to use unverified sources as NTP servers? In the end, I just want it to pull the time from my pfSense, that’s it.

I obviously could redirect all NTP (UDP 123) traffic to my pfSense box (as I do for DNS) but why should I have to?

Thanks,
B.

Why does it bother you? I’m not saying it’s fine that your system isn’t behaving as you told it to, but I don’t understand the concern about “unverified/shady” NTP servers. There are thousands of public NTP servers serving the pool, so if your system is using the NTP pool (which it is for reasons unknown), it’s entirely normal that you’d see unknown addresses there.

What’s shown in the GUI under System Settings → General → NTP Servers?

I guess I have an error between keyboard and chair here - I recently installed this box with Scale and I didn’t (as I did with my other one) update the NTP servers…
It’s only after I checked again (d’oh, I know) that I noticed…
I was doing a chronyc comparison with my other box and that’s what caused the confusion…

Appreciate the reply as it triggered me checking the GUI…

If you’d added your pfSense box, but kept all the pool addresses as well, what you’re seeing seems entirely normal. If you’d added the pfSense box and removed all the other addresses, though, that’d be a different story.

@bernieTB

If you are concerned about devices reaching out to the internet for time, you can add a pfSense firewall rule to direct all NTP requests to a local NTP server (pfSense). This also makes you a good citizen by not polling public NTP servers with so many requests from individual clients.

You can add an NTP server to the pfSense DHCP configuration for clients that retrieve NTP servers via DHCP, which I believe Chrony does.

Also, you can easily add a Stratum 0 GPS+PPS Time Source to pfSense.
Less than 5 usec jitter/offset for <$50.

As a result Chrony sources look like this

root@NAS-3[/etc/chrony]# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* pfSense.[redacted].com        1   8   377   214  -9407ns[  -17us] +/- 1545us


Clever. I didn’t go DIY for this; I’m using a commercially-available unit instead:

It’s a nice, compact, PoE-powered box that’s worked well for me for a few years now. But your method is obviously less expensive. I expect it could be made to work with OPNsense as well…


This is a result of the pool 0.pool.ntp.org (or similar) lines that are part of the default config. Querying that hostname with DNS results in an answer from a round-robin list of actual hosts. These are the names you see when using chronyc sources.

To have a really robust time system, you either need a local clock that is stratum 0 (e.g., a GPS receiver used as a time source), or multiple peers from outside your network. If your pfSense box has multiple peers for time sources, then you can remove the defaults from your TrueNAS box and only use your pfSense box as a time source.

You would need to edit the default config file and remove these (either /etc/chrony/chrony.conf or a file in /etc/chrony/sources.d).

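As an added illustration of the edit described in the reply above (this is not code from the thread or from TrueNAS), the script below takes a Debian-style chrony.conf that still carries the default pool lines, strips every pool/server/peer/sourcedir directive, and pins the box to a single local server, then reports how many non-local sources remain. The sample config is constructed for the example, the path is whatever you pass in, and 172.16.10.1 is the pfSense address from the original post. As the reply notes, only do this if the pfSense box itself has several upstream peers or a GPS source; on TrueNAS the GUI's NTP Servers list is the place to make the same change rather than editing the file by hand.

```shell
#!/bin/sh
# Added example, not part of the forum thread or TrueNAS.
# Pin a chrony.conf to one local NTP server and drop the default pool entries.
# Assumptions: LOCAL_NTP is the pfSense box (172.16.10.1 in the thread); the
# sample config below is constructed for illustration, not copied from a system.

LOCAL_NTP="${LOCAL_NTP:-172.16.10.1}"

# Write a constructed sample of a default-style chrony.conf to path $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
server 172.16.10.1 iburst
sourcedir /run/chrony-dhcp
sourcedir /etc/chrony/sources.d
confdir /etc/chrony/conf.d
driftfile /var/lib/chrony/chrony.drift
makestep 1 3
rtcsync
EOF
}

# Rewrite config $1 into $2: keep everything except pool/server/peer/sourcedir
# directives, then append a single 'server' line for the local box.
# sourcedir is dropped as well, otherwise a DHCP-supplied NTP server placed in
# /run/chrony-dhcp would still be added as a source behind your back.
pin_to_local_ntp() {
    src="$1"; dst="$2"
    grep -Ev '^[[:space:]]*(pool|server|peer|sourcedir)[[:space:]]' "$src" > "$dst"
    printf 'server %s iburst\n' "$LOCAL_NTP" >> "$dst"
}

# Print the remote time sources named in config $1, one host per line.
list_sources() {
    grep -E '^[[:space:]]*(pool|server|peer)[[:space:]]' "$1" | awk '{print $2}'
}

# Count sources in config $1 that are not the local box; 0 means pinned.
count_foreign_sources() {
    list_sources "$1" | grep -vc -F -x "$LOCAL_NTP" || true
}

# Stand-alone run: build the sample, pin it, show before/after counts.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_conf "$tmp/chrony.conf"
    echo "foreign sources before: $(count_foreign_sources "$tmp/chrony.conf")"
    pin_to_local_ntp "$tmp/chrony.conf" "$tmp/chrony.conf.pinned"
    echo "foreign sources after:  $(count_foreign_sources "$tmp/chrony.conf.pinned")"
    cat "$tmp/chrony.conf.pinned"
    rm -rf "$tmp"
fi
```

After installing the rewritten file and restarting chronyd, `chronyc sources` should list only the local server; if pool hostnames reappear after a restart, a file under the dropped sourcedir paths or the TrueNAS GUI list is putting them back.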

I also tested the Garmin GPS pucks with OPNsense, just in case Netgate abandons pfSense CE.

Sticking with pfSense for now, as OPNsense has a lot more manual package management overhead than pfSense.

Or, much better, make the appropriate edits through the TrueNAS UI.


Good to know. I’d have to get to a motherboard header for it, but my “new” (to me, anyway) OPNsense box does have serial ports, which my last two didn’t.

@dan

Works connected to a RJ45 COM port as well. Just have to connect the PPS signal to the CTS pin and add the system tunable to switch from DCD to CTS

The only ports exposed on my system are a couple of USB, VGA, and a bunch of network interfaces (6x GbE, 2x SFP+, 1x IPMI). But again, serial is on the motherboard, so it’d be easy enough to bring out to the front panel if I decided to do it. I’m a little surprised it doesn’t bring serial out to the front panel, but it wouldn’t be hard at all to change that.

Looked at your instructions more closely. I like the LCD display you spec, but dang, it’s pricey.

You can occasionally find them on evilBay for under $50. I bought 2 for $25 each from someone who had 5 total for sale. I don’t think they knew what they had.