Overview
The point of doing this is to keep NTP queries on the local network, which is a small security improvement. It’s not a big thing, but I can do it for free so I might as well.
OPNsense
To ensure the NTP server is running, go to Services → Network Time → General and make sure the green play button is on. When you check the Status page, the results look confusing: some of the pool entries will say Unreach/Pending. Ignore these. Further down there are individual NTP servers with their own statuses, and that means things are working as they should.
Just because the NTP server is running, it doesn’t mean that computers on the network will use it. We have to set up a NAT redirect (reflection NAT) so that NTP requests aimed at outside servers are answered by OPNsense instead. To do this, go to Firewall → NAT → Port Forward and add a new entry.
| Option | Value |
|---|---|
| Interface | LAN |
| Protocol | TCP/UDP |
| Source | any |
| Source Port | any |
| Destination / Invert | Checked |
| Destination | LAN net |
| Destination Port | 123 (NTP) |
| Redirect target IP | 127.0.0.1 |
| Redirect target port | 123 (NTP) |
| Description | Redirect external NTP requests to local NTP service |
| Filter rule association | Add associated filter rule (or Pass) |
Do this for every interface on which you want OPNsense to act as the NTP server (I do it for all my homelab networks, like LAN and DMZ).
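As an added check (example code written for this note, not from the original post or from OPNsense), the script below sends one NTP client request to the OPNsense address and one to an external server name, then compares the replies: if the redirect rule is in effect, both answers come from OPNsense and carry the same stratum and reference ID. The OPNsense address 192.168.1.1 and the external name pool.ntp.org are assumptions; run it from a machine on one of the redirected interfaces.

```python
import socket
import struct
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def build_client_request() -> bytes:
    # LI=0, version 4, mode 3 (client); the remaining 47 bytes are zero
    return bytes([0x23]) + bytes(47)

def parse_ntp_response(data: bytes) -> dict:
    """Decode the fields of a 48-byte NTP reply that matter for this check."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    li_vn_mode, stratum = data[0], data[1]
    refid = data[12:16]
    # stratum 0/1: refid is a 4-char ASCII code (GPS, LOCL, ...);
    # stratum >= 2 over IPv4: refid is the IPv4 address of the upstream server
    if stratum <= 1:
        refid_str = refid.decode("ascii", "replace").rstrip("\x00")
    else:
        refid_str = socket.inet_ntoa(refid)
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,        # 4 = server reply
        "stratum": stratum,
        "refid": refid_str,
        "tx_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,  # Unix time
    }

def query(host: str, timeout: float = 2.0) -> dict:
    """Send one NTP client request to host:123 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (host, 123))
        data, _ = sock.recvfrom(512)
    return parse_ntp_response(data)

def redirect_in_effect(opnsense: dict, external: dict) -> bool:
    """Same stratum and refid in both replies means OPNsense answered both."""
    return (external["mode"] == 4
            and external["stratum"] == opnsense["stratum"]
            and external["refid"] == opnsense["refid"])

if __name__ == "__main__":
    local = query("192.168.1.1")    # assumption: OPNsense address on this VLAN
    remote = query("pool.ntp.org")  # should be intercepted by the redirect rule
    print("OPNsense :", local)
    print("external :", remote)
    print("redirect in effect:", redirect_in_effect(local, remote))
```

If the two replies differ in stratum or refid, the external request reached the internet, so the port-forward rule is not matching on that interface.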
On Linux Machines
First, install NTP on the Linux machine. For example, on a Debian VM you would run:

```
sudo apt-get install ntp
```

Then configure NTP by editing /etc/ntp.conf and adding the following line:

```
server (IP of opnsense on VLAN) prefer iburst
```

Then restart NTP:

```
systemctl restart ntp
```

To check the status, run the following command:

```
ntpq -p
```

It might also be helpful to set up the correct timezone. Read timezones to accomplish this.