domschl
commented
4 months ago What you've done looks good to me. My best guesses for looking why this doesn't work are:
- When you try from an external computer via pfsense, are you in a different IP network compared to your other trials? That would hint an
allowproblem. What did you configure forallow? - Any issue with pfsense. Since pfsense (which I haven't used) seem to support it's own NTP-server, are you sure there isn't a conflict somewhere?
Other than that:
Maybe you just give in, and allow pfsense's NTP server to forward the client requests? While that gives you a stratum-2, one could debate, if forwarding via an application firewall actually keeps stratum-level at 1?
michaelschefczyk
Thank you very much for providing this setup! I have been running two Raspberry Pi 4 NTP server for a long time. When upgrading to Raspberry Pi 5, I did switch to Chrony. This does provide stratum 1 time in a reliable manner.
The time server works well in my LAN and even across LANs via VPN.
What strikes me very odd is that I cannot get the Raspberry Pi 5 running the native Chrony version included with Debian Bookworm to respond externally, when forwarding port 123/UDP via my pfSense router.
Running ntpdate -q [IP of Raspberry Pi NTP server] does work without any issues in the LAN and via VPN. When forwarding 123/UDP from WAN to the Raspberry Pi NTP server, it does time out ("no server suitable for synchronization found"). When forwarding 123/UDP to the pfSsense router itself (localhost), which does get its time from the Raspberry Pi NTP server, everything is fine - except for stratum being 2 instead of 1. When forwarding the 123/UDP to the most trivial device within the LAN providing NTP (for example a homematic IP CCU3 - which has a Raspberry Pi 3 inside), everything does work (stratum 3). Thus, it does not seem to be a router/pfSense issue.
My chrony.conf does include allow and cmdallow (tried with and without "all").
Do others make the same observation? Are there any recommendations to cure this? Thanks a lot!