Configure NTP (Network Time Protocol) redirection in pfSense

If clients on the network have hardcoded external NTP servers and you want to block access to those servers, redirect all NTP requests to pfSense instead:

To restrict client NTP to only the specific servers configured on a pfSense firewall, a port forward may be used to capture all NTP requests sent to other servers.

In the following example, the LAN interface is used, but the same rule works for any local interface. Change the Interface and Destination as needed.

Navigate to Firewall > NAT, Port Forward tab

Click Add (the up-arrow Add button) to create a new rule

Fill in the following fields on the port forward rule:

 Interface: LAN
 Protocol: TCP/UDP
 Destination: Invert Match checked, LAN Address
 Destination Port Range: 123 (NTP)
 Redirect Target IP: The firewall's LAN IP address (usually the same as the clients' default gateway)
 Redirect Target Port: 123 (NTP)
 Description: Redirect NTP
 NAT Reflection: Disable

If NTP requests to other NTP servers are also blocked by a firewall rule, as in the "Blocking NTP queries to external servers entirely" recipe, make sure the rule that passes NTP to 127.0.0.1 sits above any rule that blocks NTP.

Now any NTP request made by internal clients to any external IP address is answered by the firewall itself. Access to other NTP servers on port 123 from this interface is no longer possible.

This can be adapted to allow access to only a specific set of NTP servers by changing the Destination network from "LAN Address" to an alias containing the allowed NTP servers. The Invert Match box should remain checked.
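The rule those port forward fields produce, and the alias variant described just above, written out as the equivalent pf.conf fragment. This is an added illustration, not text from the post or the rules pfSense itself generates; the interface name igb1, the address 192.168.1.1 and the alias contents are assumed values.

```pf
# Added example: the pf rules that the port forward above amounts to.
# Not the exact text pfSense writes to /tmp/rules.debug; interface name,
# addresses and alias contents are constructed for illustration.

lan_if = "igb1"                # assumed LAN interface name
lan_ip = "192.168.1.1"         # assumed firewall LAN address (clients' gateway)

# Variant 1 (the post's main rule): any LAN host sending NTP to an address
# other than the firewall's own LAN address is redirected to the firewall's
# NTP service. "Invert Match" on "LAN Address" is the "!" below.
rdr on $lan_if inet proto { tcp udp } from any to ! $lan_ip port 123 \
    -> $lan_ip port 123

# Variant 2 (the alias variant at the end of the post): only the servers in
# the alias are reachable directly; NTP to anything else is redirected.
# A pfSense alias becomes a pf table; Invert Match stays checked, hence "!".
table <allowed_ntp> { 192.0.2.10, 192.0.2.20 }   # constructed addresses
rdr on $lan_if inet proto { tcp udp } from any to ! <allowed_ntp> port 123 \
    -> $lan_ip port 123

# pfSense adds the matching pass rule for a port forward automatically
# ("Add associated filter rule"); written by hand it is roughly:
pass in quick on $lan_if inet proto { tcp udp } from any to $lan_ip port 123

# Verify on the firewall (Diagnostics > Command Prompt or SSH):
#   pfctl -sn        # lists the active rdr rules, including the one above
# and from a LAN client, query any external NTP server address and confirm
# an answer comes back even though that server is not reachable directly.
```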

Thank you for reading! Be sure to share this post if you found it helpful and don’t hesitate to chat with me about it!

This post was first published on Stathis’ log book by Stathis Athanasiadis aka StatAth
