  • 23 July 2025 at 08:14 UTC
  • InformatiWeb

Synchronize the clock of your pfSense 2.6 firewall from a time server (NTP)

pfSense can synchronize its clock from a time server (NTP).

  1. Why use NTP?
  2. Configure the pfSense time server (NTP)
  3. Send the address of a time server (NTP) via DHCP
  4. Specify a time server on Windows
  5. Automatic clock synchronization via NTP on Windows (Server) in an AD domain

1. Why use NTP?

As mentioned above, NTP lets pfSense synchronize its clock from a time server.
It also lets you synchronize the clocks of all your servers and client machines from a single time server (which will run on pfSense, in this case).
This gives you a correct date/time in your logs and avoids numerous problems, particularly with authentication (e.g. Kerberos) and with the verification of digital certificates (SSL/TLS).

This is even more important if pfSense is installed on a device that does not have a battery and where the BIOS time will therefore no longer be up to date when pfSense is restarted.

Source: NTPD | pfSense Documentation.

2. Configure the pfSense time server (NTP)

To configure the pfSense time server (NTP), go to: Services -> NTP.

In the "NTP Server Configuration" section, you can configure the settings:

  • Enable: the "Enable NTP Server" box is checked by default, which means that the pfSense time server (NTP) is enabled.
  • Interface: select the interfaces that the pfSense time server (NTP) should use to contact remote NTP servers AND to respond to NTP messages from client machines.
    In other words, it is best to select all available interfaces.
  • Time Servers: allows you to specify one or more time servers (NTP) which will be used by pfSense to synchronize its own clock.
    Note that by default an address of the form "x.pfsense.pool.ntp.org" (where "x" is a number) is specified; it corresponds to a pool of time servers.
    This is why the "Pool" type is selected by default (on the right).
    • Prefer: allows you to prefer the specified NTP server over others.
    • No Select: the specified NTP server will not be used for clock synchronization, but only for displaying statistics.
    • Type: Pool. Indicates that the specified address corresponds to a pool (set) of time servers (NTPs) and not a single time server (NTP).
  • Add: allows you to add a single time server or a pool of time servers (depending on the type you choose to the right).
  • Max candidate pool peers: number of NTP servers that the pfSense NTP service can contact simultaneously in the pool specified previously to benefit from sufficient alternative sources.
    However, it is advisable to keep the number fairly low (default: 5) to avoid adding unnecessary load on remote NTP servers and to prevent the NTP service from consuming too many resources unnecessarily.
  • Orphan Mode: orphan mode allows the pfSense NTP server to answer clients' NTP messages from its own system clock when the remote NTP servers are not available.
    However, it is recommended to specify a value (the stratum reported in orphan mode) higher than that of the remote NTP servers, so that the NTP servers' time is preferred over the system clock whenever possible.
    The default value is: 12.
  • Minimum Poll Interval: minimum poll interval for NTP messages.
  • Maximum Poll Interval: maximum poll interval for NTP messages.
  • NTP Graphs: check the box "Enable RRD graphs of NTP statistics" if you want to enable the creation of statistics in the form of graphs for NTP.
  • Logging:
    • Log peer messages: allows you to log messages regarding peer status, events, and information.
    • Log system messages: same, but concerning the system.
  • Statistics Logging: allows you to create daily logs regarding statistics for the reference clock, clock discipline and/or NTP peers.
  • Leap seconds: allows you to define the contents of the Leap Seconds file that NTP uses to announce leap seconds to clients.
    However, this is generally only used on root NTP servers (whose stratum (priority level) is 1).
  • DNS Resolution: allows you to force the IP protocol to be used for NTP peer resolution.
    Note: this does not apply to NTP server pools.
  • Enable NTP Server Authentication: checking the "Enable NTPv3 authentication (RFC 1305)" box enables authentication so that the client can ensure that it is contacting the correct server and not a false NTP server.
  • Authentication key: if the previous option is enabled, this allows you to specify the desired NTP authentication key and choose the algorithm to use (e.g. MD5, SHA1 or SHA256).
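
What the "Authentication key" option gives the client, as an added example (not pfSense or ntpd code): the server appends a key ID and a digest computed over the shared key followed by the packet, and the client recomputes it before trusting the time. The key ID, key and packets are constructed, extension fields are assumed absent, and the demo uses SHA1 (SHA256 wire handling is not covered).

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTP header; this example assumes no extension fields

def mac_for(header, key_id, algo, key):
    """Key ID + digest over (key || header), as appended to an authenticated packet."""
    return struct.pack("!I", key_id) + hashlib.new(algo, key + header).digest()

def check_packet(packet, trusted_keys):
    """Classify a packet against trusted_keys = {key_id: (algo, key_bytes)}."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(header) < HEADER_LEN:
        return "malformed"
    if len(mac) < 4:
        return "no-mac"        # plain NTP: the sender cannot be verified
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys:
        return "unknown-key"
    algo, key = trusted_keys[key_id]
    expected = mac_for(header, key_id, algo, key)[4:]
    # Constant-time comparison; a digest of the wrong length also fails.
    return "ok" if hmac.compare_digest(expected, mac[4:]) else "bad-mac"

# Constructed values for the demo: key ID, key and packets are not from the page.
KEYS = {1: ("sha1", b"example-shared-key")}
HEADER = bytes([0x24, 2, 6, 0xEC]) + bytes(44)   # NTPv4, mode 4 (server), stratum 2
GENUINE = HEADER + mac_for(HEADER, 1, "sha1", b"example-shared-key")
# Valid MAC attached to a header whose transmit timestamp was changed in transit.
TAMPERED = HEADER[:40] + b"\xff" * 8 + GENUINE[HEADER_LEN:]
# Reply from a server that does not hold the shared key.
WRONG_KEY = HEADER + mac_for(HEADER, 1, "sha1", b"some-other-key")

if __name__ == "__main__":
    for name, pkt in (("genuine", GENUINE), ("tampered", TAMPERED),
                      ("wrong key", WRONG_KEY), ("unauthenticated", HEADER)):
        print(f"{name:16} -> {check_packet(pkt, KEYS)}")
```

A client that requires authentication must treat "no-mac" as a failure too; otherwise a reply with the MAC simply left off would still be accepted.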

Sources:

  • NTP Server Configuration | pfSense Documentation
  • NTP Daemon Status | pfSense Documentation
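
To confirm what the NTP service configured above actually serves to clients, the reply header can be checked for stratum, leap indicator and clock offset. This is an added example, not pfSense code: the packets are constructed, `orphan_stratum=12` mirrors the Orphan Mode default above, and the 1-second tolerance is an assumption.

```python
import struct

def ntp_ts(raw):
    """64-bit NTP timestamp (32.32 fixed point) -> seconds since 1900 as float."""
    secs, frac = struct.unpack("!II", raw)
    return secs + frac / 2**32

def check_reply(pkt, t4, orphan_stratum=12, max_offset=1.0):
    """Assess a 48-byte NTP server reply; t4 is the client's receive time.

    orphan_stratum mirrors the Orphan Mode default; max_offset (seconds) is an
    assumed tolerance for this example.
    """
    if len(pkt) < 48:
        raise ValueError("NTP header is 48 bytes")
    li, mode, stratum = pkt[0] >> 6, pkt[0] & 0x07, pkt[1]
    # Origin (T1), receive (T2) and transmit (T3) timestamps.
    t1, t2, t3 = (ntp_ts(pkt[i:i + 8]) for i in (24, 32, 40))
    offset = ((t2 - t1) + (t3 - t4)) / 2   # server clock minus client clock
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server processing
    problems = []
    if mode != 4:
        problems.append("not a server reply")
    if li == 3 or stratum == 0:
        problems.append("server reports it is not synchronized")
    elif stratum >= orphan_stratum:
        problems.append("orphan-mode stratum: server is on its local clock")
    if abs(offset) > max_offset:
        problems.append("client offset exceeds tolerance")
    return {"stratum": stratum, "offset": offset, "delay": delay, "problems": problems}

def build_reply(li, stratum, t1, t2, t3):
    """Constructed NTPv4 mode-4 packet for the demo (not captured traffic)."""
    ts = lambda t: struct.pack("!II", int(t), int((t % 1) * 2**32))
    head = struct.pack("!BBbbII4s", (li << 6) | (4 << 3) | 4, stratum, 6, -20, 0, 0, b"\0" * 4)
    return head + ts(t3) + ts(t1) + ts(t2) + ts(t3)

T1 = 3960000000.0  # constructed client send time (NTP seconds)
# Client clock is 2 s behind; 0.25 s each way on the wire, 0.5 s server processing.
SYNCED = build_reply(0, 2, T1, T1 + 2.25, T1 + 2.75)
# Same timing, but the server answers with the orphan stratum.
ORPHAN = build_reply(0, 12, T1, T1 + 2.25, T1 + 2.75)

if __name__ == "__main__":
    for name, pkt in (("synced", SYNCED), ("orphan", ORPHAN)):
        print(name, check_reply(pkt, T1 + 1.0))
```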

3. Send the address of a time server (NTP) via DHCP

So that your client machines are aware of your time server (NTP), you can send them its IP address using the pfSense DHCP server.
To do this, go to: Services -> DHCP Server.

Make sure your DHCP server is enabled (by checking the "Enable DHCP server on LAN interface" box) if you want to use this method.

At the bottom of the page, click the "Display Advanced" button next to NTP and specify the pfSense IP address for the appropriate interface (usually: the LAN interface) in the "NTP Server 1" box.
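
One way to verify that a lease really carries the pfSense address as its NTP server (DHCP option 42, per RFC 2132) is to parse the options field of a captured reply. This is an added example, not part of the original tutorial; the option bytes and the 192.168.1.1 LAN address are constructed.

```python
import ipaddress

OPT_PAD, OPT_NTP, OPT_END = 0, 42, 255  # option codes from RFC 2132

def parse_options(blob):
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        code = blob[i]
        if code == OPT_PAD:               # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError(f"option {code} is truncated")
        length = blob[i + 1]
        opts[code] = opts.get(code, b"") + blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ntp_servers(blob):
    """IPv4 addresses announced in option 42, in the order the server sent them."""
    raw = parse_options(blob).get(OPT_NTP, b"")
    if len(raw) % 4:
        raise ValueError("option 42 length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

def audit_lease(blob, expected):
    """Return findings; an empty list means the lease points only at `expected`."""
    servers = ntp_servers(blob)
    if not servers:
        return ["no NTP server option in lease"]
    return [f"unexpected NTP server {s}" for s in servers if s != expected]

PFSENSE_LAN = "192.168.1.1"  # assumed LAN address for this example
# Constructed option bytes: message type ACK, server identifier, NTP server, end.
GOOD = bytes([53, 1, 5, 54, 4, 192, 168, 1, 1, 42, 4, 192, 168, 1, 1, 255])
# Constructed lease that also announces a second, unplanned time server.
EXTRA = bytes([53, 1, 5, 42, 8, 192, 168, 1, 1, 203, 0, 113, 7, 255])
# Constructed lease without option 42.
MISSING = bytes([53, 1, 5, 255])

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("extra", EXTRA), ("missing", MISSING)):
        print(name, ntp_servers(blob), audit_lease(blob, PFSENSE_LAN))
```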

4. Specify a time server on Windows

On Windows computers, open the Control Panel and go to: Clock and Region.

Note: this is only possible when a Windows computer is in a workgroup (which is the case by default).

Click on: Date and time.

In the "Date and Time" window that appears, go to the "Internet Time" tab and click on: Change settings.

As you can see, by default, Windows computers are configured to automatically synchronize their clock from the "time.windows.com" time server.

5. Automatic clock synchronization via NTP on Windows (Server) in an AD domain

As you can see, when a Windows computer is in an Active Directory domain, the message "Some of these settings are hidden or managed by your organization" appears in the "Date and time" section of Windows.
Additionally, you can see that the time server (=NTP server) used by default corresponds to your Active Directory domain controller.

For more information about clock synchronization in an Active Directory infrastructure, refer to step "3.2.2. PDC emulator (Primary Domain Controller emulator)" of our article "The basics of Active Directory".

If a Windows computer or Windows Server machine is joined to an Active Directory domain, you can't change the time server (NTP) that it uses.
The "Internet Time" tab is therefore hidden.


® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.

Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.