Configuring NTP

To begin NTP configuration, navigate to Services | NTP, as shown in the following screenshot. The NTP page has three tabs and the first (and default) tab is Settings. The first option on this page is the Interfaces list box, in which you can select the interfaces on which the NTP service will listen. The default setting is to listen on all interfaces, but since the NTP server is probably upstream, you can select WAN as the only interface on which to listen (or multiple WAN interfaces, if you have them).

The next option is Time Servers. The time server you specified when you initially configured the system will be listed here, but you can also specify additional servers by clicking on the Add button. You need to specify the hostname. You can optionally check either the Prefer or No Select option. Prefer indicates that the NTP services should favor this server over all others. No Select indicates that NTP should not use this server for time, but it will collect and display stats from the server. You can check more than one Prefer checkbox, but when you save the settings, only the first Prefer checkbox on the list that you checked will remain checked.

The Orphan Mode option allows pfSense to use the system clock when no other clocks are available. The number entered in this edit box specifies the stratum reported during orphan mode. You might recall that stratum indicates how close the computer is to a high-precision time device; higher numbers indicate that the device is further away from such a device and thus has a lower priority. Whatever number you set here, it should be high enough to ensure that all other servers are preferred over this server. The default is 12.

The NTP Graphs checkbox, if enabled, generates round-robin database (RRD) graphs of NTP data. You can view these graphs by navigating to Status | RRD Graphs and clicking on the NTP tab. The next two subsections involve logging options. Log peer messages, if enabled, logs messages between the NTP client and server, while Log system messages logs other messages generated by the NTP service. Log reference clock statistics logs statistics generated by reference clocks, which are generally radio-time code receivers synchronized to standard time (for example, a GPS or PPS device). Log clock discipline statistics logs statistics related to the clock synchronization process, while Log NTP peer statistics logs statistics related to NTP client/server communication.

The next subsection is Access Restrictions, and it contains a number of important options. The first option is Enable Kiss-o'death packets. When checked, this enables the client to receive kiss-of-death packets, which are packets sent by the NTP server to tell the client to stop sending packets that violate server access controls. This, in turn, will cause the client to stop sending data to the server. The next option is Deny state modifications by ntpq and ntpdc. The ntpdc daemon queries the ntpd daemon about its current state and then requests changes to that state. If this option is checked (the default), ntpdc's change requests will be denied. The next two options are inverses of each other: Disable ntpq and ntpdc queries and Disable all except ntpq and ntpdc queries. Deny packets that attempt a peer association, if checked, will block any peer associations that are not explicitly configured. Finally, Deny mode 6 control message/trap service, if enabled, will decline to provide a mode-6 control-message trap service to hosts. This service is a subsystem of mode 6, which is intended for remote event logging.
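The access restrictions above end up as flags on ntpd's restrict lines, so a saved configuration can be checked outside the GUI. The following is an added example, not code from the book or from pfSense: the pairing of each flag with a GUI option, the baseline of required flags, and the sample configuration are assumptions made for illustration.

```python
# ntpd 'restrict' flag -> GUI option named in the text (pairing is an assumption).
OPTION_FOR_FLAG = {
    "kod": "Enable Kiss-o'death packets",
    "nomodify": "Deny state modifications by ntpq and ntpdc",
    "noquery": "Disable ntpq and ntpdc queries",
    "noserve": "Disable all except ntpq and ntpdc queries",
    "nopeer": "Deny packets that attempt a peer association",
    "notrap": "Deny mode 6 control message/trap service",
}
# Example baseline chosen for this illustration; adjust to local policy.
BASELINE = ("kod", "nomodify", "nopeer", "notrap")

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
server 0.pool.example.net iburst
restrict default kod limited nomodify nopeer notrap
restrict -6 default nomodify noquery noserve
restrict 127.0.0.1
"""

def default_restrict_lines(conf_text):
    """Yield (line_no, flags) for every 'restrict [-4|-6] default ...' line."""
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if tokens[:1] != ["restrict"]:
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if args[:1] == ["default"]:
            yield line_no, set(args[1:])

def audit(conf_text, baseline=BASELINE):
    """Return (line_no, message) findings for the default restrictions."""
    lines = list(default_restrict_lines(conf_text))
    if not lines:
        return [(0, "no 'restrict default' line: nothing is restricted by default")]
    findings = []
    for line_no, flags in lines:
        for flag in baseline:
            if flag not in flags:
                findings.append((line_no, f"missing {flag} ({OPTION_FOR_FLAG[flag]})"))
        # The two query options are inverses; with both set the host answers nothing.
        if {"noquery", "noserve"} <= flags:
            findings.append((line_no, "noquery and noserve both set"))
    return findings

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```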

The final option on this page is Leap seconds. Leap seconds have been implemented to keep UTC close to mean solar time, and are added to UTC on an average of 1 per 18 months. This option allows the NTP service to advertise an upcoming leap second addition or subtraction. You must add a leap-second configuration routine in order to do this; it can be pasted into an available edit box or uploaded in a file. Configuring this option is only important if your NTP server is a stratum 1 server, in which case it likely has other NTP servers making queries to it. When you are done configuring these options, you can press the Save button at the bottom of the page.

If configuring all these options doesn't provide enough accuracy for you, you can always connect either a GPS or a PPS device to the serial port and use it as a reference clock. Also, if the GPS device supports PPS, it may be used as a PPS clock reference. Using a USB GPS is not recommended owing to USB bus-timing issues; however, a USB GPS device may work.

You can configure a GPS device by clicking on the GPS tab. The first option is the GPS Type drop-down box, which lets you select a predefined configuration. If your GPS type is listed in the box, you should select that type. If it is not listed, you should select Generic. Selecting Default is not recommended.

The next option is the NMEA Sentences list box. NMEA defines an electrical and data specification for communication between marine electronics; GPS is but one of the types of devices that utilize it. There are different NMEA sentence types, and they are listed in this list box. If you know what sentence type your device uses, you can select it here; otherwise, you can leave it set to All.

The Fudge Time 1 edit box allows you to specify a GPS PPS signal offset, while Fudge Time 2 allows you to specify the GPS time offset. The Stratum edit box allows you to set the GPS clock stratum. Normally you would probably want to set it to 0 (and that is the default value), but you can change it here if you want ntpd to prefer a different clock.

There are several flags you can set. Prefer this clock, as the name implies, causes the GPS clock to be preferred over all other clocks. If you went to the trouble of setting up a GPS clock, you probably want to use it, but if you don't, you can check the Do not use this clock, display for reference only checkbox. The Enable PPS signal processing checkbox, if enabled, treats the GPS as a PPS device. By default, PPS processing occurs on the rising edge of the pulse, but checking Enable falling edge PPS signal processing will cause processing to occur on the falling edge. The Enable kernel PPS clock discipline checkbox, if checked, will result in NTP using the ppsu driver, which reduces the incidental jitter sometimes associated with PPS clocks. Normally, the GPS will send location data to ntpd, but if you check the Obscure location in timestamp checkbox, it won't. Finally, if you need to fine-tune the GPS time offset (Fudge Time 2), you may want to check the Log the sub-second fraction of the received timestamp checkbox.

In the Clock ID edit box, you can enter a GPS clock ID. If the Advanced button in the GPS Initialization subsection is clicked, you will see the GPS initialization commands, and you will also be able to edit them. Finally, NMEA Checksum allows you to calculate an NMEA checksum by entering an NMEA command string and pressing the Calculate button. The result will appear in the box to the right of the Calculate button. When you are done making changes, press the Save button at the bottom of the page.
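The NMEA checksum that the Calculate button produces is the XOR of every character between the leading $ and the *, written as two hexadecimal digits. The following is an added example, not code from the book or from pfSense; it also goes one step further and verifies a received sentence, and the sample command string and function names are chosen for illustration.

```python
import re
from functools import reduce
from operator import xor

# '$' + body + optional '*HH' checksum + optional line ending.
_SENTENCE = re.compile(
    r"^\$(?P<body>[^*\r\n]+)(?:\*(?P<sum>[0-9A-Fa-f]{2}))?\s*$"
)

def nmea_checksum(body):
    """XOR all bytes of the sentence body and return two uppercase hex digits."""
    return f"{reduce(xor, body.encode('ascii'), 0):02X}"

def seal(command):
    """Return '$<body>*<checksum>' for a command typed with or without framing.

    Any checksum already present is discarded and recomputed.
    """
    text = command.strip()
    match = _SENTENCE.match(text if text.startswith("$") else "$" + text)
    if match is None:
        raise ValueError(f"not an NMEA command string: {command!r}")
    body = match["body"]
    return f"${body}*{nmea_checksum(body)}"

def verify(sentence):
    """True only if the sentence carries a checksum and it matches the body."""
    match = _SENTENCE.match(sentence)
    if match is None or match["sum"] is None:
        return False
    return nmea_checksum(match["body"]) == match["sum"].upper()

if __name__ == "__main__":
    # Sample command string used for illustration.
    print(seal("PMTK220,1000"))
    print(verify("$PMTK220,1000*1F\r\n"))
    print(verify("$PMTK220,2000*1F"))  # body altered, checksum stale
```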

If you have a serial PPS device, such as a radio that receives WWV (time) signals, you can configure it by clicking on the PPS tab. The first option on this page is the Fudge Time edit box, which is used to specify the PPS signal offset. In the Stratum edit box, you can enter the PPS clock stratum. As with GPS devices, you probably want to leave it at 0 (the default), but you can change it here.

The first two flags, Enable falling edge PPS signal processing and Enable kernel PPS clock discipline, are identical to the flags available on the GPS tab. The only unique flag on this tab is the Record a timestamp once for each second option, which is useful in constructing frequency-deviation plots.

The last option is the Clock ID edit box, which is identical to the same option on the GPS tab and simply allows you to change the PPS clock ID. When you are done making changes, click on the Save button at the bottom of the page.
