diff --git a/data/templates/ntp/ntpd.conf.tmpl b/data/templates/ntp/ntpd.conf.tmpl
index 2b56b53c3..38e68f24f 100644
--- a/data/templates/ntp/ntpd.conf.tmpl
+++ b/data/templates/ntp/ntpd.conf.tmpl
@@ -1,39 +1,41 @@
 ### Autogenerated by ntp.py ###
 
 #
 # Non-configurable defaults
 #
 driftfile /var/lib/ntp/ntp.drift
 # By default, only allow ntpd to query time sources, ignore any incoming requests
 restrict default noquery nopeer notrap nomodify
+# Allow pool associations
+restrict source nomodify notrap noquery
 # Local users have unrestricted access, allowing reconfiguration via ntpdc
 restrict 127.0.0.1
 restrict -6 ::1
 
 #
 # Configurable section
 #
 {% if server is defined and server is not none %}
 {%   for server, config in server.items() %}
 {%     set association = 'server' %}
 {%     if config.pool is defined %}
 {%       set association = 'pool' %}
 {%     endif %}
 {{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is defined }} {{ 'preempt' if config.preempt is defined }} {{ 'prefer' if config.prefer is defined }}
 {%   endfor %}
 {% endif %}
 
 {% if allow_clients is defined and allow_clients.address is defined %}
 # Allowed clients configuration
 {%   for address in allow_clients.address %}
 restrict {{ address|address_from_cidr }} mask {{ address|netmask_from_cidr }} nomodify notrap nopeer
 {%   endfor %}
 {% endif %}
 
 {% if listen_address %}
 # NTP should listen on configured addresses only
 interface ignore wildcard
 {%   for address in listen_address %}
 interface listen {{ address }}
 {%   endfor %}
 {% endif %}