ntpMerlin Does ntpMerlin redirect local NTP-queries?


MvW

Senior Member
Question: I'd like all NTP-queries handled by my router. I noticed that this option is missing in the WebUI of ntpMerlin (?), but is available when running ntpMerlin in a SSH-session.

Code:
2.    Toggle redirect of all NTP traffic to ntpMerlin
      (currently Enabled)

Now I made a backup of nvram using nsru this morning and browsing through the values and noticed
Code:
ntpd_server_redir="0"
(which I assume is the setting for Merlins implementation, but I don't know whether @Jack Yaz uses the same nvram variable for this setting).

Does that mean my NTP-queries aren't redirected locally or does ntpMerlin use different way to redirect them? How can I check they're handled locally?
 

SomeWhereOverTheRainBow

Part of the Furniture
Question: I'd like all NTP-queries handled by my router. I noticed that this option is missing in the WebUI of ntpMerlin (?), but is available when running ntpMerlin in a SSH-session.

Code:
2.    Toggle redirect of all NTP traffic to ntpMerlin
      (currently Enabled)

Now I made a backup of nvram using nsru this morning and browsing through the values and noticed
Code:
ntpd_server_redir="0"
(which I assume is the setting for Merlins implementation, but I don't know whether @Jack Yaz uses the same nvram variable for this setting).

Does that mean my NTP-queries aren't redirected locally or does ntpMerlin use a different way to redirect them? How can I check they're handled locally?
One way I tested it was by forcing an NTP update on a Windows device. I then loaded the Connections tab under the System Log section of the RMerlin UI. I observed that the request from the device was pointed at the router's local IP address.
If you are on the right page, this is what you will see at the top.
1615618133023.png


Here is how I forced a time sync update.

1615618194701.png


The request is then intercepted by these NAT rules provided by the ntpMerlin intercept option.

1615618268556.png



After running the force update, here is an example of what I saw on the connections list. This shows the connection of the windows device on Port 123 was forced to 192.168.1.1 (local NTP service).

1615618030213.png
 

MvW

Senior Member
That seems to work fine. I forced an NTP update here in Windows 10 (in Dutch, sorry). Settings > Time and Date > Synchronize your clock > Synchronize Now.

Schermafbeelding 2021-03-13 100109.png


I have YogaDNS installed for use with NextDNS on my laptop because I use the ProtonVPN Windows app on this laptop (haven't configured ProtonVPN on my router yet, have yet to find how to exclude and re-route clients etc.), but I can see time.windows.com being queried in YogaDNS.

Schermafbeelding 2021-03-13 095311.png


As the VPN is currently disconnected, System Log > Active Connections in the router's WebUI shows how it caught the request and redirected it to the router's IP:

Screenshot_2021-03-13 ASUS Wireless Router RT-AC86U - Connections.png


So, indeed, it works like a charm! Thanks for your guidance @SomeWhereOverTheRainBow. Always nice to check and see if something works indeed as advertised.

Best regards,
Marco
 

Jack Yaz

Part of the Furniture
Question: I'd like all NTP-queries handled by my router. I noticed that this option is missing in the WebUI of ntpMerlin (?), but is available when running ntpMerlin in a SSH-session.

Code:
2.    Toggle redirect of all NTP traffic to ntpMerlin
      (currently Enabled)
that's an oversight on my part, onto the list it goes!
 

maghuro

Very Senior Member
Option 2 isn't catching ipv6 ntp traffic...

Screenshot from FlexQoS
 


SomeWhereOverTheRainBow

Part of the Furniture
Option 2 isn't catching ipv6 ntp traffic...

Screenshot from FlexQoS
The only way to catch IPv6 NTP is blocking it, unless Asus has updated the ip and nat tables far enough to allow NAT handling of IPv6 traffic (similar to the way it handles the IPv4 redirect). @Jack Yaz


Code:
ip6tables -I OUTPUT -p tcp --dport 123 -j DROP
ip6tables -I OUTPUT -p udp --dport 123 -j DROP
 

archiel

Senior Member
I do not really understand this, but for ntpd or chronyd to intercept IPv6 requests, wouldn't their respective .conf settings also need to be set to listen for IPv6?
I am using chrony, but looking at the default chrony.conf the default allow directives are for the standard private IPv4 ranges only.

So to get this working (rather than dropping IPv6 requests), wouldn't this require

PREROUTING rules for IPv6, equivalent to those for IPv4, so requests go to ntpd or chronyd
- What would the relevant 'redirect to' address?
Adding the allow directives to chrony.conf (or ntp) - so the requests could be processed?
- e.g. allow ::/0, or would you use the link-local range?

Also how could you test this, other than seeing if the clients show up in chronyc clients?
 

SomeWhereOverTheRainBow

Part of the Furniture
I do not really understand this, but for ntpd or chronyd to intercept IPv6 requests, wouldn't their respective .conf settings also need to be set to listen for IPv6?
I am using chrony, but looking at the default chrony.conf the default allow directives are for the standard private IPv4 ranges only.

So to get this working (rather than dropping IPv6 requests), wouldn't this require

PREROUTING rules for IPv6, equivalent to those for IPv4, so requests go to ntpd or chronyd
- What would the relevant 'redirect to' address?
Adding the allow directives to chrony.conf (or ntp) - so the requests could be processed?
- e.g. allow ::/0, or would you use the link-local range?

Also how could you test this, other than seeing if the clients show up in chronyc clients?
The redirect rule for IPv6 would point at the respective LAN IPv6 address associated with the router, just as the IPv4 redirect points at the IPv4 LAN address. The problem is that the router's ip/nat tables do not support redirect as an option for IPv6. The same applies to DNS filter redirects: they only support IPv4. That is why it is suggested to block IPv6, because otherwise it will leak. For devices that prefer IPv6 over IPv4, your local NTP server may be skipped altogether, defeating the purpose of using a local NTP server, because the request will leak via IPv6.
 

SomeWhereOverTheRainBow

Part of the Furniture
Currently the router's local NTP server and ntpMerlin utilize no method for redirecting NTP requests that are passed over IPv6, thus they are allowed to pass to whatever NTP server the device prefers. The fear would be that restricting IPv6 time sync on devices that prefer IPv6 may prevent the device from keeping accurate time. Maybe the device will only attempt to sync the time once, thus preventing the device from maintaining accurate time.
 

archiel

Senior Member
I assume that if I want to understand more about redirects, I should be learning about iptables & ip6tables (somewhere on my v long to-do list).

In the meantime,
From the router I can see my list of connected devices
Using chronyc clients, I can see the list of clients that have updated (since the last time chrony was restarted)
Using tcpdump I should be able to see all requests on port 123.

As I only restarted chrony yesterday I expect it will be a few days before I can see whether any devices are bypassing chrony.
 

archiel

Senior Member
After a brief detour to deal with the DST bug, I have been running tcpdump
Code:
tcpdump -nn port 123 -i any
to see what requests are being made

Mostly it is what I would expect, with requests and responses going to and from the WAN interface and the servers specified in chrony.conf.

What I have found is that some devices insist on using IPv6; as they are going direct and not routed via any VPN, I will leave them be.

However some IPv4 devices are showing up in 'chronyc clients' and also contacting other ntp servers, i.e. there is traffic between the clients and ntp servers and these ntp servers are not those in chrony.conf.

Given that chrony should be picking up and handling ALL IPv4 traffic on port 123, is there a way I can see how some traffic is managing to bypass it?
 

JaimeZX

Senior Member
Can you solve the IPv6 issue by disabling IPv6 on the WLAN/LAN? I don't see what benefit it provides in a home environment, anyway.
 

CriticJay

Senior Member
Can you solve the IPv6 issue by disabling IPv6 on the WLAN/LAN? I don't see what benefit it provides in a home environment, anyway.

that's precisely one of the reasons why i disabled IPv6 on my home connection ...
 

archiel

Senior Member
that's precisely one of the reasons why i disabled IPv6 on my home connection ...
From my perspective the IPv6 issue is whether there may be a way to persuade those devices that default to it (such as mobile phones, iPads, etc.) to use chrony rather than going direct. If they are checking and picking up the time directly and correctly that is also fine - it is more a matter of neatness, and solving it by disabling IPv6 (or dropping ntp calls on IPv6) seems to me to be defeatist.

The issues I am more interested in are (1) how can I track which devices are making IPv4 ntp calls and (2) why some of these calls are not being caught and are bypassing chrony.
 

archiel

Senior Member
As far as I can see ntpMerlin is working successfully as a client on the router, but it is not acting as a local server for local queries (or at least only doing this occasionally).
As I had been running IPv6 and chrony, I decided to simplify matters before I look at this:
  • I disabled IPv6 on the router
  • I switched to ntp (I had been using chrony)
  • I rebooted the router
I checked the Port Forwarding tab which showed the expected

Code:
Source    Proto   Port range    Redirect to    Local Port    Chain
    ALL    UDP    123           10.01.02.1    123             PREROUTING
    ALL    TCP    123           10.01.02.1    123             PREROUTING

I started tcpdump
Code:
tcpdump port 123 -i any
and left it

After a while I noted

Regular checks between the router and the external servers defined in the ntp.conf
local devices trying to connect with external servers not defined in ntp.conf (some succeeding, some failing)
checks from time to time from and to 127.0.0.1
after a local device had tried to get time, most of the time nothing showing in Connections (on port 123).

If I go to a Windows 10 device to set the time (Control Panel > Date and Time > Internet Time Settings > Synchronise with an internet time server), most of the time the tcpdump output indicates that the device has connected to the specified server (not the router) and there is no entry in Connections. Occasionally (and I have not found any pattern yet) the device will get its time from the router and Connections show the expected result.

I am assuming that if ntp is acting as a local server then I should be seeing regular client / server traffic between the router and the network devices - is this correct and if not, why not?

What can I try next?
 

MvW

Senior Member
What can I try next?

Code:
chronyc clients

should show you more info about which clients connected when since your last reboot:

Code:
[email protected]:/tmp/home/root# chronyc clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
xxx.xxx.xxx.50                   75      0   8   -    47       0      0   -     -
xxx.xxx.xxx.47                   12      0   8   -    42       0      0   -     -
xxx.xxx.xxx.33                   13      0   8   -   202       0      0   -     -
xxx.xxx.xxx.2                    16      0   9   -   429       0      0   -     -
xxx.xxx.xxx.49                    6      0   8   -   40m       0      0   -     -
xxx.xxx.xxx.54                    4      0   7   -   52m       0      0   -     -
xxx.xxx.xxx.35                    9      0   8   -     5       0      0   -     -
 

MvW

Senior Member
Code:
[email protected]:/tmp/home/root# chronyc serverstats
NTP packets received       : 161
NTP packets dropped        : 0
Command packets received   : 15
Command packets dropped    : 0
Client log records dropped : 0
NTS-KE connections accepted: 0
NTS-KE connections dropped : 0
Authenticated NTP packets  : 0

shows the total number of requests since last reboot.
 

archiel

Senior Member
As noted above, I had switched from chrony back to ntp, and I am seeing the same (or similar) issues in both; e.g. I can see clients listed under chronyc clients, but from tcpdump I can see other clients 'going direct'. Under ntp the nearest thing I can find is 'ntpq -c mrulist', and while that includes both internal clients and external servers, again tcpdump output indicates that the clients are also 'going direct' under ntp as well.

Unless I am misinterpreting the tcpdump output, it seems as if the prerouting rules are being bypassed - if they were working I would not expect to see items like
Code:
00:27:42.969962 IP 10.1.2.169.35802 > keratrix.amazing-internet.net.ntp: NTPv4, Client, length 48
00:27:42.970141 IP keratrix.amazing-internet.net.ntp > 10.1.2.169.35802: NTPv4, Server, length 48
As
  1. keratrix.amazing-internet.net is not in ntp.conf
  2. 10.1.2.169 should be sending its requests to 10.1.2.1 (the router)
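A caveat worth knowing when reading this kind of capture: tcpdump taps ingress packets before netfilter's nat PREROUTING chain runs, so a request that the REDIRECT rule does intercept still appears in tcpdump with the external server as its destination, and the router's reply is un-NATed on the way out so it appears to come from that server. The tell-tale that the router answered it is the latency: a reply 179 microseconds after the request (as in the two lines above) cannot be an Internet round trip. The following script, an added example that is not part of ntpMerlin or of any post in this thread, parses `tcpdump port 123 -i any` output, pairs each LAN client's request with its reply and classifies the flow by destination and reply latency. The router address, LAN prefix, the 2 ms threshold and the capture lines (other than the two quoted above and the time.windows.com name) are constructed assumptions; the authoritative view of which requests were really redirected remains the conntrack table (the Connections tab / `/proc/net/nf_conntrack`), which records the NAT mapping explicitly.

```python
"""Classify NTP flows in `tcpdump port 123 -i any` output (added example).

Assumptions, all constructed for this example:
  - ROUTER_LAN_IP / LAN_PREFIXES describe the router and its LAN;
  - tcpdump records a LAN request BEFORE the nat PREROUTING REDIRECT rewrites
    it, so a redirected request still names the external server; the reply
    then arrives within well under a millisecond because the router itself
    generated it. A real WAN round trip takes tens of milliseconds.
"""
import re
from datetime import datetime

ROUTER_LAN_IP = "10.1.2.1"      # assumption: the router's LAN address
LAN_PREFIXES = ("10.1.2.",)     # assumption: LAN subnet(s)
LOCAL_RTT_MAX = 0.002           # 2 ms: faster than any Internet round trip

# Constructed sample in the format of `tcpdump port 123 -i any` (no -nn, so
# hostnames and the "ntp" service name appear instead of numbers).
SAMPLE_CAPTURE = """\
00:27:42.969962 IP 10.1.2.169.35802 > keratrix.amazing-internet.net.ntp: NTPv4, Client, length 48
00:27:42.970141 IP keratrix.amazing-internet.net.ntp > 10.1.2.169.35802: NTPv4, Server, length 48
00:27:50.112233 IP 10.1.2.50.123 > 10.1.2.1.123: NTPv4, Client, length 48
00:27:50.112400 IP 10.1.2.1.123 > 10.1.2.50.123: NTPv4, Server, length 48
00:28:01.000001 IP 203.0.113.7.123 > 192.0.2.10.123: NTPv4, Client, length 48
00:28:01.031452 IP 192.0.2.10.123 > 203.0.113.7.123: NTPv4, Server, length 48
00:28:05.500000 IP 127.0.0.1.36000 > 127.0.0.1.123: NTPv4, Client, length 48
00:28:10.000000 IP 10.1.2.47.123 > time.windows.com.ntp: NTPv4, Client, length 48
00:28:10.038912 IP time.windows.com.ntp > 10.1.2.47.123: NTPv4, Server, length 48
00:28:15.000000 IP 10.1.2.33.52000 > 192.0.2.20.123: NTPv4, Client, length 48
"""

# Matches both IPv4 ("IP") and IPv6 ("IP6") lines; ports may be numeric or "ntp".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"NTPv\d, (?P<role>Client|Server), length \d+"
)


def split_host_port(token):
    """'10.1.2.169.35802' -> ('10.1.2.169', '35802'); also works for hostnames."""
    host, port = token.rsplit(".", 1)
    return host, port


def parse_capture(text):
    """Turn capture lines into records; lines that are not NTP packets are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "t": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": split_host_port(m["src"]),
            "dst": split_host_port(m["dst"]),
            "role": m["role"],
        })
    return records


def is_lan_client(host):
    """A LAN host other than the router itself (router queries are its upstream sync)."""
    return host != ROUTER_LAN_IP and host.startswith(LAN_PREFIXES)


def classify_flows(records):
    """Return {client: [(server, verdict), ...]} for every LAN-originated request."""
    results = {}
    for i, req in enumerate(records):
        if req["role"] != "Client" or not is_lan_client(req["src"][0]):
            continue  # replies, the router's own upstream queries, loopback
        server = req["dst"][0]
        # The reply mirrors the request's endpoints exactly (host and port).
        reply = next((r for r in records[i + 1:]
                      if r["role"] == "Server"
                      and r["src"] == req["dst"] and r["dst"] == req["src"]), None)
        if server == ROUTER_LAN_IP:
            verdict = "redirected"      # client addressed the router explicitly
        elif reply is None:
            verdict = "no-reply"        # dropped, filtered, or capture ended
        elif (reply["t"] - req["t"]).total_seconds() < LOCAL_RTT_MAX:
            verdict = "local-reply"     # answered by the router: REDIRECT worked
        else:
            verdict = "bypassed"        # genuine WAN round trip: rule not hit
        results.setdefault(req["src"][0], []).append((server, verdict))
    return results


def bypassing_clients(results):
    """Clients with at least one request that really reached an external server."""
    return sorted(c for c, flows in results.items()
                  if any(v == "bypassed" for _, v in flows))


if __name__ == "__main__":
    summary = classify_flows(parse_capture(SAMPLE_CAPTURE))
    for client, flows in sorted(summary.items()):
        for server, verdict in flows:
            print(f"{client:>12} -> {server:<32} {verdict}")
    print("clients bypassing the router:", bypassing_clients(summary))
```

On a router, feed it a saved capture (`tcpdump -l port 123 -i any > ntp.txt`) and replace SAMPLE_CAPTURE with the file's contents; a client that lands in the "bypassed" list has had a real exchange with an external server, which is what the Connections tab should then also confirm by showing no NAT entry to the router's address for that flow.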
 

SomeWhereOverTheRainBow

Part of the Furniture
Code:
# chronyc serverstats
NTP packets received       : 14579
NTP packets dropped        : 0
Command packets received   : 53
Command packets dropped    : 0
Client log records dropped : 0
NTS-KE connections accepted: 0
NTS-KE connections dropped : 0
Authenticated NTP packets  : 0

when I manually force request using a windows device, the count goes up


Code:
chronyc serverstats
NTP packets received       : 14581
NTP packets dropped        : 0
Command packets received   : 54
Command packets dropped    : 0
Client log records dropped : 0
NTS-KE connections accepted: 0
NTS-KE connections dropped : 0
Authenticated NTP packets  : 0
 

archiel

Senior Member
@MvW, @SomeWhereOverTheRainBow. Thanks for your help on this, I will switch back to chrony for a while and run some further stats. However, looking at the ntp data, and from my previous chrony checks, I can clearly see the client-server conversations going between local devices and external servers.

Using ntp, ntpq -c mrulist may just be registering any port 123 traffic (as the server is sitting on the gateway interface), regardless of whether it is responding to those requests, and I suspect that chrony (serverstats and clients) may be showing the same behaviour.

This all started because I was looking at two Windows systems side by side, one set to get its time from the router and the other from an external time server. Both were showing as recently connected in chronyc clients and yet the two system clocks were over a second apart. Once I updated each device manually, the time discrepancy vanished, but it set me wondering that if both were showing as having been updated from chrony (i.e. in chronyc clients), how could such a large difference have arisen.
 
