How set ntp location in AI Mesh Node

[TonyK132]

Hello - I have an AI Mesh node running stock Asus firmware that is hard-wire connected to a Merlin AC86U. If I try to access the node using its IP address, I get redirected to the router, so I cannot access any networking settings in the node, including changing its ntp address to point at the router. How can I access the settings of the node?

 

[bbunge]

Hello - I have an AI Mesh node running stock Asus firmware that is hard-wire connected to a Merlin AC86U. If I try to access the node using its IP address, I get redirected to the router, so I cannot access any networking settings in the node, including changing its ntp address to point at the router. How can I access the settings of the node?

Node settings mirror the AiMesh router settings. If you have SSH enabled on the router you can SSH log into the node with its IP address. There is no need to do GUI access of nodes.

 

[TonyK132]

I'm not sure the mirroring is totally working. I'm using ntpMerlin with a config of:

server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst

But I can see that the node is going beyond just those servers:

2021-12-26 12:52	1.pool.ntp.org	192.168.2.104	A	Allowed
2021-12-26 12:52	3.pool.ntp.org	192.168.2.104	A	Allowed
2021-12-26 12:52	time.google.com	192.168.2.104	A	Allowed
2021-12-26 12:52	pool.ntp.org	192.168.2.104	A	Allowed
2021-12-26 12:52	0.pool.ntp.org	192.168.2.104	A	Allowed
2021-12-26 12:52	2.pool.ntp.org	192.168.2.104	A	Allowed
2021-12-26 12:52	time.nist.gov	192.168.2.104	A	Allowed
2021-12-26 12:52	time.nist.gov	192.168.2.104	A	Allowed
2021-12-26 12:52	time.google.com	192.168.2.104	A	Allowed
2021-12-26 12:52	2.pool.ntp.org	192.168.2.104	A	Allowed
2021-12-26 12:52	0.pool.ntp.org	192.168.2.104	A	Allowed
2021-12-26 12:52	3.pool.ntp.org	192.168.2.104	A	Allowed
2021-12-26 12:52	1.pool.ntp.org	192.168.2.104	A	Allowed
2021-12-26 12:52	pool.ntp.org	192.168.2.104	A	Allowed

I currently have no clients attached to the node, so all this activity is from the node itself.

 

[TonyK132]

I also have the setting in ntpMerlin to redirect all ntp traffic to ntpMerlin, but I cannot be sure that is working. The list above is from Diversion. I do not know if that display is what is actually going on the wire, or if that is before ntpMerlin gets it and redirects it.

 

[bbunge]

The main router controls time and DHCP. Think of the node as a fancy access point that lets the router control it.

 

[Tech9]

so I cannot access any networking settings in the node

You don't need to change anything on the node.

 

[TonyK132]

The main router controls time and DHCP. Think of the node as a fancy access point that lets the router control it.

Then why is the node trying to get its time from time.google.com and time.nist.gov and pool.ntp.org, and not getting it from the router?

 

[sfx2000]

Then why is the node trying to get its time from time.google.com and time.nist.gov and pool.ntp.org, and not getting it from the router?

Quick tip - don't mix Google Public NTP with other NTP pools - one might consider Cloudflare's NTP hosts, but generally one can just use the appropriate NTP pools...

one can use Google time alone...

server time1.google.com iburst
server time2.google.com iburst
server time3.google.com iburst
server time4.google.com iburst

And if one uses Google's DNS, one gets good regional diversity just in case something goes wrong...

(and if google NTP is offline, then the world is truly in a bad spot - but NTP can deal with this if a server goes down for a bit, it will recover)

 

[Tech9]

Then why is the node trying to get its time from time.google.com and time.nist.gov and pool.ntp.org, and not getting it from the router?

What difference does it make for you?

 

[Jack Yaz]

Then why is the node trying to get its time from time.google.com and time.nist.gov and pool.ntp.org, and not getting it from the router?

It's trying, but the redirect will be pushing the packets to the router itself. The node thinks its sending the requests to time.google.com but its not.
You can use the below to see if the redirect rule is working, by looking at the counters in the left 2 columns

iptables -t nat -nvL | grep 123

 

[TonyK132]

Looks like all the 123s are going to the router.


0 0 DNAT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123 to:192.168.2.1
10336 786K DNAT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 to:192.168.2.1

So, in spite of Diversion to the contrary, all ntp inquiries are going to the router?

 

[Tech9]

all ntp inquiries are going to the router?

I would guess so, if you have intercept NTP in Asuswrt-Merlin enabled. It's easy to redirect single port.

 

[Jack Yaz]

Looks like all the 123s are going to the router.


0 0 DNAT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123 to:192.168.2.1
10336 786K DNAT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 to:192.168.2.1

So, in spite of Diversion to the contrary, all ntp inquiries are going to the router?

Diversion shows the DNS lookups made by the client, which is correct. When the client tries to reach time.google.com (for example) the router intercepts and redirects the packets to itself. The client thinks its talking to time.google.com as it is unaware of the redirect.

Note that this sort of simple redirect works for a protocol like NTP and DNS (DNS Filter), but can't be used for something like redirecting secure web traffic - the client would error.

 

[TonyK132]

I think I got it now, thanks for helping me understand what's going on.