NAS NTP with minimum security risk

Stardust

Regular Contributor
Hey all.

I have a Synology NAS and an AX86U running Merlin's 382_2. I want to run NTP on my NAS with as little security risk as possible.
I can't connect to an NTP for now.
What shall I do?

Regards

John
 
Your NAS can query either the Asus or any standard NTP server; if it can't, you have something blocking it. There is little to no security risk with using NTP.

Or are you saying you want to run an NTP server on your NAS? That also is fine as long as it is only for your LAN. I wouldn't open it to the internet; no reason to anyway. But your Asus or public NTP servers are perfectly fine, no need to run your own server. pool.ntp.org is the usual one. You can even use localized versions, but usually it does it for you automatically.
 
Point NAS NTP client to AX86U.
Run ntpMerlin chronyd on AX86U.
Do not know about Europe, but from my location the best time is from the Apple and Cloudflare pools.
If you are wealthy, get your own GPS sourced NTP server on your LAN, like the LeoNTP Time Server 1200.
 
If you're really concerned with accuracy, why proxy the NTP? Just have your clients point to the pool of your choice (ntp.org, Cloudflare, etc). One less offset calculation (and cheap clock crystal) in the path.

In reality if every device on your network is 1 msec off from each other, that is not going to impact anything. Nobody is engaged in high frequency stock trading via an Asus router on their home internet, or clocking a WDM/TDM circuit, etc.
 
I can easily live with 1 msec delay. But without any NTP, the NAS was minutes wrong in a matter of days. - No fun.
 
I still don't understand what the point of your thread was. You posted it in the general security thread so I assumed you were concerned about NTP security (of a server running on the NAS?) for some reason. But you also said you "can't connect to a NTP". What does this mean? Do you not have an internet connection? If so, how is your router getting its NTP?

So is this a network security question, a Synology NAS question, an NTP server question or an NTP client question?
 
My NAS has three time server choices loaded in the software: time.google.com, time.nist.gov and pool.ntp.org. One of these should work regardless of where you are located. You can also add a time server of your choice. I added time.cloudflare.com just as a test. If your time is not getting set right, it is likely that the chosen time server is not being resolved. If this is the case you can use an IP address of a time server instead of a URL. However, this could fail if the server is down. Much better to use a time server network URL which will be directed to one of any number of active servers.
 
Thank you both for the info. I forgot to tell that my NAS is set up as a client. I will look into both your info and suggestions :)
 
In which case just point the NAS to pool.ntp.org and you're done.
 
The pool.ntp.org did do the job. Did also try that before I posted this thread - hrm..
But it works now :)
 
pool.ntp.org points to a list of different servers based on your location. It might be possible that you were trying to use a server that was down that first time.
 
OP said their NAS was off by days, I've found that NTP takes a few tries to fix that, it sees the difference is too much and goes into some safety mode or something. I'm not sure what mechanism in NTP says "if you try once and it is really far off, don't change it, but if you try 2 or 3 times you must really be serious". I've run into devices that simply will not update no matter how many times you try when it is that far off, you have to manually set the time to something close, then it will update fine and continue updating.

I've never had an issue using the main "pool" but if you seem to see a lot of timeouts you can try using a country or region specific one. You can drill down quite a bit, there is a north-america.pool.ntp.org, us.pool.ntp.org, or even 0.us.pool and 1.us.pool etc.

If you need more than one server use 0.pool.ntp.org and 1.pool.ntp.org etc (or the country specific variants). I've found their geo-ip implementation to be pretty good and the regular pool has always worked fine. Even if you end up with a server in another country due to local server being down or Geo IP being off for your ISP, NTP is very good at calculating offset.

Of course Windows uses Microsoft by default, Apple uses Apple, some still use NIST. Don't think any are unreliable enough to cause an issue for a home user; even if you get 1 out of every 10 updates you'll be fine. Even with the very wide tolerance allowances on the cheap crystals being put on even high end server motherboards.

Several companies sell Time as a Service (TaaS) where you can purchase NTP or much more expensive PTP. They send you a UDP stream from multiple GPS and Atomic sites, and their server or software client (or even hardware add-in card for PTP) calculates a very precise offset within 1 ns of the source. Uptake has been pretty slow since most of their target customers (telcos and financial companies) already have their own GPS setup or in some cases even a true atomic clock source (cute little "warning, radioactive material inside" sticker on it). It has to be delivered over private point to point circuits as it needs a pretty stable network latency to not mess with the offset calculation. My company resells a couple of them on our network, definitely not a hot item.

/Tangent
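
The offset calculation and the "too far off to update" behaviour discussed in this thread, as an added example that is not from any poster: a minimal SNTP client-side check that validates a server reply (server mode, synchronized stratum, origin timestamp echoing the request) before computing offset and delay. The 1000 s panic and 0.128 s step thresholds are the reference ntpd defaults and are an assumption here, since the thread does not say which NTP client the Synology NAS runs; the timestamps and reply packet are constructed.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
PANIC, STEP = 1000.0, 0.128    # reference ntpd defaults, seconds (assumed client)

def to_ntp(unix_ts):
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return int(round((unix_ts + NTP_EPOCH_DELTA) * 2**32))

def from_ntp(raw):
    return raw / 2**32 - NTP_EPOCH_DELTA

def build_request(t1):
    """48-byte client packet: LI=0, VN=4, Mode=3, transmit timestamp = t1."""
    return struct.pack("!B39xQ", (4 << 3) | 3, to_ntp(t1))

def sample_reply(request, t2, t3, stratum=2):
    """Constructed server reply for offline use (not captured traffic)."""
    return (struct.pack("!BB22x", (4 << 3) | 4, stratum) + request[40:48]
            + struct.pack("!2Q", to_ntp(t2), to_ntp(t3)))

def check_reply(request, reply, t4):
    """Validate a reply received at local time t4; return (offset, delay)."""
    if len(reply) < 48:
        raise ValueError("short packet")
    flags, stratum = reply[0], reply[1]
    origin, rx, tx = struct.unpack("!3Q", reply[24:48])
    if flags & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    if flags >> 6 == 3 or not 1 <= stratum <= 15:
        raise ValueError("server unsynchronized or kiss-of-death")
    if origin != struct.unpack("!Q", request[40:48])[0]:
        raise ValueError("origin mismatch: stale or spoofed reply")
    t1, t2, t3 = from_ntp(origin), from_ntp(rx), from_ntp(tx)
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def classify(offset):
    """What ntpd with default settings would do about this offset."""
    if abs(offset) > PANIC:
        return "panic: not corrected, set the clock by hand first"
    return "step" if abs(offset) > STEP else "slew"

if __name__ == "__main__":
    t1 = 1700000000.0                      # constructed local clock, 90 s slow
    req = build_request(t1)
    rep = sample_reply(req, t1 + 90.010, t1 + 90.011)
    offset, delay = check_reply(req, rep, t1 + 0.021)
    print(f"offset {offset:+.3f} s, delay {delay:.3f} s -> {classify(offset)}")
```

A clock that is minutes off is stepped in one go; only an offset beyond the panic threshold needs the manual pre-set described above.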
 
Unless you host equipment for Space X, just point it at a known working Internet server and call it a day.
 