
ntpMerlin ntpMerlin v3.x


No...

I did not recognize we had to run that... (because of the “Jack be like”)
Sorry for the distraction :p

Don't forget to restart chronyd after every change you make to chronyd.conf

FWIW, my list is growing by the minute, but for some, separate certificates need to be imported, and I need to find out how.

Also, as far as the glypnod servers: ntp1.glypnod.com is based in San Francisco, ntp2.glypnod.com is London based, I just found out.
 
edit the conf file through option 3 of ntpmerlin and restarts are done automatically :)
 
You think of everything, don't you...

List expanded with new servers! As for my previous question, it looks like all the ports have already been changed to 4460, so you can ignore that question.
 
Updated list:

Code:
pool time.cloudflare.com iburst nts
server netmon2.dcs1.biz:123  iburst nts
server ntp1.glypnod.com iburst nts
server ntp2.glypnod.com  iburst nts
server ntpmon.dcs1.biz iburst nts
server ntpmon.dcs1.biz iburst nts
server nts.ntp.se iburst nts
server nts.ntp.se iburst nts
server nts.sth1.ntp.se iburst nts
server nts.sth2.ntp.se iburst nts
server nts.time.nl iburst nts
server ptbnts2.ptb.de iburst nts
server ptbnts3.ptb.de iburst nts
server ptbtime1.ptb.de iburst nts
server ptbtime2.ptb.de iburst nts
! server ptbtime3.ptb.de iburst nts (not yet operational)
server timemaster.evangineer.net iburst nts
Some duplicates in that list. ptbtime2.ptb.de isn't operational yet. Does the time master server work for you? I get a time out so deleted it from my list.
 
Sorry, thought I filtered out the duplicates. ptbtime2.ptb.de should be operational, but isn't and the timemaster server doesn't work here either, it times out. I'll modify the list.

Edit: Done and locations added
 
A little confused as to ports 123 & 4460.
I have run ntpmerlin develop and I have added the following NTS servers (in addition to my current non-NTS servers):
Code:
server ntp2.glypnod.com nts
server ptbnts2.ptb.de nts
server ptbnts3.ptb.de nts
server ptbtime1.ptb.de nts
server ntpmon.dcs1.biz nts
and when I run chronyc -N authdata I see
Code:
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp2.glypnod.com             NTS     1   15  256  38m    0    0    8  104
ptbnts2.ptb.de               NTS     1   15  256  38m    0    0    8  100
ptbnts3.ptb.de               NTS     1   15  256  38m    0    0    8  100
ptbtime1.ptb.de              NTS     1   15  256  38m    0    0    8  100
ntpmon.dcs1.biz              NTS     1   15  256  38m    0    0    8  104
for the NTS servers

If NTS requests are over port 4460, then I would expect to see the connections if I run conntrack -E | grep "dport=4460" but I do not. But I do see connections for the NTS servers if I run conntrack -E | grep "dport=123"

What am I missing?
 
Not sure, but maybe the fact that only chronyd is communicating over port 4460 to sync with NTS-compatible servers, and your local clients are not? They communicate only with chronyd with destination port 123. I'm not sure whether conntrack captures the communication between chronyd and the upstream NTP-NTS servers. If running
Code:
chronyc -N authdata
you can see they're actually syncing with upstream servers, so apparently conntrack fails to intercept that part of traffic for some reason.
 
conntrack captures both - local and upstream - also I can see from the IP addresses in the output whether I am looking at local traffic or upstream (i.e. between an NTS server and the Router)

Similarly, if I run tcpdump on port 4460, nothing and on 123 I see the traffic.

Edit

If I edit the servers to
Code:
server ntp2.glypnod.com:4460 nts
server ptbnts2.ptb.de:4460 nts
server ptbnts3.ptb.de:4460 nts
server ptbtime1.ptb.de:4460 nts
server ntpmon.dcs1.biz:4460 nts
the nts servers do not load at all
 
The port numbers shouldn't be added.

I don't know why you don't see the traffic with conntrack or tcpdump, my knowledge is too limited.
Fact is, when you run the command in my previous message, you see the stats go up. So, I don't really see the point to this discussion. A key exchange takes place at port 4460, time is synced (I have replaced all servers with NTS servers, so there's no non-NTS server left in my config to sync) and the numbers of successful syncs are increasing. And for some reason, it even seems to me, it's more accurate than ever. So, we can discuss all evening why you don't see the traffic, but I really don't see the point in that, as chronyd seems to work as supposed, but now through encrypted traffic.
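
Added example, not part of any post in this thread: a small lint for the `server`/`pool` lines of chrony.conf that catches the two problems raised above, duplicate entries and a `host:port` suffix (chrony sets a non-default NTS-KE port with the `ntsport` option instead). The sample config is constructed from hostnames quoted in the thread plus one placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): lint chrony.conf source lines on stdin.
# Reports "<line>: <host> <FINDING>" for each problem found.

lint_sources() {
    awk '
        /^[ \t]*[!#;%]/ || NF < 2 { next }        # chrony comment markers, blanks
        $1 != "server" && $1 != "pool" { next }   # only time-source directives
        {
            host = $2; nts = 0
            for (i = 3; i <= NF; i++) if ($i == "nts") nts = 1
            # exactly one colon followed by digits: a port suffix, not IPv6
            if (host ~ /^[^:]+:[0-9]+$/) {
                print NR ": " host " PORT-SUFFIX"
                sub(/:[0-9]+$/, "", host)
            }
            if (seen[host]++) print NR ": " host " DUPLICATE"
            if (!nts)         print NR ": " host " NO-NTS"
        }'
}

# Constructed sample; pool.example.net is a placeholder, not a real server.
sample_conf() {
    cat <<'EOF'
pool time.cloudflare.com iburst nts
server netmon2.dcs1.biz:123  iburst nts
server ntpmon.dcs1.biz iburst nts
server ntpmon.dcs1.biz iburst nts
server nts.ntp.se iburst nts
! server ptbtime3.ptb.de iburst nts (not yet operational)
server ptbnts2.ptb.de:4460 nts
server pool.example.net iburst
EOF
}

# On the router, feed it the real file instead: lint_sources < chrony.conf
sample_conf | lint_sources
```

A `NO-NTS` finding is only a problem if the intent is an all-NTS configuration; an unauthenticated source can still be selected for synchronisation.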
 
Solved(ish). While the time checking (123 over udp) is carried out regularly, the key exchange (4460 over tcp) takes place immediately after the chronyd is started (or restarted). I had initially missed this by only tracking after I had done a restart. I don't know the time interval for repeating the key exchange, so I will leave tracking on to find this.

The point, apart from curiosity, is that I was trying to understand how (if) chrony could work as a local server if IPv6 is enabled on the network, as such I have disabled it for now until I have a basic understanding of what happens under IPv4 and once I think I do, will re-enable IPv6.
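
Added example, not part of any post in this thread: since the NTS-KE exchange on TCP 4460 is brief and easy to miss in conntrack or tcpdump, the `chronyc -N authdata` table is the more direct check that each source is authenticated. The script below reads that table and flags sources that are not using NTS, have run out of cookies, received a NAK, or are retrying key exchange; the two failure rows in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit `chronyc -N authdata` output.
# Columns used: Mode, Atmp (key-exchange attempts since the last success),
# NAK (NTS NAK received), Cook (NTS cookies currently held).

check_authdata() {
    awk '
        /^Name\/IP/ || /^=/ || NF < 10 { next }   # header, ruler, short lines
        {
            name = $1; mode = $2; atmp = $7; nak = $8; cook = $9
            if (mode != "NTS")      print name, "WARN no-nts"
            else if (cook + 0 == 0) print name, "WARN no-cookies"
            else if (nak + 0 > 0)   print name, "WARN nak-received"
            else if (atmp + 0 > 0)  print name, "WARN nts-ke-retrying"
            else                    print name, "OK"
        }'
}

# Constructed sample: two rows shaped like the output posted above, plus two
# invented failure rows (the example.net names are placeholders).
sample_authdata() {
    cat <<'EOF'
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp2.glypnod.com             NTS     1   15  256  38m    0    0    8  104
ptbnts2.ptb.de               NTS     1   15  256  38m    0    0    8  100
nts.example.net              NTS     1   15  256   2d    3    0    0  100
plain.example.net              -     0    0    0    -    0    0    0    0
EOF
}

# On the router: chronyc -N authdata | check_authdata
sample_authdata | check_authdata
```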
 
may I make a request?
I really like the logarithmic scale in spdMerlin - can we get that for ntpMerlin at some point as well please? It'll really smooth out the wee variations over time that don't matter in the big picture
it didn't work so well given most of the values were so low, so the logarithmic scaling didn't really kick in
 
I don't know the time interval for repeating the key exchange, so I will leave tracking on to find this.
According to RFC8915 key exchange shall take place every 24 hours.
 
it didn't work so well given most of the values were so low, so the logarithmic scaling didn't really kick in
ah, right, yes that makes sense.
 
v3.3.0 is now available
Changelog

  • NEW: Support for NTS. If your router supports the NTS version of chrony it will be installed automatically. To use an NTS server, you can uncomment (delete the ! at the start of the line) the below lines in chrony.conf (menu option 3 on the command line):
    Code:
    pool time.cloudflare.com iburst nts
    
    ntsdumpdir /opt/var/lib/chrony
 
Awesome! Will the update overwrite my own chrony.conf?
 
To those interested in NTS: See the post below for a list of other NTS-capable NTP-servers, possibly closer to home:


The post keeps being updated as I find new servers and I will also add whether it's a Stratum 1, 2 etc. server in the upcoming days.
 
no, if/when the "default" copy of chrony.conf from Github is updated, it will be downloaded as chrony.conf.default and (in the CLI) you'll see a prompt to compare the changes.
Great, thanks for your hard work and the sacrifice of your weekend. Really appreciated.
 
