What's new

Setting NTP server options

  • Thread starter Deleted member 62525
  • Start date
  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

D

Deleted member 62525

Guest
Some packages and services running on the router require NTP services. There are many options to configure NTP services on local LAN.
1. Configure your Asus router and provide primary/secondary location eg: ca.pool.ntp.org. This makes the router NTP server.
2. Same as option 1 but provide NTP outside server actual IP addresses
3. Configure your ISP modem to be NTP server
4. Install ntpMerlin package. Your router becomes NTP server.

Which one do you use and which is the most reliable or better than others?
From the first look it makes sense to use ISP modem NTP server, since it is up and available when Asus router is rebooting.
 
ISP gateway is the technically proper place, but if you're rebooting your router, attached devices are relying on their internal clocks anyway, or the time reference from their cellular connection.
If you've bridged the ISP equipment and do the ISP authentication on your router (This Is The Way rather than potential double NAT, especially if you've Native IPv6 available from your provider), your router should be the timeserver for your network

I've chosen option 4 using chrony

If I can infer correctly from your post that you're Canadian, use the NRC timeservers: time.nrc.ca and time.chu.nrc.ca - "fact check" the CBC lol
if you're "near" U of T - tick and tock.utoronto.ca USask has a set of servers too iirc (if there's a nuclear engineering dept at any Uni, I'd bet on them having atomic clocks)
Also - https://www.torix.ca/community-projects/ could be of interest <- this is usually the preferred source on my ntpMerlin (probably because my ISP's servers are colocated at one of their locations as I understand it; I am 6-7ms ping-time away)
I also reference apple's timeservers and cloudflare
 
In my case, yes I have mu ISP (Telus) router bridged. Since I am using Unbound DNS and need NTP before it starts I was wondering which is the best way. Technically as you pointed out providing NTP services with ISP modem would be the best way since it is running at all times. If my asus router is rebooting it does not have to wait for NTP sync too long since it will get the current time from my local ISP modem. Unbound DNS is very sensitive to this.
 
Some packages and services running on the router require NTP services.
What packages and services are you thinking of? There are certain applications that require the router's date and time to be set correctly but that is not the same as those applications requiring access to an NTP server.
 
What packages and services are you thinking of? There are certain applications that require the router's date and time to be set correctly but that is not the same as requiring access to an NTP server.
Unbound DNS. Unbound will not start unless NTP has started and unbound is able to obtain proper date/time.
 
Unbound DNS. Unbound will not start unless NTP has started and unbound is able to obtain proper date/time.
That was my point. I don't use Unbound so I don't know how it works, but I would assume that it just needs the router's date and time to be set correctly. I'd guess that Unbound does not need to query an NTP server directly itself, or are you saying that it does?
 
That was my point. I don't use Unbound so I don't know how it works, but I would assume that it just needs the router's date and time to be set correctly. I'd guess that Unbound does not need to query an NTP server directly itself, or are you saying that it does?
I don't think it does but it needs current date/time. I currently use my router as NTP server which takes some time to sync when router is rebooted. In some cases when its late Unbound does not start. Not a big deal or anything but I was just wondering if I were to use ISP modem NTP server this condition would be eliminated. I have to try it out when wife goes to work and I do these experiment. I posted the question to see if that makes sense and if others are configuring the LAN this way. Any cons and pros for using ISP NTP vs Asus router (bridged) behind the ISP modem?
 
I don't think it does but it needs current date/time.
OK, that's what I thought. Same as the DoT server (stubby) needing the router's date and time to be set correctly so that it can create the TLS connection.

The problem, as you highlight, with the router using an internet time source is the inevitable delay before the connection to the internet can be established.

Side note: I also experienced a secondary problem when using pool.ntp.org as the time source. In my location (UK) the servers returned by pool.ntp.org are frequently unreliable which causes the router's NTP client to wait an additional 11 minutes before trying them again.:mad: Switching to time.cloudflare.com and time.windows.com immediately fixed that problem.:)

UPDATE: I've noticed that time.cloudflare.com is now often not responding. I've replaced cloudflare with time.google.com. As the cloudflare server is often included in pool.ntp.org that may become a problem (guess).

As you surmised if you have access to a reliable always-on local time source that would be better for the router. I don't know how much quicker your ISP modem's NTP server would be at becoming accessible. It might still be dependent on the delay in the WAN interface coming up. In a business environment you would use a server (usually a cluster of servers) on the LAN to provide time services, typically a domain controller. The router's access to the LAN after a reboot is pretty quick compared to access through the WAN interface. But not everybody runs a server on their LAN.
 
Last edited:
OK, that's what I thought. Same as the DoT server (stubby) needing the router's date and time to be set correctly so that it can create the TLS connection.

The problem, as you highlight, with the router using an internet time source is the inevitable delay before the connection to the internet can be established. Side note: I also experienced a secondary problem when using pool.ntp.org as the time source. In my location (UK) the servers returned by pool.ntp.org are frequently unreliable which causes the router's NTP client to wait an additional 11 minutes before trying them again.:mad: Switching to time.cloudflare.com and time.windows.com immediately fixed that problem.:)

As you surmised if you have access to a reliable always-on local time source that would be better for the router. I don't know how much quicker your ISP modem's NTP server would be at becoming accessible. It might still be dependent on the delay in the WAN interface coming up. In a business environment you would use a server (usually a cluster of servers) on the LAN to provide time services, typically a domain controller. The router's access to the LAN after a reboot is pretty quick compared to access through the WAN interface. But not everybody runs a server on their LAN.
Thanks @ColinTaylor for the suggestion. The easiest thing for me to try is to switch the router to different time source and do few reboots to see. Since I am in western Canada I will try NRC time sources and go from there.
 
If you dig into the ntpMerlin master thread, I believe you will be able to find directions on how to get the server/addon synced sooner (to prevent the issues you're mentioning) by moving it into a different place in the boot sequence of the router...where the script is called from and when in the process.
Is there a specific reason you reboot the router often?

NTP sources:
from https://gist.github.com/mutin-sa/eea1c396b1e610a2da1e5550d94b0453 I was right about USask: tick and/or/ tock.usask.ca
also in Sask is clock.uregina.ca
there's also yycix.ntp.ca in Calgary
 
If you dig into the ntpMerlin master thread, I believe you will be able to find directions on how to get the server/addon synced sooner (to prevent the issues you're mentioning) by moving it into a different place in the boot sequence of the router...where the script is called from and when in the process.
Is there a specific reason you reboot the router often?

NTP sources:
from https://gist.github.com/mutin-sa/eea1c396b1e610a2da1e5550d94b0453 I was right about USask: tick and/or/ tock.usask.ca
also in Sask is clock.uregina.ca
there's also yycix.ntp.ca in Calgary
I don't reboot the router often. Only after firmware or package updates in some cases. But when it does reboot many times Unbound DNS would not start. I will try different time source and we will see if that fixes the issue. Thanks for your suggestion.
 
I find that when I'm forced to reboot, rebooting the gateway/modem first, letting it settle and then rebooting my AC86 makes the process much smoother/more reliable/faster, especially with unbound. YMMV.
the router needs to authenticate with your ISP, but until the modem is able to pass data, the router is freewheeling, and the scripts launching during that process confuzzles things.
IOW and IIRC, while ntpMerlin is syncing, the router defaults to looking for time/date from a backup source, and then Jack's script cuts in on the dance, so to speak.
the process mightve been a bit speedier when I was using DDNS...maybe, MAYBE.
 
I have been using chronyc from ntpmerlin for some time before started to use unbound. So far I have not face this issue. My WAN is PPPoE connection. If I am not mistaken unbound is started from post-mount script. Before post-mount script is run, the router should have run pre-mount script first. In pre-mount script, there is amtm disk check. amtm disk check itself has a timer of 100 seconds waiting for NTP to sync. I find the timer value in amtm disk check is adequate as I seldom see the 100s timer runs out before NTP is sync.
 
In my location (UK) the servers returned by pool.ntp.org are frequently unreliable which causes the router's NTP client to wait an additional 11 minutes before trying them again.:mad: Switching to time.cloudflare.com and time.windows.com immediately fixed that problem.:)
Frequently unreliable ? Ouch. I've just taken a look at my UK-based ntp pool server and it looks fine, low ping to elsewhere, small offsets to the big ntp boys, seriously low jitter... for all the last 24 hours. The pool monitoring system gives me the max score for the last month. OK, I am but just one server in a pool of volunteers of variable quality. As a matter of interest, and perhaps something else for me to routinely check, how do you notice the unreliability - no ntp response to DNS query ? dodgy time ?
 
Frequently unreliable ? Ouch. I've just taken a look at my UK-based ntp pool server and it looks fine, low ping to elsewhere, small offsets to the big ntp boys, seriously low jitter... for all the last 24 hours. The pool monitoring system gives me the max score for the last month. OK, I am but just one server in a pool of volunteers of variable quality. As a matter of interest, and perhaps something else for me to routinely check, how do you notice the unreliability - no ntp response to DNS query ? dodgy time ?
When I started experiencing problems I ran tcpdump on the NTP activity from the router. IIRC the problem was that while pool.ntp.org resolves to four different IP addresses the router only attempts to connect to one of them. Of those four addresses quite often some of them simply wouldn't reply the first time they were queried. The router didn't bother trying to use any of the other addresses but simply decided to wait for 11 minutes*** before trying again.

So the "blame" isn't so much that pool.ntp.org returns addresses of servers that don't respond but that the router's NTP client doesn't react to that in a sensible way (IMHO).

*** EDIT: I have to correct that 11 minute statement. Going back and testing this again it looks like the retry period is ~85 seconds. The main problem is still the way that the NTP client only uses one single IP address that it initially resolves from pool.ntp.org and keeps trying to use that even when it's not responding. It never seems to "re-resolve" the IP address even if a particular server isn't part of the pool any more. So I think in my initial test it just took ~11 minutes for a particularly bad server to reply.
 
Last edited:
Fair enough - not really an ntp pool issue then. Perhaps not even an ntp pool server issue, as not receiving a reply doesn't necessarily mean one was not sent. A router 11 minute retry interval does sound slow, although rather more friendly than those who twiddle burst/minpoll to hammer ntp servers.

To be a good netizen, I'd agree with the OP's thought to "use ISP modem NTP server" or at least something that is local in network terms. Extra friendly netizens could use their Merlinized router as their network's ntp server and point everything else to it.
 
I don't know if it is just me, but for a day now I have switched from ca.pool.ntp.org to time.nrc.ca time source and I am experiencing much faster page loads. I will try rebooting the router over the weekend and find out if that make a difference with Unbound. Default Unbound startup script has a 300 sec delay waiting for NTP. Even with that delay sometimes it would not start. We will see if changing time sources made the difference.
 
I don't know if it is just me, but for a day now I have switched from ca.pool.ntp.org to time.nrc.ca time source and I am experiencing much faster page loads.
You may have faster page loads but there’s no scenario where it would be caused by changing NTP servers.
 
You may have faster page loads but there’s no scenario where it would be caused by changing NTP servers.
@dave14305 re. my post #6. Looking at the unbound_manager script it says that a local NTP server is a prerequisite. Is this really the case? A cursory scan of the official Unbound documentation only mentions that the machine running Unbound must have the correct date and time set for DNSSEC and that an NTP client is one way to do that. So I can't see why an NTP server is required. What am I missing?
 
@dave14305 re. my post #6. Looking at the unbound_manager script it says that a local NTP server is a prerequisite. Is this really the case? A cursory scan of the official Unbound documentation only mentions that the machine running Unbound must have the correct date and time set for DNSSEC and that an NTP client is one way to do that. So I can't see why an NTP server is required. What am I missing?
That NTP server nonsense was a recommendation by rgnldo that morphed into a prerequisite by Martineau. I fondly think of that time as the storming clown years.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top