What good would that do? Until the GPS dongle is up and running the router sure has synced with an NTP server.
I've been thinking of hacking this together, as the delay of acquiring time-sync drives me nuts. "Raspberry Pi Buster – GPS Dongle as a time source" - talking to, or even taking the place of an RTC module... saw it on a ham radio video...
https://photobyte.org/raspberry-pi-stretch-gps-dongle-as-a-time-source-with-chrony-timedatectl/
I was wondering if, when a lower numbered stratum device becomes available over the network, it would take preference over the GPS dongle... maybe there's a better way...
Read above. And the check is: when it is 0 it is not synced, but 1 is OK:
Is there a way to implement a watchdog timer for NTP with a variable that scripts could query to ensure they only run if NTP is synced? Or, maybe a better solution would be a small appliance on the network that is a battery-backed NTP server? Maybe a RPi?
nvram get ntp_ready
What good would that do? Until the GPS dongle is up and running the router sure has synced with an NTP server.
If you had NOT rebooted your router for the wrong reason, then none of this would have happened.
^^^ I figured from following these forums over the years, the lack of an NTP sync was gumming up what I found/saw.
What you confirmed troubles me b/c that means when my router finally connected hours after it was rebooted with no internet connection, it had none of the AMTM tooling active - Diversion, Skynet, ...
So, didn't that operational state leave my "front door" open WRT firewall defenses? If so, then that troubles me more! That state is high risk and quite possible, and could expose users for weeks if you did not catch it like I did. Or do I badly misunderstand how all this is working?
This is also why I deploy a layered router/FW defense using multiple serialized routers -> 1 runs all the AMTM goodies and 1 downstream runs just Merlin with NO AMTM goodies - just default Merlin code. That means there are dual FWs to jump through to get to the most vulnerable PCs and other items. Yeah, I know "dual NATing" is not optimal, but I'll take that small hit over the increased security against this corner case - or maybe I got the design of how these work wrong? I've used this dual layer approach for 15+ years b/c I did not trust the vendor's FW or their lack of updates on some other branded routers I used before switching to ASUS+Merlin.
So, didn't that operational state leave my "front door" open WRT firewall defenses? If so, then that troubles me more! That state is high risk and quite possible, and could expose users for weeks if you did not catch it like I did. Or do I badly misunderstand how all this is working?
^^^ I agree with the statement. However, it does not alter the root cause failure scenario. The fact this failure scenario is quite possible and feasible exposes an issue which maybe should be considered in future designs. I also agree with the prior poster about not running enterprise class devices. But my home setup connects to enterprise class work VPNs with PII and other nasty gotchas if exposed - so I can never be too careful.
Sorry if not hiking all the way into the basement at 4:00 AM to see whether the modem was actually up was not my first choice of action. Don't shoot the messenger. I admire all the work TLC has done with AMTM for the entire ASUS community. I have also supported Merlin for years. I just want to know how exposed I am with this scenario.
However, I telecommute as well - and the network that goes to the big cities from 'dirtland' where I live had to be qualified for the suits with expensive hardware, service contracts and security audits - I had no choice... In my case, liability insurance without that was unobtainium... and that network never touches my home network with the fantastic-plastic stuff we all use... and yes it is fantastic - I'm not slamming it...
That's a surprising statement and raised my eyebrows by about an inch.
You have to keep in mind that they are essentially complicated cronjobs, so there are limitations.
If security needs to be that high, then personal devices (including the Asus router) are a big no-no anyway. Your employer cannot guarantee security on a device they don't control.
amtm, including its disk check and Diversion, start and work even if NTP fails to sync. My work has already been done and completed, a long time ago.
^^^ I agree with the statement. However, it does not alter the root cause failure scenario. The fact this failure scenario is quite possible and feasible exposes an issue which maybe should be considered in future designs. That is 100% up to @thelonelycoder and the many other developers of AMTM's many awesome add-ons! Quite often we make the reward/risk ROI assessments on code or product changes at work and sometimes the risk is accepted. That may be fine here too.
I also agree with the prior poster about not running enterprise class devices - never said we were nor do I think ASUS is an enterprise-class device. But, my home setup connects to enterprise class work VPNs with sensitive PII and other nasty gotchas if exposed - so I can never be too careful.
Sorry if not hiking all the way into the basement at 4:00 AM to see whether the modem was actually up was not my first choice of action. Please don't shoot the messenger. It helps everyone to understand. I admire all the work TLC has done with AMTM for the entire ASUS community. I have also supported Merlin for years. I just needed to understand how exposed I am with this failure scenario.
Updated: The poster above says the default ASUS FW remains active and is supplemented by Skynet, Diversion etc., which lowers the overall security risk substantially in this failure scenario. Thank you.
See this thread about a local network time server. Note posts #4 and #9
https://www.snbforums.com/threads/s...le-using-local-time-server.54461/#post-458759
Better than being reduced to a Windows Scheduled Task!
That's a surprising statement and raised my eyebrows by about an inch.
OK, so for the scripts that need NTP to be up in order to function properly, why don't they test this variable?
nvram get ntp_ready
OK, so for the scripts that need NTP to be up in order to function properly, why don't they test this variable?
# Skynet's startup gate: poll the router's ntp_ready flag (0 = not synced, 1 = synced)
# once per second for up to 300 seconds. The uninstall/disable paths skip the wait,
# since they do not depend on a correct clock.
ntptimer="0"
while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ] && ! echo "$1" | grep -qE "(uninstall|disable)"; do
    ntptimer="$((ntptimer + 1))"
    # After one minute of waiting, log a notice so the delay is visible in syslog.
    if [ "$ntptimer" = "60" ]; then echo; logger -st Skynet "[*] Waiting For NTP To Sync"; fi
    sleep 1
done
# Give up after 5 minutes rather than run with an untrusted clock.
if [ "$ntptimer" -ge "300" ]; then logger -st Skynet "[*] NTP Failed To Start After 5 Minutes - Please Fix Immediately!"; echo; exit 1; fi
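A reusable version of that gate, written here as an added example (not code from Skynet, amtm or any poster in this thread), that any time-sensitive script can source so it refuses to run until the router reports sync. It assumes the ASUSWRT-Merlin ntp_ready nvram flag (0 = not synced, 1 = synced); when no nvram binary is present it falls back to a constructed stand-in driven by the FAKE_NTP_READY variable so it can be exercised off the router.

```shell
#!/bin/sh
# ntp-gate.sh: refuse to run a script until the router's clock is NTP-synced.
# Assumes the Merlin "ntp_ready" nvram flag: "1" means synced, anything else does not.

# Off-router stand-in (constructed for testing): answers "nvram get ntp_ready"
# from FAKE_NTP_READY, defaulting to 0 (not synced). Real routers use the real binary.
if ! command -v nvram >/dev/null 2>&1; then
    nvram() { [ "$1" = "get" ] && [ "$2" = "ntp_ready" ] && printf '%s\n' "${FAKE_NTP_READY:-0}"; }
fi

# note TAG MESSAGE: write to syslog when logger exists, else to stderr.
note() {
    if command -v logger >/dev/null 2>&1; then logger -st "$1" "$2"; else printf '%s: %s\n' "$1" "$2" >&2; fi
}

# ntp_synced: true only when ntp_ready is exactly "1"; an empty or odd value is
# treated as not synced rather than as "probably fine".
ntp_synced() {
    [ "$(nvram get ntp_ready 2>/dev/null)" = "1" ]
}

# wait_for_ntp LIMIT_SECONDS [TAG]: poll once per second. Returns 0 once synced,
# 1 on timeout. Logs once at the halfway mark so a slow sync is visible in syslog.
wait_for_ntp() {
    limit="${1:-300}"
    tag="${2:-ntp-gate}"
    waited=0
    while ! ntp_synced; do
        if [ "$waited" -ge "$limit" ]; then
            note "$tag" "NTP not synced after ${limit}s - refusing to run with an untrusted clock"
            return 1
        fi
        if [ "$waited" -eq $((limit / 2)) ]; then
            note "$tag" "Waiting for NTP to sync (${waited}s so far)"
        fi
        waited=$((waited + 1))
        sleep 1
    done
    return 0
}

# require_ntp [LIMIT_SECONDS] [TAG]: call at the top of a script. Exit code 3
# lets cron or a wrapper tell "skipped, clock untrusted" apart from a real failure.
require_ntp() {
    wait_for_ntp "${1:-300}" "${2:-ntp-gate}" || exit 3
}
```

A script sources this file and calls `require_ntp 120 myscript` before doing anything time-dependent, such as fetching a blocklist over TLS or writing timestamped firewall state.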