
Solved Intercepting NTP traffic Philips Hue Hub


Why does a light bulb need to know what time it is?

I can think of two reasons besides knowing the time that the NTP requests are being made:
1) They're lazy and didn't turn it off
2) The request exposes the bulb's (or router's) IP address to the Chinese server for their use
 
Thank you, I had to wait a long time of refreshing to see it but got there in the end.

udp 192.168.1.30 33850 192.168.1.1 123

We have success.

Interestingly it seems that skynet was indeed blocking the ntp requests with the locale block cn anyway. I've checked a load of ntp requests today and they're mostly going out to uk, or google etc.

I've learnt quite a lot as well with this experiment and the help from you guys.

device-dns request- intercept-firewall-internet-time server-firewall-device, something like that anyway.

Happy now that the intercepts are working as expected.
Glad you found peace of mind on the subject. That is all I think you were really seeking.
 
Why does a light bulb need to know what time it is?

I can think of two reasons besides knowing the time that the NTP requests are being made:
1) They're lazy and didn't turn it off
2) The request exposes the bulb's (or router's) IP address to the Chinese server for their use
There isn't a better way to keep those lights punctual, than to have them periodically check the clock.
 
Why does a light bulb need to know what time it is?

I can think of two reasons besides knowing the time that the NTP requests are being made:
1) They're lazy and didn't turn it off
2) The request exposes the bulb's (or router's) IP address to the Chinese server for their use

For time scheduling of lights :)


@SomeWhereOverTheRainBow what I don't understand is that when using intercept (just on the merlin firmware without ntpmerlin) you need to have local ntp server enabled?
 
For time scheduling of lights :)


@SomeWhereOverTheRainBow what I don't understand is that when using intercept (just on the merlin firmware without ntpmerlin) you need to have local ntp server enabled?
That's what it says, local ntp server and that's what it does, it serves time to the local network. If it wasn't enabled, the router only gets its time for itself from an outside NTP server.
 
That's what it says, local ntp server and that's what it does, it serves time to the local network. If it wasn't enabled, the router only gets its time for itself from an outside NTP server.

Ahh makes sense, so the router gets its time from the pool, and gives it out to the clients.

Thanks !
 
Err, literally Asus router Left hand menu "System Log", tab "Connections"
System Log > Connections
 
If anyone is using Jack's ntpmerlin, you can search for ntp.conf with WinSCP or similar and edit the pool in there to a more local one if you wish.
 
Err, literally Asus router Left hand menu "System Log", tab "Connections"
System Log > Connections
I was (only) looking at the filesystem using SSH...

It did not occur to me to check the GUI...

Thank you for helping me find it!
 
I see 4 connections from the Hue bridge to time[1234].google.com (well, their IP addresses) with status "UNREPLIED".

Turns out I am using ntpmerlin, but did not have redirection of all NTP traffic to ntpmerlin enabled... (yet)

What should "Enable local NTP server" in Basic Config (router web GUI) be set to with this config, when using Chrony (instead of NTPD)?

(It's set to "No" here)
 
The WEBUI setting for enable local NTP server should be set to "No" and then enable the setting in NtpMerlin - and it should just work!
 
The WEBUI setting for enable local NTP server should be set to "No" and then enable the setting in NtpMerlin - and it should just work!
I believe if you install Jack's it turns off the merlin one during install.
 
I believe if you install Jack's it turns off the merlin one during install.
Yea, Jack has clever ways to make sure his scripts remain top priority over the built in "stuffs".

check-it-out. It is there in the code!


and here is where to send donations!

 
If you want to be extra safe you could create firewall/iptables rules to only allow NTP traffic to the destination you have configured in the GUI (default is pool.ntp.org and I think there are a couple IPs associated that you would need to whitelist).

If for some reason you found that NTP stops working (i.e. a bug with the intercept) you could create a DNS redirect or just create dns entries for their domains but pointing to ntp.org (alias or A records). This would probably need to be done with a script though.
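
To check from the router's shell whether NTP flows like the ones seen under System Log > Connections are being intercepted, the connection-tracking table can be classified by comparing each flow's requested destination with the address its replies come from. This is an added example, not code from the thread or from ntpmerlin; it assumes the table is readable at /proc/net/nf_conntrack, and the 203.0.113.x and 198.51.100.7 addresses in the sample are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample rows in /proc/net/nf_conntrack layout.
# 203.0.113.x = placeholder time servers, 198.51.100.7 = placeholder WAN IP.
SAMPLE='ipv4 2 udp 17 25 src=192.168.1.30 dst=203.0.113.10 sport=33850 dport=123 src=192.168.1.1 dst=192.168.1.30 sport=123 dport=33850 mark=0 use=2
ipv4 2 udp 17 12 src=192.168.1.30 dst=203.0.113.11 sport=40112 dport=123 [UNREPLIED] src=203.0.113.11 dst=198.51.100.7 sport=123 dport=40112 mark=0 use=2
ipv4 2 udp 17 28 src=192.168.1.44 dst=203.0.113.12 sport=51000 dport=123 src=203.0.113.12 dst=198.51.100.7 sport=123 dport=51000 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 300 ESTABLISHED src=192.168.1.30 dst=203.0.113.20 sport=44000 dport=443 src=203.0.113.20 dst=198.51.100.7 sport=443 dport=44000 [ASSURED] mark=0 use=2'

# Reads conntrack rows on stdin and prints "client requested_dst verdict"
# for every UDP flow whose original destination port is 123 (NTP).
classify_ntp_flows() {
    awk '
    $1 == "udp" || $3 == "udp" {
        osrc = odst = odport = rsrc = ""; unreplied = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "[UNREPLIED]") { unreplied = 1; continue }
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            # The first src/dst/dport belong to the original tuple (what the
            # client asked for); the second src is where replies come from.
            if (k == "src") { if (osrc == "") osrc = v; else if (rsrc == "") rsrc = v }
            else if (k == "dst" && odst == "") odst = v
            else if (k == "dport" && odport == "") odport = v
        }
        if (odport != "123") next
        # A DNAT/REDIRECT intercept rewrites the destination, so the reply
        # source no longer matches the server the client requested.
        if (rsrc != odst)   verdict = "intercepted-by-" rsrc
        else if (unreplied) verdict = "direct-unreplied"
        else                verdict = "direct"
        print osrc, odst, verdict
    }'
}

# On the router: classify_ntp_flows < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE" | classify_ntp_flows
```

A "direct-unreplied" row means the request left for the outside server and nothing came back, which is what a block without an intercept looks like; "direct" means the device reached an outside server.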
 
