What's new

NAS NTP with minimum security risk

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Stardust

Regular Contributor
Hey all.

I have a Synology NAS and an AX86U running Merlin's 382_2. I want to run NTP on my NAS with as little security risk as possible.
I can't connect to a NTP for now.
What shall I do?

Regards

John
 
Hey all.

I have a Synology NAS and an AX86U running Merlin's 382_2. I want to run NTP on my NAS with as little security risk as possible.
I can't connect to a NTP for now.
What shall I do?

Regards

John

Your NAS can query either the Asus or any standard NTP server, if it can't you have something blocking it. There is little to no security risk with using NTP.

Or are you saying you want to run an NTP server on your NAS? That also is fine as long as it is only for your LAN, I wouldn't open it to the internet, no reason to anyway. But your asus or public NTP servers are perfectly fine, no need to run your own server. pool.ntp.org is the usual one, you can even use localized versions but usually it does it for you automatically.
 
Point NAS NTP client to AX86U.
Run ntpMerlin chronyd on AX86U.
Do not know about Europe, but from my location the best time is from the Apple and Cloudflare pools.
If you are wealthy, get your own GPS sourced NTP server on your LAN, like the LeoNTP Time Server 1200.
 
Point NAS NTP client to AX86U.
Run ntpMerlin chronyd on AX86U.
Do not know about Europe, but from my location the best time is from the Apple and Cloudflare pools.
If you are wealthy, get your own GPS sourced NTP server on your LAN, like the LeoNTP Time Server 1200.

If you're really concerned with accuracy, why proxy the NTP? Just have your clients point to the pool of your choice (ntp.org, cloudflare, etc). One less offset calculation (and cheap clock crystal) in the path.

In reality if every device on your network is 1 msec off from each other, that is not going to impact anything. Nobody is engaged in high frequency stock trading via an asus router on their home internet, or clocking a WDM/TDM circuit, etc.
 
I can easily live with 1 msec delay. But without any NTP, the NAS was minutes wrong in a matter of days. - No fun.
 
I can easily live with 1 msec delay. But without any NTP, the NAS was minutes wrong in a matter of days. - No fun.
I still don't understand what the point of your thread was. You posted it in the general security thread so I assumed you were concerned about NTP security (of a server running on the NAS?) for some reason. But you also said you "can't connect to a NTP". What does this mean? Do you not have an internet connection? If so how is your router getting it's NTP?

So is this a network security question, a Synology NAS question, an NTP server question or an NTP client question?
 
Last edited:
I can easily live with 1 msec delay. But without any NTP, the NAS was minutes wrong in a matter of days. - No fun.
My NAS has three time server choices loaded in the software: time.google.com, time.nist.gov and pool.ntp.org. One of these should work regardless of where you are locates. You can also add a time server of your choice. I added time.cloudflare.com just as a test. If your time is not getting set right it is likely that the chosen time server is not being resolved. If this is the case you can use an IP address of a time server instead of a URL. However, this could fail if the server is down. Much better to use a time server network URL which will be directed to one of any number of active servers.
 
Thank you for both for info. I forgot to tell that my NAS is set up as a client. I will look into both your info and suggestions :)
 
I can easily live with 1 msec delay. But without any NTP, the NAS was minutes wrong in a matter of days. - No fun.

In which case just point the NAS to pool.ntp.org and you're done.
 
The pool.ntp.org did do the job. Did also try that before I posted this thread - hrm..
But it works now :)
 
The pool.ntp.org did do the job. Did also try that before I posted this thread - hrm..
But it works now :)
pool.ntl.org points to a list of different servers based on you location. It might be possible that you were trying to use a server that was down that first time.
 
pool.ntl.org points to a list of different servers based on you location. It might be possible that you were trying to use a server that was down that first time.

OP said their NAS was off by days, I've found that NTP takes a few tries to fix that, it sees the difference is too much and goes into some safety mode or something. I'm not sure what mechanism in NTP says "if you try once and it is really far off, don't change it, but if you try 2 or 3 times you must really be serious". I've run into devices that simply will not update no matter how many times you try when it is that far off, you have to manually set the time to something close, then it will update fine and continue updating.

I've never had an issue using the main "pool" but if you seem to see a lot of timeouts you can try using a country or region specific one. you can drill down quite a bit, there is a north-america.pool.ntp.org, us.pool.ntp.org, or even 0.us.pool and 1.us.pool etc.

If you need more than one server use 0.pool.ntp.org and 1.pool.ntp.org etc (or the country specific variants). I've found their geo-ip implementation to be pretty good and the regular pool has always worked fine. Even if you end up with a server in another country due to local server being down or Geo IP being off for your ISP, NTP is very good at calculating offset.

Of course windows uses microsoft by default, apple uses apple, some still use nist. Don't think any are unreliable enough to cause an issue for a home user, even if you get 1 out of every 10 updates you'll be fine. Even with the very wide tolerance allowances on the cheap crystals being put on even high end server motherboards.

Several companies sell Time as a Service (TaaS) where you can purchase NTP or much more expensive PTP. They send you a UDP stream from multiple GPS and Atomic sites, and their server or software client (or even hardware addin card for PTP) calculates a very precise offset within 1nS of the source. Uptake has been pretty slow since most of their target customers (telcos and financial companies) already have their own GPS setup or in some cases even a true atomic clock source (cute little "warning, radioactive material inside" sticker on it). It has to be delivered over private point to point circuits as it needs a pretty stable network latency to not mess with the offset calculation. My company resells a couple of them on our network, definitely not a hot item.

/Tangent
 
Unless you host equipment for Space X, just point it at a known working Internet server and call it a day.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top