NTP Daemon for ASUSWRT/Merlin

Short answer: Use this instead
Code:
#
logfile /opt/var/spool/ntp/ntp.log
driftfile /opt/var/spool/ntp/ntp.drift
leapfile /opt/var/spool/ntp/leap-seconds.list # https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list
#
restrict default limited kod nomodify notrap nopeer noquery # restrictive default IPv4
restrict -6 default limited kod nomodify notrap nopeer noquery # restrictive default IPv6
restrict source nomodify notrap noquery # required for pool directive if using restrictive default permissions
restrict 127.0.0.1 # permissive localhost IPv4
restrict -6 ::1 # permissive localhost IPv6
#
interface ignore wildcard
interface listen br0
#
disable auth
#
pool pool.ntp.org iburst
#
Long answer:
  • The ntp.conf that ntpdMerlin provides is fine. This is a slightly different alternative.
  • Using "pool" instead of "server" only requires the slightly relaxed permissions of the "restrict source" line above
  • The iburst argument is generally recommended. It allows for quicker time synchronization at startup.
  • Using pool instead of server enables extra algorithms in NTPD which are considered to be good but I do not know the details
  • The DNS for pool.ntp.org is configured to return geographically close NTP servers. However, I have noticed that I sometimes get servers as far as 120 msec of delay away.
  • The default restrict permissions are intended to come into play if you provide NTP to the public, but will be in effect on your LAN as well
  • The localhost restrict permissions enable you to run all of the NTP commands without restriction
  • You may notice that, since I have a "server" at 192.168.50.200, it is on my LAN. I have another computer with an NTP daemon which has a GPS connected to it in order to provide better time. This ntp.conf line allows my router to take advantage of this as an NTP client. You would not include this line in your ntp.conf
  • The interface commands determine which networks you can provide NTP time to. The first line sets a default to not provide NTP time. The second line enables your router to provide NTP time on the LAN interface. Do you need "interface listen br0" for the router to have NTP time? No, it is only necessary if you want to provide NTP time to the computers on your LAN.
  • You do not need the stats. The router GUI graph data is collected another way. But if you are troubleshooting, it is nice for them to be available even if looking back and forth at the reference documentation to decode is frustrating.
  • In order to validate NTP daemon startup, you need to first look at /tmp/syslog.log and then /opt/var/spool/ntp/ntp.log because it switches over
  • The leapfile can be considered esoteric but when they do happen it is nice to avoid the clock being instantaneously wrong by a second. You can wget the file at the URL in the comment.
  • Do not use minpoll or maxpoll below 6 (64 seconds) unless the target is your computer. If not your computer, do not set them at all.
Thanks. I updated the ntp.conf file, then rebooted, then looked at the ntp.log file. The only thing I saw that stuck out was:

20 Mar 16:28:40 ntpd[1705]: leapsecond file ('/opt/var/spool/ntp/leap-seconds.list'): stat failed: No such file or directory

Will that file get auto-created when there are leap-seconds?

Also now that I'm using the pool, it looks like there are a number of servers that will be used. I am not currently causing any of them to use the WAN in my OpenVPN config, so I presume all of these ntp transactions are through the VPN? Is that an issue for the accuracy of any of the data? Or, is there a way to configure the VPN client to cause all pool.ntp.org requests to use the WAN? Or, maybe that is a question better asked of the OpenVPN guys?

I just recalled that all requests from my router (192.168.2.1) are going to the WAN, so maybe the VPN issue is a non-issue?

Thanks for your help.
 
You will need to download the file
Code:
# cd /opt/var/spool/ntp
# wget https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list
I do not know because I would never configure an OpenVPN client for an entire router's traffic. In general, the greater the delay and especially the greater the asymmetry between send and return to/from an NTP server, the less accurate an NTP client can be. Since you do not know which NTP servers the pool will return your DNS request with, I do not see a way to make a rule concerning them. All that being said, it is entirely possible that NTP can remain synchronized even through a VPN.
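
Added example, not part of the original thread or of ntpdMerlin: leap-seconds.list carries its own SHA-1 on the `#h` line and an expiry time on the `#@` line, so a download can be checked before ntpd is pointed at it. The function names and the temporary path in the usage comment are assumptions; the embedded hash catches a truncated or garbled download but is not a signature, so authenticity still rests on the HTTPS fetch.

```shell
#!/bin/sh
# Added example (constructed): sanity-check a downloaded leap-seconds.list.
NTP_UNIX_OFFSET=2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

# Digits covered by the file's own SHA-1: the "#$" and "#@" values and every
# data line, with comments and whitespace stripped.
leap_digits() {
    grep -E '^(#\$|#@|[0-9])' "$1" | sed -e 's/^#[$@]//' -e 's/#.*$//' | tr -cd '0-9'
}

leap_computed_hash() {
    leap_digits "$1" | sha1sum | cut -d' ' -f1
}

# Hash recorded on the "#h" line: five hex groups, each of which may have
# lost its leading zeros, so every group is padded back to 8 digits.
leap_recorded_hash() {
    awk '$1 == "#h" {
        for (i = 2; i <= 6; i++) {
            g = tolower($i); while (length(g) < 8) g = "0" g; printf "%s", g
        }
        exit
    }' "$1"
}

# Expiry from the "#@" line, converted from NTP seconds to Unix seconds.
leap_expiry_unix() {
    ntp=$(sed -n 's/^#@[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$ntp" ] && echo $((ntp - NTP_UNIX_OFFSET))
}

# check_leapfile FILE [NOW]: returns 0 = usable, 1 = damaged, 2 = expired.
check_leapfile() {
    now=${2:-$(date +%s)}
    rec=$(leap_recorded_hash "$1")
    [ -n "$rec" ] && [ "$rec" = "$(leap_computed_hash "$1")" ] ||
        { echo "hash missing or mismatched"; return 1; }
    exp=$(leap_expiry_unix "$1") || { echo "no expiry line"; return 1; }
    [ "$now" -lt "$exp" ] || { echo "expired"; return 2; }
    echo "ok, valid until Unix time $exp"
}

# Usage on the router (the /tmp path is an assumption):
#   wget -O /tmp/leap.new https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list \
#     && check_leapfile /tmp/leap.new \
#     && mv /tmp/leap.new /opt/var/spool/ntp/leap-seconds.list
```

Return code 2 means the copy is intact but past its expiry and needs to be fetched again.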
 
It appears that Comcast rebooted my cable modem. Part of the router's response is to start the "ntp" client. All I have done is what ntpdMerlin startup script does: "killall ntp".

If you look through this thread for ntp client disable ideas, they are not subtle. So I will drop this for now.
 
@Jack Yaz,

I installed ntpd-Merlin in my AX88U and now waiting for graphs to generate. Great job and thank you for making this happen in such a short amount of time!

Had a suggestion regarding the appearance of the options in the menu. Would you consider rearranging and numbering the available options as displayed below?

Code:
1.  Generate updated ntpdMerlin graphs now

2.  Toggle redirect of all NTP traffic to ntpdMerlin
      (current status = Enabled)

3.  Update ntpdMerlin
  
4.  Exit ntpdMerlin

Also, when bringing up the menu, I caught myself typing several times "ntpdMerlin" and couldn't understand at first why the menu wasn't coming up and then realized that I should have typed "ntpMerlin" instead. I guess you get so used to seeing ntpd... in the menu and you automatically assume that the shortcut should be the same everywhere:).

If this makes sense to you and others, would you also consider using the following to bring up the menu:

Code:
ntpd

to make it similar to AMTM's:

Code:
amtm

It would help to not have to type as much....Alright, maybe I am being too picky now.;)

Thanks for all you do!
 
Thanks - I will manually do that.

Jack - Is that download something that should be in your script?

Also, as another suggestion, for the horizontal axis for the graphs with dates, any chance you could display them in the US way when the location is the US, ie, mm/dd vs dd/mm as is common elsewhere?
 
Re. Menu, I chose letters to free up numbers for future features, so I don't have to juggle the menu code each time

I went with ntpmerlin for the script name to make autocomplete easier. ntpd tab won't automatically prefill ntpdmerlin since ntpd is added to bin by entware, so you would have to type ntpdm and then press tab. I shortened it so ntpm and then tab will do the trick. I might rename the script to match to clear up the mismatch currently
 
I considered it but I don't think we're due a leap year for a couple of years so I left it out for the time being :D

I'll see if I can understand the graph generating code, that's currently untouched by me and is kvic's original code
 
I’d stick with the universal ISO date format - yyyy-mm-dd
It can’t be confused and is sortable (not that sorting is important in this case!). I work with customers all over the world and adopting this format a few years ago has saved a lot of time for me!


Sent from my iPhone using Tapatalk
 
Thank you!!


 
I would second this suggestion! :)
 
I installed this over my previous manual installation of the kvic version. It works, but the graphs all say 0. Even after choosing to manually generate a graph using ntpmerlin.

I also tried ntpstats.sh and the output is:
Code:
ERROR: Opening '/www/stats-ntp-offset.png' for write: Read-only file system
ERROR: Opening '/www/stats-week-ntp-offset.png' for write: Read-only file system
ERROR: Opening '/www/stats-week-ntp-sysjit.png' for write: Read-only file system
ERROR: Opening '/www/stats-ntp-sysjit.png' for write: Read-only file system
ERROR: Opening '/www/stats-week-ntp-freq.png' for write: Read-only file system
 
Could you send the output of
Code:
 df -h
please?
 
Code:
Filesystem                Size      Used Available Use% Mounted on 
/dev/root                37.1M     37.1M         0 100% / 
devtmpfs                124.8M         0    124.8M   0% /dev 
tmpfs                   124.9M      6.6M    118.3M   5% /tmp 
/dev/mtdblock4           62.8M      3.2M     59.5M   5% /jffs 
/dev/sda                234.7G     41.6G    181.2G  19% /tmp/mnt/USB256 
/dev/mtdblock4           62.8M      3.2M     59.5M   5% /www/Feedback_Info.asp 
/dev/mtdblock4           62.8M      3.2M     59.5M   5% /www/require/modules/menuTree.js
 
Weird, it started working now without me doing anything at all. The graphs are updated even though ntpstats.sh still produces the exact same error.

Though now I noticed a new error about every 2nd hour:
Code:
ntpd[17382]: frequency file /opt/var/lib/ntp/ntp.drift.TEMP: No such file or directory
 
Dirty flashed the beta 3 on my AX88U and my NTP Daemon tab under Tools is gone. Rebooted a couple of times but no luck. Guess, I will reinstall ntpdMerlin again. This is the first script that has disappeared during a dirty upgrade. Everything else I have installed is still there (amtm, Skynet, Diversion, etc).

Has anyone else observed this?


 
When I dirty flashed beta 3 the /jffs filesystem would not mount.

I tried a factory reset with the reset button and the router would not boot. One LED was flashing suggesting it was in recovery mode. I had to use the Rescue app to force load beta 3 and start over.
 
When working with Skynet today, the ntp client was started again, throwing my time off by 25 msec. Looking through /tmp/syslog.log, it appears that the last script to run from the changes is dnsmasq.postconf. I have decided to try putting a "killall ntp" at the end. The idea is that dnsmasq.postconf runs too late after a reboot for this to be a problem yet still inhibits ntp client from running after minor changes.
Code:
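#!/bin/sh
# dnsmasq.postconf: $1 is the path of the generated dnsmasq config
CONFIG="$1"
source /usr/sbin/helper.sh   # provides pc_delete, pc_replace, pc_append
pc_delete "dhcp-option=dnsf5" "$CONFIG"
pc_delete "dhcp-option=dnsf6" "$CONFIG"
pc_replace "dhcp-script=/sbin/dhcpc_lease" "dhcp-script=/jffs/scripts/log-dhcp.sh" "$CONFIG"
pc_append "neg-ttl=3600" "$CONFIG"
pc_delete "no-negcache" "$CONFIG"
pc_delete "servers-file=/tmp/resolv.dnsmasq" "$CONFIG"
#
# Stop the firmware's ntp client, which gets restarted after configuration changes
killall ntp
#
. /opt/share/diversion/file/post-conf.div # Added by Diversion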
 
