ntpMerlin ntpMerlin - NTP Daemon for AsusWRT Merlin

[joe68000]

well NAT Acceleration is not necessary if you have a slow connection,, but you may suffer if you have a top teir connection and you disable it.

I forgot to mention that I removed "tos maxdist 16" from my ntp.conf after disabling the LAN switches.

I have FIOS 100 Mbps up/down. I've done a bunch of speed tests from various devices on subnets on my network and I haven't seen any degradation in speeds. I also haven't noticed any difference in CPU loads.

 

[Swistheater]

I forgot to mention that I removed "tos maxdist 16" from my ntp.conf after disabling the LAN switches.

I have FIOS 100 Mbps up/down. I've done a bunch of speed tests from various devices on subnets on my network and I haven't seen any degradation in speeds. I also haven't noticed any difference in CPU loads.

Yea you wouldnt notice anything unless you had much higher speeds.

 

[Swistheater]

Ntpmerlin is a great script , I love the ability to be able to customize ntp.conf. And the graphs to show the setup..

 

[EmeraldDeer]

I continued trying to figure out why my network required "tos maxdist 16" to get ntpd to sync. Even with that setting, ntpd would very frequently switch peers - but it least it would stay synced. Finally, I disabled everything in "LAN - Switch Control". Before, I had everything enabled. Now ntpd syncs right up and is quite stable. Not sure why I had enabled all of those features to begin with...

My guess is Jumbo Frames although I cannot explain why, anecdotally, it is so problematic.

 

[Argonaut]

Ntpmerlin is a great script , I love the ability to be able to customize ntp.conf. And the graphs to show the setup..

Yes it is thanks to Jack Yaz for making it so easy to install and kvic for the early development.

The thing I love about it is that you can use ntpq -p to see what's going on and in particular "NTP Time Server Monitor by Meinberg 1.04" which shows at a glance how everything is running.

To my knowledge you can't do that with the stock ntp?

Question regarding the color in the graphs - the offset shows in yellow but the jitter shows in grey. Any way to change the jitter to say red?

 

[joe68000]

I forgot to mention that I removed "tos maxdist 16" from my ntp.conf after disabling the LAN switches.

I have FIOS 100 Mbps up/down. I've done a bunch of speed tests from various devices on subnets on my network and I haven't seen any degradation in speeds. I also haven't noticed any difference in CPU loads.

After a bunch more experimentation, enabling CTF was causing my ntpd problems. Not sure why exactly, but I'm not seeing any performance difference with it off.

 

[Makaveli]

After a bunch more experimentation, enabling CTF was causing my ntpd problems. Not sure why exactly, but I'm not seeing any performance difference with it off.

There is no difference because your wan speed is not fast enough yet.

I believe you need a > 500 Mbps connection before you will notice it.

 

[Jumpstarter]

has anybody figured out what is causing ntp merlin to lose its "redirect option" on the prerouted traffic?

NTP_Redirect(){
    case $1 in
        create)
            iptables -t nat -D PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
            iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
            Auto_DNSMASQ create 2>/dev/null
        ;;
        delete)
            iptables -t nat -D PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
            Auto_DNSMASQ delete 2>/dev/null
        ;;
    esac
}

the iptables -t nat -D PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null -----in the create option.
should possibly be coded as a second option or maybe a append only if needed style

 

[Jack Yaz]

has anybody figured out what is causing ntp merlin to lose its "redirect option" on the prerouted traffic?

NTP_Redirect(){
    case $1 in
        create)
            iptables -t nat -D PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
            iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
            Auto_DNSMASQ create 2>/dev/null
        ;;
        delete)
            iptables -t nat -D PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
            Auto_DNSMASQ delete 2>/dev/null
        ;;
    esac
}

the iptables -t nat -D PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null -----in the create option.
should possibly be coded as a second option or maybe a append only if needed style

Uptime 12 days 20 hours 1 minute(s) 27 seconds

Rules still intact:

admin@RT-AC86U:/tmp/home/root# iptables -t nat -S | grep 123
-A PREROUTING -p udp -m udp --dport 123 -j DNAT --to-destination 10.14.16.1

-D -A/-I is an accepted practise. While you could -C to see if the rule exists, there is little to no difference.

My advice is to try and check regularly, and catch whatever is in syslog that might be causing it

 

[Jumpstarter]

I saw one guy said it might be related to changes inside miniupnpd wouldn't it be better to place the option inside firewall start -vs nat-start?

 

[Jack Yaz]

I saw one guy said it might be related to changes inside miniupnpd wouldn't it be better to place the option inside firewall start -vs nat-start?

I've just forced miniupnpd to restart (service restart_upnp seems to do it), and no changes. In any case, I've just pushed a hotfix that adds a sleep inside ntpmerlin when called from nat-start, to adopt best practise for nat-start calls

 

[Jumpstarter]

Uptime 12 days 20 hours 1 minute(s) 27 seconds

Rules still intact:

admin@RT-AC86U:/tmp/home/root# iptables -t nat -S | grep 123
-A PREROUTING -p udp -m udp --dport 123 -j DNAT --to-destination 10.14.16.1

-D -A/-I is an accepted practise. While you could -C to see if the rule exists, there is little to no difference.

My advice is to try and check regularly, and catch whatever is in syslog that might be causing it

merlins built in feature uses

when you iptables -t nat -S | grep 123 -with merlins built in server it uses

-A PREROUTING -i br0 -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
-A PREROUTING -i br0 -p tcp -m tcp --dport 123 -j REDIRECT --to-ports 123

what is the main difference???

 

[Jack Yaz]

@RMerlin what is the cleanest way to restart things after setting the below nvram please? By clean, I mean that ntpd from the firmware will be stopped and the redirect iptables rules removed

nvram set ntpd_enable=0
nvram set ntpd_server_redir=0

 

[Jumpstarter]

How about

iptables -t nat -S | grep 123

NTP_Redirect(){
    case $1 in
        create)
          If
            iptables -t nat -S | grep 123 > /dev/null 2>&1
         Then
            iptables -t nat -D PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
            iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
             Auto_DNSMASQ create 2>/dev/null
         Else
            iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
            Auto_DNSMASQ create 2>/dev/null
          Fi

        ;;
        delete)
            iptables -t nat -D PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
            Auto_DNSMASQ delete 2>/dev/null
        ;;
    esac
}

 

[Jack Yaz]

How about

iptables -t nat -S | grep 123

NTP_Redirect(){
    case $1 in
        create)
          If
            iptables -t nat -S | grep 123 > /dev/null 2>&1
         Then
            iptables -t nat -D PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)" 2>/dev/null
            iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
             Auto_DNSMASQ create 2>/dev/null
         Else
            iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
            Auto_DNSMASQ create 2>/dev/null
            Fi

        ;;
        delete)
            iptables -t nat -D PREROUTING -p udp --dport 123 -j DNAT --to "$(nvram get lan_ipaddr)"
            Auto_DNSMASQ delete 2>/dev/null
        ;;
    esac
}

What problem does this solve? It's not a case of -D firing and not the -A (causing the rules to go missing)

 

[Jumpstarter]

It may create flexibility to add a cron job check

 

[Jumpstarter]

I am for the notion that the only reason it would be missing from the iptables is if the script deleted it. And not because it didnt fire up on a reboot.

 

[Jumpstarter]

Maybe a forced up date could cause it.

 

[RMerlin]

@RMerlin what is the cleanest way to restart things after setting the below nvram please? By clean, I mean that ntpd from the firmware will be stopped and the redirect iptables rules removed

nvram set ntpd_enable=0
nvram set ntpd_server_redir=0

service restart_time
service restart_firewall

 

[Jack Yaz]

service restart_time
service restart_firewall

Thanks!