ntpMerlin ntpMerlin - NTP Daemon for AsusWRT Merlin

[Jack Yaz]

I think it helps, as i am getting more successful NTP updates. might be a fluke, but it doesn't hurt to test to see if NTP interception improves.

i get 0 failures with the current rules, so I suspect something else is in play

 

[SomeWhereOverTheRainBow]

i get 0 failures with the current rules, so I suspect something else is in play

ip6tables -A INPUT -p udp --dport 123 -j DROP
ip6tables -A OUTPUT -p udp --sport 123 -j DROP
ip6tables -A INPUT -p tcp --dport 123 -j DROP
ip6tables -A OUTPUT -p tcp --sport 123 -j DROP

if you are curious for ipv6, though i am not sure which one you would want to use.

 

[pirx73]

Router settings should be disabled. Can you share the output of

iptables -t nat -S PREROUTING

please?

-P PREROUTING ACCEPT
-A PREROUTING -d <public_IP from ISP>/32 -j VSERVER
-A PREROUTING -s 192.168.5.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.5.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A PREROUTING -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.5.1
-A PREROUTING -p tcp -m tcp --dport 123 -j DNAT --to-destination 192.168.5.1

EDIT: iptables with NTP intercept enabled
My bad, i looked at log with NTP intercept disabled, this is how it is with NTP intercept enabled:
https://drive.google.com/file/d/1eHwyLyK9THczkA-Ns89jIVmVZFgPqpRj/view?usp=sharing

 

[pirx73]

Hello?
Should i add some iptable rules like ones were mentioned above?

 

[ugandy]

Hi,

I didn't find a conclusive answer, is it better to enable the redirect option or leave it disabled?
i understand some clients might not like it?

thanks

 

[L&LD]

@ugandy try it and see how your clients react.

It is enabled here since the script was first available.

 

[ugandy]

@ugandy try it and see how your clients react.

It is enabled here since the script was first available.

will try. what is the advantage? faster answers?

 

[L&LD]

The advantage is that all clients on the network will be using the same 'router time'.

Yeah, faster too.

 

[maghuro]

@Jack Yaz is it possible to implement some kind of log where we can see all the ntp requests that have been intercepted and also the ones which weren't? Separated from router log, just a "list" of everything that was intercepted by this script.

Asking this because I think I have a device that is bypassing this method. How? I don't know, but I see their requests in nextdns online log. And it it was intercepted, it wouldn't go to dns, it would stay on router.

Thanks!

 

[bluzfanmr1]

@Jack Yaz is it possible to implement some kind of log where we can see all the ntp requests that have been intercepted and also the ones which weren't? Separated from router log, just a "list" of everything that was intercepted by this script.

Asking this because I think I have a device that is bypassing this method. How? I don't know, but I see their requests in nextdns online log. And it it was intercepted, it wouldn't go to dns, it would stay on router.

Thanks!

Could this be achieved by using tcpdump on the ntp port?

tcpdump dst port 123

or

tcpdump -vvAs0 port 123

 

[dave14305]

Asking this because I think I have a device that is bypassing this method. How? I don't know, but I see their requests in nextdns online log. And it it was intercepted, it wouldn't go to dns, it would stay on router.

A DNS request for the NTP server name would come before an NTP request is initiated.

 

[immi803]

I'm using to direct all ntp queries to ntpMerlin, does it help? Or i should leave this option disabled? Here's my condition after switching it on for all queries

 

[ugandy]

when i restart ntpd i see this in the log.



Apr 20 18:30:30 RT-AX88U-8158 ntpd[20762]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized

is it a problem?

ntptime and ntp -q appear ok.

thanks

 

[JT Strickland]

Does anyone have a screen shot of what should be enabled on the Administration -> System tab?
I assume that "Enable local NTP server" should be on?
thanks,
jts

RT-AC86U w/ 384.16, RT-AC68U Aimesh node w/ same, Diversion, UiDivstats, Skynet, AiProtection, Scribe, UiScribe, Conmon, SpdMerlin, ScMerlin, Nsrum, NtpMerlin, OpenVPN selective clients

 

[juched]

Does anyone have a screen shot of what should be enabled on the Administration -> System tab?
I assume that "Enable local NTP server" should be on?
thanks,
jts

Not if you are using ntpmerlin. That is separate and should turn off that feature built into the firmware.

 

[dave14305]

I assume that "Enable local NTP server" should be on?
thanks,
jts

No, the script will disable it because it provides its own ntpd daemon via Entware.

 

[ugandy]

Apr 20 18:30:30 RT-AX88U-8158 ntpd[20762]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized

anyone else seeing this in their log?
thanks

 

[EmeraldDeer]

anyone else seeing this in their log?
thanks

Yes, I see that every restart

 

[Vexira]

Dropping IPv4 shouldn't be needed if redirecting it. I'll look into ip6tables

so the re direct doesn't intercept ipv6 ntp traffic, if that is the case it would explain the issues that i was having with it.

 

[NeoEpsilon]

Upgraded to Merlin 384.17, a quick look indicated a potential problem.
ntpMerlin set to intercept, test using manual time sync in Windows Time reported successful sync.
However, in AsusWRT connection log, port 123 connection from the PC is stated as UNREPLIED.
Yesterday with 384.16 it reported ASSURED, any confirmation or idea why..?
How come UNREPLIED = Successful sync..?

Note :
Disabling redirect resulted in ASSURED and successful sync (direct internet).