ntpMerlin - NTP Daemon for AsusWRT Merlin

I get 0 failures with the current rules, so I suspect something else is in play.
Code:
ip6tables -A INPUT -p udp --dport 123 -j DROP
ip6tables -A OUTPUT -p udp --sport 123 -j DROP
ip6tables -A INPUT -p tcp --dport 123 -j DROP
ip6tables -A OUTPUT -p tcp --sport 123 -j DROP

If you are curious about IPv6, though I am not sure which one you would want to use.
 
Router settings should be disabled. Can you share the output of
Code:
iptables -t nat -S PREROUTING
please?
Code:
-P PREROUTING ACCEPT
-A PREROUTING -d <public_IP from ISP>/32 -j VSERVER
-A PREROUTING -s 192.168.5.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.5.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A PREROUTING -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.5.1
-A PREROUTING -p tcp -m tcp --dport 123 -j DNAT --to-destination 192.168.5.1
EDIT: iptables with NTP intercept enabled
My bad, I looked at the log with NTP intercept disabled; this is how it is with NTP intercept enabled:
https://drive.google.com/file/d/1eHwyLyK9THczkA-Ns89jIVmVZFgPqpRj/view?usp=sharing
 
Hello?
Should I add some iptables rules like the ones that were mentioned above?
 
Hi,

I didn't find a conclusive answer: is it better to enable the redirect option or leave it disabled?
I understand some clients might not like it?

thanks
 
@ugandy try it and see how your clients react. :)

It is enabled here since the script was first available. :)
 
Will try. What is the advantage? Faster answers?
 
The advantage is that all clients on the network will be using the same 'router time'. :)

Yeah, faster too. :)
 
@Jack Yaz is it possible to implement some kind of log where we can see all the ntp requests that have been intercepted and also the ones which weren't? Separated from router log, just a "list" of everything that was intercepted by this script.

Asking this because I think I have a device that is bypassing this method. How? I don't know, but I see their requests in nextdns online log. And if it was intercepted, it wouldn't go to dns, it would stay on router.

Thanks!
 
Could this be achieved by using tcpdump on the ntp port?

Code:
tcpdump dst port 123
or
Code:
tcpdump -vvAs0 port 123
 
Asking this because I think I have a device that is bypassing this method. How? I don't know, but I see their requests in nextdns online log. And if it was intercepted, it wouldn't go to dns, it would stay on router.
A DNS request for the NTP server name would come before an NTP request is initiated.
 
I'm using it to direct all NTP queries to ntpMerlin, does it help? Or should I leave this option disabled? Here's my condition after switching it on for all queries:
Screenshot_20200421-045651.jpg
Screenshot_20200421-045528.jpg
 
When I restart ntpd I see this in the log:

Apr 20 18:30:30 RT-AX88U-8158 ntpd[20762]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized

Is it a problem?

ntptime and ntp -q appear ok.

thanks
 
Does anyone have a screen shot of what should be enabled on the Administration -> System tab?
I assume that "Enable local NTP server" should be on?
thanks,
jts

RT-AC86U w/ 384.16, RT-AC68U Aimesh node w/ same, Diversion, UiDivstats, Skynet, AiProtection, Scribe, UiScribe, Conmon, SpdMerlin, ScMerlin, Nsrum, NtpMerlin, OpenVPN selective clients
 
Apr 20 18:30:30 RT-AX88U-8158 ntpd[20762]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized

Anyone else seeing this in their log?
thanks
 
Dropping IPv4 shouldn't be needed if redirecting it. I'll look into ip6tables
So the redirect doesn't intercept IPv6 NTP traffic; if that is the case, it would explain the issues that I was having with it.
 
Upgraded to Merlin 384.17, a quick look indicated a potential problem.
ntpMerlin set to intercept, test using manual time sync in Windows Time reported successful sync.
However, in AsusWRT connection log, port 123 connection from the PC is stated as UNREPLIED.
Yesterday with 384.16 it reported ASSURED, any confirmation or idea why..?
How come UNREPLIED = Successful sync..? o_O

Note :
Disabling redirect resulted in ASSURED and successful sync (direct internet).
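
Added example (not part of any post in this thread, and not ntpMerlin's own code): one way to get the per-request list asked for earlier, and to see the ASSURED/UNREPLIED state mentioned in the last post, is to classify conntrack entries for port 123. A flow whose reply tuple comes from the router while the client addressed another server was rewritten by the DNAT rule. The sample lines are constructed, `ROUTER_IP` is taken from the PREROUTING rules quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify NTP flows from conntrack-style lines.
# ROUTER_IP is the DNAT target shown in the PREROUTING rules in the thread.
ROUTER_IP="192.168.5.1"

# Constructed sample input (documentation addresses), one flow per line:
# an intercepted IPv4 flow, an intercepted but unreplied one, an IPv6 flow
# that the IPv4-only DNAT rule does not touch, and a DNS flow to be ignored.
sample_conntrack() {
cat <<'EOF'
ipv4     2 udp      17 28 src=192.168.5.23 dst=203.0.113.10 sport=50123 dport=123 src=192.168.5.1 dst=192.168.5.23 sport=123 dport=50123 [ASSURED] mark=0 use=2
ipv4     2 udp      17 12 src=192.168.5.40 dst=203.0.113.10 sport=123 dport=123 [UNREPLIED] src=192.168.5.1 dst=192.168.5.40 sport=123 dport=123 mark=0 use=2
ipv6     10 udp     17 25 src=2001:db8::40 dst=2001:db8:ffff::1 sport=40000 dport=123 src=2001:db8:ffff::1 dst=2001:db8::40 sport=123 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 20 src=192.168.5.23 dst=192.168.5.1 sport=51000 dport=53 src=192.168.5.1 dst=192.168.5.23 sport=53 dport=51000 mark=0 use=2
EOF
}

# classify_ntp: reads conntrack lines on stdin and prints, per NTP flow,
# "<client> <requested-server> <local|intercepted|passed> <state>".
# The router's own upstream queries also show up as "passed".
classify_ntp() {
    awk -v router="$ROUTER_IP" '
    {
        n = 0; osrc = odst = odport = rsrc = ""; state = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) {                        # 1st src = client, 2nd = who replies
                n++; v = substr($i, 5)
                if (n == 1) osrc = v; else if (n == 2) rsrc = v
            }
            else if ($i ~ /^dst=/ && odst == "")       odst = substr($i, 5)
            else if ($i ~ /^dport=/ && odport == "")   odport = substr($i, 7)
            else if ($i ~ /^\[.*\]$/ && state == "-")  state = substr($i, 2, length($i) - 2)
        }
        if (odport != "123") next                      # only NTP flows
        if (odst == router)      verdict = "local"         # client asked the router itself
        else if (rsrc == router) verdict = "intercepted"   # DNAT rewrote the destination
        else                     verdict = "passed"        # left the LAN unmodified
        print osrc, odst, verdict, state
    }'
}

sample_conntrack | classify_ntp
```

On the router the same function can read the live table, e.g. `classify_ntp < /proc/net/nf_conntrack`, assuming the firmware exposes that file.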
 
