ntpMerlin Redirect all NTP queries to chrony - except one client

nephilim

Regular Contributor
Hi,

I have an AiMesh setup with an AX-86U Pro as main router running chrony. One of the network clients is a Raspberry Pi with attached Adafruit GPS/PPS module. This client runs a chrony instance, which is using the GPS as refclock and a handful of public NTP servers with the "noselect" option for monitoring purposes. The chrony instance on the AX-86U uses the Raspberry as single source (and the same "noselect"ed public servers for monitoring) and acts as time server for my local network. Apart from a few glitches (which I will request your advice for in a separate thread) this is running fine.

As I have several network clients with hard-coded NTP servers, I would like to redirect all NTP traffic through the AX-86U, except the Raspi, as this would trigger the loop detection in the Raspi's chrony instance. For that reason I am not using the redirect option in the ntpMerlin script. How can I set up the redirection for all but one IP of my local network?
 
The GUI redirection option adds this line to the end of the NAT table:
Code:
-A PREROUTING -i br0 -p udp -m udp --dport 123 -j REDIRECT --to-ports 123

You need to create a nat-start script which inserts an exception before that rule:
Code:
iptables -t nat -I PREROUTING -s 192.168.1.99 -p udp --dport 123 -j ACCEPT
Change 192.168.1.99 as required.
 
Thank you - that works!
 
Apologies, I was too quick. I added the line to the (empty) /jffs/scripts/nat-start file and enabled NTP redirection in ntpMerlin. This appended the invocation of the ntpmerlin script to that file. After reboot I see that the NTP redirection was on top of the iptables rules, hence I slightly changed the exception and added tcp (because ntpmerlin also creates a rule for tcp), so that the nat-start file looks like this:

Code:
#!/bin/sh
/jffs/scripts/ntpmerlin ntpredirect # ntpMerlin
iptables -t nat -I PREROUTING 1 -s 192.168.1.105 -p udp --dport 123 -j ACCEPT
iptables -t nat -I PREROUTING 2 -s 192.168.1.105 -p tcp --dport 123 -j ACCEPT

And this is the prerouting chain

Code:
# iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  192.168.1.105        0.0.0.0/0            udp dpt:123
ACCEPT     tcp  --  192.168.1.105        0.0.0.0/0            tcp dpt:123
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:123 to:192.168.1.1
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123 to:192.168.1.1
GAME_VSERVER  all  --  0.0.0.0/0            91.64.48.100
VSERVER    all  --  0.0.0.0/0            91.64.48.100
DNSFILTER  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
DNSFILTER  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Still the chrony instance on the raspi (192.168.1.105) is unable to poll the public servers. What have I missed?
 
What I forgot to add: when redirection is enabled via ntpMerlin, the following rules show up in iptables -S

Code:
-A FORWARD -i br0 -p udp -m udp --dport 123 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p tcp -m tcp --dport 123 -j REJECT --reject-with icmp-port-unreachable
 
Sorry, you said you weren't using the ntpMerlin redirect. I don't know anything about how that works. I was only referring to what the standard GUI option does.
 
No, that was my mistake! I was wrongly assuming that I could combine your exception advice with activating redirection via ntpMerlin. I have again switched off ntpMerlin and use the following nat-start file:

Code:
#!/bin/sh
iptables -t nat -I PREROUTING -i br0 -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
iptables -t nat -I PREROUTING  -s 192.168.1.105 -p udp --dport 123 -j ACCEPT
iptables -t nat -I PREROUTING  -s 192.168.1.105 -p tcp --dport 123 -j ACCEPT

which results in

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.1.105        0.0.0.0/0            tcp dpt:123
ACCEPT     udp  --  192.168.1.105        0.0.0.0/0            udp dpt:123
REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123 redir ports 123

which I guess is what I was attempting to achieve.

Thanks for your patience.
 
Alternatively, if you do not have that client saved to your static list, you could use the known source MAC address of the client.

e.g.

Code:
-A PREROUTING -i br+ -p udp -m udp --dport 123 -j NTPREDIR
-A PREROUTING -i br+ -p tcp -m tcp --dport 123 -j NTPREDIR
-A NTPREDIR -m mac --mac-source XX:XX:XX:XX:XX:XX -j RETURN
-A NTPREDIR -j DNAT --to-destination 192.168.1.1

I set up my own custom chain called NTPREDIR. (Similar to how DNS Director's client filter list works.)
 
Here is what this looks like in my firewall script.


Code:
{ /usr/sbin/iptables -t nat -F NTPREDIR && /usr/sbin/iptables -t nat -X NTPREDIR; } 2>/dev/null
/usr/sbin/iptables -t nat -N NTPREDIR 2>/dev/null
for i in -D -A; do
/usr/sbin/iptables -t nat $i PREROUTING -i br+ -p udp -m udp --dport 123 -j NTPREDIR 2>/dev/null
/usr/sbin/iptables -t nat $i PREROUTING -i br+ -p tcp -m tcp --dport 123 -j NTPREDIR 2>/dev/null
/usr/sbin/iptables -t nat $i NTPREDIR -m mac --mac-source XX:XX:XX:XX:XX:XX -j RETURN 2>/dev/null
/usr/sbin/iptables -t nat $i NTPREDIR -j DNAT --to-destination 192.168.1.1 2>/dev/null
done


Adapt 192.168.1.1 to be the address of the NTP service. Adapt XX:XX:XX:XX:XX:XX to be the MAC address you want to not redirect NTP for.
 
Adapting your current script.


Code:
#!/bin/sh
/jffs/scripts/ntpmerlin ntpredirect # ntpMerlin
iptables -t nat -I PREROUTING 1 -m mac --mac-source XX:XX:XX:XX:XX:XX -p udp --dport 123 -j ACCEPT
iptables -t nat -I PREROUTING 2 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp --dport 123 -j ACCEPT

Although I am not sure if --mac-source will work for this instance.

Edit, Good news it does!
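The three rule sets discussed in this thread (the GUI REDIRECT with an IP exception inserted in front of it, the FORWARD REJECT rules that ntpMerlin adds, and the NTPREDIR custom chain with a MAC-based RETURN) all hinge on first-match ordering in iptables. The following is an added illustration, not code from the thread, from ntpMerlin or from the Asuswrt-Merlin firmware: it parses rule lines in the `iptables -S` syntax shown above and reports which target fires for an NTP query from a given client. It models only the matches the posted rules use (`-i` including the `br+` wildcard, `-s`, `-p`, `--dport`, `--mac-source`) and assumes the built-in chains have policy ACCEPT, as the listings on the page show. The second client address 192.168.1.50 and the MAC AA:BB:CC:DD:EE:FF are constructed placeholders; 192.168.1.105 and 192.168.1.1 are the addresses from the posts.

```python
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    proto: str
    dport: int
    in_iface: str = "br0"
    mac: str = "00:00:00:00:00:00"

# options the posted rules use; "-m <module>" only loads a match module and is skipped
OPTS = ("-i", "-s", "-p", "--dport", "--mac-source", "--to-ports", "--to-destination", "--reject-with")

def parse_rules(listing: str):
    """Parse `iptables -S`-style lines into ({chain: [(target, opts)]}, user_chains).
    -P lines are skipped: the built-in chains on the page all have policy ACCEPT (assumed)."""
    chains, user = {}, set()
    for line in listing.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] == "-P":
            continue
        if tok[0] == "-N":
            user.add(tok[1])
            chains.setdefault(tok[1], [])
            continue
        if tok[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        opts, target, i = {}, "", 2
        while i < len(tok):
            if tok[i] == "-j":
                target = tok[i + 1]
            elif tok[i] in OPTS:
                opts[tok[i]] = tok[i + 1]
            elif tok[i] != "-m":
                raise ValueError(f"unsupported option {tok[i]!r} in: {line}")
            i += 2
        chains.setdefault(tok[1], []).append((target, opts))
    return chains, user

def matches(opts: dict, pkt: Packet) -> bool:
    if opts.get("-p", pkt.proto) != pkt.proto:
        return False
    if "--dport" in opts and int(opts["--dport"]) != pkt.dport:
        return False
    if "-i" in opts:                      # "br+" is a prefix wildcard
        want = opts["-i"]
        if not (pkt.in_iface.startswith(want[:-1]) if want.endswith("+") else pkt.in_iface == want):
            return False
    if "-s" in opts and ip_address(pkt.src) not in ip_network(opts["-s"], strict=False):
        return False
    if "--mac-source" in opts and opts["--mac-source"].lower() != pkt.mac.lower():
        return False
    return True

def verdict(chains, user, chain: str, pkt: Packet) -> Optional[str]:
    """First matching rule decides.  A jump into a user chain is followed;
    RETURN (or running off the end of a user chain) resumes in the caller;
    running off the end of a built-in chain yields its policy, ACCEPT here."""
    for target, opts in chains.get(chain, []):
        if not matches(opts, pkt):
            continue
        if target in user:
            sub = verdict(chains, user, target, pkt)
            if sub is not None:
                return sub
            continue
        if target != "RETURN":
            return target
        break
    return None if chain in user else "ACCEPT"

PI, OTHER = "192.168.1.105", "192.168.1.50"          # Pi from the thread; second client constructed
PI_MAC = "AA:BB:CC:DD:EE:FF"                          # placeholder for XX:XX:XX:XX:XX:XX above
GUI_REDIRECT = "-A PREROUTING -i br0 -p udp -m udp --dport 123 -j REDIRECT --to-ports 123"
IP_EXCEPTION = "-A PREROUTING -s 192.168.1.105/32 -p udp -m udp --dport 123 -j ACCEPT"
NTPMERLIN_FORWARD = """\
-A FORWARD -i br0 -p udp -m udp --dport 123 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -p tcp -m tcp --dport 123 -j REJECT --reject-with icmp-port-unreachable
"""
NTPREDIR = """\
-N NTPREDIR
-A PREROUTING -i br+ -p udp -m udp --dport 123 -j NTPREDIR
-A PREROUTING -i br+ -p tcp -m tcp --dport 123 -j NTPREDIR
-A NTPREDIR -m mac --mac-source AA:BB:CC:DD:EE:FF -j RETURN
-A NTPREDIR -j DNAT --to-destination 192.168.1.1
"""

def ntp_verdict(listing: str, chain: str, src: str, mac: str = "00:00:00:00:00:00", proto: str = "udp") -> str:
    """Fate of an NTP query from `src` in `chain` ("PREROUTING" for nat, "FORWARD" for filter)."""
    chains, user = parse_rules(listing)
    return verdict(chains, user, chain, Packet(src, proto, 123, mac=mac))
```

Running `ntp_verdict(IP_EXCEPTION + "\n" + GUI_REDIRECT, "PREROUTING", PI)` gives ACCEPT while swapping the two lines gives REDIRECT, which is why the exception has to be inserted in front of the redirect rule rather than appended. `ntp_verdict(NTPMERLIN_FORWARD, "FORWARD", PI)` gives REJECT: an ACCEPT in the nat table only exempts the packet from being rewritten, so the Pi's query then takes the normal forwarding path and is refused by the REJECT rules ntpMerlin installs. That is consistent with the failure reported above, and it means a nat-only exception cannot coexist with the ntpMerlin redirect unless a matching ACCEPT for the Pi is also placed ahead of those FORWARD rules. For the NTPREDIR chain, the Pi's MAC hits RETURN and ends up at the PREROUTING policy (ACCEPT), while any other MAC reaches the DNAT.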
 
