You are here

NTP Sharing

23 posts / 0 new
Last post
KV3T
KV3T's picture
NTP Sharing

I understand that the newest stable has a way to advertise an ntp server to the mesh. My main tunnel node receives its internet / Wan connection via a pfsense server that is already setup as a stratum 1 ntp server. I know i can use that ntp server on the local node it is connected to, but is there a way to broadcast that ntp service to the rest of the mesh? I'm solid on all of the individual concepts involved, but my knowledge breaks down when you start mixing all of these concepts together. I already have an overbuilt ntp server on my home lan.

K6CCC
K6CCC's picture
Here you go

Mine is working fine.  On the Port Forwarding, DHCP, & Services page, add a service with a name of whatever you like, the Link checkbox checked, and link to be ntp://whatever device has or routes to the time server : 123  Mine are:
Name = NTP 10.9.60.82
URL = ntp://K6CCC-Router-1:123
In my case, the router is not the time server, but the router is set up to forward port 123 packets to my NTP server.

 

K6CCC
K6CCC's picture
NTP service link

Chuck said (in part):

I have announced to my local AREDN network neighbors that they
are welcome to use my NTP service.

The NTP service does not need to be advertised, but its host's name does.

Regarding the first part, if people manually enter your DNS server as you screen captures shows, you don't need to do anything.

Regarding the second part, my experience is that is not the case.  I had to go through several iterations in order to get my NTP server to be recognized automatically by AREDN nodes.  It does have to have a link as specified in my previous response.  According to the developers, the nodes is looking for advertised services with a link that starts with ntp://
BTW, I just looked and my NTP server has 186 clients within the last 7 days (it ages out anything not heard from in a week).  About 20 or so are various devices at my house.  The rest are AREDN nodes scattered throuout the southern California network.
I have watched in some detail what the nodes do, and how they are sending and relaying NTP packets.  I can give some rather entertaining detailsif desired.

 

nc8q
nc8q's picture
recognized automatically by AREDN nodes

Hi, Jim:

Thanks.

I thought the NTP 'recognized automatically by AREDN nodes' was a new feature.
I am ignorant of configuring this feature.
I saw Orv's post: https://www.arednmesh.org/content/new-production-release-available but
I have not seen information on how to cobfigure this feature.
If there is public information on this configuration, please share.
Rather entertaining details are desired. ;-)

3s, Chuck
 

AB7PA
see Timezone & NTP in the docs

In the online docs there is a section that describes the new feature.  It's always been possible to enter the URL for an existing NTP server, but the new feature allows your node to discover additional NTP servers on your mesh network if they have a defined service entry.

K6CCC
K6CCC's picture
Advertised link required

Originally someone told me that the new feature to automatically find a NTP server only required the letters NTP (case insensitive) anywhere in a line of text in a mesh status entry (did not have to be an advertised service link).  That was wrong.  I had a line of text that said "NTP 10.9.60.82" for several weeks and NEVER saw anything coming from the AREDN mesh except a camera that was specifically told to use my NTP server.
Later in conversation with one of the developers (Tim), he told me that it actually needed to be an advertised link with ntp://  Made that change and soon I started seeing nodes all over the southern California network getting time from my NTP server.  For nodes that are on continuously, they get a time check every 24 hours, but there are several things that mess up that number (reboots, firmware update, likely others).  I also find it entertaining which port (RF vs Tunnel vs DtD vs LAN) is the one or ones that request time.


 

nc8q
nc8q's picture
Like this?

Like this?
 

Image Attachments: 
K5DLQ
K5DLQ's picture
As Steve said, it's explictly

As Steve said, it's explictly described in the docs....  https://arednmesh.readthedocs.io/en/latest/arednGettingStarted/basic_set...
 

K6CCC
K6CCC's picture
This is mine.

This is mine.


Yes, I stretched out the Name box for the NTP only - hence the other lines look screwed up.

 

KV3T
KV3T's picture
I don't believe my question

I don't believe my question has been answered, or it was, I didn't understand it.  I think this might be related, but I need the next "debug level" of info to get me there:

In my case, the router is not the time server, but the router is set up to forward port 123 packets to my NTP server.

The high quality NTP server is the device connected to the WAN port of the AREDN node.  Can someone help me with the commands to forward ntp traffic (port 123) through AREDN to my NTP server on the WAN side of my node?  I'm guessing this is some sort of custom routing rule in the node?  I'll do some testing now pinging around and seeing what I can see from my node.
 

KV3T
KV3T's picture
Having spent some more time

Having spent some more time on this, I can see my WAN device (ntp server) don't believe the AREDN node is letting NTP traffic through.  I'm guessing port 123 is closed.  I believe I need to put in a custom iptables rule to allow this traffic through.  I know enough to know what that is, and how to change them, but not enough to confidently come up with the proper syntax, and I'm afraid to break something.  I'm wondering if someone with a bit more IP tables experience can help me with a line to add to, I'm assuming, the file /etc/local/mesh-firewall/59-custom-rules

KV3T
KV3T's picture
Just a bit more info on what

Just a bit more info on what I'm seeing.  From a computer over the mesh, I can connect to the ntp server at its WAN address of 192.168.11.1

casey@CD_Dell:~$ ntpq -p 192.168.11.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 2.pfsense.pool. .POOL.          16 p    -   64    0    0.000    0.000   0.000
 time.nist.gov   .POOL.          16 p    -   64    0    0.000    0.000   0.000
*192.168.10.200  .PPS.            1 u  230  256  377    0.600    0.022   0.053
+time-a-g.nist.g .NIST.           1 u   91  256  377   28.167    0.030   0.131
+time-b-g.nist.g .NIST.           1 u  229  256  377   27.909    0.024   0.283
+time-c-g.nist.g .NIST.           1 u  254  256  377   27.919    0.161   0.103
+time-d-g.nist.g .NIST.           1 u  204  256  377   27.893    0.339   0.067
+time-e-g.nist.g .NIST.           1 u   97  256  377   28.440    0.216   0.076
+india.colorado. .NIST.           1 u  244  256  377   35.875   -3.339   0.114
+clock.fmt.he.ne .PPS.            1 u  220  256  377   48.435   -0.620   0.146
+any.time.nl     204.9.54.119     2 u  221  256  377    4.695   -0.201   0.193
+time-b-wwv.nist .NIST.           1 u   32  256  377   35.108   -3.663   0.077

That appears to work becuase I have forwarded the port 123 through on the port forwarding page, however I don't know how to advertise a service for this NTP server, because I can only  advertise services that are from the DHCP Address Reservations, and this is the WAN port, so it obviously isn't in the DHCP range.

I also found in the /etc/config/system the options which appear to enable the ntp server, but I'm not quite sure what that does.  Does that make the node an NTP time server?  If so, it doesn't appear to be working for me:

 

casey@CD_Dell:~$ ntpq -p KV3T-2G-M2.local.mesh # DNS entry as served on the mesh
KV3T-2G-M2.local.mesh: timed out, nothing received
***Request timed out
casey@CD_Dell:~$ ntpq -p 10.170.209.113 # AREDN LAN IP Address
10.170.209.113: timed out, nothing received
***Request timed out
casey@CD_Dell:~$ ntpq -p 10.186.173.23 # AREDN Mesh RF IP Address
10.186.173.23: timed out, nothing received
***Request timed out
casey@CD_Dell:~$ ntpq -p 192.168.11.101 # WAN IP Address
192.168.11.101: timed out, nothing received
***Request timed out


Someone... help?

K6CCC
K6CCC's picture
You may be able to get to

You may be able to get to your NTP server via the WAN port, but I am doing it via LAN port.  So my path (more complex than most people) is:  AREDN hAP > hAP LAN port > Family room VLAN switch (AREDN LAN traffic tagged as VLAN 5) > VLAN trunk > Garage VLAN switch > Home router (router has 10.9.60.82 AREDN address on VLAN 5 - port 123 traffic routed to VLAN 123) > Garage VLAN switch > untagged traffic to NTP server.
As far as the AREDN mesh is concerned, the NTP server is on the address for my router (which has an AREDN address).  The mesh knows nothing beyond the router.  See setup screen captures that both Glen and I posted on Friday the 15th.

 

nc8q
nc8q's picture
Is there a way to broadcast a service, on the WAN of a node, to

Hi, Casey:

May I rephrase?

"Is there a way to broadcast a service, that exists on the WAN of a node, to the local AREDN network?"

Without using a host on the LAN of the node, I do not see a way.

73, Chuck

 

KV3T
KV3T's picture
Thanks everyone for the

Thanks everyone for the continued feedback.  Chuck, yes, that is the essence of it.

Since I can seen the NTP server from the Mesh by directly hitting the IP address of the device on the WAN side, it seems like it is almost working already.  I can see it working over the mesh already with that port open, I just need a way to advertise it out to the rest of the mesh.

Is there a way to add a static route for port 123 on that node, so that any traffic that comes to that node "localhost" on port 123 is routed to the WAN IP address?  I know there are ways to do custom firewall and routing rules, but I don't have the personal experience to write them myself.  But if the answer to that question is yes, then I could setup a stndard service link as if it were hosted on the local mesh node, and that node would redirect the traffic to the NTP server.

Perhaps not best practice, but I have already invested a good deal of time and money in this NTP server for my house (why you might ask?  a good answer I could not provide) so I'd prefer to use it here too.  I'm sure NTP over long distance mesh links is very unreliable, but it would be more reliable if you start with a good reliable sources, than if not.

If the answer truly is no, I may have another way to do it, similar to what was K9CCC proposed, but it would require a hardware device in the middle, so that would mean I'm hosting a stratum 2 NTP service on the mesh instead of a stratum 1 service, due to how NTP works.

nc8q
nc8q's picture
Since I can seen the NTP server from the Mesh by directly hittin

"Since I can see the NTP server from the Mesh by directly hitting the IP address of the device on the WAN side..."

I think you can
"see the NTP server from the Mesh node that has WAN access to your (home) LAN directly,
but no other nodes on the local AREDN network can see devices on your (home) LAN."

The AREDN node feature 'Port Forwarding" forwards from WAN to LAN, but nothing forwards
LAN to WAN of another node on the network.

Do you need Stratum 1 (or even Stratum 2) service?
... over long distance?

I use a hardware device (Raspberry Pi) with NTP service on my node's LAN,
that node can 'see' the hardware device (my home LAN server),
that home server can see the internet.

This works for me as I only want time accuracy within about a tenth of a second.

I hope this helps,
Chuck

 

KV3T
KV3T's picture
I can see it (the gateway on

I can see it (the gateway on the WAN side of the aredn nide) from other devices on the mesh as well. Not what I expected to see, but that is what I observed. I was on a remote device (laptop) connect to another node (gl.inet device) which was connected via the mesh to the node connected to the ntp server (rocket m2).

"The AREDN node feature 'Port Forwarding" forwards from WAN to LAN, but nothing forwards LAN to WAN of another node on the network. ". This is what I expected to be true, but does not match my observations.

If this is not supposed to be true, I'm happy to send debug data. I definitely could see an issue with conflicting ip addresses, especially 192.168.0.1 (not what I'm using, but I could see the issue happening elsewhere.

I need high quality ntp time data in the same way that I need it for my home network, or a hexbeam on my roof, or an amp, or a cocktail on a Friday night. I'm not sure need is the right word. If it can't be done, it's fine, but it feels like it is one configuration tweak away.

nc8q
nc8q's picture
I can see it (the gateway on the WAN side of the aredn nide) fro

"I can see it (the gateway on the WAN side of the aredn nide) from other devices on the mesh as well."

Hi, Casey:

This is the first use of the word 'gateway' in this thread, so
I am not understanding what 'it' or 'gateway on the WAN side' means.

I have a NTP service on a host on my home LAN with address 192.168.8.80 which is provided via DHCP from my home router.
3 of of my VLAN/DtD connected home AREDN nodes have access to the 192.168.8.x network and the rest do not.
IOW, 3 of my home nodes have a WAN address in this 192.168.8.x network,
the rest have no WAN address assigned and thus
have no access to my home 192.168.8.x network.

None of the other 50+ AREDN nodes on the local network have access to my home 192.168.8.x network.
Thus, none of the other 50+ AREDN nodes have access to the NTP service on my home network.

I do not understand how you provided access to the WAN network space of a node to other nodes.
I understand how to provide access to hosts on the LAN side of an AREDN node to all linked AREDN network hosts.

73, Chuck

 

KV3T
KV3T's picture
The gateway is the firewall

The gateway is the firewall in my house. Aredn is on its own lan / subnet on that device. It is a dell r210 ii running pf sense. It is on the WAN side of the aredn mesh node (device 1). Given the network inside a network nature of this conversation, the terms WAN and LAN are ambitious.

I can see that device's ntp server on port 123 from a computer plugged into at least two other aredn nodes (on the lan ports of the nodes 2 and 3) on the mesh. From what you are describing, that should not be possible. If it would be helpful, i could make a quick video showing that happening.

What I'm looking for is a way to route ntp traffic to that device, not via an ip address, for obvious reasons. Currently, it is working by ip address directly. However, there is no way for me to advertise that service. And by ip address (in this case, 192.168.11.1) isn't necessarily unique, so I'd be nervous to use it as is.

KV3T
KV3T's picture
Here is a network diagram

Here is a network diagram explaining the layout and the path the traffic is traveling.

http://nextcloud.caseydiers.com/index.php/s/aSaPMeSdDiP6YkY

nc8q
nc8q's picture
Here is a network diagram explaining the layout and the path the

Hi, Casey:
 
 Nice job on the diagram.
I assume that AREDN-Node-1 is a
Mikrotik hAP or GL-iNet AR150 or AR300M16 with
"Advanced WAN Access - Allow others to use my WAN" enabled ?

Otherwise, yes, it seems like that should not be possible.

How close was my guess?

Mine:
PFSense<->home LAN<->VLAN-switch-> VLAN10-in-house-LocoM2, VLAN20-hAP, VLAN30-LHG-XL, VLAN40-PBE-M5-400, VLAN50-garage-LocoM2,...
My computer is on the LAN of the in-house-LocoM2.
I present VLAN1 (internet) to only 3 AREDN devices.

Chuck
 
KV3T
KV3T's picture
AREDN-Node-1 is a rocket m2

AREDN-Node-1 is a rocket m2
AREDN-Node-2 is any of the nodes in my house.  That includes a AR150, NSM5, and I think I tried another rocket M2.  None of those devices have a WAN connection.  The only AREDN device on the 192.168.11.0 network is the Rocket M2, so it must be the device that is providing the NTP data on 192.168.11.1

Sharing WAN is enabled.  I've also forwarded port 123 on that node (without this setting, it doesn't work).  And the node is in "Direct" non-nat mode.  From what I understand, this should allow devices from the WAN side to access things on the Mesh, but not the other way around.

If this behavior is problematic, I'm happy to share logs and/or make a video showing this happening.

If not, I'm still looking for a way to route NTP traffic on port 123 directed to AREDN-Node-1, to the pfsense box located at ip address 192.168.11.1 on the wan connection of AREDN-Node-1.

Obviously not a high priority, but I would like to get it working.

nc8q
nc8q's picture
Sharing WAN is enabled.

Hi, Casey:

If "Sharing WAN is enabled.":
Then the ntpd service on your PFSense router is reachable by IP address.
My router's uname -a is
pfSense.localdomain
which does not resolve at its LAN workstations, nor my shack node's workstation.

This is okay for a home network or workbench, but
maybe not good if other folks have nodes on the same network.
e.g. Someone plugs a Windows box onto a node without internet and the windows box decides to do an on-line update.

73, Chuck

 

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer