CU169 NTP Polling Question

Hi All,
Question about the new NTP setup in CU169. Is there a way to change the minpoll and maxpoll settings from their default? I built myself a stratum 1 timeserver, and I would like the firewall to poll it more than 1024 seconds.
Thank you PZ

Never mind, I figured it out. PZ

1 Like

Please share!

What did you do?

1 Like

Here is what I did. A while ago I built two time servers: one is a GPS Master Clock and the other is a GPS Slave clock. The Slave clock (Server1 below) gets both a GPS signal and a PTP signal from the Master clock (Server2 below), so my goal was to get the firewall to get time from both of these, with the Slave clock being the primary time server.

First, there needs to be a time server listed as the primary time server in the WUI. This time server info will be written to /var/ipfire/time/settime.conf. If nothing is listed NTP will not start on boot. If the server listed does not serve time, there will be errors in the “System Logs”, which will be logged every 5 minutes after a while. Every time NTP is started or restarted, the file /etc/ntp/ntpinclude.conf will be overwritten with information from /var/ipfire/time/settime.conf. So no changes can be made in /etc/ntp/ntpinclude.conf.

To get around this, in /etc/ntp.conf place a list of the desired time servers above the line “includefile /etc/ntp/ntpInclude.conf” so that /etc/ntp.conf looks something like:

disable monitor
restrict default nomodify noquery
restrict 127.0.0.1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp/drift
server server1.of.mine minpoll 3 maxpoll 4 prefer
server server2.of.mine minpoll 3 maxpoll 4 prefer
includefile /etc/ntp/ntpInclude.conf

Apparently, if all servers are equal in the NTP algorithm, NTP will pick them in listed order. One thing I have not checked out yet is whether the server listed in the “Time Server” WUI can be the same as either of the alternative servers listed in /etc/ntp.conf.

I have had this running now for a while, and cannot find any errors being currently logged. Such an arrangement should be adaptable to your situation. I hope this helps and makes sense.

PZ

2 Likes
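A check for the arrangement described in the post above, added here as an example and not code from the thread or from IPFire: it confirms that the hand-added sources are still in ntp.conf ahead of the includefile line and that their minpoll/maxpoll exponents fall in the 3 to 17 range that ntpd documents. The sample file is a constructed copy of the posted configuration, and `audit_ntp_conf` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit_ntp_conf is a hypothetical helper, not an IPFire tool.
# Constructed sample: the ntp.conf from the post, written to a temp file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
disable monitor
restrict default nomodify noquery
restrict 127.0.0.1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp/drift
server server1.of.mine minpoll 3 maxpoll 4 prefer
server server2.of.mine minpoll 3 maxpoll 4 prefer
includefile /etc/ntp/ntpInclude.conf
EOF

POLL_MIN=3    # lowest poll exponent ntpd documents (2^3 = 8 s)
POLL_MAX=17   # highest poll exponent ntpd documents (2^17 s, about 36 h)

# audit_ntp_conf FILE SOURCE...
# Prints one finding per line; returns 1 if there is any finding, else 0.
#   LOST  <src>              expected source is no longer in the file
#   ORDER <src>              source is listed after the includefile line
#   RANGE <src> <opt> <val>  poll exponent outside POLL_MIN..POLL_MAX
audit_ntp_conf() {
    conf=$1; shift
    findings=$(awk -v want="$*" -v lo="$POLL_MIN" -v hi="$POLL_MAX" '
        BEGIN { n = split(want, w, " ") }
        $1 == "includefile" && !inc { inc = NR }
        $1 == "server" || $1 == "peer" {
            seen[$2] = NR
            for (i = 3; i < NF; i++)
                if (($i == "minpoll" || $i == "maxpoll") && ($(i+1) < lo || $(i+1) > hi))
                    print "RANGE", $2, $i, $(i+1)
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!(w[i] in seen))              print "LOST", w[i]
                else if (inc && seen[w[i]] > inc) print "ORDER", w[i]
            }
        }' "$conf")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# The posted layout passes; a file without the custom lines would report LOST.
audit_ntp_conf "$SAMPLE_CONF" server1.of.mine server2.of.mine && echo "ntp.conf OK"
```

On the firewall the first argument would be /etc/ntp.conf, and a non-zero exit status is the signal to restore the saved copy.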

Keep in mind that /etc/ntp.conf might be changed during a core update.

Since you added your servers to ntp.conf, what is on the NTP Configuration page?

Yes, you are correct about the potential changes to /etc/ntp.conf, so I have backed mine up.

In the NTP Configuration page, I am debating what server is best. One can go with an external server such as time.nist.gov or a spare internal server. I don’t think it matters as it is not used. If I understand how NTP works, it locks onto the best server it finds; it is not like Chrony, which will sample multiple sources to determine the proper time.

If I run “ntpq -p” I get
[image: output of ntpq -p]

also if I run “ntpq -c association” I get
[image: output of ntpq -c association]

which shows that clock 2 is the time source being used. The nist time server is 3rd in line and remains a candidate for a time source but is not used.

PZ

By the way, I will point out that, as this is NTP, the units are milliseconds (ms), which are not displayed, unlike ntpsec or chrony. I can now determine the time delay throughout my network, which looks like about 1/3 of a millisecond, with the clocks in my network being synchronized to about 20 microseconds.
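The selection check described in the posts above can be automated. This is an added example, not code from the thread: it reads `ntpq -p` style output, finds the source marked `*` (the system peer), and reports when that source is not one of the expected internal clocks or when its offset, in the unlabelled milliseconds column, is too large. The sample output is constructed, 192.0.2.10 is a placeholder for an external server, and `check_sync` is a hypothetical name.

```shell
#!/bin/sh
# Constructed sample of `ntpq -pn` output (not taken from the thread's screenshots).
SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l  35m   64    0    0.000    0.000   0.000
+10.10.10.25     .PPS.            1 u    5   16  377    0.310    0.021   0.008
*10.10.10.26     .PPS.            1 u    3   16  377    0.335   -0.018   0.011
-192.0.2.10      .NIST.           1 u   40   64  377   48.120    1.950   0.730'

# check_sync "TRUSTED SOURCES" MAX_OFFSET_MS   (ntpq output on stdin)
# Exit status: 0 OK, 1 no system peer, 2 system peer not trusted, 3 offset too large.
check_sync() {
    awk -v trusted="$1" -v max="$2" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        /^\*/ {
            # The tally character is glued to the remote column; offset is field 9.
            src = substr($1, 2)
            off = $9 + 0
            if (off < 0) off = -off
            found = 1
        }
        END {
            if (!found)       { print "UNSYNCED: no system peer selected"; exit 1 }
            if (!(src in ok)) { print "UNTRUSTED: synced to " src; exit 2 }
            if (off > max)    { print "OFFSET: " src " is " off " ms off"; exit 3 }
            print "OK: " src " offset " off " ms"
        }'
}

# Demo against the constructed sample; prints "OK: 10.10.10.26 offset 0.018 ms".
printf '%s\n' "$SAMPLE" | check_sync "10.10.10.25 10.10.10.26" 1
```

On a live system the input would come from `ntpq -pn | check_sync "10.10.10.25 10.10.10.26" 1`, run from cron or a monitoring agent.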

PZ,
This thread is really eye opening, never thought there are so many subtle details about the NTP service…

I was recently looking into secure NTP and that was eye opening as well. I learned that there are servers that offer authentication using a hash like MD5 or SHA-256.
There is also something newer called NTS, which uses TLS and AEAD encryption to sync time.
Also, there are servers keeping best practices, and then there are Google’s servers that run a “smeared” second wrong.

I also learned that if you use only one NTP server you know what time it is but with two servers you will never be sure, that’s why you need a third server just to keep things more complex :zipper_mouth_face:

Could you share your setup for your NTP stratum 1 servers?

I am also thinking of building either a Stratum 1 or PTP.

What would you recommend to start with?

Did you use Linux or BSD?

Just for fun I ran ethtool to see if my NIC is capable of PTP
but looks like not really

 root@IPFIRE ~] ethtool -T green0
Time stamping parameters for green0:
Capabilities:
        hardware-transmit
        software-transmit
        hardware-receive
        software-receive
        software-system-clock
        hardware-raw-clock
PTP Hardware Clock: 1
Hardware Transmit Timestamp Modes:
        off
        on
Hardware Receive Filter Modes:
        none
        all

Peppe Tech

Sorry, I did not see your note until today. I hope this response is what you are looking for; here is what I used for my stratum 1 time servers.

I started with 2 Raspberry Pi CM4 units (which was before the shortage). These were attached to the CM4 IO board. This was to accommodate some Intel PCIe cards that supported PTP. I can’t remember the exact chipset, but they were 1Gb cards. I can find this if necessary.

At the time, the RPI-OS did not support PTP on its internal Ethernet chip. I believe it does now, so one may not need the Intel chipset. I do know that I had to recompile the RPI-OS kernel for the Intel cards to be recognized. (As an aside, I have rebuilt the clocks a few times since my initial posting back in 2022, and I find the Intel chipset keeps better time than the chipset on the CM4, which is why I have stuck with the Intel-based cards.)

To these servers, I then attached the Uputronics RPI GPS RTC board. There are numerous instructions on the web as to how to set this up. I chose those boards as I could set them up over USB to talk to more satellites (I believe the US, EU and the RU constellations are available).

So time server 1 was set up to be a master clock. Time server 2 was set up to be a boundary clock. The boundary clock picks up time from both the master clock and its own GPS-based clock. This all uses the packages linuxptp and linuxphp. Looking through my notes, it looks like the timemaster package can be used to configure both ptp and php services. If memory serves, the timemaster service was only enabled on the boundary clock, as it did not seem to play well with the master clock.

In the DHCP server portion of IPFire, the primary time server is set to boundary clock (Time server 2). The secondary server is set to the master clock (Time Server 1). That way all dhcp clients pick up the correct time.

The firewall itself is directed to the boundary clock and the master clock via a modification to “/etc/ntp.conf”, where both internal time servers are added as follows (this is the contents of ntp.conf):

disable monitor
restrict default nomodify noquery
restrict 127.0.0.1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
peer 10.10.10.25 minpoll 0 maxpoll 1 prefer
peer 10.10.10.26 minpoll 0 maxpoll 1 prefer
driftfile /etc/ntp/drift
includefile /etc/ntp/ntpInclude.conf

NOTE: The contents of this file (/etc/ntp.conf) need to be backed up somewhere on the system, as it can be overwritten at system update. That way it can easily be recovered.

In the implementation of ntp within IPFire, ntp is used in some sort of odd form, so these time servers will precede the ones specified in the GUI. But this override also allows for more frequent polling, which you can now set to whatever you want, and increases the accuracy of the local network clock.

Hope this helps you out.

PZ

2 Likes

I forgot to mention that all time servers were configured to use chrony, as that appeared to be the most versatile and secure time server available.

1 Like

Thank you Private Zimm this is very informative