CU169 NTP Polling Question

Hi All,
Question about the new NTP setup in CU169. Is there a way to change the minpoll and maxpoll settings from their default? I built myself a stratum 1 timeserver, and I would like the firewall to poll it more than 1024 seconds.
Thank you PZ

Never mind, I figured it out. PZ

Please share!

What did you do?

Here is what I did. A while ago I built two time servers, one is a GPS Master Clock and the other is a GPS Slave clock. The Slave clock (Server1 below) gets both a GPS signal and a PTP signal from the Master clock (Server2 below), so my goal was to get the firewall to get time from both of these with the Slave clock being the primary time server.

First, there needs to be a time server listed as the primary time server in the WUI. This time server info will be written to /var/ipfire/time/settime.conf. If nothing is listed NTP will not start on boot. If the server listed does not serve time, there will be errors in the “System Logs”, which will be logged every 5 minutes after a while. Every time NTP is started or restarted, the file /etc/ntp/ntpinclude.conf will be overwritten with information from /var/ipfire/time/settime.conf. So no changes can be made in /etc/ntp/ntpinclude.conf.

To get around this, in /etc/ntp.conf place a list of the desired time servers above the line “includefile /etc/ntp/ntpInclude.conf” so that /etc/ntp.conf looks something like:

disable monitor
restrict default nomodify noquery
restrict 127.0.0.1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp/drift
server server1.of.mine minpoll 3 maxpoll 4 prefer
server server2.of.mine minpoll 3 maxpoll 4 prefer
includefile /etc/ntp/ntpInclude.conf

Apparently if all servers are equal in the NTP algorithm, NTP will pick them in listed order. One thing I have not checked out yet is if the server listed in the “Time Server” WUI can be the same as either of the alternative servers listed in /etc/ntp.conf.

I have had this running now for a while, and cannot find any errors being currently logged. Such an arrangement should be adaptable to your situation. I hope this helps and makes sense.

PZ

Keep in mind the /etc/ntp.conf might be changed during a core update.

Since you added your servers to ntp.conf, what is on the NTP Configuration page?

Yes, you are correct about the potential changes to /etc/ntp.conf, so I have backed mine up.

In the NTP Configuration page, I am debating what server is best. One can go with an external server such as time.nist.gov or a spare internal server. I don’t think it matters as it is not used. If I understand how NTP works, it locks onto the best server it finds, it is not like Chrony which will sample multiple sources to determine the proper time.

If I run “ntpq -p” I get
[image: output of “ntpq -p”]

also if I run “ntpq -c association” I get
[image: output of “ntpq -c association”]

which shows that clock 2 is the time source being used. The nist time server is 3rd in line and remains a candidate for a time source but is not used.

PZ

By the way, I will point out as this is NTP the units are milliseconds (ms), which are not displayed unlike NTPsec or chrony. I can now determine the time delay throughout my network, which looks like about 1/3 of a millisecond with the clocks in my network being synchronized to about 20 microseconds.
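As an added example (not code from the thread or from IPFire), a small Python parser for `ntpq -p` output that reports which peer ntpd selected (the `*` tally) and checks whether a peer's live poll interval respects the minpoll/maxpoll placed in /etc/ntp.conf. The server names and the sample output are constructed, not a real capture.

```python
# Added example (not from the thread): parse `ntpq -p` output to see which peer
# ntpd selected and whether the configured minpoll/maxpoll are in effect.
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample resembling the poster's setup; delay/offset/jitter are ms.
SAMPLE_NTPQ_P = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   14   64  377    0.000    0.000   0.000
*server1.of.mine .GPS.            1 u    7   16  377    0.312    0.004   0.020
+server2.of.mine .GPS.            1 u   12   16  377    0.335   -0.011   0.018
+time.nist.gov   .NIST.           1 u   51   64  377   18.402    1.217   0.455
"""
# First column ("tally code") is how ntpq marks the clock-selection outcome.
TALLY = {"*": "syspeer", "+": "candidate", "-": "outlier", "x": "falseticker",
         "#": "backup", ".": "excess", " ": "rejected"}

@dataclass
class Peer:
    state: str
    remote: str
    refid: str
    stratum: int
    poll: int       # current poll interval in seconds
    reach: int      # 8-bit shift register of recent poll successes (octal)
    delay_ms: float
    offset_ms: float
    jitter_ms: float

def parse_ntpq_p(text: str) -> List[Peer]:
    peers = []
    for line in text.splitlines()[2:]:       # skip header and separator
        if not line.strip():
            continue
        tally, cols = line[0], line[1:].split()
        remote, refid, st, _t, _when, poll, reach = cols[:7]
        delay, offset, jitter = (float(c) for c in cols[7:10])
        peers.append(Peer(TALLY.get(tally, "unknown"), remote, refid, int(st),
                          int(poll), int(reach, 8), delay, offset, jitter))
    return peers

def selected_peer(peers: List[Peer]) -> Optional[Peer]:
    """The peer ntpd is actually disciplining the clock from, if any."""
    return next((p for p in peers if p.state == "syspeer"), None)

def poll_within(peers: List[Peer], remote: str, minpoll: int, maxpoll: int) -> bool:
    """True if the peer is fully reachable and 2**minpoll <= poll <= 2**maxpoll."""
    p = next(p for p in peers if p.remote == remote)
    return p.reach == 0o377 and 2 ** minpoll <= p.poll <= 2 ** maxpoll
```

Run it against `ntpq -p` output from the firewall to confirm the `*` lands on the intended clock and that the overridden servers never exceed 2**maxpoll seconds between polls.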

PZ,
This thread is really eye-opening, never thought there are so many subtle details about the NTP service…

I was recently looking into secure NTP and that was eye-opening as well. I learned that there are servers who offer authentication using hash like MD5 or SHA-256.
There is also something newer called NTS using TLS and other encryption AEAD to sync time.
Also, there are servers keeping best practices and then there is Google’s servers that run a “smeared” second wrong.

I also learned that if you use only one NTP server you know what time it is but with two servers you will never be sure, that’s why you need a third server just to keep things more complex :zipper_mouth_face: