Then suddenly Netgear access points started to drift like 2-3 years off. It’s possible that Netgear expects SNTP or something more sophisticated than NTP.
Now I have started to use smart plugs / switches and they just drift 55 years back all day long and never sync the time. These are ESP8285 devices with 1024 KB Flash ROM, so no way they expect TLS or anything sophisticated.
Again, Windows and Linux machines have no issues using IPFire as their NTP server.
I even hardcode the IPFire IP as the NTP server, or use NIST external IPs etc., so DNS is not an issue here.
Smart switches and Netgear APs wouldn’t ever sync, although the firewall log shows that they are trying every 2-3 minutes.
Need to be able to specify pool vs server.
Currently we are using server and can only add 2 servers.
This is the worst case you can have.
ntp will never know which is correct.
The easy option is just to edit /etc/ntp.conf and add your pool servers…
Before
[root@wr-fw ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
LOCAL(0) .LOCL. 10 l 6d 64 0 0.000 +0.000 0.000
*159.196.3.239 ( 192.168.0.92 2 u 524 1024 377 77.326 -0.506 1.922
+pauseq4vntp1.da 14.202.65.230 2 u 412 1024 377 57.391 +1.958 0.760
after
[root@wr-fw ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
0.au.pool.ntp.o .POOL. 16 p - 64 0 0.000 +0.000 0.000
1.au.pool.ntp.o .POOL. 16 p - 64 0 0.000 +0.000 0.000
2.au.pool.ntp.o .POOL. 16 p - 64 0 0.000 +0.000 0.000
3.au.pool.ntp.o .POOL. 16 p - 64 0 0.000 +0.000 0.000
LOCAL(0) .LOCL. 10 l 58 64 17 0.000 +0.000 0.000
*syd.clearnet.pw 194.195.249.28 3 u 51 64 17 57.460 -4.486 0.179
+220.158.215.20 126.11.196.147 2 u 53 64 17 57.971 -1.264 0.076
+time.cloudflare 10.84.8.25 3 u 51 64 17 7.795 -0.072 0.184
my.blockbluemed 52.64.168.208 5 u 51 64 17 63.495 -1.422 0.737
-y.ns.gin.ntt.ne 129.250.35.222 2 u 52 64 17 282.156 -65.951 0.132
+toc.ntp.telstra 202.6.131.118 2 u 53 64 17 9.093 -0.641 0.054
mansfield.id.au 203.36.227.3 2 u 50 64 17 55.437 -0.789 0.132
-159.196.3.239 ( 192.168.0.92 2 u 53 64 17 75.825 -4.758 0.696
+ec2-13-55-50-68 203.206.205.83 3 u 51 64 17 52.847 -3.026 0.110
ap-southeast-2. 203.35.83.242 2 u 47 64 17 59.257 -0.033 1.406
pauseq4vntp2.da 203.36.227.3 2 u 47 64 17 57.276 +1.385 0.949
time.tfmcloud.a 203.35.83.242 2 u 44 64 17 54.868 -0.713 1.567
bitburger.simon .GPS. 1 u 48 64 17 66.527 -3.391 1.424
220.158.215.21 8.145.32.135 2 u 45 64 17 59.038 -0.088 1.430
14-202-65-230.t .GPS. 1 u 41 64 17 62.259 +1.846 1.679
time.cloudflare 10.84.8.25 3 u 40 64 17 9.241 +1.929 1.952
pool 0.pool.ntp.org
pool 1.pool.ntp.org
pool 2.pool.ntp.org
pool 3.pool.ntp.org
to /etc/ntp.conf
i.e.:
[root@wr-fw ~]# cat /etc/ntp.conf
disable monitor
restrict default nomodify noquery
restrict 127.0.0.1
pool 0.pool.ntp.org
pool 1.pool.ntp.org
pool 2.pool.ntp.org
pool 3.pool.ntp.org
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp/drift
includefile /etc/ntp/ntpInclude.conf
and let ntp sort itself out.
With that I get:
[root@wr-fw ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
0.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
1.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
2.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
3.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
LOCAL(0) .LOCL. 10 l 17 64 7 0.000 +0.000 0.000
time.cloudflare 10.84.8.25 3 u 15 64 7 9.735 +4.921 0.251
ntp1.ds.network 162.159.200.123 4 u 9 64 7 58.894 +4.863 0.134
159.196.3.239 ( 192.168.0.92 2 u 18 64 7 83.777 -3.282 2.992
ec2-13-55-50-68 203.206.205.83 3 u 14 64 7 54.326 +1.728 0.235
vps-b7eaeed7.vp 119.18.6.37 2 u 13 64 7 58.533 +4.457 0.074
ap-southeast-2. 203.35.83.242 2 u 14 64 7 59.381 +3.245 0.167
smtp.juneks.com .PPS. 1 u 10 64 7 59.417 +3.649 0.143
14-202-65-230.t .GPS. 1 u 8 64 7 62.118 +4.702 0.140
mel.clearnet.pw 110.142.180.39 2 u 8 64 7 50.028 +4.988 0.097
203.206.205.83 110.142.180.39 2 u 5 64 7 60.349 +5.700 0.910
lancelot.empty. 103.160.116.13 3 u 5 64 7 59.104 +2.455 0.268
time.cloudflare 10.84.8.25 3 u 6 64 7 9.296 +4.766 0.189
pauseq4vntp2.da 203.36.227.3 2 u 5 64 7 57.202 +5.211 0.135
bitburger.simon .GPS. 1 u 6 64 7 69.841 -1.144 1.674
toc.ntp.telstra 202.6.131.118 2 u 4 64 7 10.169 +4.289 0.282
pauseq4vntp1.da 14.202.65.230 2 u 8 64 3 57.146 +3.604 0.105
Later…
After a bit we end up with:
[root@wr-fw ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
0.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
1.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
2.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
3.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
LOCAL(0) .LOCL. 10 l 1457 64 0 0.000 +0.000 0.000
*time.cloudflare 10.84.8.25 3 u 6 64 377 8.755 +0.103 0.119
+ntp1.ds.network 162.159.200.123 4 u 13 64 377 58.422 +0.012 0.100
-14-202-65-230.t .GPS. 1 u 9 64 377 62.087 -0.131 0.958
-mel.clearnet.pw 110.142.180.39 2 u 56 64 377 49.725 +0.346 0.107
+time.cloudflare 10.84.8.25 3 u 10 64 377 8.971 +0.084 0.098
The *+- at the start indicate things about what ntpq is doing!
* This symbol indicates the currently selected system peer, the one the local machine is actively using for time synchronization.
+ These peers are considered good candidates for synchronization and are used in the clock selection and clustering algorithms to determine the system peer.
- These peers are deemed unreliable or inaccurate and are excluded from the synchronization process.
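To make the tally column above, and the "only 2 servers is the worst case" point earlier in the thread, checkable by script, here is an added example (not IPFire's own code) that parses an ntpq -p billboard and reports what ntpd is doing with its sources. The two billboards embedded in it are the "Before" output and the "After a bit we end up with" output pasted above, as plain text; the forum stripped the column alignment, which the parser tolerates. Pool placeholder rows (t column p, stratum 16) and the LOCAL(0) refclock are not counted as real sources.

```python
"""Parse the ntpq -p peer billboard and report whether ntpd has enough usable sources.

Added example for this thread, not IPFire's code. BEFORE and LATER are the two
billboards posted above, pasted as plain text (column alignment lost).
"""

# Meaning of the tally character in column 0 of ntpq -p (see ntpq(8), "Peer Status Word").
TALLY = {
    "*": "system peer: the source the local clock is disciplined to",
    "+": "candidate: passed selection and clustering, combined into the system offset",
    "#": "backup: a survivor beyond the number ntpd combines",
    "-": "outlier: discarded by the clustering algorithm",
    ".": "excess: discarded by table overflow",
    "x": "falseticker: rejected by the intersection algorithm",
    "o": "PPS peer",
    " ": "not used: unreachable, stratum 16, pool placeholder, or local clock",
}
TALLY_CHARS = "*+#-.xo"
POOL_OR_LOCAL = ("p", "l")   # t column: 'p' = pool placeholder, 'l' = local refclock (LOCAL(0))

BEFORE = """\
[root@wr-fw ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
LOCAL(0) .LOCL. 10 l 6d 64 0 0.000 +0.000 0.000
*159.196.3.239 ( 192.168.0.92 2 u 524 1024 377 77.326 -0.506 1.922
+pauseq4vntp1.da 14.202.65.230 2 u 412 1024 377 57.391 +1.958 0.760
"""

LATER = """\
[root@wr-fw ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
0.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
1.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
2.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
3.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
LOCAL(0) .LOCL. 10 l 1457 64 0 0.000 +0.000 0.000
*time.cloudflare 10.84.8.25 3 u 6 64 377 8.755 +0.103 0.119
+ntp1.ds.network 162.159.200.123 4 u 13 64 377 58.422 +0.012 0.100
-14-202-65-230.t .GPS. 1 u 9 64 377 62.087 -0.131 0.958
-mel.clearnet.pw 110.142.180.39 2 u 56 64 377 49.725 +0.346 0.107
+time.cloudflare 10.84.8.25 3 u 10 64 377 8.971 +0.084 0.098
"""


def parse_ntpq(text):
    """Return one dict per billboard row; prompt, header and separator lines are skipped."""
    peers = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Real ntpq output keeps the tally in column 0 (a blank when absent). A forum paste
        # may strip that blank, so a hostname starting with x or o could be misread there.
        tally = raw[0] if raw[0] in TALLY_CHARS else " "
        parts = raw[1:].split() if tally != " " else raw.split()
        if len(parts) < 10 or parts[0] == "remote":
            continue                           # prompt line, ===== separator, or header
        st, t, when, poll, reach, delay, offset, jitter = parts[-8:]
        peers.append({
            "tally": tally,
            "remote": " ".join(parts[:-9]),    # may contain a space (the stray "(" in the paste)
            "refid": parts[-9],
            "stratum": int(st),
            "type": t,                         # u = unicast, p = pool, l = local, b = broadcast
            "when": when,
            "poll": int(poll),
            "reach": int(reach, 8),            # shift register of the last 8 polls, printed in octal
            "delay_ms": float(delay),
            "offset_ms": float(offset),
            "jitter_ms": float(jitter),
        })
    return peers


def assess(peers, min_sources=3):
    """Summarise the clock selection and flag the common misconfigurations."""
    real = [p for p in peers if p["type"] not in POOL_OR_LOCAL]
    system_peer = next((p["remote"] for p in real if p["tally"] == "*"), None)
    candidates = [p["remote"] for p in real if p["tally"] == "+"]
    outliers = [p["remote"] for p in real if p["tally"] in "-x."]
    usable = sum(1 for p in real if p["tally"] in "*+#")
    not_fully_reached = [p["remote"] for p in real if p["reach"] != 0o377]
    problems = []
    if system_peer is None:
        problems.append("no system peer selected: the local clock is free-running")
    if len(real) < min_sources:
        problems.append("only %d real sources configured (at least %d needed so ntpd can outvote "
                        "a wrong one; with two it cannot tell which is right)" % (len(real), min_sources))
    if any(p["stratum"] >= 16 for p in real):
        problems.append("some sources are stratum 16 (unsynchronised) and cannot be used")
    return {"system_peer": system_peer, "candidates": candidates, "outliers": outliers,
            "usable": usable, "not_fully_reached": not_fully_reached, "problems": problems}


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("later", LATER)):
        print(label, assess(parse_ntpq(text)))
```

Run it against a live box with `ntpq -p | python3 ntpq_check.py`-style piping by reading sys.stdin instead of the embedded strings; the reach value is the quickest tell for the devices in this thread, since a source that is answering every poll shows 377 and one that is being blocked shows 0.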
Further, I suppose the TO has problems publishing the time to some devices.
To investigate this, it would help to log the data traffic for NTP query and response.
Possibly some devices don’t like to send queries to an NTP server outside the local network and to receive the response from IPFire.
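Once the query and response have been captured, the useful comparison is the header fields a client checks before it accepts a reply: leap indicator, version, mode, stratum, reference id and the transmit timestamp. The following is an added example, not IPFire's or ntpd's code, that decodes the 48-byte NTP header of RFC 5905; the three packets in it are constructed with build_packet() to stand in for a captured client query, a healthy server reply and a reply from a server that has not synchronised yet (stratum 0, LI=3, kiss code INIT). The 1900 epoch of NTP timestamps versus the 1970 Unix epoch is handled explicitly, which is also why a client whose clock is unset shows up as sending 1970.

```python
"""Decode the 48-byte NTP header (RFC 5905) from packets captured on UDP/123.

Added example for this thread, not IPFire's or ntpd's code. The packets below are
constructed with build_packet() to stand in for a tcpdump capture.
"""
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_DELTA = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER = "!BBbbII4sQQQQ"         # LI/VN/mode, stratum, poll, precision, root delay, root disp, refid, 4 timestamps
MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client", 4: "server",
         5: "broadcast", 6: "control", 7: "private"}
LEAP = {0: "no warning", 1: "last minute has 61 s", 2: "last minute has 59 s",
        3: "alarm: clock not synchronised"}
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ntp_to_datetime(ts):
    """64-bit NTP timestamp (32.32 fixed point, era 0) -> timezone-aware datetime."""
    seconds = (ts >> 32) - NTP_UNIX_DELTA
    fraction = (ts & 0xFFFFFFFF) / 2**32
    return UNIX_EPOCH + timedelta(seconds=seconds + fraction)


def unix_to_ntp(unix_seconds, fraction=0.0):
    """Inverse of ntp_to_datetime, used to build the sample packets."""
    return ((unix_seconds + NTP_UNIX_DELTA) << 32) | int(fraction * 2**32)


def decode_refid(stratum, raw):
    # Stratum 0/1: four ASCII chars, a kiss code (INIT, STEP, RATE) or clock type (GPS, PPS, LOCL).
    # Stratum 2 and up: IPv4 address of the upstream server (a hash for IPv6, shown the same way).
    if stratum <= 1:
        return "." + raw.rstrip(b"\x00").decode("ascii", "replace") + "."
    return ".".join(str(b) for b in raw)


def decode_ntp(packet):
    if len(packet) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(packet))
    (flags, stratum, poll, precision, root_delay, root_disp,
     refid, ref, orig, recv, xmit) = struct.unpack(HEADER, packet[:48])
    return {
        "leap": flags >> 6,
        "leap_name": LEAP[flags >> 6],
        "version": (flags >> 3) & 7,
        "mode": flags & 7,
        "mode_name": MODES.get(flags & 7, "reserved"),
        "stratum": stratum,
        "poll_s": 2 ** poll,
        "precision_s": 2.0 ** precision,
        "root_delay_s": root_delay / 65536,        # 16.16 fixed point
        "root_dispersion_s": root_disp / 65536,
        "refid": decode_refid(stratum, refid),
        "reference_time": ntp_to_datetime(ref),
        "originate_time": ntp_to_datetime(orig),   # server copies the client's transmit timestamp here
        "receive_time": ntp_to_datetime(recv),
        "transmit_time": ntp_to_datetime(xmit),
        "transmit_raw": xmit,
    }


def reply_sanity(fields):
    """Reasons an RFC 5905 client would discard this reply (empty list = usable)."""
    reasons = []
    if fields["mode"] != 4:
        reasons.append("mode %d is not a server reply" % fields["mode"])
    if fields["leap"] == 3:
        reasons.append("LI=3: server says its clock is not synchronised")
    if fields["stratum"] == 0:
        reasons.append("stratum 0: kiss-o'-death or unsynchronised, refid %s" % fields["refid"])
    elif fields["stratum"] >= 16:
        reasons.append("stratum %d is invalid" % fields["stratum"])
    if fields["transmit_raw"] == 0:
        reasons.append("transmit timestamp is zero")
    return reasons


def build_packet(leap, version, mode, stratum=0, poll=0, precision=0, root_delay=0,
                 root_disp=0, refid=b"\x00" * 4, ref=0, orig=0, recv=0, xmit=0):
    flags = (leap << 6) | (version << 3) | mode
    return struct.pack(HEADER, flags, stratum, poll, precision, root_delay, root_disp,
                       refid, ref, orig, recv, xmit)


# Constructed samples, not captured traffic. T0 is 2024-01-01T00:00:00Z.
T0 = 1_704_067_200
# SNTP-style client whose clock still sits at the Unix epoch: LI=3, mode 3, only xmit filled in.
CLIENT_QUERY = build_packet(3, 4, 3, xmit=unix_to_ntp(0))
# Synchronised stratum-2 server answering it; orig echoes the client's xmit, refid is its upstream (192.0.2.1 is a documentation address).
SERVER_REPLY = build_packet(0, 4, 4, stratum=2, poll=6, precision=-23, root_delay=806, root_disp=1000,
                            refid=bytes([192, 0, 2, 1]), ref=unix_to_ntp(T0), orig=unix_to_ntp(0),
                            recv=unix_to_ntp(T0 + 60), xmit=unix_to_ntp(T0 + 60, 0.5))
# The same server before it has synced to anything: stratum 0 on the wire, LI=3, kiss code INIT.
UNSYNCED_REPLY = build_packet(3, 4, 4, stratum=0, refid=b"INIT", orig=unix_to_ntp(0),
                              recv=unix_to_ntp(T0 + 60), xmit=unix_to_ntp(T0 + 60))

if __name__ == "__main__":
    for name, pkt in (("query", CLIENT_QUERY), ("reply", SERVER_REPLY), ("unsynced", UNSYNCED_REPLY)):
        f = decode_ntp(pkt)
        print(name, f["mode_name"], "v%d" % f["version"], "stratum", f["stratum"], f["refid"],
              f["transmit_time"].isoformat(), reply_sanity(f) or "ok")
```

For a real investigation, feed decode_ntp() the UDP payloads from a capture taken on the firewall and on the Pi for the same client, and diff the two dicts: a reply the client silently drops will usually show a difference in one of the fields reply_sanity() looks at.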
I believe pool is better; whilst pool and server are similar, they are not the same.
Also, only having 2 servers is sub-optimal.
I believe (very basic understanding) server is fixed to the server you specify (round robin), whilst pool allows dynamic changes to the servers being queried.
For most, maybe server is OK; I have a use case (FM radio transmission) where the time requires accuracy.
I think I found a workaround for my NTP issues.
Set up another NTP server on a Raspberry Pi inside the Green network.
Then I changed the IPFire DHCP configuration to use the Pi as the primary NTP server and also pointed all devices that have issues to the Pi. The IPFire firewall log still shows that the query was DNATed and forwarded to IPFire’s IP address. This works with all modern devices like smart switches and APs that have the option to customize NTP.
I still have 2 older access points that wouldn’t update the time, but I can totally live without the correct time on these APs.
But for the sake of our project, it would be nice to know what the reason was and how the NTP service on the Pi differs from IPFire. This would allow making sure that the IPFire system is the gateway for all local devices: for internet access, name resolution, time service, …
Any side applications in the local network complicate the local configuration, IMO.