NTP Configuration FWG

Comments

13 comments

  • Firewalla

    NTP likely to be configurable in the future.

    May I know what is the "high stability time base product" you are using?

  • Russ Nixon

    It's a clock module with an oven-controlled crystal oscillator. It uses a stratum 1 NTP server to set itself and it distributes stratum 3 clock into my network. At some point in the future, I want to use a GPS disciplined oscillator as my clock source.

    Why? Because I can! :-)

  • Firewalla

    Do you back up your NTP server? Or does it fully terminate at it?

    (the reason I am asking is, if your NTP server does NTP, it will likely create a loop ...)

  • Russ Nixon

    I don't fully understand your question, but I think you are asking about the NTP configuration on the NTP server and each of the other hosts on my network. Right now, the FWG independently gets its time from whatever its NTP configuration is set for. My NTP server uses its OCXO for time, and that is disciplined a few times per day by a public stratum 1 NTP server. My internal NTP server is thus a stratum 2 source, and it distributes clock to my LAN. Its configuration has fallback NTP servers, as do the other hosts on my network. So, if my WAN connection fails, my NTP server will continue to supply clock from its internal OCXO. If my NTP server fails, the other hosts will use their NTP configuration to sync with fallback public NTP servers.
    Right now I'm seeing sync between 50 and 100 ms, certainly good enough for a home network.

  • Firewalla

    What I mean is, does your current NTP server query other NTP servers to sync time?

  • Russ Nixon

    Yes, but the fallback servers are different from the fallback servers of the other hosts in my network.

    I see no evidence of a broadcast storm on my LAN.

  • Firewalla

    Once you set up Firewalla Intercept and configure Firewalla's NTP server to your LAN-based NTP server, and if your LAN NTP server starts using an external NTP server, it will cause a loop that may blow up your network.

  • Russ Nixon

    Aha! A simple test has shown me that the FWG is an NTP server by default. I'll have to console in and change "/etc/ntp.conf" to correct that. That should prevent loops, especially if the fallback NTP servers are from a different pool.

    Is there some way to ensure that the FWG's new NTP configuration will live across a reboot?

    Configurable NTP would be a great help and (I think) a worthy candidate for an app change.

  • Russ Nixon

    My internal NTP server does go to the internet to initially set the time and date and checks periodically.

    So, if in the FWG's NTP configuration I disable "broadcast <my network broadcast IP>" and configure my internal NTP server as the preferred NTP host with the regular pools as fallback, there should be no problem, as the FWG is no longer acting as an NTP server.

    Can you explain "intercept"?

  • Firewalla

    Intercept: Firewalla will take the NTP packet and process it locally.

    So, in your local NTP server case, the packet will be

    Your NTP server -> Firewalla intercept -> Send to the NTP server (you setup already) -> loop ... 

  • Russ Nixon

    I have solved the looping issue.

    I have commented out all of the pool entries in "ntp.conf" and added the line "server <my server IP address> prefer iburst". This completely avoids the possibility of the FWG attempting to cause a loop looking for NTP servers.

    If my internal server fails, the rest of the hosts and the FWG will have to get along on their internal clocks for a while.

  • Russ Nixon

    I have made changes to the file "/etc/ntp.conf", commenting out the pool entries and the distribution of NTP updates to my LAN. I have added a "server" entry pointing to my internal NTP server as a preferred NTP source. I have tested this for some time and all is working correctly. I would like to install "ntpstat", although this is not necessary, and save the changes so that rebooting the firewall will not erase the changes I have made. What is the procedure for saving the changes I have made? Thanks in advance.

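The ntp.conf edit described in the two comments above (comment out the pool entries and the LAN broadcast line, add one preferred LAN server), as an added shell example that is not from the thread or from Firewalla. The 10.0.0.5 address, the file paths and the sample config in the comments are constructed for illustration; nothing here is specific to the Firewalla image, it is plain ntpd configuration syntax.

```shell
#!/bin/sh
# Added example, not code from the thread or from Firewalla. Rewrites an
# ntpd ntp.conf so the box no longer hands time to the LAN and syncs only
# from one preferred LAN server. The 10.0.0.5 address and the file paths
# used below are assumptions for illustration.

# Print the active (uncommented) upstream sources: server, pool and peer lines.
# Use this to check what the box will actually query before and after the edit.
ntp_upstreams() {
    awk '/^[ \t]*(server|pool|peer)[ \t]/ { print $2 }' "$1"
}

# Return 0 if the config still pushes time onto the LAN (broadcast/multicast).
ntp_serves_lan() {
    grep -Eq '^[[:space:]]*(broadcast|multicast|manycastserver)[[:space:]]' "$1"
}

# harden_ntp_conf IN OUT SERVER_IP
# Comment out every pool entry and every broadcast/multicast line, keep the
# rest of the file (driftfile, restrict lines, ...) exactly as it was, and
# append one preferred upstream with iburst for a fast initial sync.
harden_ntp_conf() {
    in=$1
    out=$2
    srv=$3
    awk -v srv="$srv" '
        /^[ \t]*(pool|broadcast|multicast|manycastserver)[ \t]/ { print "# " $0; next }
        { print }
        END { print "server " srv " prefer iburst" }
    ' "$in" > "$out"
}

# Usage: ./ntp-harden.sh /etc/ntp.conf /etc/ntp.conf.new 10.0.0.5
# Review /etc/ntp.conf.new, then move it into place and restart ntpd.
if [ "$#" -eq 3 ]; then
    harden_ntp_conf "$1" "$2" "$3"
    printf 'upstreams now: %s\n' "$(ntp_upstreams "$2")"
    if ntp_serves_lan "$2"; then
        echo "warning: config still distributes time to the LAN"
    else
        echo "LAN distribution off"
    fi
fi
```

Two caveats worth checking after the edit. Removing the broadcast line stops ntpd announcing time to the LAN, but ntpd still answers unicast requests on UDP 123 unless the restrict lines carry noserve, so a client pointed at the box by hand would still be served. And with the pool entries gone, ntp_upstreams should list only the LAN server; after restarting ntpd, ntpq -p should show that single source with a non-zero reach, which is the quickest way to confirm there is no second path back out to the internet that the intercept could turn into a loop.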
  • Firewalla

    Please see this on how to make your configuration stick https://help.firewalla.com/hc/en-us/articles/360054056754-Customized-Scripting

