New Build - 11/09/2022 - r50841

mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Thu Nov 10, 2022 3:15
portsup wrote:
mwchang wrote:

The clock must be set for all encryption to work properly, with or without ntp_server's value!

But I can't set the clock with the default ntp_server value

Punch an IP address instead of a domain name into that field, hit <Apply>. Then execute "ntpclient" to test it and use "grep ntpclient /var/log/messages" to see the results.

Read: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=333285&start=7

Maybe you should just leave it blank to use factory default. Press <CTRL+A> in that field, then press <Delete>, then hit <Apply>.

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Thu Nov 10, 2022 5:21
HOME Wired Multicast ISP 4K TV Network
Router/Version: R7000
File/Kernel: DD-WRT v3.0-r50841 std (11/08/22)
Kernel Version: Linux 4.4.302-st25 #8205 SMP Tue Nov 8 23:53:52 -00 2022 armv7l
Previous/Reset: r50814 / No Reset, CLI Update
Mode/Status: GW / Working Well
Issues/Errors: none / none
Services Used: Multicast,IGMP,CTF,SSH,Syslog
Services Disabled: FA,WiFi,QoS,ttraff,Telnet,NAS,Samba

Running for over 14 hours.

OffSite #1
Router/Version: R7000
File/Kernel: DD-WRT v3.0-r50841 std (11/08/22)
Kernel Version: Linux 4.4.302-st25 #8205 SMP Tue Nov 8 23:53:52 -00 2022 armv7l
Previous/Reset: r50814 / No Reset, Remote CLI Update
Mode/Status: GW & AP / Working Well
Issues/Errors: none / none
Services Used: CTF,DHCP WAN,IPv6-6to4,NTP,WG Client,VLANx,BRx,SSH,Syslog,Cron,USB Storage,Entware DNSCrypt v2.1.1
Services Disabled: QoS,ttraff,Telnet,NAS,Samba,YAMon3.4.6

Running for over 14 hours.


Thank you BrainSlayer for your Great Work and everyone else who makes DD-WRT Great on the Forum!

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

Posted: Thu Nov 10, 2022 5:49
mwchang wrote:

Punch an IP address instead of a domain name into that field, hit <Apply>. Then execute "ntpclient" to test it and use "grep ntpclient /var/log/messages" to see the results.

Read: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=333285&start=7

Maybe you should just leave it blank to use factory default. Press <CTRL+A> in that field, then press <Delete>, then hit <Apply>.


You are not understanding the problem, which is that in spite of anything set in ntp_server, ddwrt won't use it if DNScrypt is enabled.

Anyway I seem to have fixed it using iptables to redirect running in the startup script.
Code:
iptables -t nat -I PREROUTING -d 2.pool.ntp.org -j DNAT --to [replace with redirected ntp pool domain]
iptables -t nat -I PREROUTING -d 212.18.3.19 -j DNAT --to [replace with redirected ntp server]
iptables -t nat -I PREROUTING -d 88.99.174.22 -j DNAT --to [replace with redirected ntp server]


Interesting, iptables seems to work with domains.
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

Posted: Thu Nov 10, 2022 6:48
Interesting iptables; I also agree with egc's Additional DNSMasq options. Should remove || nvram_matchi("dns_crypt", 1).
I agree with ho1Aetoo that we do not need any exceptions at all, so user-specified servers are always used unless blank.

About the blank default (2.pool.ntp.org 212.18.3.19 88.99.174.22): in the beginning the order was three IPv4 addresses, then one pool.
Over the passage of time the order was inverted, so the pool became first, not last, and it was reduced to two IP addresses; not good.

So maybe we should reconsider this order, and also do some testing to make new choices for the hardcoded IP addresses.
Some online tools I use, in addition to local tests: https://servertest.online/ntp and https://www.ntppool.org/scores/

Lastly, there are five global pools: pool.ntp.org, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org (2 is for IPv6).
All have different IPs which are periodically rotated, so I can see why portsup needed to specify 2.pool.ntp.org to work.


Last edited by blkt on Thu Nov 10, 2022 7:16; edited 2 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Thu Nov 10, 2022 7:01
@portsup, yes iptables can work with hostnames:
Quote:
-s, --source [!] address[/mask]
Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address.


But how do you think those are resolved?
Indeed, by DNS, so what you are doing makes no sense unless the IP addresses 212.18.3.19 and 88.99.174.22 are no longer functional.

I just checked 212.18.3.19 and 88.99.174.22; they are both working, so the question remains why the default is not working for you. That is the real problem.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

Posted: Thu Nov 10, 2022 7:06
88.99.174.22 fails on my machine when attempting to time sync, also https://servertest.online/ntp regional limit?
https://www.ntppool.org/scores/212.18.3.19 this IP address is reliable, offset a little scattered, but I can use this.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Thu Nov 10, 2022 7:21
blkt wrote:
88.99.174.22 fails on my machine when attempting to time sync, also https://servertest.online/ntp regional limit?
https://www.ntppool.org/scores/212.18.3.19 this IP address is reliable, offset a little scattered, but I can use this.


Could be a regional limit, an ISP block, or it just went out of order?

Using IP addresses as time servers is not the best idea, as they can be down or out of order or whatever.

Using a URL and making sure that URL can be resolved by insecure DNS would be my first choice, and use IP addresses as backup.

I think I saw @ho1Aetoo testing dnscrypt; maybe he can see what is going on?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

Posted: Thu Nov 10, 2022 7:29
The Additional dnsmasq options solution with 2.pool.ntp.org is perfect so long as the specified DNS servers are reliable.
Otherwise, prioritizing two or three globally reliable hardcoded IP addresses guarantees no issue, just as it was on day 1.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Thu Nov 10, 2022 8:30
egc wrote:
blkt wrote:
88.99.174.22 fails on my machine when attempting to time sync, also https://servertest.online/ntp regional limit?
https://www.ntppool.org/scores/212.18.3.19 this IP address is reliable, offset a little scattered, but I can use this.


Could be a regional limit, an ISP block, or it just went out of order?

Using IP addresses as time servers is not the best idea, as they can be down or out of order or whatever.

Using a URL and making sure that URL can be resolved by insecure DNS would be my first choice, and use IP addresses as backup.

I think I saw @ho1Aetoo testing dnscrypt; maybe he can see what is going on?



Currently no reachable NTP server is running on IP 88.99.174.22.

212.18.3.19 is online and working:
Code:
Jan 1 01:01:14 DD-WRT daemon.err ntpclient[2032]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Jan 1 01:01:14 DD-WRT daemon.err ntpclient[2032]: Failed resolving server 2.pool.ntp.org: Network is down
Jan 1 01:01:14 DD-WRT daemon.debug ntpclient[2032]: Connecting to 212.18.3.19 [212.18.3.19] ...
Nov 10 09:20:07 DD-WRT daemon.info ntpclient[2032]: Time set from 212.18.3.19 [212.18.3.19].
Nov 10 09:20:07 DD-WRT daemon.info process_monitor[2026]: Cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)
Nov 10 09:20:07 DD-WRT daemon.info process_monitor[2026]: Local timer delta is 1668068338


The additional dnsmasq option "server=/pool.ntp.org/8.8.8.8" also works:

Code:
Jan 1 01:01:09 DD-WRT daemon.debug ntpclient[2061]: Connecting to 2.pool.ntp.org [90.187.148.77] ...
Nov 10 09:15:51 DD-WRT daemon.info ntpclient[2061]: Time set from 2.pool.ntp.org [90.187.148.77].
Nov 10 09:15:51 DD-WRT daemon.info process_monitor[2060]: Cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)
Nov 10 09:15:51 DD-WRT daemon.info process_monitor[2060]: Local timer delta is 1668068082


I have forwarded it all to BS as I said:

1. that custom NTP entries are ignored
2. a typo in ntp.c (2x checks for unbound, probably a missing smartdns check)
3. that 88.99.174.22 is not working

You know yourself he is very busy at the moment.

Footnote: I cannot confirm that nothing works at all, as described.

So far I have always immediately received a time:
there is at least 1 hardcoded and working NTP server available.
Also, you can resolve the pool "2.pool.ntp.org" via an unsafe DNS server. (If Google, Cloudflare or Quad9 can't resolve pool.ntp.org addresses, that's not our problem; I would suspect some other network problems.)


Last edited by ho1Aetoo on Thu Nov 10, 2022 9:01; edited 1 time in total
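The two log excerpts above show the pattern worth checking for on any router where DNS depends on NTP: the pool name fails to resolve while the clock is still at the epoch ("Jan 1"), and the sync only succeeds because a hardcoded IP answers. The following parser is an added example written for this thread, not DD-WRT code; it reads ntpclient/process_monitor lines in the format shown above (the sample log is constructed from that format) and reports whether the sync depended on the hardcoded fallback and which configured servers were never exercised.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the line format ntpclient and process_monitor use in
# /var/log/messages on DD-WRT, modelled on the excerpt posted in the thread.
SAMPLE_LOG = """\
Jan 1 01:01:14 DD-WRT daemon.err ntpclient[2032]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Jan 1 01:01:14 DD-WRT daemon.err ntpclient[2032]: Failed resolving server 2.pool.ntp.org: Network is down
Jan 1 01:01:14 DD-WRT daemon.debug ntpclient[2032]: Connecting to 212.18.3.19 [212.18.3.19] ...
Nov 10 09:20:07 DD-WRT daemon.info ntpclient[2032]: Time set from 212.18.3.19 [212.18.3.19].
Nov 10 09:20:07 DD-WRT daemon.info process_monitor[2026]: Cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)
Nov 10 09:20:07 DD-WRT daemon.info process_monitor[2026]: Local timer delta is 1668068338
"""

# syslog prefix: "Mon D HH:MM:SS host facility.level prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ \S+ "
    r"(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$"
)
RESOLVE_FAIL_RE = re.compile(r"^Failed resolving server (?P<srv>\S+): (?P<why>.+)$")
CONNECT_RE = re.compile(r"^Connecting to (?P<srv>\S+) \[")
TIME_SET_RE = re.compile(r"^Time set from (?P<srv>\S+) \[(?P<ip>[^\]]+)\]")
CYCLIC_RE = re.compile(r"^Cyclic NTP Update (?P<result>\w+) \(servers (?P<servers>[^)]*)\)")


def is_ip_literal(value: str) -> bool:
    """True when the configured server is a bare IP rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


@dataclass
class NtpReport:
    configured_servers: List[str] = field(default_factory=list)
    resolve_failures: Dict[str, str] = field(default_factory=dict)  # name -> reason
    attempted: List[str] = field(default_factory=list)              # servers contacted
    time_set_from: Optional[str] = None                              # first successful source
    cyclic_result: Optional[str] = None
    pre_sync_lines: int = 0  # entries stamped with the unset-clock epoch date before sync


def analyze(log_text: str) -> NtpReport:
    """Walk the log once and collect what ntpclient resolved, tried and used."""
    rep = NtpReport()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        # Heuristic: an unsynchronised Linux clock sits at the 1970 epoch, so
        # anything logged before the first sync carries a "Jan 1" date.
        if rep.time_set_from is None and m["mon"] == "Jan" and m["day"] == "1":
            rep.pre_sync_lines += 1
        msg = m["msg"]
        f = RESOLVE_FAIL_RE.match(msg)
        if f:
            rep.resolve_failures[f["srv"]] = f["why"]
            continue
        c = CONNECT_RE.match(msg)
        if c:
            rep.attempted.append(c["srv"])
            continue
        t = TIME_SET_RE.match(msg)
        if t and rep.time_set_from is None:
            rep.time_set_from = t["srv"]
            continue
        y = CYCLIC_RE.match(msg)
        if y:
            rep.cyclic_result = y["result"]
            rep.configured_servers = y["servers"].split()
    return rep


def findings(rep: NtpReport) -> List[str]:
    """Turn the parsed report into the points a defender wants to see."""
    out: List[str] = []
    if rep.time_set_from is None:
        out.append("no successful time sync in this log window")
    for srv, why in rep.resolve_failures.items():
        out.append(f"{srv} could not be resolved ({why}): DNS was not usable when ntpclient ran")
    if rep.time_set_from and is_ip_literal(rep.time_set_from) and rep.resolve_failures:
        out.append(f"time came from hardcoded fallback {rep.time_set_from}; sync depends on that IP staying up")
    for srv in rep.configured_servers:
        if srv not in rep.attempted and srv not in rep.resolve_failures:
            out.append(f"{srv} was never tried (an earlier server succeeded), so its health is unverified")
    if rep.pre_sync_lines:
        out.append(f"{rep.pre_sync_lines} entries were logged with an unset (epoch) clock before sync")
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print("-", line)
```

Run against the real file with `analyze(open("/var/log/messages").read())`; the "never tried" finding is the useful one, because a server that is only ever reached after the others fail (88.99.174.22 in this thread) can be dead for months without anyone noticing.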
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

Posted: Thu Nov 10, 2022 9:00
blkt wrote:
Interesting iptables; I also agree with egc's Additional DNSMasq options. Should remove || nvram_matchi("dns_crypt", 1).
I agree with ho1Aetoo that we do not need any exceptions at all, so user-specified servers are always used unless blank.

About the blank default (2.pool.ntp.org 212.18.3.19 88.99.174.22): in the beginning the order was three IPv4 addresses, then one pool.
Over the passage of time the order was inverted, so the pool became first, not last, and it was reduced to two IP addresses; not good.

So maybe we should reconsider this order, and also do some testing to make new choices for the hardcoded IP addresses.
Some online tools I use, in addition to local tests: https://servertest.online/ntp and https://www.ntppool.org/scores/

Lastly, there are five global pools: pool.ntp.org, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org (2 is for IPv6).
All have different IPs which are periodically rotated, so I can see why portsup needed to specify 2.pool.ntp.org to work.


I agree to remove nvram_matchi("dns_crypt", 1) and change the default DNS IPs; maybe it would be good to add an extra pool domain?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Thu Nov 10, 2022 9:20
egc wrote:
blkt wrote:
88.99.174.22 fails on my machine when attempting to time sync, also https://servertest.online/ntp regional limit?
https://www.ntppool.org/scores/212.18.3.19 this IP address is reliable, offset a little scattered, but I can use this.


Could be a regional limit, an ISP block, or it just went out of order?

Using IP addresses as time servers is not the best idea, as they can be down or out of order or whatever.

Using a URL and making sure that URL can be resolved by insecure DNS would be my first choice, and use IP addresses as backup.

I think I saw @ho1Aetoo testing dnscrypt; maybe he can see what is going on?



Well... in my case (Stubby/GetDNS), or the DNScrypt case... DNS comes up after NTP time is set...
so I have 216.239.35.8 162.159.200.123 in my NTP servers... so time is resolved even without DNS.

I don't understand why there is a mock, when in case the ISP is blocking NTP time requests or fetching their servers you can't do much anyway... the only solution is secure NTP time resolving via port 443 or 853, to be able to bypass the firewall edge or any restrictions... but I don't know if this is possible, as most of the time servers use port 123 and this is easy to cap/block from the ISP side... nor will you have DNS if there is no NTP time... chicken and egg problem...
egc's solution via advanced dnsmasq rules or adding these 2 IPs in the NTP time box is working in my case... I also tried resetting the R7000 and setting those IPs and NTP time was ok... so if portsup
has an issue with NTP time it's either the ISP or he has something wrong with his setup (usererr)
I guess for the DDWRT case NTP it's better to look for an IP in the box first, than use the hardcoded NTP time servers as it does... or just change those to hardcoded GGl and Cloudflare NTP time...
It will be interesting to see how far the rabbit hole goes...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Thu Nov 10, 2022 9:27; edited 1 time in total
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

Posted: Thu Nov 10, 2022 9:21
egc wrote:

But how do you think those are resolved?
Indeed, by DNS, so what you are doing makes no sense unless the IP addresses 212.18.3.19 and 88.99.174.22 are no longer functional.

I just checked 212.18.3.19 and 88.99.174.22; they are both working, so the question remains why the default is not working for you. That is the real problem.


I am going to guess my DNSmasq server=/2.pool.ntp.org/9.9.9.9 is somehow also migrated onto the redirected domain, because it does work, and I now get different IPs than 2.pool.ntp.org gives out.

As to 212.18.3.19 and 88.99.174.22, ho1Aetoo confirmed there is no NTP server on 88.99.174.22; no idea about 212.18.3.19, but we all have regional ISP differences, and that is why there are custom fields. Delving into my specific network issues doesn't seem necessary, though it is interesting.
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

Posted: Thu Nov 10, 2022 9:29
Alozaros wrote:

well...in my case (Stubby/GetDNS) or DNScrypt case...DNS comes up after NTP time is set...
so, i have 216.239.35.8 162.159.200.123 in my NTP servers...so time is resolved even without DNS


The code ignores the custom NTP server setting if you use DNScrypt. Which I am not sure you get given the below.

Alozaros wrote:
...so if portsup
has an issue with NTP time it's either the ISP or he has something wrong with his setup (usererr)
I guess for NTP it's better to look for an IP in the box first than use the hardcoded NTP time servers... or just change those to GGl and Cloudflare NTP time...
It will be interesting to see how far the rabbit hole goes...
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Thu Nov 10, 2022 9:44
The entry "server=/pool.ntp.org/8.8.8.8" also resolves the subdomains correctly...


Direct request to the Google server:

Code:
dig 2.pool.ntp.org A @8.8.8.8 2.pool.ntp.org AAAA @8.8.8.8

; <<>> DiG 9.16.1-Ubuntu <<>> 2.pool.ntp.org A @8.8.8.8 2.pool.ntp.org AAAA @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33300
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;2.pool.ntp.org.         IN   A

;; ANSWER SECTION:
2.pool.ntp.org.      81   IN   A   193.99.165.217
2.pool.ntp.org.      81   IN   A   131.188.3.222
2.pool.ntp.org.      81   IN   A   85.10.240.253
2.pool.ntp.org.      81   IN   A   45.9.61.155

;; Query time: 15 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Do Nov 10 10:42:13 CET 2022
;; MSG SIZE  rcvd: 107

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51179
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;2.pool.ntp.org.         IN   AAAA

;; ANSWER SECTION:
2.pool.ntp.org.      150   IN   AAAA   2a01:4f8:141:282::5:1
2.pool.ntp.org.      150   IN   AAAA   2a01:7e0:0:620::13
2.pool.ntp.org.      150   IN   AAAA   2003:a:87f:c37c::3
2.pool.ntp.org.      150   IN   AAAA   2a01:4f8:200:1473:bee::123

;; Query time: 15 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Do Nov 10 10:42:13 CET 2022
;; MSG SIZE  rcvd: 155


Request to dnsmasq:

Code:
dig 2.pool.ntp.org A @192.168.1.1 2.pool.ntp.org AAAA @192.168.1.1

; <<>> DiG 9.16.1-Ubuntu <<>> 2.pool.ntp.org A @192.168.1.1 2.pool.ntp.org AAAA @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54071
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;2.pool.ntp.org.         IN   A

;; ANSWER SECTION:
2.pool.ntp.org.      81   IN   A   193.99.165.217
2.pool.ntp.org.      81   IN   A   131.188.3.222
2.pool.ntp.org.      81   IN   A   85.10.240.253
2.pool.ntp.org.      81   IN   A   45.9.61.155

;; Query time: 19 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Do Nov 10 10:42:13 CET 2022
;; MSG SIZE  rcvd: 107

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50657
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;2.pool.ntp.org.         IN   AAAA

;; ANSWER SECTION:
2.pool.ntp.org.      150   IN   AAAA   2a01:4f8:141:282::5:1
2.pool.ntp.org.      150   IN   AAAA   2a01:7e0:0:620::13
2.pool.ntp.org.      150   IN   AAAA   2003:a:87f:c37c::3
2.pool.ntp.org.      150   IN   AAAA   2a01:4f8:200:1473:bee::123

;; Query time: 15 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Do Nov 10 10:42:13 CET 2022
;; MSG SIZE  rcvd: 155




Keep in mind the IPs rotate.
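The dig output above shows why `server=/pool.ntp.org/8.8.8.8` covers `2.pool.ntp.org` as well, and portsup's `server=/2.pool.ntp.org/9.9.9.9` covers only that one name: dnsmasq applies a `server=/domain/upstream` line to the domain and every subdomain, on label boundaries, and when several lines match the most specific domain wins. The code below is an added example for this thread, not dnsmasq or DD-WRT code; it models those matching rules for a set of "Additional dnsmasq options" lines so you can check, before saving the config, exactly which names will leave the encrypted resolver over plain DNS. `DEFAULT_UPSTREAM` is a placeholder for whatever dnsmasq forwards to when no line matches (the DNSCrypt proxy, in this setup).

```python
import ipaddress
from typing import Dict, List, Optional

# Placeholder for the normal upstream used when no server=/domain/ line matches.
DEFAULT_UPSTREAM = "default-upstream (encrypted proxy)"


def _valid_upstream(value: str) -> bool:
    """Accept 'IP' or 'IP#port' (dnsmasq syntax) or '#' meaning 'use the normal upstreams'."""
    if value == "#":
        return True
    host = value.split("#", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_server_options(lines: List[str]) -> Dict[str, str]:
    """Parse 'server=/domain[/domain2...]/upstream' lines into {domain: upstream}.

    Other options and comments are ignored. Domains are lower-cased and
    stripped of a trailing dot so lookups are case- and FQDN-insensitive.
    """
    table: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line.startswith("server=/"):
            continue
        parts = line[len("server="):].split("/")  # "/a/b/1.2.3.4" -> ["", "a", "b", "1.2.3.4"]
        upstream = parts[-1]
        domains = [p.lower().rstrip(".") for p in parts[1:-1] if p]
        if not domains or not _valid_upstream(upstream):
            continue  # malformed line: dnsmasq would refuse to start on some of these
        for d in domains:
            table[d] = upstream
    return table


def upstream_for(qname: str, table: Dict[str, str]) -> str:
    """Return the upstream dnsmasq would forward a query for qname to.

    A domain matches itself and any subdomain (label-boundary suffix match);
    among several matches the longest, i.e. most specific, domain wins.
    """
    name = qname.lower().rstrip(".")
    best: Optional[str] = None
    for domain in table:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    if best is None or table[best] == "#":
        return DEFAULT_UPSTREAM
    return table[best]


def plaintext_bypass_domains(table: Dict[str, str]) -> List[str]:
    """Domains (with all their subdomains) whose queries skip the default upstream.

    On a DNSCrypt/DoT setup these are the names an on-path observer can see
    being looked up, so the list should stay as short as the NTP bootstrap needs.
    """
    return sorted(d for d, up in table.items() if up != "#")


if __name__ == "__main__":
    # Constructed sample: the two variants discussed in the thread side by side.
    opts = ["server=/pool.ntp.org/8.8.8.8", "server=/2.pool.ntp.org/9.9.9.9"]
    table = parse_server_options(opts)
    for q in ("pool.ntp.org", "0.pool.ntp.org", "2.pool.ntp.org", "www.example.com"):
        print(f"{q:20} -> {upstream_for(q, table)}")
    print("plaintext DNS for:", plaintext_bypass_domains(table))
```

With both lines present, `0.pool.ntp.org` goes to 8.8.8.8 and `2.pool.ntp.org` to 9.9.9.9, which is the precedence portsup observed when his 2.pool.ntp.org entry "also" took effect; a look-alike such as `fakepool.ntp.org` does not match, because the suffix test is on a label boundary.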
r7000-2
DD-WRT User


Joined: 23 May 2022
Posts: 61

Posted: Thu Nov 10, 2022 9:55
Router/Version: Netgear R7000
File/Kernel: netgear-r7000-webflash.bin / Linux 4.4.302-st25 #8205 SMP Tue Nov 8 23:53:52 -00 2022 armv7l
Previous/Reset: r50786 std (11/02/22) / No
Mode/Status: RIP2 Router
Issues/Errors: None

_________________
Several NetGears with Broadcom and with Atheros
Mode: RIP2 Router, 2G/5G radios are active, Routed WiFi multiple SSID's/separated by IP subnets.
Remote Syslog, NTP, IPv6 management, WireGuard routed Site-2-Site VPNs
All times are GMT