Joined: 26 Mar 2013 Posts: 1855 Location: Hung Hom, Hong Kong
Posted: Thu Nov 10, 2022 3:15 Post subject:
portsup wrote:
mwchang wrote:
The clock must be set for all encryption to work properly, with or without ntp_server's value!
But I can't set the clock with the default ntp_server value
Punch an IP address instead of domain name into that field, hit <Apply>. Then execute "ntpclient" to test it and use "grep ntpclient /var/log/messages" to see results.
Maybe you should just leave it blank to use the factory default. Press <CTRL+A> in that field, then press <Delete>, then hit <Apply>.
_________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
HOME Wired Multicast ISP 4K TV Network Router/Version: R7000
File/Kernel: DD-WRT v3.0-r50841 std (11/08/22)
Kernel Version: Linux 4.4.302-st25 #8205 SMP Tue Nov 8 23:53:52 -00 2022 armv7l
Previous/Reset: r50814 / No Reset, CLI Update
Mode/Status: GW / Working Well
Issues/Errors: none / none
Services Used: Multicast,IGMP,CTF,SSH,Syslog
Services Disabled: FA,WiFi,QoS,ttraff,Telnet,NAS,Samba
Running for over 14 hours.
OffSite #1 Router/Version: R7000
File/Kernel: DD-WRT v3.0-r50841 std (11/08/22)
Kernel Version: Linux 4.4.302-st25 #8205 SMP Tue Nov 8 23:53:52 -00 2022 armv7l
Previous/Reset: r50814 / No Reset, Remote CLI Update
Mode/Status: GW & AP / Working Well
Issues/Errors: none / none
Services Used: CTF,DHCP WAN,IPv6-6to4,NTP,WG Client,VLANx,BRx,SSH,Syslog,Cron,USB Storage,Entware DNSCrypt v2.1.1
Services Disabled: QoS,ttraff,Telnet,NAS,Samba,YAMon3.4.6
Running for over 14 hours.
Thank you BrainSlayer for your great work, and everyone else who makes DD-WRT great on the forum!
_________________ Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
Quote:
Punch an IP address instead of domain name into that field, hit <Apply>. Then execute "ntpclient" to test it and use "grep ntpclient /var/log/messages" to see results.
About the blank default (2.pool.ntp.org 212.18.3.19 88.99.174.22): in the beginning the order was three IPv4 addresses, then one pool.
Over the passage of time the order was inverted, so the pool became first, not last, and it was reduced to two IP addresses, which is not good.
Lastly, there are five global pool.ntp.org hosts: pool.ntp.org, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org (2 is for IPv6).
All have different IPs which are periodically rotated, so I can see why portsup needed to specify 2.pool.ntp.org to work.
Last edited by blkt on Thu Nov 10, 2022 7:16; edited 2 times in total
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Thu Nov 10, 2022 7:01 Post subject:
@portsup, yes iptables can work with hostnames:
Quote:
-s, --source [!] address[/mask]
Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address.
But how do you think those are resolved?
Indeed by DNS, so what you are doing makes no sense unless the IP addresses 212.18.3.19 and 88.99.174.22 are no longer functional.
The additional dnsmasq options solution with 2.pool.ntp.org is perfect so long as the specified DNS servers are reliable.
Otherwise, prioritizing two or three globally reliable hardcoded IP addresses guarantees no issue, just as it was on day 1.
Could be a regional limit, an ISP block, or it just went out of order?
Using IP addresses as time servers is not the best idea, as they can be down or out of order or whatever.
Using a URL and making sure that URL can be resolved by insecure DNS would be my first choice, and use IP addresses as backup.
I think I saw @ho1Aetoo testing dnscrypt; maybe he can see what is going on?
Currently no reachable NTP server is running on IP 88.99.174.22.
212.18.3.19 is online and working.
Code:
Jan 1 01:01:14 DD-WRT daemon.err ntpclient[2032]: Failed resolving address to hostname 2.pool.ntp.org: Try again
Jan 1 01:01:14 DD-WRT daemon.err ntpclient[2032]: Failed resolving server 2.pool.ntp.org: Network is down
Jan 1 01:01:14 DD-WRT daemon.debug ntpclient[2032]: Connecting to 212.18.3.19 [212.18.3.19] ...
Nov 10 09:20:07 DD-WRT daemon.info ntpclient[2032]: Time set from 212.18.3.19 [212.18.3.19].
Nov 10 09:20:07 DD-WRT daemon.info process_monitor[2026]: Cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)
Nov 10 09:20:07 DD-WRT daemon.info process_monitor[2026]: Local timer delta is 1668068338
The additional dnsmasq option "server=/pool.ntp.org/8.8.8.8" works also.
Code:
Jan 1 01:01:09 DD-WRT daemon.debug ntpclient[2061]: Connecting to 2.pool.ntp.org [90.187.148.77] ...
Nov 10 09:15:51 DD-WRT daemon.info ntpclient[2061]: Time set from 2.pool.ntp.org [90.187.148.77].
Nov 10 09:15:51 DD-WRT daemon.info process_monitor[2060]: Cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)
Nov 10 09:15:51 DD-WRT daemon.info process_monitor[2060]: Local timer delta is 1668068082
I have forwarded it all to BS as I said.
1. that custom NTP entries are ignored
2. a typo in the ntp.c (2x checks for unbound, probably missing smartdns check)
3. that 88.99.174.22 is not working
You know yourself, he is very busy at the moment.
Footnote: I cannot confirm that nothing works at all as described.
So far I have always immediately received a time;
there is at least 1 hardcoded and working NTP server available.
Also you can resolve the pool "2.pool.ntp.org" via an unsafe DNS server. (If Google, Cloudflare or Quad9 can't resolve pool.ntp.org addresses, that's not our problem; I would suspect some other network problems.)
Last edited by ho1Aetoo on Thu Nov 10, 2022 9:01; edited 1 time in total
Quote:
About the blank default (2.pool.ntp.org 212.18.3.19 88.99.174.22): in the beginning the order was three IPv4 addresses, then one pool.
Over the passage of time the order was inverted, so the pool became first, not last, and it was reduced to two IP addresses, which is not good.
Lastly, there are five global pool.ntp.org hosts: pool.ntp.org, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org (2 is for IPv6).
All have different IPs which are periodically rotated, so I can see why portsup needed to specify 2.pool.ntp.org to work.
I agree to remove nvram_matchi("dns_crypt", 1) and change the default DNS IPs; maybe it would be good to add an extra pool domain?
Quote:
Could be a regional limit, an ISP block, or it just went out of order?
Using IP addresses as time servers is not the best idea, as they can be down or out of order or whatever.
Using a URL and making sure that URL can be resolved by insecure DNS would be my first choice, and use IP addresses as backup.
I think I saw @ho1Aetoo testing dnscrypt; maybe he can see what is going on?
Well, in my case (Stubby/GetDNS) or the DNSCrypt case, DNS comes up after NTP time is set.
So I have 216.239.35.8 162.159.200.123 in my NTP servers, so time is resolved even without DNS.
I don't understand why there is a mock, when in the case of the ISP blocking NTP time requests or fetching their servers you can't do much anyway. The only solution is secure NTP time resolving via port 443 or 853, to be able to bypass the firewall edge or any restrictions, but I don't know if this is possible, as most of the time servers use port 123 and this is easy to cap/block from the ISP side. Nor will you have DNS if there is no NTP time... chicken and egg problem.
egc's solution via advanced dnsmasq rules or adding these 2 IPs in the NTP time box is working in my case. I also tried resetting the R7000 and setting those IPs, and NTP time was OK, so if portsup
has an issue with NTP time it's either the ISP or he has something wrong with his setup (usererr).
I guess for the DD-WRT case it's better for NTP to look for IPs in the box first, then use the hardcoded NTP time servers as it does, or just change those to hardcoded Google and Cloudflare NTP time...
It will be interesting to see how far the rabbit hole goes...
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
Last edited by Alozaros on Thu Nov 10, 2022 9:27; edited 1 time in total
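The chicken-and-egg dependency Alozaros describes (encrypted DNS needs a valid clock, the clock needs a resolvable NTP server) and egc's "server=/pool.ntp.org/8.8.8.8" dnsmasq workaround can be turned into a cold-boot check. This is an added example, not DD-WRT code: the default server list, the class names and the dnsmasq parsing are assumptions mirroring what the thread reports.

```python
import ipaddress

# Constructed to mirror the thread: a blank ntp_server falls back to one
# pool hostname followed by two hard-coded IPv4 addresses (assumed default).
DEFAULT_NTP_SERVERS = ["2.pool.ntp.org", "212.18.3.19", "88.99.174.22"]

def is_ip_literal(entry):
    """True when the entry needs no DNS at all (IPv4 or IPv6 literal)."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def plain_dns_domains(dnsmasq_options):
    """Collect domains from dnsmasq 'server=/domain/upstream' lines.

    dnsmasq forwards queries for these domains straight to the named
    upstream over plain DNS, so they resolve before the clock is set.
    """
    domains = []
    for line in dnsmasq_options.splitlines():
        line = line.strip()
        if line.startswith("server=/"):
            parts = line[len("server="):].split("/")  # ['', domain, upstream]
            if len(parts) >= 3 and parts[1] and parts[2]:
                domains.append(parts[1].lower().rstrip("."))
    return domains

def classify(entry, domains):
    """'ip' needs no DNS, 'plain-dns' is covered by a server=/ rule,
    'encrypted-dns' only resolves once DNSCrypt/DoT already has valid time."""
    if is_ip_literal(entry):
        return "ip"
    host = entry.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in domains):
        return "plain-dns"
    return "encrypted-dns"

def bootstrap_report(ntp_servers, dnsmasq_options="", encrypted_dns=True):
    """Which NTP entries are usable on a cold boot, and can time be set at all?"""
    domains = plain_dns_domains(dnsmasq_options)
    classes = {s: classify(s, domains) for s in ntp_servers}
    usable = [s for s, c in classes.items()
              if not encrypted_dns or c != "encrypted-dns"]
    return {"classes": classes, "usable_at_boot": usable,
            "can_bootstrap": bool(usable)}
```

With the stock list and no dnsmasq rule the pool entry is unusable at boot and the two IPs carry the sync, which is why a dead hard-coded IP matters; with the rule in place the pool hostname becomes usable on its own.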
Quote:
But how do you think those are resolved?
Indeed by DNS, so what you are doing makes no sense unless the IP addresses 212.18.3.19 and 88.99.174.22 are no longer functional.
I just checked 212.18.3.19 and 88.99.174.22; they are both working, so the question remains why the default is not working for you. That is the real problem.
I am going to guess my dnsmasq server=/2.pool.ntp.org/9.9.9.9 is somehow also migrated onto the redirected domain, because it does work, and I now get different IPs than 2.pool.ntp.org gives out.
As to 212.18.3.19 and 88.99.174.22, ho1Aetoo confirmed no NTP server on 88.99.174.22; no idea about 212.18.3.19, but we all have regional ISP differences, and so that is why there are custom fields..... Delving into my specific network issues doesn't seem necessary, though it is interesting.
Quote:
Well, in my case (Stubby/GetDNS) or the DNSCrypt case, DNS comes up after NTP time is set.
So I have 216.239.35.8 162.159.200.123 in my NTP servers, so time is resolved even without DNS.
The code ignores the custom NTP server setting if you use DNSCrypt, which I am not sure you get given the below.
Alozaros wrote:
...so if portsup
has an issue with NTP time it's either the ISP or he has something wrong with his setup (usererr).
I guess for NTP its better to look for IP in the box first than use the hardcoded NTP time servers...or just change those to GGl and Cloudflare NTP time...
It will be interesting to see how far the rabbit hole goes...
Code:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;2.pool.ntp.org. IN A
;; ANSWER SECTION:
2.pool.ntp.org. 81 IN A 193.99.165.217
2.pool.ntp.org. 81 IN A 131.188.3.222
2.pool.ntp.org. 81 IN A 85.10.240.253
2.pool.ntp.org. 81 IN A 45.9.61.155
;; Query time: 15 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Do Nov 10 10:42:13 CET 2022
;; MSG SIZE rcvd: 107
Code:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;2.pool.ntp.org. IN A
;; ANSWER SECTION:
2.pool.ntp.org. 81 IN A 193.99.165.217
2.pool.ntp.org. 81 IN A 131.188.3.222
2.pool.ntp.org. 81 IN A 85.10.240.253
2.pool.ntp.org. 81 IN A 45.9.61.155
;; Query time: 19 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Do Nov 10 10:42:13 CET 2022
;; MSG SIZE rcvd: 107