Kitz ADSL Broadband Information

Author Topic: Idea: fake Firebrick NTP server  (Read 1786 times)

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Idea: fake Firebrick NTP server
« on: December 01, 2018, 06:05:47 AM »

As I said in another thread, I seem to remember reading something that suggested that RevK, who is working on Firebrick development, is writing a local NTP server process for the Firebrick. So that would be superb. More reliable, as the local machines can still NTP-sync to something, just over the LAN, even if internet access goes down or if the internet link is really busy so time sync fails. And it slightly reduces the amount of traffic over your internet link.

Anyway, just having got redirection working through the Firebrick so that my modems can get access to an NTP server through the Brick, where the Brick itself acts as a proxy, relay or fake local NTP server, I had an idea.

What about if I wrote a redirection rule in the Firebrick config which redirects traffic coming in to the Firebrick’s LAN-facing address at UDP port 123 and redirects that to the ISP’s NTP server?

Would that be worthwhile? What do you think?

It would hide the detail from clients on the LAN, they would no longer need to know the value of an external NTP server which might change and could be a per-location value depending on the ISP at each site. It would also get them ready for the real local Firebrick NTP server.

burakkucat

  • Respected
  • Senior Kitizen
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Idea: fake Firebrick NTP server
« Reply #1 on: December 01, 2018, 05:45:02 PM »

I'm not too sure which of your device(s) need(s) to have access to a time server. I presume it is just the four ZyXEL VMG1312-B10As, so that their system and security logfile entries are correctly timestamped?

With my one VMG1312-B10A, configured as a modem/router, I just have four entries ([0-3].uk.pool.ntp.org) on the Maintenance >> Time page.

So, does your FB2700 know the correct time? If it could be configured to synchronise with one of the four UK pools, then your VMG1312-B10As would only need to know about the Firebrick . . . it would be a proxy time server at the edge of your LAN.
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Idea: fake Firebrick NTP server
« Reply #2 on: December 01, 2018, 07:07:07 PM »

The Brick currently gets time from AA’s NTP servers as the closest, but it is only an NTP client now.

I have many devices that all need NTP sync. My main switch, my WAPs, VoIP box and various client boxes too which I have forgotten.

And yes, now I have the recipe working, the four modems will get NTP through the Brick from AA in fact. But if at some point the Brick starts to become a real NTP server then getting it direct from the Brick’s own synchronised clock will be more reliable.

burakkucat

  • Respected
  • Senior Kitizen
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Idea: fake Firebrick NTP server
« Reply #3 on: December 01, 2018, 09:35:02 PM »

Quote
And yes, now I have the recipe working, the four modems will get NTP through the Brick from AA in fact.

Right, got that.  :)

Quote
But if at some point the Brick starts to become a real NTP server then getting it direct from the Brick’s own synchronised clock will be more reliable.

So you need the "magic incantation" to configure the FB2700 as an NTP server on your LAN. Perhaps a brief message to Firebrick support would be the best next step?  :-\
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Idea: fake Firebrick NTP server
« Reply #4 on: December 02, 2018, 08:57:35 AM »

I have the fake server working to the modems, I will have a go on my own at doing the fake server to the main LAN using approximately the same technique. I am assuming that if I just spot UDP port 123 traffic coming in off the LAN to the Firebrick, where it will be addressed to one of the usual addresses that the Brick publishes to the LAN, then that will be good enough.

I’m thinking, rule needs to have the following conditions to match against
IF
    source-interface=IF-LAN
    destination-interface=SELF
    protocol=UDP
    port=123
THEN
    set destination address=time.aa.net.uk

These aren’t the correct Firebrick XML config attributes, I haven’t bothered to look them up.

I’m hoping that the SELF thing is correct, for ‘going to the Brick’ as I’ve seen this used elsewhere for what looks like the right kind of scenario. I’ll look that up. Will someone shout if this is wrong?

I decided I definitely need this extra check condition, because I don’t want to catch such traffic going to all addresses. I know some people do exactly this, catching all outgoing email, but this is evil. Even though it’s well-intentioned if the idea is just to help misconfigured systems, and perhaps defensible as a rather fascist security measure, it can confuse people who suddenly end up getting replies from the wrong server, and apps could even fail because of this. I don’t know whether or not it is ok in this case for NTP; it would save me from having to round up systems and reconfigure them properly, but it doesn’t feel right somehow. What do you think? Enforced catch-all?

Who is to say that UDP port 123 is definitely always NTP? Perhaps another reason why I should be going there. Opinions?

Do I need a set-NAT action? I don’t see why, unless I’m missing something. I think that would rewrite the source address, but do I even need this?

I should point out that I never use NAT. The tricky stuff with my modems which are using RFC1918 addresses and do not have proper network config set up at their end (because it’s incomplete unfortunately) is about the first time I have used NAT in ten years. All my systems live in globally-routable static IPv4 and IPv6 address ranges. This means the source address coming in off the LAN here will be fine anyway, globally routable, without any tweaking needed. So am I right, forget about a set-nat action?


andrew-AAISP

  • ISP Rep
  • Member
  • Posts: 41
    • aa.net.uk
Re: Idea: fake Firebrick NTP server
« Reply #5 on: December 03, 2018, 12:54:51 PM »

Quote
As I said in another thread, I seem to remember reading something that suggested that RevK, who is working on Firebrick development, is writing a local NTP server process for the Firebrick. So that would be superb. More reliable, as the local machines can still NTP-sync to something, just over the LAN, even if internet access goes down or if the internet link is really busy so time sync fails. And it slightly reduces the amount of traffic over your internet link.

Yes, NTP server is being written at the moment - we hope to have it in an alpha soon - maybe before Christmas - not sure yet. With any luck we'll also use a FireBrick in our time.aa.net.uk pool to serve our customers.
A&A

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Idea: fake Firebrick NTP server
« Reply #6 on: December 04, 2018, 12:14:07 AM »

Many thanks, Andrew.

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Idea: fake Firebrick NTP server
« Reply #7 on: December 04, 2018, 01:57:37 AM »

Could someone help sanity-check me? I think my scheme proposed earlier would work, but could be evil. I didn’t think things through regarding the return journey. When stuff comes back through the Firebrick to the client on the LAN, I have to rewrite the source address so that the client sees the source address that it expects, which would be the address of the Firebrick on the LAN, not the external remote NTP server, which is where the request actually came from because then Firebrick redirected it.

But how do I know to do that or not? How do I know it is the response to a redirected request to the external server, not a response to a straight request direct to the external server which never was redirected? I don’t have the information any more and I would be messing up direct-to-remote NTP queries’ responses, wouldn’t I?

If this is right then I had better not go near this.

I had an idea that I might be able to rescue this plan by marking the redirected upstream packets in a certain way so that the responses coming back would be recognisable and I would know how to deal with those responses, leaving them alone or rewriting them as is needed. The plan is: for upstream traffic being redirected, rewrite the dest address to be time.aa.net.uk as usual but also rewrite the source address to equal that of the Brick’s LAN interface. I’m assuming [?] that this does not accidentally match something the Brick does for its own internally-generated requests, is that correct? Will the Firebrick itself not surely always set a source address of its WAN i/f when querying the remote NTP server? I’m needing a special distinct case that will never occur normally. Anyway, then for the replies, I only rewrite NTP packets coming in that are addressed to the Firebrick’s LAN i/f.

This amount of hassle is making this seem rather unattractive.

Another two things. 1. I’m not sure how to write rules that match only IPv4 traffic or only IPv6 traffic. I’m wondering if I might need such a thing here. The problem is, if I don’t know which family something is, how do I specify the rewrite address value appropriately? I have to say xx4 if IPv4 and xx6 if IPv6. If a packet happens to be IPv6, say, and it matches a particular rewrite rule, what happens if some of the specified rewrite values in the rules are the wrong IP family?

andyfitter

  • Reg Member
  • Posts: 172
Re: Idea: fake Firebrick NTP server
« Reply #8 on: December 04, 2018, 03:05:46 AM »

Why don’t you just build a GPS-based Raspberry Pi NTP server and run it on your local LAN, or add the hardware functionality to one of your other Pis? I’m sure it would be exponentially easier and safer in the long run.

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Idea: fake Firebrick NTP server
« Reply #9 on: December 04, 2018, 06:14:48 AM »

Hi Andy. I’d love to.

A bit of background: Unfortunately due to illness, ME/CFS plus chronic pain and a whole load of other things, I’m confined to bed and can’t sit upright or stand for long periods, although thank goodness I can make it as far as the bathroom, but need help sometimes. Also pain, fatigue, dizziness and confusion, in part due to all the pain drugs, limits my activities a lot. I have periods where I can type, think, speak and communicate. The medics recently mentioned putting me in ‘a home’, which scared me to death.

I have a local raspberry pi but I bricked it by mistake and haven’t been able to get it going again due to my physical limitations. I rent a hosted remote Pi from Mythic Beasts, out on the Internet, in The Isle of Dogs, for all I know, but there are a lot of things for which I would need such a box to be local.

andrew-AAISP

  • ISP Rep
  • Member
  • Posts: 41
    • aa.net.uk
Re: Idea: fake Firebrick NTP server
« Reply #10 on: December 04, 2018, 09:25:04 AM »

If I understand correctly, you have a FireBrick, you have modem(s) plugged in to it and the FireBrick is doing PPP. You've also set up interfaces on the FireBrick so that you can access the modems web interfaces... and what you want to do is to get the modems to use NTP to set their clocks by port forwarding NTP traffic via the FireBrick.

A rule such as this one will map UDP 123 to the A&A timeservers

      <!-- UDP (protocol 17) to port 123 on the FireBrick itself ("self"), arriving from the MODEMS interface -->
      <rule name="NTP" source-interface="MODEMS" target-port="123" target-interface="self" protocol="17" set-nat="true">
         <!-- set-nat="true": the mapped traffic is NATed, so replies come back via the FireBrick
              and the client sees the answer arrive from the address it asked -->
         <share weight="50" set-target-ip="90.155.53.94"/>   <!-- equal split across the two A&A time servers -->
         <share weight="50" set-target-ip="90.155.53.93"/>
      </rule>


This allows all devices on the MODEMS interface to use the FireBrick's IP as a time server.

As A&A have two time servers, I've set the port map to share traffic between them

To test this, go to Diagnostics - Firewall test and enter in:

  Source: modem's IP
  Target: FireBrick's IP
  Protocol: 17
  Port: 123


Click Check, and you should see the FireBrick portmap and NAT the traffic...
A&A
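An added example (not FireBrick, A&A or forum-member code) for checking a port-mapped NTP address like the one set up by the rule above, from a client on the LAN. It covers the two things the thread worries about: whether whatever answered on UDP 123 really is an NTP server (a port match alone proves nothing, per the "is port 123 always NTP?" question) and whether the reply arrives from the address the client sent to, which is what the NAT on the mapped traffic provides and what a destination-only rewrite would get wrong. The sample reply is constructed inline for the offline check, and the host name passed on the command line is assumed to be the FireBrick's LAN address; nothing here is a capture from a real server.

```python
"""Check an NTP "server" reached through a port-mapping router.

Added example for this thread; it is not FireBrick, A&A or forum-member code.
It verifies that a reply on UDP 123 is a plausible NTP server answer and that
the reply comes back from the address the client sent to. Host names and
addresses are placeholders; the sample reply is constructed, not captured.
"""
import socket
import struct
import sys
import time
from typing import Optional

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
NTP_HEADER = "!BBBbIIIQQQQ"            # 48-byte NTPv4 header, no extension fields
MODE_CLIENT, MODE_SERVER = 3, 4


def build_client_request(now: Optional[float] = None) -> bytes:
    """Minimal NTPv4 client packet: LI=0, VN=4, Mode=3, only the transmit timestamp set."""
    now = time.time() if now is None else now
    xmt = int((now + NTP_EPOCH_OFFSET) * 2 ** 32)       # 64-bit NTP timestamp
    first = (0 << 6) | (4 << 3) | MODE_CLIENT           # 0x23
    return struct.pack(NTP_HEADER, first, 0, 0, 0, 0, 0, 0, 0, 0, 0, xmt)


def parse_server_reply(data: bytes) -> dict:
    """Decode a reply and reject anything that is not a plausible, synchronised NTP server answer."""
    if len(data) < 48:
        raise ValueError("too short for an NTP header")
    (first, stratum, _poll, _precision, _root_delay, _root_disp, ref_id,
     _ref_ts, _orig_ts, _recv_ts, xmt_ts) = struct.unpack(NTP_HEADER, data[:48])
    li, vn, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    if mode != MODE_SERVER:
        raise ValueError(f"mode {mode} is not a server reply")
    if vn not in (3, 4):
        raise ValueError(f"unexpected NTP version {vn}")
    if li == 3:
        raise ValueError("server says its clock is unsynchronised (LI=3)")
    if stratum == 0 or stratum > 15:
        raise ValueError(f"stratum {stratum}: kiss-o'-death or unsynchronised server")
    if xmt_ts == 0:
        raise ValueError("zero transmit timestamp")
    return {
        "version": vn,
        "stratum": stratum,
        "ref_id": ref_id.to_bytes(4, "big"),             # upstream IPv4 address at stratum >= 2
        "unix_time": xmt_ts / 2 ** 32 - NTP_EPOCH_OFFSET,
    }


def check_reply_source(query_dst: str, reply_src: str) -> None:
    """The client must see the answer come from the address it asked; otherwise the
    redirect rewrote the destination but the return path was not translated."""
    if reply_src != query_dst:
        raise ValueError(f"reply came from {reply_src}, expected {query_dst}")


def query(host: str, timeout: float = 2.0) -> dict:
    """Send one request to the LAN-side NTP address and validate what comes back."""
    dst = socket.gethostbyname(host)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (dst, NTP_PORT))
        data, (src, _port) = sock.recvfrom(512)
    check_reply_source(dst, src)
    info = parse_server_reply(data)
    info["offset_s"] = info["unix_time"] - time.time()   # rough: ignores round-trip delay
    return info


def constructed_sample_reply() -> bytes:
    """A hand-built stratum-2 server reply (constructed for this example, not a capture)."""
    xmt = (1543834800 + NTP_EPOCH_OFFSET) * 2 ** 32      # 2018-12-03 11:00:00 UTC
    first = (0 << 6) | (4 << 3) | MODE_SERVER            # 0x24
    ref_id = int.from_bytes(bytes([90, 155, 53, 94]), "big")   # upstream address from the rule above
    return struct.pack(NTP_HEADER, first, 2, 6, -20, 0, 0, ref_id, xmt, 0, xmt, xmt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(query(sys.argv[1]))            # e.g. the FireBrick's LAN address
    else:
        print(parse_server_reply(constructed_sample_reply()))
```

Run it with the FireBrick's LAN address as the argument from a host on the mapped interface; a ValueError from check_reply_source is the symptom of the return-path problem discussed earlier in the thread, and a ValueError from parse_server_reply means port 123 answered but not with a usable NTP server packet.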

jelv

  • Helpful
  • Kitizen
  • Posts: 2054
Re: Idea: fake Firebrick NTP server
« Reply #11 on: December 04, 2018, 09:50:03 AM »

Quote
I have a local raspberry pi but I bricked it by mistake and haven’t been able to get it going again due to my physical limitations. I rent a hosted remote Pi from Mythic Beasts, out on the Internet, in The Isle of Dogs, for all I know, but there are a lot of things for which I would need such a box to be local.

I wonder if someone on here, if you provided an SD card and what you wanted on the Pi, would build a setup that just needed Janet to plug it in?
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Idea: fake Firebrick NTP server
« Reply #12 on: December 04, 2018, 05:55:17 PM »

@jelv my neighbour did just that for me, but then I stupidly went and bricked the pi by accident while trying to get NTP client and local server working. The first card I had was one that came with the pi and was small, crap and had way way too short a lifetime, number of writes. Janet went back and asked for help, but the second card I had bought was the wrong type apparently. I have never managed to go and pester the poor man a third time. I would need help choosing the right card though as I’m new to the pi.

I would need an o/s with the appropriate setup tweak that means I can ssh straight onto it, as I have to use it over the LAN only, with no keyboard / mouse / display. Ideally an AArch64 o/s would be best as I would like to learn ARM64 asm.

This should be a different thread really.

I think I have talked about this (too many times before). I know I have also in fact had extremely generous offers of help from kitizens regarding this before but because of the fentanyl and other drugs I can’t even remember the rest of the story.

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Idea: fake Firebrick NTP server
« Reply #13 on: December 04, 2018, 08:09:59 PM »

@andrew many thanks that’s excellent. Better than the solution I had for giving the modems access, which works fine, but yours has the advantage of using both time servers properly.

I was discussing the idea of giving clients on the main LAN a fake NTP server until the real thing arrives. Could set them up ready for it ahead of time.