NTP issues - One source of truth on the network

I have been playing with getting a single NTP source on my network. I discovered that changing the configured NTP server on the router that is the AP controller causes a synchronization of configurations on the APs (and they set their NTP server to whatever is configured in the router). This seems odd to me since I want the APs to pull time from the local NTP server (I only want the router to go to the internet for time; everything else on my network should use the router as the NTP source).

So, I have a second Balance router (B30). The B30 is connected via WAN1 to a LAN port on the B1. No matter what I do, I cannot get the B1 to use the NTP server on the B30. I tried to access the NTP server via WAN1 IP address as well as local LAN IP address.

I tried configuring Inbound Rules, Internal Rules, and local service rules. I also tried setting up a forwarder from the WAN IP address to the LAN address – nothing worked.

I would have thought that an Inbound Firewall Rule would have been appropriate since the request is coming from the WAN link. Nope. Then, I thought maybe it is considered an Internal network connection since it is using IP Forwarding instead of NAT. Nope. Finally, since the service is hosted on the router - maybe a Local Service rule is required. Nope again.

I have since abandoned trying to get a central NTP server to work with all of my networking gear, which begs the question – why use the router as an NTP server?

In a perfect world, I would set my main router (B1) to be an NTP server and update its own time via the internet source, and then my APs (5) and my other router would point to the B1 as their NTP source. Since the NTP server seems inaccessible from outside of the LAN, and the APs will always follow the setting in the AP Controller – there is no way to accomplish what I am wanting. Full disclosure - I have not validated anything via packet capture – so, I am assuming the APs are using the value configured for their NTP source (time.google.com).

FWIW - I am able to use the B1 as a time source for the B30. The B30 is on the B1 LAN, therefore the NTP server is accessible. So, I was able to keep one device out of 7 from going to the internet for its time sync.
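To check from a client which router address actually answers NTP, without a packet capture, a minimal SNTP probe can be run against each candidate address. This is an added example, not part of the original thread or Peplink's tooling; the addresses in the `__main__` block are placeholders and the sample reply is constructed.

```python
import socket
import struct

NTP_PORT = 123
NTP_UNIX_DELTA = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def build_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client)."""
    return bytes([(0 << 6) | (4 << 3) | 3]) + bytes(47)

def parse_response(data):
    """Decode the header fields that show whether a server really answered."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    flags, stratum = data[0], data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {
        "leap": flags >> 6,             # 3 = clock not synchronised
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,            # 4 = server
        "stratum": stratum,             # 0 = kiss-o'-death, 16 = unsynchronised
        "unix_time": tx_sec - NTP_UNIX_DELTA + tx_frac / 2**32,
    }

def is_usable(reply):
    """A usable time source replies in server mode, synchronised, stratum 1-15."""
    return reply["mode"] == 4 and reply["leap"] != 3 and 1 <= reply["stratum"] <= 15

def probe(host, timeout=2.0):
    """Send one request; return the parsed reply, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_request(), (host, NTP_PORT))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, unreachable network, DNS failure
            return None
    return parse_response(data)

# Constructed sample reply (not captured traffic): LI=0 VN=4 Mode=4, stratum 2,
# transmit timestamp = 2020-01-01 00:00:00 UTC.
SAMPLE_REPLY = bytes([0x24, 2]) + bytes(38) + struct.pack("!II", 1577836800 + NTP_UNIX_DELTA, 0)

if __name__ == "__main__":
    # Placeholder addresses (assumptions): substitute the router's LAN and WAN IPs.
    for target in ("192.168.1.1", "203.0.113.10"):
        reply = probe(target)
        print(target, "no reply" if reply is None else (reply, is_usable(reply)))
```

A `None` result from one address and a usable reply from the other shows which side of the router the NTP service is listening on.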

The NTP client is supposed to connect to the LAN side of the NTP server. Below is the diagram.

The left side of the Router is WAN and the right side of the Router is LAN.

Hope this helps.


I totally understand that, but what confuses me is whether or not the APs are going to use the same value as the B1 router? I set my B1 (which is also my AP Controller) to use time.google.com. The B1 then “pushed” out the value time.google.com to all of my APs. My APs are on the LAN and I would like them to use the B1 as their time source. How can I do that?

One way is to remove the AP Controller role from the router and then manually configure all the APs.

It just seems that when the router is set to be an NTP server, it should (if anything) push its own address to the APs.

I also tried a custom service forwarder to go from the WAN IP to the LAN IP, but I guess there are some restrictions on whether the router can be the target of the service forwarding.

All in all, it isn’t the end of the world using time.google.com for everything - at least it works on the first try consistently. The default time servers often would fail the first time and then succeed the next.

I would say it is the design for AP Controller Standard. The managed AP will follow the controller NTP server selection. Please refer to the setting from AP Controller Pro below. You are allowed to customize the NTP server for the managed AP.

Maybe I can put this in as a feature request to allow customization of the NTP server for the managed AP in the AP Controller Standard version. I will send this request to the team.


Thanks TK. I hope that they eventually add it to the regular AP controller. Is there any documentation on the differences between the regular AP Controller vs. the AP Controller Pro vs. InControl vs. Local config?

FWIW, my links are not very great and any bit of web traffic that I can convert to local traffic is in my best interest. Every little bit helps. Thanks again for the enlightenment!

Discussed with engineering team. As NTP server is available in BalanceOne, we think it is reasonable to customize the NTP setting for the managed AP. We target to implement it in 8.2.0 tentatively.

Please refer to the difference between AP Controller Pro and Standard:


Thanks @TK_Liew ! This is great information. Thanks for bringing it up to the engineering folks! This will be a great addition.

@TK_Liew - hey buddy, a few more dumb questions and I promise to leave you alone.

The last log entry for time updates in my event log is about 9 days ago. Prior to changing it to the g-man NTP services, I would see log entries much more frequently. My questions are…

A. How often does the Balance One Core update its time?
B. Does it log it every time it updates its time?

What I suspect is that after a successful update, it will only log a failure to update. i.e. consecutive successful updates will NOT be logged.

If that is the case – what is up with the default NTP servers? - they seem to have a pretty consistent failure rate.

Thanks again for your patience as I try to learn this stuff a bit better. This equipment and this forum have taught me a ton, and I am very appreciative.

A. How often does the Balance One Core update its time?

It will check every half an hour.

B. Does it log it every time it updates its time?

No. It will log when it failed to contact the NTP server and re-sync with the NTP server.

What I suspect is that after a successful update, it will only log a failure to update. i.e. consecutive successful updates will NOT be logged.

You are correct.

If that is the case – what is up with the default NTP servers? - they seem to have a pretty consistent failure rate.

Do you mean this NTP server - 0.peplink.pool.ntp.org? My device is syncing with it without issue. I suspect it is a communication issue (WAN connection issue or the IP failed to resolve) between your Balance One Core and 0.peplink.pool.ntp.org. Please try to ping 0.peplink.pool.ntp.org from System > Ping when the problem occurs.

Thanks @TK_Liew - yes, I was referring to 0.peplink.pool.ntp.org. The failures to sync with it are what got me looking at NTP stuff to begin with. It would fail almost every day - and then succeed 5 minutes later. I saw this on both Balance routers across three different WANs. I really do try not to “point fingers” as it has bitten me in the past; but since moving to time.google.com – there have been 0 failures.

I have seen other forum posts for similar experiences. I do believe there is “something” going on with the Peplink NTP servers. It may just be a timing fluke where too many devices are trying to update their time concurrently - since these are the default NTP servers across a ton of Peplink devices. Maybe? Do the devices randomize their update times? Or are they always at 1.5 hours? Also, is that 1.5 hours based on startup time – or is there a pre-defined schedule?

At any rate – thanks for the explanation on what is going on under the covers.

I booted my B20x (at home) 2 times today.

The time synchronization is written into the event log once only for each boot. Fyi, the time synchronization will happen every 30 minutes based on the startup time.

Please open a ticket and bring it to my attention if you wish to find out the root cause. 🙂

I am good since changing to a different NTP source. Since I have had 0 failures since the change, I am assuming the client and my connections are functional and the issue is “down the line”. It may not be an issue with the Peplink time servers, but some kind of transient issue on the path to those servers. The path to the new NTP servers doesn’t seem to have that stumbling block.

When I was having failures, it would not be every time. I would see one failure about every 2-3 days, and then it would succeed 5 minutes later. If it was updating every 90 minutes, it was succeeding silently most of the time.

Hello and Good Day

I’m still trying to get all my devices to sync time with the Surf SOHO.
I don’t see anything in the WUI to set the Surf SOHO to NTP Server. Does it just do it automatically? I have set all devices to get NTP from the Surf SOHO and I set service forwarding up on the SOHO. What else can I try?