On Wed, Nov 29, 2023 at 01:52:46PM -0500, gene heskett wrote:
> On 11/29/23 13:20, John Hasler wrote:
> > Install chrony.  But first fix that address.
> 
> How, John? QIDI is afraid of enabling full net access because it might
> overwrite some of their special stuff. Right now it's running armbian buster,
> which is out of support.  And surprise, kiauh.sh is installed, likely how
> they set the printer up in the first place.  It's just a bash script but it's
> magic!

There are so many things in this paragraph that I don't understand.
What is "QIDI"?  Why would enabling full net access "overwrite stuff"?
What "stuff"?  What is "kiauh.sh" and how is it relevant to this
question?

Either configure a static IP address for this host, or set up a DHCP
server which will assign it the desired IP address.  Those are your
two choices.

If you want it to be on an isolated network, then put it on an isolated
network.  If it needs an NTP server, make sure you put one of those
on the isolated network as well.

It sounds like you don't want a *physically* isolated network, but rather,
some kind of numeric subnet whose packets won't be routed to the public
Internet.  That should be feasible.  Here's an example setup:

Machine R: Router.  Configured to talk to the public Internet, and to
the local 192.168.1.x subnet.  IP forwarding is enabled (from 192.168.1).
Does not know about the 192.168.2.x subnet, and will not forward packets
from that subnet.

Machine T: Time server.  Has two IP addresses -- one on 192.168.1.x and
one on 192.168.2.x.  Default gateway set to R.  Runs NTP, configured to
permit client connections from both subnets, and to retrieve time from
the public Internet.

Machine P: Printer.  Has an IP address on the 192.168.2.x subnet only.
Runs NTP, configured to retrieve time from T.

Other hosts: If they need to talk to the public Internet, then they have
an address on 192.168.1.x, and default gateway set to R.  If they need
to talk to P, they have an address on 192.168.2.x.  Some will have both.
If they run NTP, configure it to retrieve time from T.

Of course, there are other ways to achieve isolation.  You could also
use a single subnet, but set up a fancy firewall in the router, which
blocks the forwarding of all packets from P.  Or which doesn't forward
by default, but is specifically configured to forward packets from T
and other identified hosts.  You have lots of choices here.
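
A check for the printer's side of the example setup above, as an added example that is not part of the original message: it reads `ip -4 route show` output and a chrony.conf taken from P and reports anything that contradicts "address on 192.168.2.x only, time from T". The address 192.168.2.10 for T, the sample inputs, the function name, and the choice to treat any default or gatewayed route on P as a finding are assumptions made for illustration.

```python
import ipaddress

ISOLATED_NET = ipaddress.ip_network("192.168.2.0/24")  # P's subnet in the setup above

def audit_isolated_host(route_text, chrony_conf, net=ISOLATED_NET):
    """Return findings for host P; an empty list means it matches the setup."""
    findings = []
    for line in route_text.splitlines():          # `ip -4 route show` output
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default" or "via" in fields:
            findings.append(f"route leaves the subnet: {line.strip()}")
            continue
        try:
            dest = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue                              # route types such as "unreachable"
        if dest.version != net.version or not dest.subnet_of(net):
            findings.append(f"connected to another network: {dest}")
    sources = []
    for line in chrony_conf.splitlines():         # chrony directives are case-insensitive
        fields = line.split()
        if len(fields) >= 2 and fields[0].lower() in ("server", "pool", "peer"):
            sources.append(fields[1])
    if not sources:
        findings.append("no NTP source configured")
    for src in sources:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            findings.append(f"NTP source {src} is a name, cannot confirm it is on {net}")
            continue
        if addr not in net:
            findings.append(f"NTP source {src} is outside {net}")
    return findings

# Constructed sample inputs; 192.168.2.10 is an assumed address for T.
GOOD_ROUTES = "192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.20\n"
GOOD_CHRONY = "# time from T only\nserver 192.168.2.10 iburst\n"
BAD_ROUTES = "default via 192.168.2.1 dev eth0\n" + GOOD_ROUTES
BAD_CHRONY = "pool 2.debian.pool.ntp.org iburst\n"

if __name__ == "__main__":
    for finding in audit_isolated_host(BAD_ROUTES, BAD_CHRONY):
        print(finding)
```

An empty result for P's real route table and chrony.conf means the host has no path off 192.168.2.x and takes time only from an address on that subnet.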
