Daniel Guerrero wrote:
> Hello,
>
> I'm a newbie on NTP, and I would like to know if there is any problem in
> configuring more than one machine with the same NTP server on a LAN that
> connects to the internet through a NAT (with the same outgoing IP for
> everyone).
As has been answered by others on the list, this is more of a network/NAT question than an NTP one, but I'll give a shot at explaining anyway. You will face two problems, one that is easy to remedy, one that isn't.

To start with the one that isn't: a lot of the public servers (those in the pool) have several kinds of rate limiting to reduce the chances of DoS (Denial of Service/Destroy our Sanity) attacks. Many of these can be translated to human as "for unknown IPs, allow only 1 sync session per given time period". The time period is usually set low enough to let a default-configured NTPd sync normally, but two NTPds communicating from what (from the public server's point of view) is a single IP gives you 2 sync sessions within the same period. Best case, one of the internal servers gets to sync, the other doesn't. Worst case, both of them are rejected. This isn't a good thing. The easiest way around this is to use two different external servers, or contact the operator of the server you want to use and get a special rule. Most server operators are rather easy to deal with, especially if you "ask first". :)

The second thing is that NTP through NAT gets a variable latency point (since the NAT speed of most routers varies with router traffic load). This second one can somewhat be remedied, since most routers handle static NAT rules a little differently than dynamic ones, and static rules tend not to get the same latency addition as dynamic ones. If your router is a Cisco, your basic NAT rule may look something akin to the following:

    ip nat inside source list RFC1918Out interface FastEthernet1/0 overload

What you want to add is something like the following:

    ip nat inside source static udp <myinternalserver> 123 <myexternalip> 123 extendable

This gives you a static route, but has the drawback of exposing your NTP server publicly. There is however a second option, but it requires a little more thinking.
If you are running a Cisco router with a reasonably new IOS, the Cisco router itself runs a fairly decent NTP implementation. Thus you can set up the router itself to act as an NTPd, set the router to sync with your external NTP servers, and add your two internal boxes as NTP peers to the Cisco. You will have a higher stratum, but it will probably actually be more accurate than running it through the NAT (since the router doesn't need to traverse the NAT rules when communicating with the external NTP servers, the NAT latency won't add to it), and it will reduce traffic overall.

I just hope I didn't confuse the topic too much.

//Svein

--
Svein Skogen          | [EMAIL PROTECTED]
Solberg Østli 9       | PGP Key: 0xE5E76831
2020 Skedsmokorset    | [EMAIL PROTECTED]
Norway                | PGP Key: 0xCE96CE13
------------------------+-----------------------------
msn messenger:          | Mobile Phone: +47 907 03 575
[EMAIL PROTECTED]       | RIPE handle: SS16503-RIPE
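The router-as-NTP-server setup described in the reply above, written out as an added example (this is not configuration from the original post or from any of the list participants). The addresses, interface names, ACL numbers and the choice of upstream servers are assumed placeholders; FastEthernet1/0 is taken as the outside interface because the post's own NAT rule uses it, and FastEthernet0/0 is assumed to be the LAN side.

```cisco
! Added example, not from the original post. 203.0.113.10, 198.51.100.20,
! 192.168.1.0/24, the ACL numbers and the interface names are assumptions.

! Two *different* upstream servers, so the per-source-IP rate limit on a
! single public server is never hit twice by the same (NAT) address.
ntp server 203.0.113.10
ntp server 198.51.100.20

! Upstream servers may synchronise this router ("peer" class); nobody else.
access-list 20 permit host 203.0.113.10
access-list 20 permit host 198.51.100.20
ntp access-group peer 20

! LAN hosts may only ask for time ("serve-only"); packets from the
! Internet side of the NAT match no group and are dropped, so the router
! is not exposed as a public NTP server the way the static NAT rule would.
access-list 10 permit 192.168.1.0 0.0.0.255
ntp access-group serve-only 10

! Answer LAN clients from a fixed inside address so their peer entry is
! stable even if the outside address changes.
ntp source FastEthernet0/0

! Keep the hardware calendar in step so a reboot starts close to real time.
ntp update-calendar
```

On each internal box, point ntpd at the router instead of the pool (for example `server 192.168.1.1 iburst` in ntp.conf, assuming the router's LAN address is 192.168.1.1). The clients then never cross the NAT for time, the only NTP traffic leaving the site is the router's own, and `show ntp associations` / `show ntp status` on the router confirm it has reached a synchronised state before the clients are cut over.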
_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.org/mailman/listinfo/questions
