I take a big hit in queries

Hmm, according to this post OPNsense should support VLAN settings for WAN interfaces.

Last post….nope….and I could not find it either.

I’m going to try MikroTik RouterOS.

Currently traveling, so more responses later (e.g., steps to get 256 Kbit setting), just briefly now:

I understand only your server in Belgium, on your home Internet connection, is affected. Any reason why all your other servers are monitoring only as well (entirely your decision, obviously, just wondering)?

I offered to have my NL server added to the BE zone as well to help out (it is rather underwhelmed in NL…), still waiting to hear back, though.

1 Like

My other server in NL is also homebased by a friend of mine, and I can’t risk overloading his router too.

Until this is fixed, I only keep monitors (testing monitors) running and the ntp-daemon itself runs in monitor-setting.

So I help the pool testing servers, but not serving time.

1 Like

The actual post with information on setting up the wan with a VLAN is at https://forum.opnsense.org/index.php?topic=21207.0

Opnsense would be the best option as you can easily change the NAT table size to suit your situation, as well as make custom traffic shaping rules to ensure that NTP traffic doesn’t saturate your connection. Basically, Opnsense can drop packets over your threshold, and/or prioritize normal network traffic over that of NTP traffic. This will result in a lower score for your NTP server, but that will also mean less traffic to you in the end.

Chances are that your new provider also utilizes VLANs in their setup. You probably have access to their support pages already so you could look this up in advance.

I admit that my experience with OPNsense, pfSense, Mikrotik RouterOS and friends is limited, but I’ll echo Mpegger and suggest trying again with OPNsense. If you have problems setting things up, I’d think your best bet would be to ask for help on the OPNsense forums. They probably know more about OPNsense than we do.

Only thing is, it still won’t help much, as the pool will keep knocking hard on my door.

I will wait until it’s fixed. My servers are not down, just not added to the pool.

I really do not understand why Netspeed isn’t fixed. I’m pretty sure I’m not the only one that has this problem.

Opnsense would be the best option as you can easily change the NAT table size to suit your situation, as well as make custom traffic shaping rules to ensure that NTP traffic doesn’t saturate your connection.

But that won’t help the fact that the pool keeps pushing my port too hard.

I can make my Draytek drop traffic too, not that hard to do.

Maybe a good idea to reduce traffic for that server the 'hard' way. Then it’s regulated before it’s natted.

However, I do not like doing it this way, as it will hinder the monitors as well.

But then, it will drop me out of the pool automatically. :joy:

If you’re dropping packets, the monitors will see that. The monitors will lower your score, which will lead to fewer clients being directed to your server. You would be indirectly controlling the amount of traffic directed to you. It won’t be consistent, as when the traffic is lower, the dropped packets will be next to nothing, so the monitors will score you higher, resulting in more clients being directed to your server again, but then that will mean that your firewall will start dropping packets again, the monitor will see that, lower your score, etc, etc, etc, repeating cycle.

Sure, solving the problem at the source would be best, but until that is done your best option is controlling it on your end. I wouldn’t exactly wait on it being controlled on the monitor end, it just seems almost impossible.

Only problem, the system will start mailing when the checked ntp-server is in 'troubles' :grinning_face_with_smiling_eyes:

So if that happens a lot the mailbox will be targeted :grin:

The following is with Firefox (other browsers might have similar functionality, but I did not immediately find it, e.g., with Chromium):

  • Open the Manage Servers page which has the server on it for which to change the netspeed.
  • Hit Ctrl+Shift+I to open the web developer tools pane (or go via the “hamburger menu” for the same purpose).
  • Select the “Network” tab if not already active.
  • Use the normal procedure via the dropdown menu on the web page to set a netspeed for the server in question to some arbitrary value, e.g., select the currently active value again.
  • This will produce a line in the pane for the HTTP request this generates, method “POST”, domain “manage.ntppool.org”, but most importantly with file “netspeed”.
  • Right click on that line to open its context menu.
  • Select “Edit and Resend”, which will open another subpane with the header details and body of the POST request previously sent.
  • Scroll all the way down in that pane until the “Body” section becomes visible.
  • The body will have various parameters and values concatenated by “&”, among them the netspeed with the value set above in bit, e.g., 512000 if the officially lowest netspeed of 512 Kbit was selected above.
  • Change that value to the desired target value.
  • Hit “Send” underneath the subwindow with the body contents.
  • This will generate another request with the new value, as reflected by another line in the middle pane.
  • Optional: On the right-most pane, one can select the “Response” heading to see what the response of the individual request is (part of what also ends up on the overall web page). I found that values below 256000 will result in an error message.
  • Optional: Refreshing the web page should then show the new, custom value.

Looking forward to hearing whether that works for you or not.

1 Like

I tried this, can’t find it.

But why doesn’t @ask simply fix the Netspeed.

As it will hinder other servers too.

At least change the approach to e.g. EU servers….

Simple way to reduce the load:

When DNS is served:

1: 1 or 2 Global servers

2: 2 or 1 Zone server (depending on numbers)

3: 1 Local server (if you set high netspeed, you go up to the above anyway)

If no local at all, point 1 and 2 only. Problem solved.

Means 1 local server will only get max 25%, but I would list them lower if numbers reduce.

Let round-robin favour Global, then Zone and last local.

How hard can this be to program?

And change the Netspeed to: Country / Continent / Global something like that, not on speed.

In fact, a country setting should be 1 server per DNS anyway, want more traffic, up your region to zone or global.

NTP and Chrony work out fast-slow servers anyway and what to ignore. The pool should not do this.

So I vote for 5 settings:

1 Global

2 Zone + nearby zone (e.g. EU + Asia)

3 Zone (Just EU)

4 Country + nearby countries (e.g. BE + DE + NL + Lux + France)

5 Country only

…….OR make country selectable for servers. You just tell Country+Nearby what you want to serve too.

Meaning the DNS-round-robin should give for every request:

1 Country + 1 Country+extra + 1 global + 1 zone……I hope I make sense in all of this.

As people also request to serve a zone that has no servers….let them add a country.

I do want to serve Belgium, but not get 10-50% traffic…depending on the DNS. I can not deal with that.

1 Like

No, the monitoring system is great. It just checks a server for being good or not.

It has nothing to do with NTP-DDOS or not.

It just takes a bad server offline, for the good reasons, and not false.

But a good marked server is now being targeted by a DNS-Netspeed problem. Like mine.

1 Like

You are not getting that much of the Belgian NTP traffic. In your initial screenshot you displayed a “Top Countries” table which showed “be 12.595‱”. Note the unit: that is not percent % but permyriad ‱, i.e. 1/10000. Translated to percents that is 0.12595%.

(for the record: I’m aware that this number is related to DNS queries only and does not directly relate to NTP queries)

2 Likes

When a CGNAT ISP makes 1 DNS request and caches the IP-resolving, then all GSMs will use that IP.

I have seen it in my clients-log, where GSM IPs (1 IP) hit you massively.

Or when their DNS offers DNS-caching to all DSL clients.

With ratelimit on, it fixes the replies by dropping massively.

Yet they still hit you hard.

See this example:

nslookup 194.78.124.15
15.124.78.194.in-addr.arpa name = 15.124-78-194.adsl-static.isp.belgacom.be.

See Chrony dropping it 1568 times….but being hit 12433:

194.78.124.15               12433   1568   3   2   430 

This is 1 IP-address, constantly hitting me.

I have many more examples when I enter the pool again.

For the pool this probably counts as 1 DNS-request when this happens.

Or it’s a moron with a really badly configured NTP-client, but I doubt that looking at the number of drops.

However, CGNAT IPs hit far harder than this non-pool sample.
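The chrony line quoted above is a single row of `chronyc clients` output (columns: Hostname, NTP requests, Drop, Int, IntL, Last). As an added example, not from the post or from chrony itself, the script below parses such output and flags clients that both send many requests and trip the ratelimit often, so an operator can spot a single CGNAT or caching-resolver address hammering the server. The sample rows and the thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample in the column layout of `chronyc clients` output.
# First data row mirrors the one quoted in the post above; the other two are made up.
SAMPLE_CLIENTS = """\
Hostname                      NTP   Drop Int IntL   Last
===============================================================================
194.78.124.15               12433   1568   3   2   430
192.0.2.10                     42      0   6   -   127
198.51.100.77                9800   4100   1   1     3
"""


@dataclass
class ClientStats:
    host: str
    ntp: int   # NTP requests received from this client
    drop: int  # requests dropped by chrony's ratelimit

    @property
    def drop_ratio(self) -> float:
        """Fraction of this client's requests that chrony dropped."""
        return self.drop / self.ntp if self.ntp else 0.0


def parse_clients(text: str) -> list[ClientStats]:
    """Parse the Hostname, NTP and Drop columns; skip header/separator lines."""
    stats = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[1].isdigit() or not parts[2].isdigit():
            continue
        stats.append(ClientStats(parts[0], int(parts[1]), int(parts[2])))
    return stats


def heavy_hitters(stats, min_requests=1000, min_drop_ratio=0.10):
    """Clients worth a closer look: many requests AND a high ratelimit drop share.
    Thresholds are illustrative assumptions, not chrony defaults."""
    hits = [s for s in stats if s.ntp >= min_requests and s.drop_ratio >= min_drop_ratio]
    return sorted(hits, key=lambda s: s.ntp, reverse=True)


if __name__ == "__main__":
    for s in heavy_hitters(parse_clients(SAMPLE_CLIENTS)):
        print(f"{s.host:20} requests={s.ntp:6} dropped={s.drop:5} ({s.drop_ratio:.1%})")
```

On a live server feed it the real output with `chronyc clients | python3 this_script.py`-style plumbing of your choice; the quoted address comes out at a 12.6% drop share.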

True - though a bit ironic, as I’ve been shouting this into the void for years…

:man_facepalming:

(Btw, there is a solution for this.)

It seems like that provider change has now happened. Any improvement regarding your situation?

My NL server is now also serving the BE zone. Maybe that’ll reduce the load on your server sufficiently, though hard to tell in advance since it’s all relative shifts.

And that will obviously also not help with the peaks stemming from the kludges needed to deal with the IPv4 address shortage, that part can only be addressed by the known solution @marco.davids is referring to.

1 Like

There’s also a quite simpler way of right-clicking on the Net speed select menu, then choosing to inspect element. I find I have to do it once again when the dev console opens up. Then you can edit the value of any option currently not selected, for example to 256 instead of 1500 for 1.5 Mbit, and click on it. In the past it was possible to select 128K but now as you write 256K is the lowest that still works.

Not exactly related to this but to underserved regions: I too support the idea that those zones should automatically add servers from nearby countries or the whole continent region, ideally as part of the overall netspeed. That is, if the total user-set (=available) netspeed from one country is quite low but still being hit by many requests, then it should count as a small part of the netspeed for a whole continent and receive proportionately less traffic. I’m already in a position that I have to disable two to three servers in underserved regions because the allocated traffic is either eaten up too quickly or the provider outright throttles the incoming wave of requests, leading to low score oscillations.

2 Likes

Hi @Bas I am willing to support Belgium zone from NL. I have spun up a new IPv6 server to do this. I’m considering also adding an IPv4 server since this is where most of the problems appear to be.

However, currently this server is assigned to NL zone (which is logical since it is located there). @marco.davids Could you please reassign this server to BE zone? Sent you a PM with the server address.

I think you’d want @apuls or @Knot3n. But I think the usual recommendation is to send a mail to server-owner-help@ntppool.org, so it can be properly tracked via the ticketing system (in my experience may take some time to get processed that way, though).

Also, in case you’re not yet aware, and if interested, it is possible to have multiple zones assigned to a server, e.g., NL and BE. It’s not an either or thing.

1 Like