[ntp:questions] NTP and NAT

Svein Skogen svein at d80.iso100.no
Thu Nov 8 09:44:39 UTC 2007

Daniel Guerrero wrote:
> Hello,
> I'm a newbie on NTP, and i would like to know if there is any problem in
> configuring more than one machine with the same NTP server on a LAN that
> connects to the internet through a NAT (with the same outgoing IP for
> everyone).

As has been answered by others on the list, this is more of a
network/NAT question than an NTP one, but I'll give a shot at explaining

You will face two problems, one that is easy to remedy, one that isn't.

To start with the one that isn't: A lot of the public servers (those in
the pool) have several kinds of rate limiting to reduce the chances of
DoS (Denial of Service/Destroy our Sanity) attacks. Many of these can be
translated to human as "for unknown IP's, allow only 1 sync session per
given time period". The time period is usually set low enough to let a
default-configured NTPd to sync normally, but two NTPds communicating
from what (from the public servers point of view) is a single IP, gives
you 2 sync sessions within the same period. Best case, one of the
internal servers get to sync, the other don't. Worst case both of them
is rejected. This isn't a good thing. The easiest way around this is to
use two different external servers, or contact the operator of the
server you want to use and get a special rule. Most server operators are
rather easy to deal with, especially if you "ask first". :)

The second thing, is that ntp through NAT would get a variable latency
point (since NAT speed of most routers vary with router traffic load).

This second one can somewhat be remedied, since most routers handle
static NAT rules a little differently than dynamic ones, and static
rules tend to not get the same latency addition as dynamic ones. If your
router is a Cisco, your basic NAT rule may look something akin to the

ip nat inside source list RFC1918Out interface FastEthernet1/0 overload

What you want to add is something like the following:

ip nat inside source static udp <myinternalserver> 123 <myexternalip>
123 extendable

This gives you a static route, but has the drawback of exposing your ntp
server publicly.

There is however a second option, but it requires a little more thinking.

If you are running a cisco router with reasonably new IOS, the Cisco
router itself runs a fairly decent ntp implementation.

Thus you can set up the router itself to act as an NTPd, set the router
to sync with your external NTP servers, and add your two internal boxes
as NTP peers to the Cisco.

You will have a higher stratum, but it will probably actually be more
accurate than running it through the nat. (Since the router doesn't need
to traverse the NAT rules when communicating with the external NTP
servers, the NAT latency won't add to it), and it will reduce traffic

Just hope I didn't confuse the topic too much.


Svein Skogen		| svein at d80.iso100.no
Solberg Østli 9		| PGP Key:	0xE5E76831
2020 Skedsmokorset	| svein at jernhuset.no
Norway			| PGP Key:	0xCE96CE13
msn messenger: 		| Mobile Phone:	+47 907 03 575
svein at jernhuset.no	| RIPE handle:	SS16503-RIPE

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ntp.org/pipermail/questions/attachments/20071108/be285438/attachment.pgp>

More information about the questions mailing list