Old Netgate Appliance for cheap NTP Server?


XplodingData

Member
Jan 25, 2020
Looking for some wisdom on a good way forward for this project.

I have 3 VLANs on a physically air-gapped network that don't currently have any routing setup between them. These are industrial, production/control, network and security cameras networks. They do not have a need to speak to each other, and there aren't regular "users" on the network. At least not in the traditional sense. Only servers polling machinery for trend logging/SCADA purposes, or the NVR and cameras, etc.

I would like to get all the clocks on the machines/equipment synced so it's easier to compare logs/alarms/cameras/etc to the correct times.
So we purchased and installed a GPS based NTP Server appliance (Time Machines TM2000B) and set it up on one of the VLANs. But it only accepts one IP Address and can't handle multiple VLANs or subnets.

Bosses don't want to buy extra TM2000B units for each range, and they want the solution to be rack mounted and look good in the rack. So no SFF PC or RasPi on shelf. We talked about virtualizing a pfsense instance, but I think in this case it would be best to keep a dedicated piece of hardware.

I need to either setup a gateway (there isn't any currently) for each of the VLANs, and let it handle either routing the NTP requests to the GPS NTP Unit or act as a time server itself, with connections to each VLAN/subnet.

There is nearly zero processing power required to handle the ~500 calls per day to the NTP server. So I'm wondering about just buying an older netgate appliance off eBay, and using that. Thoughts?

If I haven't bought it from Netgate directly (licenses?) can I still load pfSense Plus, or can I just load regular pfSense onto it and be done?
Is there a better option? I'd prefer the hardware to have forward facing ports (like a switch) to keep the aesthetic and easy to manage cabling in the rack.

Thanks
 

nexox

Well-Known Member
May 3, 2023
I don't have a lot of input directly to the questions you have, but I do know there are quite a few 1U Mikrotik devices that will run NTP (or just NAT to your existing NTP appliance) and have ports on the front.
 

Tech Junky

Active Member
Oct 26, 2023
Why not plug it into the managed switch and put it into trunk mode for the port and allow it to communicate with the other vlans?
 

XplodingData

Member
Jan 25, 2020
Why not plug it into the managed switch and put it into trunk mode for the port and allow it to communicate with the other vlans?
The GPS NTP server only has one IP and is not equipped to handle tagged VLAN traffic. I need a device to handle that portion, hence the Netgate idea. I'm semi-familiar with pfsense from using it at home so figured it was easier than learning another system for a single device
 

XplodingData

Member
Jan 25, 2020
I don't have a lot of input directly to the questions you have, but I do know there are quite a few 1U Mikrotik devices that will run NTP (or just NAT to your existing NTP appliance) and have ports on the front.
I had wondered about a mikrotik device as well, but have zero experience with them. I've used pfsense a little sooooo figured I might get out of having to learn/support a one off device.

But I'm not completely against it. Especially if they're easy to configure with virtual interfaces to handle various subnets and VLANs.

If you happen to have a link of something you suggest, I'd be very grateful.
 

Tech Junky

Active Member
Oct 26, 2023
The GPS NTP server only has one IP and is not equipped to handle tagged VLAN traffic. I need a device to handle that portion, hence the Netgate idea. I'm semi-familiar with pfsense from using it at home so figured it was easier than learning another system for a single device
Assign the IP and then trunk the vlans to communicate with it or point a route to it from each vlan.
 

nexox

Well-Known Member
May 3, 2023
I had wondered about a mikrotik device as well, but have zero experience with them. I've used pfsense a little sooooo figured I might get out of having to learn/support a one off device.

But I'm not completely against it. Especially if they're easy to configure with virtual interfaces to handle various subnets and VLANs.

If you happen to have a link of something you suggest, I'd be very grateful.
It might be difficult to avoid learning a bit of specific stuff for Mikrotik, I have heard it's not that different to other enterprise switch configuration, but I wouldn't know. You don't need to configure virtual interfaces so much as specify default VLANs for physical ports, in the simplest setup you could put the NTP appliance on one of your VLANs, point the Mikrotik NTP client at it, then run the Mikrotik NTP daemon on the other VLANs.

I don't really know which model would be best, many of them are 1U high but not a full 1U wide and come with brackets to span the rest of the space, or have brackets available to purchase separately, but pretty much anything which runs RouterOS and has enough ports for your VLANs would work.
 

sko

Well-Known Member
Jun 11, 2021
Pretty much every switch can act as an NTP server. Use the GPS module as the upstream time source for the switch and let it run an NTP server for all connected subnets.
 

Stephan

Well-Known Member
Apr 21, 2017
Germany
Pretty much every switch can act as an NTP server. Use the GPS module as the upstream time source for the switch and let it run an NTP server for all connected subnets.
Then it is no longer airgapped? Personally I would buy any 19" case from ebay for little money, an ATX power supply with off-switch on the back, bridge the pin so PSU turns on and gives you 5 volts and just glue a few RPi3 into the case with hot glue. And use GitHub - domschl/RaspberryNtpServer: Stratum-1 time server with Raspberry Pi and GPS and be done.
 

sko

Well-Known Member
Jun 11, 2021
Then it is no longer airgapped? Personally I would buy any 19" case from ebay for little money, an ATX power supply with off-switch on the back, bridge the pin so PSU turns on and gives you 5 volts and just glue a few RPi3 into the case with hot glue. And use GitHub - domschl/RaspberryNtpServer: Stratum-1 time server with Raspberry Pi and GPS and be done.
Of course it's still airgapped - the switch only gets its time from the GPS module, that's all. Absolutely zero connections going to other (or external) networks. You could even use a dedicated VLAN for that single connection between the switch and the GPS module.
Also just because the switch gets an IP in every subnet to be reachable as an NTP server doesn't mean there's any routing involved unless you configure it; the VLANs are still strictly isolated by default.

And he already stated: no raspberry toys or other mickey mouse job...
(Even *if* he'd be open to such solutions, why buy that heavily overpriced (and overhyped) raspberry gadget, if there are things like the orangePi zero out there, which can easily handle such small tasks at a tiny fraction of the price)
 

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
Then it is no longer airgapped? Personally I would buy any 19" case from ebay for little money, an ATX power supply with off-switch on the back, bridge the pin so PSU turns on and gives you 5 volts and just glue a few RPi3 into the case with hot glue. And use GitHub - domschl/RaspberryNtpServer: Stratum-1 time server with Raspberry Pi and GPS and be done.
Or Rpi + this Pi-Hat and free software:
I just like how easy it is to get chrony to work.
 

Stephan

Well-Known Member
Apr 21, 2017
Germany
Of course its still airgapped
No it isn't, because if you hack, through say a buffer overflow, the NTP service on the switch, and turn on IP forwarding through switch ASIC or by CPU path by hand, you suddenly bridged the segments. Worse, those services on switches cannot be trusted one iota to be securely implemented. Out the window goes your air gap, and whatever secrets you try to keep.

I know he said no RPIs, but who can tell when it looks like an IBM x3650 for basically free from ebay, which has been gutted to host completely autonomous RPIs. Only issue is getting network and SMA connectors for the antennae cleanly out of the box. Aliexpress or ebay got you covered: LR-LINK M.2 A+E Key Single-port 1G Copper Ethernet Network Adapter and two of those https://www.amazon.com/Eightwood-Antenna-Computer-Bracket-Network/dp/B0CNPQQL44 and a bunch more cables and a soldering iron and shrink wrap for isolation. Depending on antenna might need SMA female not RP-SMA like for Wifi but all in all, this can be done for cheap.
 

gregsachs

Well-Known Member
Aug 14, 2018
Just an idea, to keep air-gap concept, and still get good time service:
1: Buy something rackmount with 4x NICs.
2: Install hypervisor of choice, preferably with ability to get time from GPS module.
3: Stand up 3x identical vms, each only connected to one of the networks.
4: Tie the vm time to the host time.
 

XplodingData

Member
Jan 25, 2020
Some very fun ideas here. But we are trying to keep everything professional, and appearance-wise I have worked hard with the management to get this new rack looking like a million bucks. They're proud of it now and would like to keep it that way.

For home I would just use a raspi I have laying around or mess with serial inputs to a VM etc. But this I want to be a visually clean, easily supported, and obvious to the purpose.

We have also already purchased and installed the GPS unit, so it is in play and we're not looking to replace it. It has easy to identify status LED and a numeric display to confirm accurate time.

There's a bit of confusion surrounding the air gap thing that I can clear up though.

The entire physical network, containing all these VLANs, is airgapped as a collective from the outside world. They all share the same physical backbone throughout the plant, and distribute through the same switches. So while the VLANs can't talk to each other, or the internet, we aren't overly concerned with internal hacking attempts with buffer overflows and the like.

It would be best practice (in my opinion) to have them continue to not talk to each other, and simply have a device that handles exclusively the NTP requests. Since I don't want to be the only point of support for this, I'm hoping to keep it extra simple.

For visual clarity, separate physical NICs/cables for each VLAN would be preferred over a trunked/tagged single cable to the NTP device. This is why I originally figured an old Netgate appliance. Mikrotik sounds like a possibility as well. I may see if the management wants to pick up a used one off eBay to play with.

They've got a new 1U server laying around I could use but it's deep, noisy (I mean it's already a rack but why make it worse) and wildly overpowered for the purpose. Why not save that for another project when a $250 device will do? Plus, I'd still really prefer to keep the cabling forward facing, as the core switches are the next rack over so nice, clean, short jump to tie in.
 

gregsachs

Well-Known Member
Aug 14, 2018
Something like this:
4x isolated ethernet ports on front panel, plus a management port
Might need some RAM, but for 4x vms or docker containers an atom should be fine. To me, a netgate running "something" is likely to stay your problem, while a server you may be able to get help with.
 

Tech Junky

Active Member
Oct 26, 2023
separate physical NICs/cables for each VLAN would be preferred over a trunked/tagged single cable to the NTP
How about sync the core switch? Point the ntp to one of the loopbacks on the switch aka give it an ip within the same subnet and configure the switch to get ntp from the device. Then point devices to the individual vlan ip for sync.
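Whichever box ends up answering NTP on each VLAN (switch loopback, Mikrotik, Netgate or VM), the check worth running from a host on every subnet is that the per-VLAN address replies in server mode, is synchronised, and reports a low stratum fed by the GPS unit rather than a kiss-o'-death or an unsynchronised clock. The following is an added example, not code from the thread or any vendor: a minimal NTPv4 client and reply parser per RFC 5905, with constructed sample replies (not captured from any real device) so it can be exercised offline.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_HEADER = "!BBbbII4sIIIIIIII"  # 48-byte fixed header: flags, stratum, poll, precision, ...

def build_client_request() -> bytes:
    """48-byte NTPv4 client packet: LI=0, VN=4, Mode=3, transmit timestamp = now."""
    first_byte = (0 << 6) | (4 << 3) | 3
    now = time.time() + NTP_EPOCH_OFFSET
    secs = int(now)
    frac = int((now - secs) * (1 << 32))
    return struct.pack("!B", first_byte) + bytes(39) + struct.pack("!II", secs, frac)

def parse_server_reply(data: bytes) -> dict:
    """Decode the fixed header of an NTP reply; extension fields and MAC are ignored."""
    if len(data) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    (flags, stratum, _poll, _precision, _root_delay, _root_disp, refid,
     _rs, _rf, _os, _of, _cs, _cf, tx_s, tx_f) = struct.unpack(NTP_HEADER, data[:48])
    return {
        "leap": flags >> 6,            # 3 = clock unsynchronised
        "version": (flags >> 3) & 7,
        "mode": flags & 7,             # 4 = server reply
        "stratum": stratum,            # 1 = primary (e.g. GPS-disciplined), 0 = KoD/unspecified
        "refid": refid,                # ASCII source name at stratum 1, KoD code at stratum 0
        "transmit_unix": tx_s - NTP_EPOCH_OFFSET + tx_f / (1 << 32),
    }

def reply_is_usable(reply: dict) -> tuple:
    """Sanity check a client on each VLAN should apply before trusting the time."""
    if reply["mode"] != 4:
        return False, "not a server-mode reply"
    if reply["stratum"] == 0:
        return False, "kiss-o'-death: " + reply["refid"].decode("ascii", "replace")
    if reply["leap"] == 3 or reply["stratum"] >= 16:
        return False, "server clock not synchronised"
    return True, "stratum %d via %r" % (reply["stratum"], reply["refid"])

def query(server: str, timeout: float = 2.0) -> dict:
    """Send one request to the NTP address exposed on this VLAN and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (server, 123))
        data, _ = sock.recvfrom(1024)
    return parse_server_reply(data)

# Constructed sample replies for offline testing; transmit time is 2024-01-01T00:00:00Z.
GPS_REPLY = struct.pack(NTP_HEADER, 0x24, 1, 6, -20, 0, 0, b"GPS\x00", 0, 0, 0, 0, 0, 0, 3913056000, 0)
KOD_REPLY = struct.pack(NTP_HEADER, 0x24, 0, 6, -20, 0, 0, b"RATE", 0, 0, 0, 0, 0, 0, 3913056000, 0)
```

Run `query("<per-VLAN NTP address>")` from a host on each subnet and pass the result to `reply_is_usable`; a reply reaching the other VLANs' addresses from the wrong subnet would indicate routing that sko's design says should not exist.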