I have two NICs on my native HAOS system with Frigate. One NIC is just for cameras, 192.168.10.0/24 (aka enp3s0), and one is on my default home network, 192.168.1.0/24 (aka eno1).
The cameras work great. However, they need to fetch NTP time periodically to keep their on-screen time and dates correct. (This also provides a time stamp on the video that is saved to the SD card in each camera which is my ultimate backup of recordings, assuming the camera is not stolen…).
It seems that I need to create some routing to open a route for port 123 (NTP) from enp3s0 through eno1. I find no access to iptables on the native HAOS system.
How does one handle this issue? (simplified: accessing NTP from secondary NIC through primary NIC)
@jeffcrum I really disagree. With all I have it doing, it is still using less than 10% of the CPU and a small fraction of the NICs’ bandwidth. After all, I’m not running this on a rasppi, for example.
Home Assistant wants to be “the one screen to rule all” and it does a great job of that.
Home Assistant OS has Linux underlying it. Why would it disable this basic functionality of Linux?
So the question remains, since it does disable iptables, how does one handle this situation without adding another router? (I will soon have another router free, but that seems like a silly solution for just one rule (NTP access))
Most likely your HA has IP forwarding enabled, but to check, SSH into HA and enter cat /proc/sys/net/ipv4/ip_forward. If it comes back as a 1, then forwarding is enabled, so you should be able to forward from network 192.168.10.0 to network 192.168.1.0 (and vice versa) without any additional setup. (Note: just as a check, while xx.xx.xx.0/24 is a valid network address, it is an invalid address to configure for eno1 or enp3s0.)
However the cameras will need to know what the next hop gateway is (to get to the NTP server) and it should be the address of enp3s0.
If you’re using DNS to get to the NTP server, then I would point the camera’s DNS server to be something outside of HA.
HA has set up iptables in my case, so maybe double-check your situation.
I don’t necessarily disagree with what you have said about resources being available.
I personally don’t want everything in one place. For instance, I have never used my phone to play songs. I have always had a tiny MP3 player from before when phones could do it regularly. I kept using the MP3 player even when phones evolved due to resources (specifically battery on the phone. I wanted to be able to use the phone when I wanted).
So, my setup is …
I have a PC that is dedicated to the cameras and runs Blue Iris. It has two NICs. I want to keep the cameras off of the line.
I run an NTP server on that PC. All normal network devices point to my 192.168.0.x IP address for NTP services. All of my cameras point to the 192.168.10.x IP address for NTP services.
I have never looked so I don’t know. Is there an NTP server add-on for HA? Can an NTP server be added at the OS level for HA? Then you don’t have to do any routing and it keeps the cameras without a route to the outside.
ETA: I just reread the thread and see that francisp gave an option for NTP server on HA.
@wmaker Thank you. This is some great guidance. I will need a little time to see if the camera clocks are getting updated, but I will give feedback and document what I changed. Thanks again.
@jeffcrum Thanks. I had a setup very similar to yours. I decided to get off of Blue Iris after working with Frigate on top of native Home Assistant as I found it very stable and reliable in terms of being able to view the cameras on the Home Assistant Android app whereas, after two years of working with Blue Iris 1) I got tired of them breaking their own Android app 2) I wanted fewer apps for my wife to deal with 3) having cloudflared working to my servers has proved to be bulletproof. ** all of these points… after working hard at first to get things working in the first place. All that said, Blue Iris is great and easier to get many things working, but in the end, Frigate on HA really worked well for my needs…
@francisp That looks like it fits the bill. What I like best about that is I can keep my cameras “in a security box” by not giving them a route out to the internet and only point them to a non-existent DNS server and use the address of the HA server on the separate camera NIC for the Chrony NTP server.
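An added example, not part of the original thread: a small SNTP check to run from a machine on the camera subnet, confirming that the NTP server on the camera-side NIC answers with a synchronized time while the cameras have no route out. The address 192.168.10.1 is an assumed placeholder for the HA address on enp3s0.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)

def build_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client)."""
    return bytes([0x23]) + bytes(47)

def parse_response(data):
    """Return (mode, stratum, unix_time) from an NTP server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode = data[0] & 0x07
    stratum = data[1]
    # Bytes 40..47 hold the server's transmit timestamp (seconds, fraction).
    seconds, fraction = struct.unpack("!II", data[40:48])
    return mode, stratum, seconds - NTP_EPOCH_OFFSET + fraction / 2**32

def check_reply(data, now, max_skew=5.0):
    """True if the reply is a synchronized server answer close to our clock."""
    mode, stratum, server_time = parse_response(data)
    # Mode 4 = server. Stratum 0 and 16 both mean "not synchronized".
    return mode == 4 and 1 <= stratum <= 15 and abs(server_time - now) <= max_skew

def query(server, source_ip=None, timeout=3.0):
    """Send one request to server:123, optionally from a specific local address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        if source_ip:
            s.bind((source_ip, 0))  # force the query out of the camera-side NIC
        s.sendto(build_request(), (server, 123))
        data, _ = s.recvfrom(512)
    return data

if __name__ == "__main__":
    # Assumed placeholder: the HA address on the camera NIC (enp3s0).
    reply = query("192.168.10.1")
    print("NTP OK" if check_reply(reply, time.time()) else "NTP reply not usable")
```

A timeout from `query` means nothing is listening on UDP 123 at that address; a "not usable" result means the server answered but is not yet synchronized or is far off the local clock.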