I suppose like many of you, we look to Victron to provide more capabilities with various manufacturer integrations on our boat or home (I use Victron for both). One way or another we do this to save ourselves money and/or provide more features/capabilities than what can be offered with a limited wallet or what can be provided for by being cost conscious without throwing unlimited funds at something.
I’m a Network/Systems Engineer for my normal work, and I have an Electronic Engineering degree. I deploy many custom ESP32 devices, computers, cameras, and specific manufacturer solutions to accomplish things that make integrations/features improve my life and enjoyment of home and more importantly on the boat.
I have many devices at home, and I have a Stratum 0/1 NTP server in my house that I built. I control all time sync locally and do not allow any NTP traffic to the internet. I configure (where applicable) all devices to use my local NTP server and configure my SonicWALL firewall to redirect all NTP traffic to the NTP server for those that are hardcoded and not configurable.
For the boat, it ‘should’ be fairly simple to do something similar. I have a Garmin NMEA 2000 GPS unit that is always on and synced. The Cerbo SGX knows about it and has access to it natively, SignalK, and Node-Red. I should not need to build and install another GPS receiver/device to provide an NTP source for my boat local ethernet (LAN) network for all other equipment I’ve installed. Not to mention the Cerbo is one of those devices that is hardcoded to talk to Europe NTP servers (I’m in the US)?!?! Why is this not a configurable item on the Cerbo???
I should not have to deploy an enterprise grade firewall just to redirect that NTP traffic either. So, I solve it through controlling local DNS resolution to an NTP server of my choice. I also do DNS redirects where I am able to detect or know the list of FQDNs that are being used by a device.
I found a plugin for SignalK in the Appstore ‘signalk-ntp-server’ that fits the exact solution that I want/need and provides a proper NTP server without having to deploy extra hardware.
BUT the issue is now that the SignalK process does not have access to ‘privileged’ ports on Venus OS (e.g. <1024). The plugin cannot bind to port 123 and will not work as an NTP server.
The solution I’m looking for should survive device reboots and firmware updates to the Cerbo.
I’m weak on Venus OS, so I’m not sure how to accomplish this properly, let alone on the Linux OS. I’m extremely strong on Windows OS kernels.
I found the command ‘sysctl -w net.ipv4.ip_unprivileged_port_start=122’ that works until the Cerbo reboots. The ‘-w’ should allow it to persist, so there is something I’m unaware of? The command does not error out either.
What would be the best way to accomplish allowing SignalK to access ports below 1024 and even better specifically allow it to only access port 123? I am good with a solution that allows access on all ports or just port 123.
If needed, the specifics of my Cerbo version are usually the latest version as I keep things regularly updated as provided through Cerbo Updates, SignalK, or Node-Red.
I’ve found you have to be careful sometimes on updates, as some SignalK plugin or Node-RED plugin updates sometimes have dependencies that are not included yet in the Cerbo firmware.
Cerbo GX / SGX v3.54 (Large)
build date/time: 20250128120635
/usr/lib
├── @victronenergy/node-red-contrib-victron@1.5.23
├── corepack@0.28.0
├── node-red@3.1.10
├── npm@10.7.0
├── signalk-server@2.11.0
└── victron-vrm-api@0.2.10
Sorry for the long first post, but I thought also providing some context would help in understanding the ‘Why’ of wanting to allow SignalK to access port 123.
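
An added example, not part of the original post: `sysctl -w` only changes the running kernel value, so the setting has to be re-applied at every boot. This sketch assumes the Venus OS boot hook `/data/rc.local` (run at startup, kept on the `/data` partition across firmware updates); the function names are hypothetical. It also shows that a start value of 123 is enough for port 123, and that this sysctl opens every port from that value upward, not port 123 alone.

```shell
#!/bin/sh
# Added example (not from the original post): re-apply the unprivileged-port
# setting at every boot. Assumption: /data/rc.local is the Venus OS boot hook.

SYSCTL_KEY="net.ipv4.ip_unprivileged_port_start"
PORT_START="${PORT_START:-123}"   # first port an unprivileged process may bind
HOOK="${HOOK:-/data/rc.local}"    # overridable so the logic can be tested

# Print the line the boot hook must contain for a given start value.
hook_line() {
    printf 'sysctl -w %s=%s\n' "$SYSCTL_KEY" "$1"
}

# Idempotently install the setting: create the hook if missing, drop any
# older line for the same key, append the current one, keep it executable.
install_hook() {
    hook_file="$1"; start="$2"
    [ -f "$hook_file" ] || printf '#!/bin/sh\n' > "$hook_file"
    tmp="$hook_file.tmp.$$"
    grep -vF "$SYSCTL_KEY=" "$hook_file" > "$tmp" || true
    hook_line "$start" >> "$tmp"
    mv "$tmp" "$hook_file"
    chmod 755 "$hook_file"
}

# Kernel rule: ports >= ip_unprivileged_port_start need no root and no
# CAP_NET_BIND_SERVICE. Usage: can_bind_unprivileged PORT START
can_bind_unprivileged() {
    [ "$1" -ge "$2" ]
}

# Only touch the system when explicitly asked to (run as root on the device).
if [ "${1:-}" = "--install" ]; then
    install_hook "$HOOK" "$PORT_START"
    sysctl -w "$SYSCTL_KEY=$PORT_START"   # apply immediately as well
fi
```

Running it with `--install` as root writes the hook and applies the value at once; any local process can then bind ports 123 to 1023, so the value should stay as high as the NTP port allows.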