WirelessRudy
Forum Guru
Topic Author
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

NTP drives me nuts again, now in 6.x versions

Wed Dec 04, 2013 1:44 am

Had it all set up fine and working.
First had one rb1000 with sntp that was synced. Installed sntp package so it could be ntp server and it worked.
Next day did an upgrade to a 6.x version, no more sync. Removed ntp package and after reboot the rb1000 got synced with the same time servers.
Reboot again with ntp package again, no more sync.... This now in v.6.4, 6.5 and 6.6
Now, since some days, also the sntp is not syncing any more...

Had a CCR working for months as time server for my local clients. Worked fine, never saw any problems.
2 days ago needed to reboot the CCR and in the days after found that many clients are out of time sync. They all 'look' to this CCR for their time sync.
So, today spent several hours trying to get my CCR to sync again. No luck.

Tried every possible ntp (udp or tcp port 123) firewall rule in forward, output and input chain. With mentioning the incoming, or outgoing ports of the CCR.
Run now torch on the CCR's LAN port and see loads of clients requesting ntp but all the tx rate is "0".

At the same time, when I torch the WAN port for outgoing packets (with dst port, or 'any port' 123 in both udp or tcp) I don't see any packets going out...

It looks like one way or another the time protocol is not leaving routers any more?

When I set a firewall filter on the LAN port (outgoing interface) to accept the ntp traffic, the counter stays "0".

In the ntp client window (winbox) the ntp client just 'hangs' in "started"

Any suggestions on troubleshooting this? Or is it the software that has once more a bug?
 
WirelessRudy
Forum Guru
Topic Author
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: NTP drives me nuts again, now in 6.x versions

Wed Dec 04, 2013 2:14 am

What am I doing wrong?

CCR = my internet gateway.

/system ntp client> pr
enabled: yes
mode: unicast
primary-ntp: 217.127.2.161
secondary-ntp: 94.125.129.7
dynamic-servers:
status: started


/system ntp server> pr
enabled: yes
broadcast: yes
multicast: no
manycast: yes
broadcast-addresses: 10.10.xx.1
#10.10.xx.1 is the def. gateway for all clients and routers on the LAN. src-nat takes place in this router to give clients public IP
#CCR has all except .1 (which is provider's gateway address) on its WAN interface.

In firewall nat I set srcnat rule;
0 chain=srcnat action=src-nat to-addresses=89.140.xxx.2 protocol=udp out-interface=ether1-WAN dst-port=123

It is the first rule, so ntp requests should be able to leave from router? Well, counter stays at "0"



In firewall filter, no outgoing rules (router can go out with whatever traffic initiated from this router..)
In firewall filter, incoming;
0 ;;; Accept udp prt 123 ntp time protocol
chain=input action=accept protocol=udp in-interface=ether1-WAN dst-port=123

1 ;;; Accept udp prt 123 ntp time protocol
chain=input action=accept protocol=udp in-interface=User_Man_bridge dst-port=123

#0 is for router's own time server request. 1 is for clients that request the time server in this router. (LAN interface is actually a bridge containing 2 ethernet interfaces)
#0 is not counting. 1 is counting like crazy (500+ units without time!)

I run torch on the bridge interface and see a rx rate for any unit on my network requesting a time stamp, but the Tx rates all stay "0". So obviously CCR is not answering....


I also set a firewall forward rule (actually 3, see code) so clients should be able to directly request internet time servers;
0 ;;; allow passing ntp time sync protocol
chain=forward action=accept protocol=udp src-port=123

1 ;;; allow passing ntp time sync protocol
chain=forward action=accept protocol=udp dst-port=123

2 ;;; allow passing ntp time sync protocol
chain=forward action=accept protocol=udp port=123

#I set the different ports just to see which one would 'catch' the traffic from clients. Only "0" is counting.
#Since I did not mention any incoming or outgoing interface, these rules should 'catch' all ntp traffic passing router?

Well, although "0" is counting, none of the clients requesting a valid ntp time server (I tried several, also the one from my windows PC which works fine) but none of my clients get a time stamp update....


Any more suggestions?
 
samsung172
Forum Guru
Posts: 1191
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: NTP drives me nuts again, now in 6.x versions

Wed Dec 04, 2013 5:26 am

I have put the same NTP server 2 times in config. Seems to help me. If I had just one, it was random when it was working and not.

ros code

/system ntp client> print 
             enabled: yes
                mode: unicast
         primary-ntp: 172.31.255.6
       secondary-ntp: 172.31.255.6
       poll-interval: 1m4s
       active-server: 172.31.255.6
    last-update-from: 172.31.255.6
  last-update-before: 17s930ms
     last-adjustment: -38ms701us

 /system ntp client> export 

/system ntp client
set enabled=yes mode=unicast primary-ntp=172.31.255.6 secondary-ntp=\
    172.31.255.6
 /system ntp client>
 
WirelessRudy
Forum Guru
Topic Author
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: NTP drives me nuts again, now in 6.x versions

Thu Dec 05, 2013 2:08 am

I tried that. No result.
I tried several different 'valid' ntp servers. We removed all 'drop' firewall rules so ALL traffic should pass or leave router. But no matter what we tried, we don't seem to be able to reach any ntp server anymore....
Clients using the sntp package show their ntp servers as being "active" but no time stamps seem to be received....... :(
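
Added example, not part of any post in this thread: a minimal SNTP probe in Python that can be run from a LAN host against a time server to tell "no reply at all" (what a torch Tx rate of 0 suggests) apart from "replies, but is itself unsynchronised". The function names and the two sample packets are constructed for illustration.

```python
import socket
import struct
import sys
import time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_request(now=None):
    """48-byte client request: LI=0, VN=3, Mode=3, transmit timestamp filled in."""
    now = time.time() if now is None else now
    return struct.pack("!B39xII", 0x1B, int(now) + NTP_DELTA, int((now % 1) * 2**32))

def parse_reply(data):
    """Decode the header fields that tell a usable server from a free-running one."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    flags, stratum = data[0], data[1]
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {"leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "unix_time": secs - NTP_DELTA + frac / 2**32}

def usable(reply):
    """Server-mode reply, leap indicator not 3 (alarm), stratum 1..15."""
    return reply["mode"] == 4 and reply["leap"] != 3 and 1 <= reply["stratum"] <= 15

def probe(host, port=123, timeout=3.0):
    """Return 'no-reply', 'malformed', 'unsynchronised' or 'synchronised'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # Unbound socket: ephemeral source port, destination port 123, so a
        # filter rule matching dst-port=123 is the one this request should hit.
        s.sendto(build_request(), (host, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    try:
        return "synchronised" if usable(parse_reply(data)) else "unsynchronised"
    except ValueError:
        return "malformed"

# Constructed sample replies (not captured from any router in this thread).
SAMPLE_SYNCED = struct.pack("!BB38xII", 0x1C, 2, 1386115200 + NTP_DELTA, 0)
SAMPLE_FREE_RUNNING = struct.pack("!BB38xII", 0xDC, 0, 0, 0)  # LI=3, stratum 0

if __name__ == "__main__":
    # Usage: python3 ntp_probe.py <server-address>
    print(probe(sys.argv[1]))
```

A result of "no-reply" points at filtering or a server that is not answering; "unsynchronised" means packets get through but the server has no valid time of its own to hand out.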
