Can not get NTP or SNTP clients to work

Hi - I have followed the wiki article:

http://wiki.mikrotik.com/wiki/Manual:System/Time

and I have also installed the standalone NTP package. System is running RouterOS 4.16.

I have verified the NTP servers I am trying to query by running from my OSX machine inside the network:

MacBookPro:~ user$ /usr/sbin/ntpdate -d 0.au.pool.ntp.org
26 Feb 23:15:46 ntpdate[14380]: ntpdate 4.2.4p4@1.1520-o Mon May 18 19:38:28 UTC 2009 (1)
Looking for host 0.au.pool.ntp.org and service ntp
host found : yarrina.connect.com.au
transmit(192.189.54.17)
receive(192.189.54.17)
transmit(192.189.54.17)
receive(192.189.54.17)
transmit(192.189.54.17)
receive(192.189.54.17)
transmit(192.189.54.17)
transmit(119.148.81.6)
receive(192.189.54.17)
transmit(192.189.54.17)
receive(119.148.81.6)
transmit(119.148.81.6)
receive(119.148.81.6)
transmit(119.148.81.6)
receive(119.148.81.6)
transmit(119.148.81.6)
receive(119.148.81.6)
transmit(119.148.81.6)
transmit(203.161.123.133)
receive(203.161.123.133)
transmit(203.161.123.133)
transmit(203.161.123.133)
transmit(203.161.123.133)
transmit(203.161.123.133)
server 192.189.54.17, port 123
stratum 2, precision -17, leap 00, trust 000
refid [192.189.54.17], delay 0.07643, dispersion 0.00009
transmitted 4, in filter 4
reference time:    d1137a40.c311c000  Sat, Feb 26 2011 23:10:24.761
originate timestamp: d1137b83.0d35b000  Sat, Feb 26 2011 23:15:47.051
transmit timestamp:  d1137b82.d66b2f23  Sat, Feb 26 2011 23:15:46.837
filter delay:  0.07697  0.07643  0.07651  0.07678 
         0.00000  0.00000  0.00000  0.00000 
filter offset: 0.188720 0.188337 0.188432 0.188298
         0.000000 0.000000 0.000000 0.000000
delay 0.07643, dispersion 0.00009
offset 0.188337

server 119.148.81.6, port 123
stratum 2, precision -20, leap 00, trust 000
refid [119.148.81.6], delay 0.06618, dispersion 0.00037
transmitted 4, in filter 4
reference time:    d113793c.2a8e820e  Sat, Feb 26 2011 23:06:04.166
originate timestamp: d1137b83.36fe0ce0  Sat, Feb 26 2011 23:15:47.214
transmit timestamp:  d1137b83.025accd5  Sat, Feb 26 2011 23:15:47.009
filter delay:  0.06908  0.06618  0.06657  0.06691 
         0.00000  0.00000  0.00000  0.00000 
filter offset: 0.183933 0.185250 0.184929 0.184956
         0.000000 0.000000 0.000000 0.000000
delay 0.06618, dispersion 0.00037
offset 0.185250

server 203.161.123.133, port 123
stratum 3, precision -23, leap 00, trust 000
refid [203.161.123.133], delay 0.11691, dispersion 56.00000
transmitted 4, in filter 4
reference time:    d11377a7.0907057a  Sat, Feb 26 2011 22:59:19.035
originate timestamp: d1137b83.500f866e  Sat, Feb 26 2011 23:15:47.312
transmit timestamp:  d1137b85.157e9963  Sat, Feb 26 2011 23:15:49.083
filter delay:  0.11691  0.00000  0.00000  0.00000 
         0.00000  0.00000  0.00000  0.00000 
filter offset: 0.183166 0.000000 0.000000 0.000000
         0.000000 0.000000 0.000000 0.000000
delay 0.11691, dispersion 56.00000
offset 0.183166

26 Feb 23:15:50 ntpdate[14380]: adjust time server 119.148.81.6 offset 0.185250 sec
MacBookPro:~ user$

So I know the NTP server is working - it is 0.au.pool.ntp.org which is part of the AU NTP Pool. In the NTP Client config on the RB750G I am using the IP address of this NTP server:

192.189.54.17

I am not sure if this is a firewall issue, I am not sure how it could be. As I said, the OSX NTP client can connect fine. Could it be a NAT’ing issue? I have played around with this now for hours but can not get the time to sync.

Help !!

[admin@MikroTik] /system ntp client> print
        enabled: yes
           mode: unicast
    primary-ntp: 192.189.54.17
  secondary-ntp: 0.0.0.0
         status: started



[admin@MikroTik] /system clock> print
            time: 11:28:34
            date: jan/01/2002
  time-zone-name: Australia/Brisbane
      gmt-offset: +10:00

OK, so going through the logs I found the error was because the NTP server was trying to send SYN packets to the external (public IP) interface of the router but these SYN packets were being dropped.

I added the following rule:

So now I allow Established and Related traffic back in to the router interface via the input chain as opposed to how I had it before where I only had it set up on the forward chain.

The reason it was working from my laptop was because the allow established rule was going via the forward chain.

Is this an acceptable configuration?

Yes, it’s OK.

Hi, I seem to have the same issue and the image is temp dropbox.

Can you please post it again? I’ve seen the same SYN errors but what is your rule to resolve it?

Thanks!

/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=!ether1 action=accept
add chain=input action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=!ether1 action=accept
add chain=forward action=drop

That’s assuming ether1 is used for WAN connectivity. It’s a stateful firewall set that makes sure connections established by LAN users and the router itself allow return packets back in. Of course merge that with your other firewall requirements.

What if I have multiple WANs?

Should I just pick one and adjust the rules for it?

THX.

When did your problem appear? I had some problems with NTP after upgrade to 5.7 on RB1200 - most of the time synchronization was failing. NTP servers were working, but not with Mikrotik. I had to find other NTP server, which is still working. Maybe it has nothing to do with software upgrade, maybe it is coincidence only - that’s why I am asking.

I’ve upgraded two RB (750 and 433AH) to ROS 5.7 and NTP client works properly.

HTH,

For me too - only problem I had was RB1200 (using NTP servers from sk.pool.ntp.org - first problem has appeared http://forum.mikrotik.com/t/upgrade-to-2-8-from-2-4-extended-license/42/1 and again few days later after reboot), but as I said: it may be some coincidence. I’m trying various NTP servers just now and everything is working. Maybe problem appears only after reboot, but I can’t reboot now. So - I’m just asking :wink:

Hi, the last drop rule is stopping my mail server from receiving mail. Why is that?

The rules are blocking all incoming non-initiated connections. You have to add all exceptions for incoming connections (in this case TCP/25) before the last drop rule.
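
An added example, not written by any poster in this thread: a small Python model of first-match evaluation over the rule set posted above. It shows why the router's own NTP replies were dropped while the laptop's passed, and why an inbound exception such as TCP/25 has to sit before the final drop. The addresses, the `BEFORE` rule set and the helper names are assumptions, and the mail server is assumed to sit behind the router so that its traffic traverses the forward chain.

```python
# Added illustration, not from the thread: first-match model of the posted rules.
ROUTER_IPS = {"203.0.113.2", "192.168.88.1"}  # constructed router WAN/LAN addresses
WAN = "ether1"                                # WAN port, as the thread assumes

def stateful_set(chain):
    """The five rules posted in the thread, for one chain."""
    return [
        {"chain": chain, "state": "established", "action": "accept"},
        {"chain": chain, "state": "related", "action": "accept"},
        {"chain": chain, "state": "invalid", "action": "drop"},
        {"chain": chain, "not_in_if": WAN, "action": "accept"},
        {"chain": chain, "action": "drop"},
    ]

def matches(rule, pkt):
    """A rule matches when every matcher it carries agrees with the packet."""
    in_if_ok = pkt["in_if"] != rule.get("not_in_if")
    return in_if_ok and all(pkt[k] == rule[k] for k in ("state", "proto", "dport") if k in rule)

def verdict(rules, pkt):
    """Pick the chain by destination, then apply the first matching rule."""
    chain = "input" if pkt["dst"] in ROUTER_IPS else "forward"
    hits = (r["action"] for r in rules if r["chain"] == chain and matches(r, pkt))
    return next(hits, "accept")  # a packet that matches no rule is accepted

def with_exception(rules, exc):
    """Insert exc just before the final unconditional drop of its chain."""
    last = max(i for i, r in enumerate(rules) if r == {"chain": exc["chain"], "action": "drop"})
    return rules[:last] + [exc] + rules[last:]

# Constructed sample packets (addresses are placeholders).
NTP_TO_ROUTER = {"dst": "203.0.113.2", "in_if": WAN, "proto": "udp", "dport": 123, "state": "established"}
NTP_TO_LAPTOP = dict(NTP_TO_ROUTER, dst="192.168.88.50")
SMTP_NEW = {"dst": "192.168.88.10", "in_if": WAN, "proto": "tcp", "dport": 25, "state": "new"}

# Assumed reconstruction of the first setup: stateful rules on forward only.
BEFORE = stateful_set("forward") + [{"chain": "input", "not_in_if": WAN, "action": "accept"},
                                    {"chain": "input", "action": "drop"}]
AFTER = stateful_set("input") + stateful_set("forward")
SMTP_RULE = {"chain": "forward", "proto": "tcp", "dport": 25, "action": "accept"}

if __name__ == "__main__":
    for label, rules, pkt in [("NTP reply to router, forward-only rules", BEFORE, NTP_TO_ROUTER),
                              ("NTP reply to laptop, forward-only rules", BEFORE, NTP_TO_LAPTOP),
                              ("NTP reply to router, input rules added", AFTER, NTP_TO_ROUTER),
                              ("new SMTP, posted rules", AFTER, SMTP_NEW),
                              ("new SMTP, exception before drop", with_exception(AFTER, SMTP_RULE), SMTP_NEW)]:
        print(f"{label}: {verdict(rules, pkt)}")
```

Appending the exception after the final drop instead leaves the verdict at drop, because evaluation stops at the first matching rule.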