Hex Lite and NTP client updates

I have a MikroTik Hex Lite - RB750r2 - running 6.49.10 Long-Term. We haven’t upgraded to newer version because one of the websites we deal with requests that we run this firmware. I request your patience as I’m new to MikroTik (but not new to routers in general.)

The device seems to lose time. So, I uploaded the NTP package. I have NTP SERVER (which I don’t use) and NTP CLIENT (which I do use) under SYSTEM. I have the NTP CLIENT settings all correct. But I can’t seem to get the device to update the time. In fact, it’s losing time. I don’t know why.

Any suggestions on what I need to check? Does something else need to be installed?

Are you certain the NTP server is open to your traffic? Old reliable servers stop providing service from time to time, some ISPs block NTP access to third-party servers to make you use their server instead, etc. Torch the WAN link on port 123 to find out; don’t guess, don’t assume.

Even if you’ve got a working NTP server configured, a proper NTP client doesn’t make single step changes unless forced, especially not backwards in time. It slowly slews toward the correct time over a long period, and in the forward direction only to keep anyone from seeing time go backwards at any point.

I’m using two public NTP servers. Their IP addresses are in the NTP CLIENT. I’ve made no adjustments to the firewall since activating the router - so the firewall settings are basically just “default.”

I torch port 123 - and I can see activity from the two NTP servers (SRC) back to the public IP of the router (DST). I see TX packets, but no RX packets.

To test further, I’ve changed the two original static IPs for the public NTP servers to two other public NTP servers. Same problem - I see TX packets, but no RX packets.

That sounds like your ISP is dropping them. Ask. Maybe they have a nearby NTP server they’d prefer you use instead.

So, I contacted my ISP. They state that the static IP I have for the router is straight out on the internet, no port blocking. They didn’t have any suggestions for an NTP server other than the publicly available ones.

I’m wondering if I just don’t have something configured correctly. But I don’t know what it would be! Does something besides NTP need to be installed?

My visual configuration debugging skills work better than my psychic ones. Post the sanitized output of “/export hide-sensitive” into a “code” block.

I think I did this right…

# mar/06/2024 00:43:27 by RouterOS 6.49.10
# software id = 3PBW-X0JH
#
# model = RB750r2
# serial number = 
/interface bridge
add name=HS_bridge
add admin-mac=48:A9:8A:D5:C8:60 auto-mac=no comment=defconf name=bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=mikrotik.login.hotspotsystem.com hotspot-address=10.5.50.1 \
    html-directory=flash/hotspot login-by=http-chap,https,http-pap,mac-cookie \
    name=hsprof1 ssl-certificate=cert.pem_0 use-radius=yes
/ip hotspot user profile
set [ find default=yes ] shared-users=5
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=hs-pool-3 ranges=10.5.48.1-10.5.63.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp disabled=no interface=bridge-local name=default
add address-pool=hs-pool-3 disabled=no interface=HS_bridge lease-time=1h name=\
    dhcp1
/ip hotspot
add address-pool=hs-pool-3 disabled=no interface=HS_bridge name=hotspot1 \
    profile=hsprof1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=HS_bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-gateway list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.188.0
add address=10.5.50.1/20 comment="HotspotSystem network" interface=HS_bridge \
    network=10.5.48.0
add address=96.43.63.14/26 interface=ether1-gateway network=96.43.63.0
/ip dhcp-client
add comment=defconf interface=ether1-gateway
/ip dhcp-server network
add address=10.5.48.0/20 comment="hotspot network" gateway=10.5.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.188.0/24 comment="default configuration" gateway=\
    192.168.188.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.188.1 name=router
add address=8.8.8.8 name=Google1
add address=8.8.4.4 name=Google2
/ip firewall filter
add action=accept chain=input comment="Allow WinBox from WAN" dst-port=8291 \
    protocol=tcp
add action=add-src-to-address-list address-list=Paying443 address-list-timeout=\
    10m chain=hs-unauth dst-port=3434 protocol=tcp
add action=return chain=hs-unauth dst-port=443 protocol=tcp src-address-list=\
    Paying443
add action=return chain=hs-unauth-to dst-address-list=Paying443 protocol=tcp \
    src-port=443
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=return chain=hs-unauth dst-port=443 protocol=tcp src-address-list=\
    Paying443
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.48.0/20
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=*.hotspotsystem.com
add dst-host=*.worldpay.com
add dst-host=*.paypal.com
add dst-host=*.paypalobjects.com
add dst-host=*.paypal-metrics.com
add dst-host=*.altfarm.mediaplex.com
add dst-host=*.akamaiedge.net
add dst-host=paypal.112.2O7.net
add dst-host=*.moneybookers.com
add dst-host=*.adyen.com
add dst-host=checkoutshopper-live.adyen.com
add dst-host=*.directebanking.com
add dst-host=*.paysafecard.com
add dst-host=*.appdynamics.com
add dst-host=betalen.rabobank.nl
add dst-host=*.ing.nl
add dst-host=ideal.abnamro.nl
add dst-host=*.triodos.nl
add dst-host=*.asnbank.nl
add dst-host=*.knab.nl
add dst-host=*.regiobank.nl
add dst-host=*.snsbank.nl
add dst-host=*.symcd.com
add dst-host=*.rapidssl.com
add dst-host=*.digicert.com
add dst-host=*.letsencrypt.org
add dst-host=*.simplepay.hu
add dst-host=gv.symcd.com
add dst-host=cdp.rapidssl.com
add dst-host=status.rapidssl.com
add dst-host=crl3.digicert.com
add dst-host=crl4.digicert.com
add dst-host=secure.simplepay.hu
add dst-host=securepay.simplepay.hu
add dst-host=europe111.hotspotsystem.com
add dst-host=usa111.hotspotsystem.com
add dst-host=asia111.hotspotsystem.com
add dst-host=www.googletagmanager.com
add dst-host=polyfill.io
add dst-host=www.recaptcha.net
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=194.149.46.0/24
add action=accept disabled=no dst-address=198.241.128.0/17
add action=accept disabled=no dst-address=66.211.128.0/17
add action=accept disabled=no dst-address=216.113.128.0/17
add action=accept disabled=no dst-address=70.42.128.0/17
add action=accept disabled=no dst-address=128.242.125.0/24
add action=accept disabled=no dst-address=216.52.17.0/24
add action=accept disabled=no dst-address=62.249.232.74
add action=accept disabled=no dst-address=155.136.68.77
add action=accept disabled=no dst-address=66.4.128.0/17
add action=accept disabled=no dst-address=66.211.128.0/17
add action=accept disabled=no dst-address=66.235.128.0/17
add action=accept disabled=no dst-address=88.221.136.146
add action=accept disabled=no dst-address=195.228.254.149
add action=accept disabled=no dst-address=195.228.254.152
add action=accept disabled=no dst-address=203.211.140.157
add action=accept disabled=no dst-address=203.211.150.204
add action=accept disabled=no dst-address=82.199.90.136/29
add action=accept disabled=no dst-address=82.199.90.160/27
add action=accept disabled=no dst-address=91.212.42.0/24
add action=accept disabled=no dst-address=193.67.130.68
add action=accept disabled=no dst-address=213.52.172.68
/ip route
add distance=1 gateway=96.43.63.9
/radius
add address=195.228.75.174 service=hotspot timeout=3s
add address=85.25.150.36 service=hotspot timeout=3s
/radius incoming
set accept=yes
/system clock
set time-zone-autodetect=no time-zone-name=GMT
/system identity
set name=hahncomputers_1
/system ntp client
set enabled=yes primary-ntp=96.43.63.9 secondary-ntp=129.6.15.32
/system package update
set channel=long-term
/system scheduler
add interval=1h name=up on-event="/tool fetch keep-result=no mode=http address=t\
    ech.hotspotsystem.com host=tech.hotspotsystem.com src-path=(\"up.php\\\?mac=\
    \".[/interface ethernet get 0 mac-address].\"&nasid=\".[/system identity get\
    \_name].\"&os_date=Mikrotik&uptime=\".[/system clock get time].\"%20up%20\".\
    [/system resource get uptime].\",%20load%20average:%20\".[/system resource g\
    et cpu-load].\"%\")" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    jan/01/1970 start-time=01:20:00
add name=CertUpdateOnBoot on-event="/delay 30; /system script run CertUpdate;" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1w name=CertUpdateOnSchedule on-event=\
    "/system script run CertUpdate" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/02/2020 start-time=08:07:00
/system script
add dont-require-permissions=no name=CertUpdate owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\r\
    \n# Certificate update script\r\
    \n# v1.0.1 - 2021. mar. 30\r\
    \n# HotspotSystem Ltd.\r\
    \n#\r\
    \n\r\
    \n:global FlashDirExist do={\r\
    \n  :if ([:len [/file find name=flash]] > 0) do={\r\
    \n    :return (\"flash/\");\r\
    \n  } else={\r\
    \n    :return (\"\");\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local IsWhiteLabel do={\r\
    \n  :global FlashDirExist;\r\
    \n  :local HTMLContent  [ /file get [ /file find name=( [ \$FlashDirExist ] \
    . \"hotspot/alogin.html\" ) ] contents ];\r\
    \n  :local Start ( [ find \$HTMLContent \"\\\"redirect\\\" action=\" ] + 19)\
    ;\r\
    \n  :local End ( \$Start + 35);\r\
    \n  :if ([ :pick \$HTMLContent \$Start \$End ] = \"https://customer.hotspots\
    ystem.com/\") do={\r\
    \n    return false;\r\
    \n  } else={\r\
    \n    return true;\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:global Download do={\r\
    \n  :local result [/tool fetch url=\$1 as-value output=file];\r\
    \n  :do {\r\
    \n  } while (\$result->\"status\" != \"finished\");\r\
    \n  delay 1;\r\
    \n}\r\
    \n\r\
    \n:local DoCertUpdate do={\r\
    \n  :global Download;\r\
    \n  \$Download ( \$2 . \"/cert.pem\" );\r\
    \n  \$Download ( \$2 . \"/fullchain.pem\" );\r\
    \n  \$Download ( \$2 . \"/privkey.pem\" );\r\
    \n  /certificate remove [ find name~\"cert.pem\" ];\r\
    \n  /certificate import file-name=cert.pem passphrase=\"\";\r\
    \n  /certificate remove [ find name~\"fullchain.pem\" ];\r\
    \n  /certificate import file-name=fullchain.pem passphrase=\"\";\r\
    \n  /certificate remove [ find name~\"privkey.pem\" ];\r\
    \n  /certificate import file-name=privkey.pem passphrase=\"\";\r\
    \n  /ip hotspot profile set [ find name=hsprof1 ] dns-name=\$3 login-by=[ ( \
    [ /ip hotspot profile get [ find name=hsprof1 ] login-by ] , \"https\" ) ] s\
    sl-certificate=cert.pem_0;\r\
    \n  :local buffer [/file get [/file find name=\"cert.sha1\"] contents];\r\
    \n  /file set [ /file find name~\"\$1\" ] contents=\"\$buffer\";\r\
    \n  /file remove cert.pem;\r\
    \n  /file remove fullchain.pem;\r\
    \n  /file remove privkey.pem;\r\
    \n}\r\
    \n\r\
    \n:local InstalledCertName ( [ \$FlashDirExist ] . \"hotspot/InstalledCertSH\
    A.txt\" );\r\
    \n:local FirstRun true;\r\
    \n:local BaseURL \"\";\r\
    \n:local HotspotDNSName \"\";\r\
    \n\r\
    \n:if ( [ \$IsWhiteLabel ] ) do={\r\
    \n  :set BaseURL \"https://tech.hotspotsystem.com/firmware/ssl/mikrotik.logi\
    n.hotspotadmin.com/\";\r\
    \n  :set HotspotDNSName \"mikrotik.login.hotspotadmin.com\";\r\
    \n} else={\r\
    \n  :set BaseURL \"https://tech.hotspotsystem.com/firmware/ssl/mikrotik.logi\
    n.hotspotsystem.com/\";\r\
    \n  :set HotspotDNSName \"mikrotik.login.hotspotsystem.com\";\r\
    \n}\r\
    \n\r\
    \n# Download checksum for newest published certificate and load into a varia\
    ble\r\
    \n\$Download ( \$BaseURL . \"cert.sha1\" );\r\
    \n:do {\r\
    \n  :local OldFileContent [ /file get [ /file find name=\$InstalledCertName \
    ] contents ];\r\
    \n  :set \$FirstRun false;\r\
    \n} on-error={\r\
    \n  :log info ( \"Checksum for installed certificate \" . \$InstalledCertNam\
    e . \" does not exist. Installing certificate.\" );\r\
    \n  /file print file=\$InstalledCertName;\r\
    \n  \$DoCertUpdate \$InstalledCertName \$BaseURL \$HotspotDNSName;\r\
    \n}\r\
    \n\r\
    \n:if ( !\$FirstRun ) do={\r\
    \n  :local OldFileContent [ /file get [ /file find name=\$InstalledCertName \
    ] contents ];\r\
    \n  :local OldChecksum [ pick \$OldFileContent 0 [ find \$OldFileContent \" \
    \" ] ];\r\
    \n  :local NewFileContent [ /file get [ /file find name=cert.sha1 ] contents\
    \_];\r\
    \n  :local NewChecksum [ pick \$NewFileContent 0 [ find \$NewFileContent \" \
    \" ] ];\r\
    \n  :if ( \$OldChecksum = \$NewChecksum ) do={\r\
    \n    :log info ( \"Checksum not changed. Not installing certificate.\" );\r\
    \n  } else={\r\
    \n    :log info ( \"Checksum changed. Installing certificate.\" );\r\
    \n    \$DoCertUpdate \$InstalledCertName \$BaseURL \$HotspotDNSName;\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n/file remove cert.sha1\r\
    \n"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I would have also removed the software ID and MAC addresses as potential PII, but opinions differ on how big a risk that is.

/system ntp client
set enabled=yes primary-ntp=96.43.63.9 secondary-ntp=129.6.15.32

Those servers time out for me, too. Why not use something like “us.pool.ntp.org” instead, which stays up to date automatically?

I was going to use a domain name. But as soon as I do, it immediately converts it to an IP. (pool.ntp.org)

Yes, and the docs tell you that it repeats that lookup each time it tries to sync with SNTP on ROS v6 when you set it via server-dns-names. This is what allows it to be evergreen; as public NTP servers come and go, the round-robin results of a DNS lookup on that name change accordingly.

So I’ve set it to pool.ntp.org and time.google.com. Those were both converted to IP addresses. I wait a few minutes, but time does not appear to sync. I look at the torch again, and I see the same thing - there’s a TX packet, but no RX packet.

I’m seeing Tx and SOME Rx packets now. But no time change…

1. By the way, why do you have winbox exposed to the internet???

/ip firewall filter
add action=accept chain=input comment="Allow WinBox from WAN" dst-port=8291
protocol=tcp


2. The time sometimes doesnt sync right away…???

As I said, it’s supposed to slew, not jump instantaneously. If it jumps forward by a big amount, it’s bad. If it jumps backward by any amount, it’s extra-bad.

I intentionally set the clock about 3 minutes slow. That was a few hours ago, but I haven’t noticed any change…

I’m also not entirely sure I have the MODE set correctly in the NTP client. I assume “unicast”?

I’m still not sure why this isn’t updating. I manually set the time again - this time about a minute off. Two days later, I don’t see any change. I realize it will slew, but it doesn’t seem to be slewing at all.

You’ve got enough to take to tech support now. All the due diligence done, all the diagnostic data needed taken.

Let us know what they say, will ya?

I don’t know what’s going on with support. I created a ticket 5 days ago - and I’ve got no response since.

This type of problem is usually caused by your ISP. Even when they claim that they do not filter, they may filter incoming UDP traffic to port 123 because at some point in the past there were a lot of improperly configured NTP servers (because example config files were wrong!) that were used as reflectors in DDoS attacks.
The department you asked may not know that another department implemented those filters.

You can translate the source port of your NTP requests to some other value using SNAT:

/ip firewall nat
add action=src-nat chain=srcnat out-interface-list=WAN protocol=udp src-port=123 to-ports=12300

When that solves the issue, the ISP is the cause of the problem.

BTW: it is time to buy another router. These ones are old and underpowered for most of todays usage.
But of course on new devices you cannot run version 6.49.10 anymore so first clear up why you would have to use that.

Hi pe1chl
How will the source nat fix the problem…
If the router goes out to a website and the website sees port 12300 wont it just drop the traffic as its not the usual NTP port???