No NTP sync on PTP devices

Set up a couple of NetBox 5’s a couple of months ago on a PtP link. They are working fine.

Just noticed that the clocks aren’t syncing with the NTP server. Probably because of this, found elsewhere on the forum:

“Another consideration is that the NTP request will originate from the IP attached to the interface the traffic is routed through. If this is a private address, for example on a point-to-point link, it won’t be able to connect out to the remote NTP site.”

Exactly the case.

Is there any way around this? Not affecting operation, but the signal logs are showing an inaccurate time. Just annoying.

Thanks.

Nothing much to be done on PtP nodes; NTP needs IP connectivity with the server. But there are two possibilities:

  1. Set up an NTP server, which can synchronize to precision time sources (either a high-quality source, such as a GPS receiver, or internet NTP servers), and serves clients inside the management LAN.
  2. Allow NTP connections from the management LAN towards the internet. NTP uses UDP port 123.

If you decide on option #1, then the NTP server will either have to be multi-homed (having two interfaces, one with access to the management LAN and the other with access to the internet) or you’ll have to implement an appropriate solution according to option #2 above, but only for the NTP server (not for all network devices).

Thanks for the response. About what I figured.

If I create a firewall rule on each device (there are 2) to allow access out, is creating an “accept” on 123 adequate? Or does it need to be to an IP for an NTP server?

The problem with NTP servers is that their IPs are always changing.

Is it possible to use pool.ntp.org as a destination for a rule? Or does it always need to be a numeric IP?

What about Mikrotik’s Cloud time service? Anything special about that?

It is enough to allow protocol=udp dst-port=123 (and the default accept established,related). Entering pool.ntp.org may or may not be fine, because the firewall will resolve the name to IP address(es) at some moment in time, possibly taking only a single IP address. The NTP client will possibly resolve it to another (set of) IP address(es). So you had better open this fairly wide to avoid intermittent service.
Just be careful about which devices need changed/added firewall rules. Is it the originating device (usually chain=output is not blocked at all) or is it the gateway between the management LAN and the rest of the universe?

Mikrotik’s cloud service sets approximate time (the error margin being several seconds), which is good for having some almost-correct time instead of 1st of January 1970 at boot time. If you have to correlate logs from different devices, this precision is far from adequate.

Is there another MikroTik device on one end of the P2P that you can set up an NTP server on?

The two NetBox devices were set up as PtP WDS using examples from the Wiki (can’t remember which ones) and per those examples have no firewall rules at all. I do remember that the starting point was to select PtP Bridge CPE and PtP Bridge AP for them and then make other changes using WebFig / WinBox. That might account for the lack of firewall rules.

Seemed strange to me, but they are working. I just don’t know enough to say if it’s “wrong”.

The signal logging script can run on either the originating end or the destination end. Would one be better than the other?

From what you have written, sounds like I need two filter rules:

allow protocol=udp dst-port=123

and

accept established,related

Am I getting that right?

Yes, a RB960PGS. And it is, of course, syncing with NTP just fine through the PtP link.

Setting up an NTP server there is of course an option. I do need to disclose that the NetBoxes are on a different subnet from the router to allow me to access them remotely via an IP/Address rule on the 960. Just in case that matters (it usually does).

I am looking for simplicity. Like I said, things are running OK, and the time is only off 2 min since I powered things up initially over two months ago. I wonder how the NB’s got the initial time? I don’t remember setting it manually…

If the RB960 can communicate with the netmetals (or you can communicate with them via the RB960), then you can set up an NTP server on the RB960 (install ntp-X.XX.X-mipsbe.npk from Extra packages, available from downloads.mikrotik.com … just be sure the npk version matches the ROS version installed on the RB960) and then configure the netmetals to use the RB960 as their NTP server. Probably nothing needs to be changed on the firewall at the edge of your network.
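As an added example (not from the thread or from MikroTik), the two options discussed above expressed as RouterOS configuration. It assumes RouterOS v6 CLI syntax, that the RB960 is the gateway for the NetBox subnet, and uses 10.10.10.0/24 and 10.10.10.1 as placeholders for that subnet and the RB960's address on it.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 syntax; the NTP client
# keyword differs on v7 (servers=...). 10.10.10.0/24 is a placeholder for the
# NetBox/management subnet, 10.10.10.1 a placeholder for the RB960 on that subnet.

# --- Option 1: the RB960 serves time to the NetBoxes (no edge firewall change) ---
# Requires the matching ntp-*-mipsbe.npk Extra package to be installed first.
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org
/system ntp server
set enabled=yes

# On each NetBox: point the NTP client at the RB960. The request then stays on
# the private subnet, so the PtP link never needs internet reachability.
/system ntp client
set enabled=yes primary-ntp=10.10.10.1

# --- Option 2: let the NetBoxes reach internet NTP through the RB960 ---
# Scoped to the management subnet and to udp/123 only, so it does not grant the
# NetBoxes general outbound access. Assumes the RB960 already masquerades this
# subnet towards the internet. Both rules must sit above any drop rule in
# chain=forward; if drops already exist, add place-before= to these commands.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic, including NTP replies"
add chain=forward src-address=10.10.10.0/24 protocol=udp dst-port=123 \
    action=accept comment="NetBox NTP requests out"
```

Option 1 keeps the time source inside the management network; the dst-port=123 rule in option 2 is deliberately destination-agnostic, since pool.ntp.org resolves to changing addresses.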