NTP client doesn't sync

victorp · May 17, 2014, 10:05am

Hi.
NTP client doesn’t sync.
Please help.

My Routerboard model: 951Ui-2HnD, current-firmware: 3.14, RouterOS v.6.13

[admin@MikroTik] > /system ntp client print 
          enabled: yes
             mode: unicast
      primary-ntp: 195.214.215.17
    secondary-ntp: 193.27.209.1
  dynamic-servers: 
           status: started

Ping works

[admin@MikroTik] > /ping 195.214.215.17
HOST                                     SIZE TTL TIME  STATUS                 
195.214.215.17                             56  59 30ms 
195.214.215.17                             56  59 25ms 
195.214.215.17                             56  59 28ms 
    sent=3 received=3 packet-loss=0% min-rtt=25ms avg-rtt=27ms max-rtt=30ms

Firewall filters:

[admin@MikroTik] /ip firewall> /ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=forward action=accept connection-state=established 
 1   ;;; default configuration
     chain=forward action=accept connection-state=related 
 2   ;;; default configuration
     chain=forward action=drop connection-state=invalid 
 3   chain=input action=accept protocol=icmp 
 4   chain=input action=accept connection-state=established 
 5   chain=input action=accept connection-state=related 
 6   chain=input action=drop in-interface=ether1-gateway 
 7   ;;; Allow NTP
     chain=services action=accept protocol=udp dst-port=123 
 8   ;;; Allow NTP
     chain=RouterServices action=accept protocol=udp src-port=123 
 9   ;;; Allow NTP server If we are running NTP server
     chain=RouterServices action=accept protocol=udp dst-port=123

The NTP client status is always “started”, clock never gets synced.

Any ideas?
Thanks in advance,
Victor

SurferTim · May 17, 2014, 12:18pm

I don’t know if this is the problem, but I don’t see where you have started a services chain.

7   ;;; Allow NTP
     chain=services action=accept protocol=udp dst-port=123

I would set that chain to input, and allow the src-port=123.

7   ;;; Allow NTP
     chain=input action=accept protocol=udp src-port=123

cdiedrich · May 17, 2014, 12:27pm

…and move it above the ‘drop all’ rule…

Sent from my iPhone using Tapatalk

SurferTim · May 17, 2014, 12:31pm

…and that too. I missed that part.

victorp · May 17, 2014, 12:44pm

Thanks, I have added that rule and move them above ‘drop’,
But still doesn’t work.

[admin@MikroTik] /ip firewall filter> /ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=forward action=accept connection-state=established 
 1   ;;; default configuration
     chain=forward action=accept connection-state=related 
 2   chain=RouterServices action=accept protocol=udp dst-port=123 
 3   chain=RouterServices action=accept protocol=udp src-port=123 
 4   chain=input action=accept protocol=udp src-port=123 
 5   chain=input action=accept protocol=icmp 
 6   chain=input action=accept connection-state=established 
 7   chain=input action=accept connection-state=related 
 8   ;;; default configuration
     chain=forward action=drop connection-state=invalid 
 9   chain=input action=drop in-interface=ether1-gateway