NTP NTP NTP I will crazy

jm3west · June 15, 2020, 1:42pm

Hi guys,

since three days I try a connect NTP client to NTP server (local)

Here is server/router …

/system ntp server export 
# jun/15/2020 15:17:52 by RouterOS 6.47
# software id = UJP9-7QYV
#
# model = RouterBOARD 3011UiAS
# serial number = 7XXXXXXXXX
/system ntp server
set broadcast=yes enabled=yes

/system ntp client
set enabled=yes primary-ntp=134.130.4.17 secondary-ntp=134.130.5.17

/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="*** Connect to winbox ***" dst-port=8291 protocol=tcp src-address=10.1.10.21
add action=accept chain=input dst-port=8291 protocol=tcp src-address=10.1.30.0/24
add action=accept chain=input in-interface=all-vlan protocol=icmp
add action=accept chain=input dst-port=123 in-interface=all-vlan protocol=udp
add action=drop chain=input comment="*** Drop from outside ***" in-interface=eth-01_WAN
add action=drop chain=input
add action=drop chain=forward connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward in-interface=eth-01_WAN
add action=accept chain=forward in-interface=vlan-1
add action=accept chain=forward in-interface=vlan-10
add action=accept chain=forward in-interface=vlan-30
add action=accept chain=forward comment="*** Guest WLAN ***" dst-port=53,80,443 in-interface=vlan-60 protocol=tcp
add action=accept chain=forward dst-port=53 in-interface=vlan-60 protocol=udp
add action=accept chain=forward comment="*** MNGM VLAN ***" in-interface=vlan-99
add action=drop chain=forward

/ip firewall nat
add action=dst-nat chain=dstnat comment="*** nas SSH ***" dst-port=22 in-interface=eth-01_WAN protocol=tcp to-addresses=10.1.10.3 \
    to-ports=22
add action=dst-nat chain=dstnat comment="*** raspberry DNS1 ***" dst-port=1194 in-interface=eth-01_WAN protocol=udp to-addresses=\
    10.1.10.21 to-ports=1194
add action=dst-nat chain=dstnat comment="*** Proxmox proxy ***" dst-port=80 in-interface=eth-01_WAN protocol=tcp to-addresses=\
    10.1.10.35 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=eth-01_WAN protocol=tcp to-addresses=10.1.10.35 to-ports=443
add action=dst-nat chain=dstnat comment="*** Turnserver ***" dst-port=3478 in-interface=eth-01_WAN protocol=tcp to-addresses=\
    10.1.10.38 to-ports=3478
add action=dst-nat chain=dstnat dst-port=3478 in-interface=eth-01_WAN protocol=udp to-addresses=10.1.10.38 to-ports=3478
add action=dst-nat chain=dstnat comment="*** PLEX ***" dst-port=32400 in-interface=eth-01_WAN protocol=tcp to-addresses=\
    10.1.10.39 to-ports=32400
add action=dst-nat chain=dstnat comment="*** Proxmox mx1 ***" dst-port=25 in-interface=eth-01_WAN protocol=tcp to-addresses=\
    10.1.10.53 to-ports=25
add action=dst-nat chain=dstnat dst-port=465 in-interface=eth-01_WAN protocol=tcp to-addresses=10.1.10.53 to-ports=465
add action=dst-nat chain=dstnat dst-port=587 in-interface=eth-01_WAN protocol=tcp to-addresses=10.1.10.53 to-ports=587
add action=dst-nat chain=dstnat dst-port=993 in-interface=eth-01_WAN protocol=tcp to-addresses=10.1.10.53 to-ports=993
add action=dst-nat chain=dstnat comment="*** raspberry DNS1 ***" dst-address-type=local dst-port=1194 protocol=udp to-addresses=\
    10.1.10.21 to-ports=1194
add action=dst-nat chain=dstnat comment="*** Proxmox proxy ***" dst-address-type=local dst-port=80 protocol=tcp to-addresses=\
    10.1.10.35 to-ports=80
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp to-addresses=10.1.10.35 to-ports=443
add action=dst-nat chain=dstnat comment="*** Turnserver ***" dst-address-type=local dst-port=3478 protocol=tcp to-addresses=\
    10.1.10.38 to-ports=3478
add action=dst-nat chain=dstnat dst-address-type=local dst-port=3478 protocol=udp to-addresses=10.1.10.38 to-ports=3478
add action=dst-nat chain=dstnat comment="*** PLEX ***" dst-address-type=local dst-port=32400 protocol=tcp to-addresses=10.1.10.39 \
    to-ports=32400
add action=dst-nat chain=dstnat comment="*** Proxmox mx1 ***" dst-address-type=local dst-port=25 protocol=tcp to-addresses=\
    10.1.10.53 to-ports=25
add action=dst-nat chain=dstnat dst-address-type=local dst-port=465 protocol=tcp to-addresses=10.1.10.53 to-ports=465
add action=dst-nat chain=dstnat dst-address-type=local dst-port=587 protocol=tcp to-addresses=10.1.10.53 to-ports=587
add action=dst-nat chain=dstnat dst-address-type=local dst-port=993 protocol=tcp to-addresses=10.1.10.53 to-ports=993
add action=dst-nat chain=dstnat comment="*** NTP ***" dst-address-type=local dst-port=123 log=yes protocol=udp to-ports=123
add action=masquerade chain=srcnat comment=";;;" out-interface=eth-01_WAN
add action=masquerade chain=srcnat src-address=10.1.10.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=10.1.10.39

My route on client …

 /ip route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          ether1                    1
 1 ADC  10.1.99.0/24       10.1.99.11      vlan-99                   0

anav · June 15, 2020, 3:09pm

You dont need this rule for the router to act as NTP server…
add action=dst-nat chain=dstnat comment=“*** NTP ***” dst-address-type=local dst-port=123 log=yes protocol=udp to-ports=123

jm3west · June 16, 2020, 4:50pm

I log the rule …

/ip firewall filter add action=accept chain=input dst-port=123 in-interface=all-vlan protocol=udp

inquiry
all devices (Proxmox, VMs, Mac’s, windows 10 machines) ask the RB3011 (NTP-server) and get the right time/date

only the three RB951 (VLANs via bridge and switch chip) don’t put a question to the RB3011. The log don’t show an inquiry from the RB951
But I can all addresses dissolve (ping, nslookup) via RB951

/interface ethernet switch port print
Flags: I - invalid 

 0   ether1			switch1			secure    add-if-missing            auto
 1   ether2			switch1			secure    always-strip                30
 2   ether3			switch1			secure    always-strip                30
 3   ether4			switch1			secure    always-strip                30
 4   ether5			switch1			disabled  leave-as-is               auto
 5   switch1-cpu		switch1			disabled  leave-as-is               auto

/interface ethernet switch vlan> print 
Flags: X - disabled, I - invalid 
                                                                 
 0   switch1	30	ether1                                                                      
			ether2                                                                      
			ether3                                                                      
			ether4                                                                      
 1   switch1	ether1                                                                      
			switch1-cpu