The problem is not “MikroTik gps package is bad”, but “using a USB GPS dongle as time reference is bad”. So those Openwrt packages will perform equally as bad as the gps package.
To solve it, you need one of the specialized NTP server devices shown above. They use PPS sync internally.
Yes, you are right, both have the same accuracy, which is not as high as it could be with a PPS signal received over GPIO. But the real point is: you don´t need more accuracy for the simple usecase of normal network troubleshooting or setting your laptops clock. Accuracy to the second is mostly OK. And if you are so precise, that you want to compare millisecond timestamps, you can still do it inside your network, which is synchronised from the same, relatively unprecise source.
W
An alternative might be to use a raspberry pi with a GPS receiver. That will allow GPS time WITH PPS signal. I have 2 pi’s with GPS (one pi 1 and one pi2), works perfectly. Yes it takes some time and effort to set it up.
Yeah, but unfortunately (unless you perform more NAT tricks) you cannot enforce that everyone uses your MikroTik as the NTP reference and not some hardcoded or DNS-resolved external server (e.g. time.windows.com) and you will still have a 300ms skew of time inside your network…
Using a Raspberry Pi with dedicated GPS module that has PPS wiring of course is OK. But with current Raspberry Pi availability and prices that dedicated NTP module may be a better choice.
woland said:
Accuracy to the second is mostly OK.
Very often true, but sometime annoying. Let me tell you a recent example I dealt with. I was recently in a traffic accident, and I have both a dash camera and driver camera that recorded the accident. I put the two videos together so the driver cam was a Picture in Picture inside the dash cam. Since both cameras have on screen time displays, it was easy to time sync the two cameras - until I watched the result and found that they differed by about 2/3 of a second. I had to time shift one of the videos by watching for activities (a bit of a challenge since the cameras don’t have any overlapping video).
The two cameras are able to time sync when they connect to my WiFi at home, but I have no control of how often they do so, or what NTP source they use.
A man with a watch always knows what time it is. A man with two watches is never sure.
pe1chl,
Thank you for your help.
The ISP confirmed that they are blocking it and they are not going to unblock it. It is blocked for Mikrotik with Private and Public IPs.
When we connected the same Mikrotik to any other ISP the NTP client works without any firewall rule.
Sadly, I tried your rule and It didn’t help and still the time is not synced.
Any help on how to do it via VPN?
Yes confirmed by the ISP they are blocking it form their firewall. The same Mikrotik when we change it to another ISP like 4G, ADSL the NTP client works like charm.
This issue is not for only Mikrotik, this is for any NTP client on any device like routers, hotspot controllers etc.
I think I need to do it via VPN but I don’t know how to do it.
Can you help me
Did you try the improved rule that was a couple of postings later? The initial try that you quote there was not correct.
My apology. Did you mean you can’t see my reply? 
Edit: Just figured what you mean. I will try the one with the Output interface list and let you know. Give me a min.
I want to thank eveyone who is participating in this post. Very much appreciating your efforts.
It is confirmed that the ISP is blocking NTP protocol and they will not do anything to solve it. I have to do it from my side.
It is not a Mikrotik Issue at all. The same mikrotik router when we plug it to 4G or ADSL or any other provider the NTP client synced like a charm. As soon we connect it to my ISP the NTP client fails to sync.
This is also not a problem specific to Mikrotik. We have several routers like TP-Link Omada OC200 Controller it has the same exact problem.
Not that only in Mikrotik I can’t use IP-Cloud login method unless a Public IP is assigned to it. I think they are very strict when it comes to firewall.
Moreover, getting a public IP did not help us to resolve the NTP client issue. So I guess I have to do it by VPN and I need your help to configure it please.
Best Regards
I tried this rule: /ip firewall nat
add action=src-nat chain=srcnat out-interface-list=WAN protocol=udp src-port=123 to-ports=12300
with a Tweak instead of Out-interface-list, I used “Out Interface” and specified the WAN interface. Turned OFF the NTP client and re-enabled it and also It did not work I mean did not sync although I am pointing to popular NTP protocols like Micorosoft, Google, Ubiquiti etc
If they won’t provide a time server of their own to redress the loss of service, I’d select another ISP, if only since the X.509 certificates behind TLS and multiple VPN protocols are time-based. Those being essential Internet services these days, accurate time is ipso facto also an essential Internet service. I’d give them a pass if they chose a better protocol than NTP, but to provide no time sync service at all is inexcusable.
The same mikrotik router when we plug it to 4G or ADSL or any other provider the NTP client synced like a charm.
If any of those other networks are available at the problem location, you could configure the router with both, then route NTP alone to the alternate network. As a bonus, you then have the ability to fail-over to the alternate network when the main one goes down.
I guess I have to do it by VPN and I need your help to configure it please.
The topic is well-covered elsewhere already. There’s a whole section on it in the docs. This forum has many guides, and there are third-party sources if you don’t like any of those options.
The only element that varies on this point is whether you want to route just NTP to this VPN or send all traffic over it. It’s easier to route everything, and it may give service benefits, such as to avoid any other ridiculous restrictions your ISP imposes. There are many guides for doing that.
If you wish to route NTP alone, something like this should work:
/routing table add name=NTP fib
/ip firewall mangle
add action=mark-routing new-routing-mark=NTP chain=output \
dst-port=123 protocol=udp
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 table=NTP
That example assumes you’ve chosen WireGuard, which in turn assumes you’re on RouterOS 7, and also that your ridiculous ISP doesn’t block that, too. If you’re forced to some other VPN type by any of these considerations, modify the gateway parameter to suit.
Not really… My GNSS antenna has 100 feet of good coax, could easily triple it. Also the serial cable at 9600 or 4800 baud that GPS runs at can be very, very long without issues.
A more DIY approach is a Raspberry Pi and a GNSS receiver, that can be done for under $100 with a well available and frequently updated script that will install and configure it for you.
For the OP, ask your ISP if they have a time-server for you to use (see if it is provided in the DHCP responses), check if the one Windows/Apple uses is blocked too.. That would mess a lot of computers up if the default time server Windows and Apple uses was blocked. It may just be incoming port 123 that is blocked, in that case, run a separate NTP server on your network that NAT automatically changes the incoming port for.
The I have created a PPTP VPN server on a remote Mikrotik that has a public IP and connected to a VSAT (Satellite connection) and the NTP client has no issues to get synced.
I have created also a VPN client (PPTP) on the remote Mikrotik with NTP issues and connected it to the Above Mikrotik successfully via PPTP.
When I tried the first line of your commands: /routing table add name=NTP fib it rose an error on “table”. Searched the documentations and no luck.
The command is for RouterOS 7. The whole routing infrastructure is changed around relative to v6. (Details)
Did you ask your ISP if they have an NTP server you can use?
Apologize, I should have mentioned my OS version it is 6.49.6. It is connected to an external radius server in which it is not compatible with OS7 yet
Yes it is confirmed. they don’t have and I have been running after them for weeks now to put a CPU just to work as NTP server.
That fits into the crazy department - they don’t provide a service that damn near everyone uses, and then block any attempt to use any one of the many available public NTP servers.