NTP-Server does not work

Spartacus · August 22, 2018, 12:28pm

Hi,
I would like to sync my local mashines (different networks) with the RB3011. I setup the NTP-Server service, but the clients do not sync.

/system ntp server
set broadcast=no enabled=yes manycast=yes multicast=no

NTP-Server for the clients is the GW-Address of the Subnet. (e.g. Network:172.16.30.0: GW and NTP-Server: 172.16.30.1)

What is additional necessary to use the RB3011 as NTP-Server?
Regards,
Christian

pe1chl · August 22, 2018, 1:55pm

You need to setup NTP-Client with other servers in your network or on the internet that provide the RB3011 with correct time.

Spartacus · August 22, 2018, 2:06pm

Hi,
thanks for your answer,
but I have configured I"P Cloud ->Update Time". This means that RB3011 has the correct time. This is not the reason for sync issues. Seems to be that the cliend do not find the NTP-Server on my network.
Maybe I have to enter some FW rules?

Christian

pe1chl · August 22, 2018, 2:40pm

IP cloud update time does not provide sync for the NTP server. And it usually provides very inaccurate time.
The NTP server only synchronizes using the NTP client. It should indicate status “synchronized” (after some time).
You should not require special firewall rules when you have the usual “established / related” rule on your input firewall.
It may be that your ISP filters NTP because they believe it can be used for DDoS attack, but an NTP server on your internal network should always work.
Of course for your clients to use the NTP server, there has to be a rule that allows traffic to UDP port 123 in input. However, usually ALL input is allowed for the local network.

Spartacus · August 22, 2018, 6:48pm

Hi,
thanks for clarification. I´ve setup the NTP Client and I can see that NTP-Client on RB is synchronited. But client cannot sync.

RB IP 172.16.1.1
My subnet with the NTP-Client is 172.16.30.0/24.
IP requested via DHCP, GW is 172.16.30.1

NTP-Config on the client is 172.16.30.1. and I can see in the logile this message:

systemd-timesyncd[525]: Timed out waiting for reply from 172.16.30.1:123 (172.16.30.1)

Seems to be that the NTP-Server cannot be found.

FW-Rule (172.16.1.0/24 and 172.16.30.0/24 are members of VlanFriends)

add action=accept chain=forward comment=\
    "Allow inter VLAN communication with VLAN friends" dst-address-list=\
    VlanFriends in-interface-list=LAN src-address-list=VlanFriends

Any ideas?

Christian

pe1chl · August 22, 2018, 6:53pm

You need a chain=input rule because this packet is input to the router, not forwarded.

Spartacus · August 22, 2018, 7:32pm

Hi,
this rule seems to be working

add action=accept chain=input comment="Allow LAN NTP queries-UDP" dst-port=123  in-interface-list=LAN protocol=udp

Christian