NTP stuck on Waiting....

I cannot get the NTP client working. I had this setup on my hEX S before upgrading to the rb5009 and implementing a VLAN config. I’ve tried several time servers and I’m pretty sure I’ve set it up as I had it before and made a firewall rule to open that port. But my router hangs listening for the remote NTP server and all my client network devices hang listening for the NTP server on the router. I can use the IP/Cloud service to get the time on the router, but still the other MT network devices sit there stuck on “Waiting…” What am I getting wrong? Something on the Firewall? That’s my biggest weakness currently. I’m pretty sure there are some redundancies and improvements that could be made to my config…

https://github.com/simsrw73/documents/tree/main/smart-home


# dec/27/2021 13:27:43 by RouterOS 7.1.1
# software id = SYTB-ZK4C
#
# model = RB5009UG+S+
# serial number = EC1A0FCC6B92
#
# Review notes: this is the full export posted with the NTP question. The
# section comments describe what the visible statements do; lines marked
# NOTE(review) are observations to verify, not changes to the config.

/system identity
set name=RT1-Office-NR2

/interface ethernet
# Only ether7 is renamed; it is used below as a non-bridged, directly
# addressed port.
set [ find default-name=ether7 ] name=ether7-Access

/interface bridge
# Single VLAN-aware bridge (vlan-filtering=yes): only VLAN ids listed under
# /interface bridge vlan are forwarded. protocol-mode=none turns off (R)STP.
add admin-mac=DC:2C:6E:47:0F:C0 auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes

/interface bridge port
# ether2-6 and sfp-sfpplus1 are trunks (tagged frames only). ether8 is an
# untagged access port whose frames are placed in VLAN 99 via pvid.
# ether1 (WAN) and ether7-Access are not bridge members.
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1

/interface bridge vlan
# VLANs 99/101/107/119 are tagged on every trunk and on the bridge interface
# itself ("bridge" in tagged=), which is what lets the /interface vlan
# interfaces below receive them. ether8 joins VLAN 99 untagged through its pvid.
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=119

/interface vlan
# Router-side L3 interfaces: base=99 (management), guest=101, iot=107,
# security=119.
add interface=bridge name=vlan-base vlan-id=99
add interface=bridge name=vlan-guest vlan-id=101
add interface=bridge name=vlan-iot vlan-id=107
add interface=bridge name=vlan-security vlan-id=119

/interface list
add name=WAN
add name=VLAN
add name=BASE

/interface list member
# WAN  = ether1 only.
# VLAN = all four VLAN interfaces (the firewall below matches on this list).
# BASE = vlan-base + ether7-Access (used for neighbor discovery, MAC-server
#        and MAC-Winbox below). vlan-base is in both VLAN and BASE.
add interface=ether1 list=WAN
add interface=vlan-guest list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-base list=BASE
add interface=vlan-base list=VLAN
add interface=ether7-Access list=BASE
add interface=vlan-security list=VLAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip dns
# The router is the LAN resolver (allow-remote-requests=yes) and forwards to
# Cloudflare "family" servers over DoH with certificate verification.
# The NTP client (server names below) and the CA-update script both depend on
# this resolver working. WAN clients never reach it: the input chain has no
# accept for WAN and ends in "Drop everything else".
# NOTE(review): verify-doh-cert=yes requires the DoH server's CA to be present
# in /certificate; an empty trust store would break DoH and therefore name
# resolution. Presumably this is what script-UpdateCACerts maintains — confirm.
set allow-remote-requests=yes servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes

/ip dhcp-client
# WAN address via DHCP; ISP-supplied DNS and NTP servers are ignored
# (use-peer-dns=no, use-peer-ntp=no), so only the static entries here are used.
add interface=ether1 use-peer-dns=no use-peer-ntp=no

/ip address
# Each VLAN gets the router as .1/24. ether7-Access is addressed as
# 192.168.9.11/24 (not .1) — NOTE(review): presumably an uplink into an
# existing 192.168.9.0/24 segment; confirm what else lives there.
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
add address=192.168.101.1/24 interface=vlan-guest network=192.168.101.0
add address=192.168.107.1/24 interface=vlan-iot network=192.168.107.0
add address=192.168.9.11/24 interface=ether7-Access network=192.168.9.0
add address=192.168.119.1/24 interface=vlan-security network=192.168.119.0

/ip pool
# .20-.254 is dynamic in every VLAN; .2-.19 is left free for static/reserved
# addresses (the Home Assistant lease at .10 below is one).
add name=dhcp_pool-base ranges=192.168.99.20-192.168.99.254
add name=dhcp_pool-guest ranges=192.168.101.20-192.168.101.254
add name=dhcp_pool-iot ranges=192.168.107.20-192.168.107.254
add name=dhcp_pool-security ranges=192.168.119.20-192.168.119.254

/ip dhcp-server
# One DHCP server per VLAN interface. No server is defined for ether7-Access.
add address-pool=dhcp_pool-base interface=vlan-base name=dhcp-base
add address-pool=dhcp_pool-guest interface=vlan-guest name=dhcp-guest
add address-pool=dhcp_pool-iot interface=vlan-iot name=dhcp-iot
add address-pool=dhcp_pool-security interface=vlan-security name=\
    dhcp-security

/ip dhcp-server network
# Gateway = the router's VLAN address. No dns-server or ntp-server option is
# set here — NOTE(review): confirm what resolver/NTP address clients actually
# receive; the thread says the MikroTik clients use 192.168.99.1 statically.
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.101.0/24 gateway=192.168.101.1
add address=192.168.107.0/24 gateway=192.168.107.1
add address=192.168.119.0/24 gateway=192.168.119.1

/ip dhcp-server lease
# Static lease so the Home Assistant VM always gets 192.168.99.10, the target
# of the dst-nat rule below.
add address=192.168.99.10 client-id=1:8:0:27:37:29:fa comment=\
    "Home Assistant (VM on DeskBox)" mac-address=08:00:27:37:29:FA server=\
    dhcp-base

/ip firewall address-list
# The public address is tracked by name via IP/Cloud DDNS (see /ip cloud);
# the dst-nat rule matches on this list instead of a hard-coded WAN IP.
add address=ec1a0fcc6b92.sn.mynetname.net list=WAN_IP

/ip firewall filter
# ---- input chain (traffic to the router itself) ----
# Replies to the router's own outbound NTP/DNS queries come back as
# connection-state=established and are accepted by this first rule, so no
# separate WAN-side NTP rule is needed for the router's NTP client.
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
# Accepts EVERYTHING from every VLAN interface to the router — guest and IoT
# included — so any service the router exposes (ssh, winbox, DNS, ...) is
# reachable from those segments. Consider limiting guest/iot to DNS/DHCP/NTP.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# Shadowed: vlan-base is a member of VLAN, so the rule above already matched.
# This rule (and its log=yes) never fires.
add action=accept chain=input comment="Allow VLAN_BASE" in-interface=\
    vlan-base log=yes
# Also shadowed by "Allow VLAN": the NTP:: log prefix never appears, so an
# empty log is not evidence that client NTP queries are not arriving.
add action=accept chain=input comment="Allow LAN NTP queries-UDP" dst-port=\
    123 in-interface-list=VLAN log=yes log-prefix=NTP:: protocol=udp
# NOTE(review): defconf places "drop invalid" directly after established,
# related; here it sits after the VLAN accepts, so invalid-state packets from
# VLANs are accepted rather than dropped.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final drop. Nothing above accepts new connections from WAN or from
# ether7-Access (it is in BASE, which no input rule references), so IP-level
# management from ether7-Access is dropped here; MAC-Winbox still works at L2.
add action=drop chain=input comment="Drop everything else"
# ---- forward chain (traffic through the router) ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
# Guest may only reach WAN; anything else (other VLANs, ether7-Access) is
# dropped and logged.
add action=drop chain=forward comment=\
    "Isolation for wifi guest. Only allow internet." in-interface=vlan-guest \
    log=yes out-interface-list=!WAN
# All four VLANs — security included — may open connections to the Internet.
# There is no accept for inter-VLAN traffic, so base<->iot/security new
# connections fall through to the final drop.
add action=accept chain=forward comment="Allow VLAN access Internet" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NOTE(review): a WAN connection that WAS dst-nat'ed (the 8123 forward below)
# passes the rule above but has no accept of its own, so it appears to be
# dropped here. If the port forward is expected to work from the Internet,
# an accept for connection-nat-state=dstnat is missing — verify.
add action=drop chain=forward comment="Drop everything else"

/ip firewall nat
# Hairpin: lets 192.168.99.0/24 hosts reach the forwarded service via the
# public address; only vlan-base is covered.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.99.0/24 src-address=192.168.99.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# TCP/8123 from the Internet -> Home Assistant VM. See the forward-chain note
# above about whether this connection is actually accepted.
add action=dst-nat chain=dstnat comment="Port Fwd for Home Assistant" \
    dst-address-list=WAN_IP dst-port=8123 protocol=tcp to-addresses=\
    192.168.99.10

/ip neighbor discovery-settings
# L2 discovery and MAC-based access are limited to the BASE (management) set.
set discover-interface-list=BASE

/tool mac-server
set allowed-interface-list=BASE

/tool mac-server mac-winbox
set allowed-interface-list=BASE

/ip ssh
set strong-crypto=yes

/ip service
# telnet/ftp/www/api/api-ssl off. ssh, winbox and www-ssl are not set here
# and keep whatever state and address restriction they already had.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ipv6 firewall address-list
# Stock defconf bogon list used by the IPv6 forward chain.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
# Stock defconf IPv6 rules. No IPv6 addresses, DHCPv6 client or ND settings
# appear in this export, so these rules may currently see no traffic.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# NOTE(review): "*2000011" is an internal object id printed where an interface
# list name (defconf uses LAN) would normally be. That usually means the list
# the rule referenced no longer exists, so the match is not meaningful; the
# same id appears in the last forward rule. Point both at a real list.
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# See the NOTE(review) on the matching input rule about "*2000011".
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011

/system clock
set time-zone-name=America/New_York

/ip cloud
# DDNS only (gives the ...sn.mynetname.net name used in the WAN_IP list).
# Cloud time sync is not set in this export; the thread says it was toggled
# during troubleshooting.
set ddns-enabled=yes

/system ntp client
# Unicast client (mode not set, so default) to the two NIST servers below,
# given by name — resolution goes through the /ip dns resolver above and the
# replies rely on the input chain's established,related accept.
set enabled=yes

/system ntp client servers
add address=time-d-g.nist.gov
add address=time-c-g.nist.gov

/system ntp server
# Serves time to the LAN and additionally broadcasts to 192.168.99.255, i.e.
# onto vlan-base only; devices on the other VLANs get no broadcast and must
# query their gateway as unicast clients. The server can only hand out good
# time once the client above has synchronized.
set broadcast=yes broadcast-addresses=192.168.99.255 enabled=yes

/system routerboard settings
set cpu-frequency=auto

/ip smb shares
# NOTE(review): both entries are exact duplicates (same name "pub"/"guest");
# likely a paste/export artifact — confirm on the device. /ip smb itself is
# not set in this export.
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub

/ip smb users
add name=guest
add name=guest

/system scheduler
# Runs the CA-refresh script roughly twice a year (25w5d) starting
# dec/30/2021 02:30. The policy list grants far more than the script uses
# (fetch, certificate, file, log); password/sensitive/policy could be dropped
# after verifying the script still runs.
add interval=25w5d name=schedule-UpdateCACerts on-event=\
    "/system/script/run script-UpdateCACerts" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/30/2021 start-time=02:30:00

/system script
# Fetches a CA bundle over HTTPS with certificate checking (so an existing
# trusted CA is needed for the first run), removes expired authority certs,
# imports the bundle, deletes the temp file and logs the outcome. Any error
# inside :do skips the remaining steps and logs the failure via on-error.
# The same over-broad policy as the scheduler applies (see above).
add dont-require-permissions=no name=script-UpdateCACerts owner=Yosef policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
    \r\
    \n  :do {\r\
    \n      /tool fetch url=https://mkcert.org/generate/ check-certificate=yes\
    \_dst-path=cacert.pem;\r\
    \n      /certificate remove [ find where authority expired ];\r\
    \n      /certificate import file-name=cacert.pem passphrase=\"\";\r\
    \n      /file remove cacert.pem;\r\
    \n      :log info (\"Updated certificate trust store\");\r\
    \n  } on-error={\r\
    \n      :log error (\"Failed to update certificate trust store\");\r\
    \n  };\r\
    \n}"

I am not able to reproduce your problem. It should not be a firewall issue, as you don’t need to add any extra firewall rules. It would fall under estab/related traffic.

[admin@router1] /system/ntp/client> print
         enabled: yes
            mode: unicast
         servers: time.nist.gov
      freq-drift: 0 PPM
          status: synchronized
   synced-server: time.nist.gov
  synced-stratum: 1
   system-offset: 0.096 ms

I am kind of disappointed I can’t set it to pull multiple servers from the pool though

Far stretch but I ran into the same problem last weekend messing with my lab setup.

Are you sure dns is working ?
No dns. No resolve. No ntp.

/system/ntp/client/servers print detail
Flags: X - disabled; D - dynamic
0 address=0.north-america.pool.ntp.org resolved-address=159.203.82.102
min-poll=6 max-poll=10 iburst=yes auth-key=none
1 address=1.north-america.pool.ntp.org resolved-address=74.6.168.73
min-poll=6 max-poll=10 iburst=yes auth-key=none
2 address=2.north-america.pool.ntp.org resolved-address=159.203.158.197
min-poll=6 max-poll=10 iburst=yes auth-key=none
3 address=3.north-america.pool.ntp.org resolved-address=45.15.168.96
min-poll=6 max-poll=10 iburst=yes auth-key=none

On my other switches/aps (I’ve tried different modes with same result):
/system/ntp/client/ print
enabled: yes
mode: multicast
servers:
freq-drift: 0 PPM
status: waiting

EDIT: my DNS on all my network devices, other than the router, is set to the router’s IP: 192.168.99.1. I do not know if that is correct, but that worked for upgrading routeros.

what does /system/ntp monitor-peers show?

On my router:

/system/ntp monitor-peers
type="multicast-server" address=224.0.1.1

type="ucast-client" address=74.6.168.73 refid="" stratum=16 hpoll=17
ppoll=0 root-delay=0 ms root-disp=0 ms offset=0 ms delay=0 ms
disp=15937.5 ms jitter=0 ms

type="ucast-client" address=159.203.158.197 refid="" stratum=16 hpoll=17
ppoll=0 root-delay=0 ms root-disp=0 ms offset=0 ms delay=0 ms
disp=15937.5 ms jitter=0 ms

type="ucast-client" address=159.203.82.102 refid="" stratum=16 hpoll=17
ppoll=0 root-delay=0 ms root-disp=0 ms offset=0 ms delay=0 ms
disp=15937.5 ms jitter=0 ms

type="ucast-client" address=45.15.168.96 refid="" stratum=16 hpoll=17
ppoll=0 root-delay=0 ms root-disp=0 ms offset=0 ms delay=0 ms
disp=15937.5 ms jitter=0 ms

On a switch

/system/ntp monitor-peers
type="ucast-client" address=192.168.99.1 refid="INIT" stratum=16 hpoll=3
ppoll=3 root-delay=0 ms root-disp=5547.47 ms offset=0 ms delay=0 ms
disp=15937.5 ms jitter=0.003 ms

  1. Is NTP enabled (lol)
  2. Do the addresses you put in there resolve to IP addresses? They should if connectivity is made.
  3. If not, perhaps the clue is DNS issues.
  4. Mode on ntp client is unicast
  5. NTP SERVER is enabled and manycast selected.
  6. Date is accurate on the router?

For me the biggest difference is what I see on my config output
/system ntp server
set enabled=yes

Yours

/system ntp server
set broadcast=yes broadcast-addresses=192.168.99.255 enabled=yes

Try changing that to manycast only!

Let me browse through your firewall. Stratum 16 means it’s not synchronizing.

remove this rule:

add action=drop chain=input comment="Drop everything else"

Why should he drop that rule?

He has all the rules prior to that allowing traffic from the LAN side.
He doesn’t even need the specific NTP rules, because above that rule he has the one that allows
all VLANs FULL ACCESS to the router, and all of BASE…

NTP is enabled. DNS doesn’t seem to be an issue. Everything resolves. I went through several variations, trying different modes, but I believe I initially had it set to manycast and have changed it back now with no change. The time is correct on the router, but only because IP/Cloud is enabled and set to sync. None of my switches/AP’s are remotely correct.

On my IP cloud TIME is NOT I repeat NOT enabled.
Do all your switches and access points (assuming smart devices) get their IP from the management vlan or trusted vlan?

The mode for clients should be unicast and the server should be the gateway of the management vlan or trusted vlan.

The only other difference I see is that my estab/related rule also allows untracked, which is the default config. Try adding that to your estab/related rule.

Tried this, but no change.


Also, no change here.

You’re trying to troubleshoot a symptom of the problem, not the problem itself. You can’t fix the local ntp server until you fix the communication with the remote ntp servers.

I am not sure how to help you from here. In the linux world (iptables) I would add the TRACE action to the raw table to follow the path of the packets. I don’t think you can do that with mikrotik.

I am running 7.1.1 on a rb4011 and I am not able to reproduce your problem

I’ve tried with IP/Cloud Time disabled & with IP/Cloud completely disabled. Also, DHCP client Peer NTP/DNS settings are disabled.

All client devices I’m referring to are MT switches/aps and have static IP/route on management vlan.

Clients are now set to unicast and the server to the router/gateway. Still no joy.

Hmm it would seem you have covered all the bases…
Looking at my tplink switches, my HEx switch and capac they all work just fine with my settings…

The capac and switch have a ip Route
dst-address=0.0.0.0/0 gateway=gatewayIP (of trusted vlan)



Thanks. I appreciate you all walking me through it. I will keep playing with it. Maybe dig out the old config on my hEX S, if I kept it backed up somewhere, and see if i was doing something different when I had it working there.