mikrofrank
just joined
Topic Author
Posts: 14
Joined: Thu Jan 21, 2021 9:02 pm

NTP setup with VLANs

Wed Apr 07, 2021 9:23 pm

Hi again to all readers,
based on my config (see viewtopic.php?t=171875) I now need NTP on my VLAN networks (the reason is clients that can only be set to the current time by an NTP server, not manually).

My NTP client and server on the MT are running (server with enabled entries in "enabled" and "manycast") and working fine (see below), but I'm now struggling with finding the best way to access the NTP server from the other VLANs outside the main VLAN.

Any hint, help or example is much appreciated - thanks a lot! It may even be that simply creating a firewall rule to an external NTP server is the best option (considering that my mobile clients may be outside the reach of my MT every now and then anyway)?

Current status:
  • I installed the NTP package and have both an NTP client and an NTP server running
  • My notebook PC in the main VLAN is receiving the time when the time server in the Windows settings is set to the gateway IP in the same VLAN as the PC (let's say NTP server IP = 192.168.1.1)
  • I tried to set up a firewall rule on UDP 123 to forward NTP requests to 192.168.1.1 from other VLANs (let's say clients in 192.168.2.0/24), but that did not work (forward UDP 123 from any source IP to 192.168.1.1)
  • I tried to set up additional NAT in the firewall settings with no effect whatsoever (srcnat UDP 123 from any source IP to 192.168.1.1)
  • Also, independently of the NTP server on the MT, I did not find a working firewall rule to simply allow the NTP requests from my clients to an external NTP server
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NTP setup with VLANs

Wed Apr 07, 2021 11:34 pm

/export hide-sensitive file=anynameyouwish

should be resolved quickly once viewed.
 
mikrofrank

Re: NTP setup with VLANs

Thu Apr 08, 2021 8:51 pm

> /export hide-sensitive file=anynameyouwish
Hi Anav, you again ;)

There are a couple of experimental test & learning settings in my config ...:
# apr/08/2021 19:32:19 by RouterOS 6.48.1
# software id = 8ZCU-N24W
#
# model = RBD52G-5HacD2HnD
# serial number = D7160DC46EB8
/interface bridge
add dhcp-snooping=yes igmp-snooping=yes name=bridge_VLAN100 vlan-filtering=\
    yes
/interface pppoe-client
add ac-name=FFMJ14 add-default-route=yes comment=\
    "PPPoE Telekom - AC Name: FFMJ14" disabled=no interface=ether1 max-mru=\
    1492 max-mtu=1492 name=PPPoE-Telekom user=[xzy]
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-XXXX country=germany disabled=no frequency=auto hide-ssid=yes \
    installation=indoor mode=ap-bridge name=FrannyMainW scan-list=5GHz ssid=\
    FrannyMainW station-roaming=enabled vlan-id=99 wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-onlyn country=germany \
    default-forwarding=no disabled=no frequency=auto hide-ssid=yes mode=\
    ap-bridge name=FrannyW24 ssid=FrannyMainW24 station-roaming=enabled \
    vlan-id=66 wireless-protocol=802.11 wps-mode=disabled
/interface vlan
add disabled=yes interface=bridge_VLAN100 name=VLAN1 vlan-id=1
add interface=ether1 name=VLAN7-PPPoE vlan-id=7
add interface=bridge_VLAN100 name=VLAN66 vlan-id=66
add interface=bridge_VLAN100 name=VLAN77 vlan-id=77
add interface=bridge_VLAN100 name=VLAN88 vlan-id=88
add interface=bridge_VLAN100 name=VLAN99 vlan-id=99
/interface ethernet switch port
set 1 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=LANfullWAN
add name=LANlimWAN
/interface wireless channels
add band=5ghz-onlyac comment="ch56 - 40MHz: eC Ce - 80MHz: eCee" disabled=yes \
    extension-channel=eCee frequency=5280 list=5GHz name=ch56 width=20
add band=5ghz-onlyac comment="ch136 - 40MHz: Ce - 80MHz: \?" \
    extension-channel=eC frequency=5680 list=5GHz name=ch136 width=20
add band=5ghz-onlyac comment="ch104 - 80MHz: eCee" extension-channel=eCee \
    frequency=5520 list=5GHz name=ch104 width=20
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    business supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=home \
    supplicant-identity=""
/interface wireless
add default-forwarding=no disabled=no hide-ssid=yes keepalive-frames=disabled \
    mac-address=0A:55:31:3B:07:7F master-interface=FrannyMainW \
    multicast-buffering=disabled name=FrannyHOW security-profile=business \
    ssid=FrannyHOW station-roaming=enabled vlan-id=88 wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    0A:55:31:3B:07:7E master-interface=FrannyMainW multicast-buffering=\
    disabled name=FrannyGastW security-profile=guest ssid=FrannyGastW \
    station-roaming=enabled vlan-id=77 wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    0A:55:31:3B:07:7D master-interface=FrannyW24 multicast-buffering=disabled \
    name=FrannyHomeW24 security-profile=home ssid=FrannyHomeW24 \
    station-roaming=enabled vlan-id=66 wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/ip pool
add comment="Default VLAN (ID 1):" name=dhcp_pool5 ranges=\
    192.168.100.10-192.168.100.50
add comment="Smart Home Network:" name=dhcp_pool6 ranges=\
    192.168.66.10-192.168.66.30
add comment="Guest Wifi:" name=dhcp_pool7 ranges=\
    192.168.77.10-192.168.77.30
add comment="Internal Network:" name=dhcp_pool9 ranges=\
    192.168.99.10-192.168.99.50
add comment="Business Network:" name=dhcp_pool10 ranges=\
    192.168.88.10-192.168.88.50
/ip dhcp-server
add address-pool=dhcp_pool5 interface=VLAN1 lease-time=10h name=dhcp1
add address-pool=dhcp_pool6 disabled=no interface=VLAN66 lease-time=1w name=\
    "dhcp2 (66)"
add address-pool=dhcp_pool7 disabled=no interface=VLAN77 lease-time=10h name=\
    "dhcp3 (77)"
add address-pool=dhcp_pool9 disabled=no interface=VLAN99 lease-time=10h name=\
    "dhcp5 (99)"
add address-pool=dhcp_pool10 disabled=no interface=VLAN88 lease-time=10h \
    name="dhcp2 (88)"
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge_VLAN100 frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=FrannyGastW pvid=77
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=FrannyHOW pvid=88
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=FrannyMainW pvid=99
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=FrannyHomeW24 pvid=66
add bridge=bridge_VLAN100 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge_VLAN100 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=1
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=66
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether3 vlan-ids=77
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether5 vlan-ids=88
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether5,ether3 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=bridge_VLAN100 list=LAN
add interface=VLAN88 list=LANfullWAN
add interface=VLAN99 list=LANfullWAN
add interface=VLAN66 list=LANlimWAN
add interface=VLAN77 list=LANlimWAN
add interface=VLAN66 list=LAN
add interface=VLAN77 list=LAN
add interface=VLAN88 list=LAN
add interface=VLAN99 list=LAN
add interface=PPPoE-Telekom list=WAN
add interface=VLAN1 list=LANfullWAN
add interface=VLAN1 list=LAN
/ip address
add address=192.168.99.1/24 interface=VLAN99 network=192.168.99.0
add address=192.168.66.1/24 interface=VLAN66 network=192.168.66.0
add address=192.168.88.1/24 interface=VLAN88 network=192.168.88.0
add address=192.168.77.1/24 interface=VLAN77 network=192.168.77.0
add address=192.168.100.1/24 disabled=yes interface=VLAN1 network=\
    192.168.100.0
add address=192.168.99.100 interface=bridge_VLAN100 network=192.168.99.100
/ip dhcp-client
add !dhcp-options interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.100.1
add address=192.168.66.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.66.1 \
    netmask=24
add address=192.168.77.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.77.1 \
    netmask=24
add address=192.168.88.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.88.1 \
    netmask=24
add address=192.168.99.0/24 dns-server=9.9.9.9,8.8.8.8 gateway=192.168.99.1 \
    netmask=24
/ip dns
set servers=9.9.9.9
/ip firewall address-list
add address=192.168.77.0/24 list="VLAN77 Guest Wifi"
add address=192.168.88.0/24 list="VLAN88 Business"
add address=192.168.99.0/24 list="VLAN99 Intern"
add address=192.168.66.0/24 list="VLAN66 Home"
add address=192.168.100.0/24 list="VLAN1 (addr. list)"
add address=192.168.7.0/24 list="Ether1 Routermodem IPs"
add address=192.168.100.1-192.168.77.255 disabled=yes list=limWAN
add address=192.168.88.1-192.168.99.255 disabled=yes list=fullWAN
/ip firewall filter
add action=accept chain=input comment="Management Port ether2 (input)" \
    in-interface=ether2
add action=accept chain=input comment=\
    "Management Port via VLAN99 (to Router / Gateway IP)" dst-address=\
    192.168.99.1 dst-port=8291 in-interface=VLAN99 protocol=tcp
add action=drop chain=input comment=\
    "drop WAN router config for non-VLAN99 (input)" dst-address-list=\
    "Ether1 Routermodem IPs" in-interface=!VLAN99
add action=drop chain=forward comment=\
    "drop WAN router config for non-VLAN99 (forward)" dst-address-list=\
    "Ether1 Routermodem IPs" in-interface=!VLAN99
add action=accept chain=input comment=\
    "defconf: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=" allow VLAN66  to WAN traffic (UDP)" \
    dst-port=53,25050 in-interface=VLAN66 out-interface-list=WAN protocol=udp
add action=accept chain=forward comment=\
    "allow VLAN66 to WAN traffic (limited, TCP)" dst-port=80,123,443,53,25050 \
    in-interface=VLAN66 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment=\
    "allow VLAN88 to VLAN99 printer (TCP)" dst-address=192.168.99.193 \
    protocol=tcp src-address-list="VLAN88 Business"
add action=accept chain=forward comment=\
    "allow VLAN77 to VLAN99 printer (TCP)" disabled=yes dst-address=\
    192.168.99.193 protocol=tcp src-address-list="VLAN77 Guest Wifi"
add action=accept chain=forward comment=\
    "allow VLAN77 to VLAN99 printer (UDP)" disabled=yes dst-address=\
    192.168.99.193 protocol=udp src-address-list="VLAN77 Guest Wifi" \
    src-port=""
add action=accept chain=forward comment="Router NTP Service (TCP, test)" \
    disabled=yes dst-port=123 in-interface=VLAN77 protocol=tcp
add action=accept chain=forward comment="Router NTP Service (TCP, test)" \
    disabled=yes dst-address=192.168.99.1 dst-port=123 protocol=udp \
    src-port=123
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="Allow Admin Access" in-interface=\
    VLAN99
add action=accept chain=input comment="Router DNS Service (TCP)" disabled=yes \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Router DNS Service (TCP)" disabled=yes \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else (input)"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked (LANfullWAN)" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow LAN to WAN traffic" \
    in-interface-list=LANfullWAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow VLAN77 to WAN traffic (test, full)" disabled=yes in-interface=\
    VLAN77 out-interface-list=WAN
add action=accept chain=forward comment=" allow VLAN77  to WAN traffic (UDP)" \
    dst-port=53,123,25050 in-interface=VLAN77 out-interface-list=WAN \
    protocol=udp
add action=accept chain=forward comment=\
    "allow VLAN77 to WAN traffic (limited, TCP)" dst-port=80,123,443,53,25050 \
    in-interface=VLAN77 out-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="allow Admin to all limited vlans" \
    disabled=yes in-interface=VLAN99 out-interface-list=LANlimWAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else (forward)"
/ip firewall nat
add action=src-nat chain=srcnat comment=NTP-test disabled=yes protocol=udp \
    src-port=123 to-addresses=192.168.99.1
add action=src-nat chain=srcnat disabled=yes protocol=udp src-port=123 \
    to-addresses=192.168.99.1
add action=src-nat chain=srcnat disabled=yes protocol=udp src-address=\
    192.168.88.1 src-port=123 to-addresses=192.168.99.1
add action=src-nat chain=srcnat disabled=yes protocol=udp src-address=\
    192.168.66.1 src-port=123 to-addresses=192.168.99.1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=FrannyHap
/system ntp client
set enabled=yes primary-ntp=141.2.22.74 secondary-ntp=134.176.2.5
/system ntp server
set enabled=yes
/system routerboard settings
set auto-upgrade=yes
Thanks a lot
Frank
 
anav

Re: NTP setup with VLANs

Thu Apr 08, 2021 10:13 pm

Feedback. Get rid of VLAN1; it serves no purpose.

(1) I don't have DHCP or IGMP snooping on my bridge, and am just wondering what the value of those settings is??

(2) We do not identify VLANs in the wireless settings themselves.
We associate the VLANs with the bridge ports (ether ports or WLAN ports).

interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
20/40/80mhz-XXXX country=germany disabled=no frequency=auto hide-ssid=yes \
installation=indoor mode=ap-bridge name=FrannyMainW scan-list=5GHz ssid=\
FrannyMainW station-roaming=enabled vlan-id=99 wireless-protocol=802.11 \
wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-onlyn country=germany \
default-forwarding=no disabled=no frequency=auto hide-ssid=yes mode=\
ap-bridge name=FrannyW24 ssid=FrannyMainW24 station-roaming=enabled \
vlan-id=66 wireless-protocol=802.11 wps-mode=disabled


(3) Remove the line for vlan1; it doesn't need to exist.
/interface vlan
add disabled=yes interface=bridge_VLAN100 name=VLAN1 vlan-id=1
add interface=ether1 name=VLAN7-PPPoE vlan-id=7
add interface=bridge_VLAN100 name=VLAN66 vlan-id=66
add interface=bridge_VLAN100 name=VLAN77 vlan-id=77
add interface=bridge_VLAN100 name=VLAN88 vlan-id=88
add interface=bridge_VLAN100 name=VLAN99 vlan-id=99


(4) WHY is ether1 associated with vlan7. Assuming this is an ISP vlan that you are required to match up!! Otherwise not needed.

(5) Same comments here: wireless settings should avoid VLAN parameters.
/interface wireless
add default-forwarding=no disabled=no hide-ssid=yes keepalive-frames=disabled \
mac-address=0A:55:31:3B:07:7F master-interface=FrannyMainW \
multicast-buffering=disabled name=FrannyHOW security-profile=business \
ssid=FrannyHOW station-roaming=enabled vlan-id=88 wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
0A:55:31:3B:07:7E master-interface=FrannyMainW multicast-buffering=\
disabled name=FrannyGastW security-profile=guest ssid=FrannyGastW \
station-roaming=enabled vlan-id=77 wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
0A:55:31:3B:07:7D master-interface=FrannyW24 multicast-buffering=disabled \
name=FrannyHomeW24 security-profile=home ssid=FrannyHomeW24 \
station-roaming=enabled vlan-id=66 wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled


(6) This is not vlan1 related, and in fact would replace where you state vlan1 with HOME, or simply create vlan100 for the home network!! (assuming this is also your management network) However, I read the config top to bottom, so there may be reasons as I go along.
I understand you have four VLANs 66, 77, 88, 99 for various wifi networks mostly (smart devices, guests, business, and internal respectively).
/ip pool
add comment="Default VLAN (ID 1):" name=dhcp_pool5 ranges=\
192.168.100.10-192.168.100.50


(7) Example of the above that is confusing: if they were actual VLANs, like VLAN100 with subnets etc., it would be easy to understand and read, and if there is no such desire just change
vlan1 to HomeLAN. There is nothing wrong or in error, just bloody confusing.
add interface=VLAN1 list=LANfullWAN
add interface=VLAN1 list=LAN

(8) From the bridge port settings you have two trunk ports to smart devices (either switches or access points, for example) on ether3 and ether5.
Ether4 is going to an internal device (probably a PC) on vlan99.
Curious about ether2 LOL.
The wlan ports are also identified.
WHAT IS MISSING: no wifi for the VLAN1 subnet and no ether ports specifically for the VLAN1 subnet.

(9) My concerns about calling an interface vlan1 with no actual VLAN definition come to the fore looking at bridge VLANs......
/interface bridge vlan
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=1 WHAT THE HECK DOES THIS DO??? {purpose}

(10) What your bridge VLAN settings tell me (besides what was already noted in (9)) is that vlan66 is not trunked elsewhere, vlan77 and vlan99 are trunked to ether3, and vlans 88 and 99 are trunked to ether5. I personally ADD the untagging, as it is way more clear to me what I have done and is much easier to understand in a config.
/interface bridge vlan
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=1
add bridge=bridge_VLAN100 tagged=bridge_VLAN100 vlan-ids=66
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether3 vlan-ids=77
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether5 vlan-ids=88
add bridge=bridge_VLAN100 tagged=bridge_VLAN100,ether5,ether3 vlan-ids=99

(11) OKAY, your firewall rules need a serious clean up, and ORDER within a chain matters. It should look more like this.

/ip firewall filter {input chain}
add action=accept chain=input comment=\
"defconf: accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment="Allow Admin Access" in-interface=\
VLAN99
add action=accept chain=input comment="Router DNS Service (TCP)" disabled=yes \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Router DNS Service (TCP)" disabled=yes \
dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else (input)"

/ip firewall filter {forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked (LANfullWAN)" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow LAN to WAN traffic" \
in-interface-list=LANfullWAN out-interface-list=WAN

{okay, the next rules seem okay but are a bit different; my only comment is why port 53? There is no need to allow port 53 to the internet as we have already allowed all port 53 to the router?? However I don't think it's wrong if you are accessing an outside DNS server.}
add action=accept chain=forward comment=" allow VLAN66 to WAN traffic (UDP)" \
dst-port=53,25050 in-interface=VLAN66 out-interface-list=WAN protocol=udp
add action=accept chain=forward comment=\
"allow VLAN66 to WAN traffic (limited, TCP)" dst-port=80,123,443,53,25050 \
in-interface=VLAN66 out-interface-list=WAN protocol=tcp

{okay, the next set of rules has to do with accessing the printer. Seems okay; not sure why you use a source address list instead of in-interface=vlan88, for example?? Both work!!}
{not sure why you separate out TCP and UDP to a printer; just use addresses??}

add action=accept chain=forward comment=\
"allow VLAN88 to VLAN99 printer (TCP)" dst-address=192.168.99.193 \
protocol=tcp src-address-list="VLAN88 Business"
add action=accept chain=forward comment=\
"allow VLAN77 to VLAN99 printer (TCP)" disabled=yes dst-address=\
192.168.99.193 protocol=tcp src-address-list="VLAN77 Guest Wifi"
add action=accept chain=forward comment=\
"allow VLAN77 to VLAN99 printer (UDP)" disabled=yes dst-address=\
192.168.99.193 protocol=udp src-address-list="VLAN77 Guest Wifi" \
src-port=""

What I would do is one clear and simple rule for all:
add action=accept chain=forward comment="shared printer access" src-address-list=sharedprinter \
    dst-address=192.168.99.193
where:
/ip firewall address-list
add address=192.168.77.0/24 list=sharedprinter
add address=192.168.66.0/24 list=sharedprinter

These ARE NOT required here and can be MOVED to where they belong, in the INPUT chain rules, above the drop-all rule.
Access to router services is provided in the INPUT CHAIN rules.
add action=accept chain=input comment="Router NTP Service (TCP, test)" \
disabled=yes dst-port=123 in-interface=VLAN77 protocol=tcp
add action=accept chain=input comment="Router NTP Service (TCP, test)" \
disabled=yes dst-address=192.168.99.1 dst-port=123 protocol=udp \
src-port=123

Same comments as I had for vlan66:
add action=accept chain=forward comment=\
"allow VLAN77 to WAN traffic (test, full)" disabled=yes in-interface=\
VLAN77 out-interface-list=WAN
add action=accept chain=forward comment=" allow VLAN77 to WAN traffic (UDP)" \
dst-port=53,123,25050 in-interface=VLAN77 out-interface-list=WAN \
protocol=udp
add action=accept chain=forward comment=\
"allow VLAN77 to WAN traffic (limited, TCP)" dst-port=80,123,443,53,25050 \
in-interface=VLAN77 out-interface-list=WAN protocol=tcp

Rest is fine.
add action=accept chain=forward comment="allow Admin to all limited vlans" \
disabled=yes in-interface=VLAN99 out-interface-list=LANlimWAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else (forward)"
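anav's point (10) as a worked RouterOS snippet. This is an added example, not configuration from the thread or from MikroTik: it rewrites Frank's own bridge VLAN table with the untagged members read off his bridge port pvids (FrannyHomeW24 pvid 66, FrannyGastW 77, FrannyHOW 88, FrannyMainW and ether4 99) and removes the VLAN1 leftovers from points (1), (3) and (9). No names or IDs beyond the export are assumed. With vlan-filtering=yes the bridge already adds pvid ports as dynamic untagged members; listing them statically changes nothing on the wire, it only makes the table self-describing.

```routeros
# Added example: explicit untagged membership per VLAN, derived from the bridge port pvids
# in Frank's export. One line per VLAN now shows its trunks (tagged) and access ports (untagged).
/interface bridge vlan
remove [find vlan-ids=1]            # nothing carries VLAN 1; the entry only confuses
set [find vlan-ids=66] tagged=bridge_VLAN100 untagged=FrannyHomeW24
set [find vlan-ids=77] tagged=bridge_VLAN100,ether3 untagged=FrannyGastW
set [find vlan-ids=88] tagged=bridge_VLAN100,ether5 untagged=FrannyHOW
set [find vlan-ids=99] tagged=bridge_VLAN100,ether5,ether3 untagged=FrannyMainW,ether4

# VLAN1 leftovers (disabled or unused in the export); remove dependants before the interface
/ip dhcp-server remove [find interface=VLAN1]
/ip dhcp-server network remove [find address=192.168.100.0/24]
/ip pool remove [find name=dhcp_pool5]
/ip address remove [find interface=VLAN1]
/interface list member remove [find interface=VLAN1]
/interface vlan remove [find name=VLAN1]

# Checks: the UNTAGGED column must agree with the pvid of every access port, and every
# client MAC must show up in the host table on the VLAN you expect it on
/interface bridge vlan print
/interface bridge port print
/interface bridge host print
```

A port that is untagged for a VLAN it has no pvid for, or a pvid with no matching untagged entry, is the usual cause of "works in one direction only"; comparing the two print outputs side by side catches both.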
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: NTP setup with VLANs

Thu Apr 08, 2021 10:51 pm

> • My notebook PC in the main VLAN is receiving the time when the time server in the Windows settings is set to the gateway IP in the same VLAN as the PC (let's say NTP server IP = 192.168.1.1)
> • I tried to set up a firewall rule on UDP 123 to forward NTP requests to 192.168.1.1 from other VLANs (let's say clients in 192.168.2.0/24), but that did not work (forward UDP 123 from any source IP to 192.168.1.1)
There is no need to forward any packets when you have the NTP package installed and running.
You can send the NTP requests to the IP address of the MikroTik in each subnet (VLAN).
So in the VLAN where the MikroTik has address 192.168.1.1 you send the NTP packets to 192.168.1.1.
In the second VLAN where the MikroTik e.g. has address 192.168.2.1 you send the NTP packets to 192.168.2.1.
There is nothing more to it. When the clients support an NTP server address from DHCP (e.g. Linux) you can set the NTP server in the DHCP network config.
 
anav

Re: NTP setup with VLANs

Fri Apr 09, 2021 3:10 am

Well stated pe1chl, it's a service provided by the router so it is handled in the input chain, and the gateway links in the VLANs point to the router as noted.
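pe1chl's and anav's point, pulled together as a worked RouterOS snippet. This is an added example, not configuration from the thread or from MikroTik; it uses only the names and addresses from Frank's export (VLAN66/77/88/99 on bridge_VLAN100, the LAN interface list, the "drop all else" rules at the end of each chain) and assumes nothing else. Two things in that export explain why the forward and srcnat attempts could never work: a packet addressed to any of the router's own IPs, 192.168.99.1 included, goes through the input chain whatever VLAN it arrives on, so forward and srcnat rules never see it, and the input chain only accepts new connections from VLAN99, so NTP requests from the other VLANs were hitting "drop all else (input)". NTP is also UDP; the TCP/123 entries do nothing for an ordinary client, and the VLAN66 UDP rule towards WAN lists 53,25050 but not 123, which is why external NTP from VLAN66 failed as well.

```routeros
# Added example: serve NTP from the router to every VLAN, and allow external NTP where wanted.
# Interface names, lists, comments and addresses are those from Frank's export above.

# 1. NTP is a router service, so it is an INPUT chain decision. Accept UDP/123 only from
#    LAN-side interfaces and place the rule ABOVE "drop all else (input)". The WAN side
#    keeps hitting the drop, so the NTP server is never reachable from the internet.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=123 in-interface-list=LAN \
    comment="Router NTP service (UDP) for all VLANs" \
    place-before=[find chain=input comment="drop all else (input)"]

# The forward/srcnat "NTP-test" rules never matched anything and can go.
/ip firewall filter remove [find comment~"Router NTP Service"]
/ip firewall nat remove [find to-addresses=192.168.99.1]

# 2. External NTP for a limited VLAN is a FORWARD decision and must be UDP.
#    VLAN77 already lists 123 in its UDP rule; VLAN66 does not.
/ip firewall filter set [find comment~"VLAN66.*UDP"] dst-port=53,123,25050

# 3. Hand out the gateway of each VLAN as its NTP server (DHCP option 42). Clients then
#    talk to the router's address in their own subnet, so no inter-VLAN path is needed.
/ip dhcp-server network
set [find address=192.168.66.0/24] ntp-server=192.168.66.1
set [find address=192.168.77.0/24] ntp-server=192.168.77.1
set [find address=192.168.88.0/24] ntp-server=192.168.88.1
set [find address=192.168.99.0/24] ntp-server=192.168.99.1

# 4. Checks: the router must itself be synchronized before its answers are worth anything,
#    the new input rule's counters must move, and the reply must be visible in the VLAN.
/system ntp client print
/system ntp server print
/ip firewall filter print stats where dst-port=123
/tool sniffer quick interface=VLAN77 port=123
```

Windows does not use DHCP option 42, so a Windows client in e.g. VLAN77 is pointed at its own gateway by hand (w32tm /config /manualpeerlist:192.168.77.1 /syncfromflags:manual /update, then w32tm /resync) and verified with w32tm /stripchart /computer:192.168.77.1 /samples:3 /dataonly; that is the same thing the Linux DHCP clients get automatically from step 3. Keeping the accept scoped to UDP/123 from the LAN list means guests gain nothing from the router beyond time.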
 
mikrofrank

Re: NTP setup with VLANs

Mon Apr 12, 2021 10:58 pm

Hi anav and pe1chl,
yes, I know, it's still a bit chaotic (that's why I'm here). It will take a while until I can go through your feedback - thanks for now!
