NTP Server answers from wrong ip

jdMobiusIT · Fri Mar 11, 2022 7:52 pm

I'm trying to use the Mikrotik as an NTP server for various VLANs.
It only works if the respective client uses the gateway IP of its VLAN.

Example:

Client: 10.0.20.10

ntpdate 10.0.1.1

tcpdump:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp6s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:27:49.298384 IP 10.0.20.10.40184 > 10.0.1.1.ntp: NTPv4, Client, length 48
18:27:49.299215 IP 10.0.20.1.ntp > 10.0.20.10.40184: NTPv4, Server, length 48
18:27:51.301905 IP 10.0.20.10.53176 > 10.0.1.1.ntp: NTPv4, Client, length 48
18:27:51.302574 IP 10.0.20.1.ntp > 10.0.20.10.53176: NTPv4, Server, length 48
18:27:53.305887 IP 10.0.20.10.48852 > 10.0.1.1.ntp: NTPv4, Client, length 48
18:27:53.306560 IP 10.0.20.1.ntp > 10.0.20.10.48852: NTPv4, Server, length 48
18:27:55.341304 IP 10.0.20.10.35699 > 10.0.1.1.ntp: NTPv4, Client, length 48
18:27:55.342032 IP 10.0.20.1.ntp > 10.0.20.10.35699: NTPv4, Server, length 48
18:27:57.352659 IP 10.0.20.10.48296 > 10.0.1.1.ntp: NTPv4, Client, length 48
18:27:57.353381 IP 10.0.20.1.ntp > 10.0.20.10.48296: NTPv4, Server, length 48
18:27:59.387333 IP 10.0.20.10.60959 > 10.0.1.1.ntp: NTPv4, Client, length 48
18:27:59.388031 IP 10.0.20.1.ntp > 10.0.20.10.60959: NTPv4, Server, length 48

Routeros Version

/system/package> print 
Columns: NAME, VERSION
# NAME      VERSION
0 routeros  7.1.3

Why are the replies coming from "10.0.20.1"
I know this is the gateway address of the VLAN, but the IP that was requested should answer.
I have not configured any NAT.

Did I not understand something there, or is that a bug?

Edit:

Netcat from Client 10.0.20.10 to Mikrotik (10.0.1.1):

~ # nc -zuvw3 10.0.1.1 123
10.0.20.1: inverse host lookup failed: Unknown host
[10.0.20.1] 123 (ntp) open

404Network · Fri Mar 11, 2022 10:08 pm

If the router is providing NTP services, then one simply sets the client to the path to the router which is the vlan gateway, so that is expected behaviour!

All my smart devices are on the same management vlan and I set their NTP server to the vlan gateway.
For example if my vlan is 192.168.0.1/24 network=192.168.0.0
Under my NTP client settings I put 192.168.0.1, regardless if its an MT device like a hex router, or CAPAC or a TPLINK access point etc.....

jdMobiusIT · Fri Mar 11, 2022 10:39 pm

If the router is providing NTP services, then one simply sets the client to the path to the router which is the vlan gateway, so that is expected behaviour!

All my smart devices are on the same management vlan and I set their NTP server to the vlan gateway.
For example if my vlan is 192.168.0.1/24 network=192.168.0.0
Under my NTP client settings I put 192.168.0.1, regardless if its an MT device like a hex router, or CAPAC or a TPLINK access point etc.....

All devices should use this NTP server, not just devices in the management VLAN.
I would also like to be able to resolve the NTP server via DNS. How is that supposed to work if the NTP server always responds with a wrong address?
I have now set up a VM for NTP, but I still think it's a pity that I can't get this solved via routeros, since a separate VM for the network size is overkill. Maybe I'm really missing something.

404Network · Fri Mar 11, 2022 11:06 pm

Its working as it supposed to, all devices will get their time from their lan gateway which is ipso facto the router and as long as you have set the NTP client on the main router, it should work.
yOu will need an input chain rule to allow all LAN users access to the NTP server
add chain=input action=accept in-interface-list=LAN dst-port=123 protocol=udp

Sob · Sat Mar 12, 2022 8:58 pm

Yep, looks like bug. It works correctly in v6.

anav · Sat Mar 12, 2022 10:44 pm

Please post your config
/export file=anynameyouwish,

A BIT premature there sob to make a definite bug call without at lease seeing the config.

Sob · Sat Mar 12, 2022 11:27 pm

It happens here too. If you have NTP server in v6, response packet is from same address a client connected to. In v7 it doesn't use correct source address, so from client's perpective it's completely unrelated and unsolicited packet. Client asks server A, but gets response from B, so it doesn't work.

anav · Sat Mar 12, 2022 11:59 pm

Okay so your experiencing it in version 7!
Hmm weird, must be the SERVER in ver7 then,
because my hex and my capac as ver7 clients get the time just fine from my CCR1009 which is still ver6.

chewie198 · Thu Mar 17, 2022 10:25 am

I'm seeing the same bug on ROS 7.2rc4. Has anyone reported the bug to Mikrotik, or received a reply from support? I just spent a couple of hours troubleshooting this same problem only to arrive at the same conclusion and was considering contacting them.

chewie198 · Sat Mar 19, 2022 8:16 pm

I contacted Mikrotik to create a support request. I'll update the thread if I receive any more information from them.

chewie198 · Tue Mar 22, 2022 10:24 pm

I received the following reply from Mikrotik:

Hello,

Thank you for contacting MikroTik Support.

There will be fixes added to upcoming versions of ROS.

Best regards,
Oskars K.

Sob · Wed Mar 23, 2022 12:15 am

Already happened:

What's new in 7.1.4 (2022-Mar-21 13:23):

...
*) ntp - improved source address usage for reply packets;
...

NTP Server answers from wrong ip

NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip

Re: NTP Server answers from wrong ip