MikroTik RouterOS NTP Server: Distributing Time to LAN Clients
RouterOS Version: 7.x (v6 required separate NTP package)
Difficulty: Beginner
Estimated Time: 15 minutes
Overview
RouterOS includes a built-in NTP (Network Time Protocol) server that allows your router to distribute accurate time to LAN clients. The NTP server operates on UDP port 123 and supports unicast, broadcast, multicast, and manycast modes.
Critical prerequisite: The NTP server only becomes active when the local NTP client is synchronized. If the router’s own time isn’t accurate, it won’t serve time to clients.
Common use cases include:
- Centralized time source - All LAN devices sync to the router
- Isolated networks - Provide time when no internet access is available
- Reduce external queries - Clients sync locally instead of querying internet NTP servers
- Consistent logging - Ensure all devices have synchronized timestamps
Key Concepts
Server Activation Requirement
The NTP server only activates when the NTP client status is either:
- synchronized - Synced to an external NTP server
- using-local-clock - Using the router’s internal clock (not recommended)
If the client shows any other status, the server ignores all NTP requests.
Server Modes
| Mode | Description | Use Case |
|---|---|---|
| Unicast | Clients request time by sending packets to router’s IP | Default; most common for LAN |
| Broadcast | Router sends time to broadcast addresses periodically | Legacy devices |
| Multicast | Router sends time to multicast group 224.0.1.1 | Specialized deployments |
| Manycast | Discovery-based mode for finding NTP servers | Auto-discovery scenarios |
Stratum
Stratum indicates how many “hops” the router is from a reference clock. The router’s stratum is always its upstream source’s stratum + 1. You cannot fake a lower stratum value.
Configuration Steps
Step 1: Configure and Verify NTP Client (Prerequisite)
The NTP server won’t work until the router itself has accurate time:
/system/ntp/client/set enabled=yes
/system/ntp/client/servers/add address=pool.ntp.org
Verify synchronization:
/system/ntp/client/print
Expected: status: synchronized
Wait for synchronization before proceeding. This may take a few minutes.
Step 2: Enable NTP Server
/system/ntp/server/set enabled=yes
Step 3: Verify Server Configuration
/system/ntp/server/print
Expected Output:
enabled: yes
broadcast: no
multicast: no
manycast: no
broadcast-addresses:
vrf: main
use-local-clock: no
local-clock-stratum: 5
auth-key:
Step 4: Distribute NTP Server via DHCP
Configure DHCP to tell clients where to find the NTP server:
/ip/dhcp-server/network/set [find] ntp-server=192.168.1.1
Replace 192.168.1.1 with your router’s LAN IP address.
Common Configuration Scenarios
Scenario 1: Basic LAN Time Server
Standard setup for home or small office:
# Ensure NTP client is working
/system/ntp/client/set enabled=yes
/system/ntp/client/servers/add address=pool.ntp.org
# Enable NTP server
/system/ntp/server/set enabled=yes
# Distribute via DHCP
/ip/dhcp-server/network/set [find] ntp-server=192.168.88.1
Scenario 2: NTP Server with Broadcast Mode
For legacy devices that don’t query NTP but listen for broadcasts:
/system/ntp/server/set enabled=yes broadcast=yes broadcast-addresses=192.168.1.255
Note: Use the subnet broadcast address (e.g., X.X.X.255 for /24 networks), not a host IP.
Scenario 3: Isolated Network (No Internet)
When no external NTP source is available, use the local clock as fallback:
/system/ntp/server/set enabled=yes use-local-clock=yes local-clock-stratum=10
Warning: The router’s internal CPU clock is unreliable. Time will drift significantly (minutes per day). Most MikroTik devices lack battery-backed RTC, so time resets to 1970 on power loss.
Set time manually if needed:
/system/clock/set date=jan/16/2026 time=14:30:00 time-zone-name=America/New_York
Scenario 4: DHCP Option 42 (Alternative Method)
Some clients prefer DHCP option 42 over the ntp-server field:
# Create DHCP option
/ip/dhcp-server/option/add name=ntp-server code=42 value="'192.168.1.1'"
# Assign to DHCP network
/ip/dhcp-server/network/set [find] dhcp-option=ntp-server
Important: Option 42 only accepts IP addresses, not domain names.
Scenario 5: NTP Server with Authentication
For environments requiring authenticated NTP:
# Create symmetric key (mysecretkey is a placeholder; use a long random value)
/system/ntp/client/keys/add id=1 key=mysecretkey
# Apply key to server
/system/ntp/server/set auth-key=1
Clients must be configured with the same key to authenticate.
Scenario 6: NTP Server in Specific VRF
Bind NTP server to a VRF:
/system/ntp/server/set enabled=yes vrf=customer1
Firewall Configuration
If using a restrictive firewall, allow NTP from LAN:
/ip/firewall/filter/add chain=input protocol=udp dst-port=123 src-address=192.168.1.0/24 action=accept comment="Allow NTP from LAN" place-before=0
Key point: NTP traffic to the router uses the input chain, not forward.
Verification
Check 1: Verify NTP Client Synchronized
/system/ntp/client/print
Expected: status: synchronized
Check 2: Verify NTP Server Enabled
/system/ntp/server/print
Expected: enabled: yes
Check 3: Check for Firewall Blocking
/ip/firewall/filter/print where dst-port=123
Expected: No blocking rules, or explicit allow rule for UDP 123.
Check 4: Test from Client
On a Linux client:
ntpdate -q 192.168.1.1
On Windows:
w32tm /stripchart /computer:192.168.1.1 /samples:3
Check 5: Check NTP Logs
/log/print where topics~"ntp"
Troubleshooting
Problem: “Clients can’t sync - connection refused or timeout”
Cause: NTP client not synchronized; server only activates when client is synced.
Solution:
- Check NTP client status:
/system/ntp/client/print
- If not synchronized, verify upstream NTP server is reachable:
/ping pool.ntp.org count=3
- Wait for synchronization (may take several minutes)
Problem: “Firewall blocking NTP requests”
Cause: UDP port 123 blocked on input chain.
Solution:
# As written this accepts UDP 123 from any source; add src-address=192.168.1.0/24 (your LAN subnet), as in Firewall Configuration, to limit it to the LAN
/ip/firewall/filter/add chain=input protocol=udp dst-port=123 action=accept place-before=0
Problem: “Broadcast mode not reaching clients”
Cause: Invalid broadcast address (using host IP instead of broadcast).
Solution: Use proper subnet broadcast address:
# Wrong
/system/ntp/server/set broadcast-addresses=192.168.1.1
# Right
/system/ntp/server/set broadcast-addresses=192.168.1.255
Problem: “Windows clients reject NTP server”
Cause: Stratum too high (Windows requires stratum < 15).
Solution: Ensure upstream NTP source has reasonable stratum. Avoid using local clock with high stratum values.
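An added example, not part of the original page: a small Python check that sends one SNTP request and classifies the reply, separating the cases this troubleshooting section describes (no reply at all, a Kiss of Death reply, an unsynchronized server, and a stratum Windows will not accept). The function names and the sample packets are constructed for illustration; the Windows threshold is the page's own figure.

```python
import socket
import struct

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def classify_reply(pkt):
    """Classify a raw NTP reply; returns (verdict, detail)."""
    if len(pkt) < 48:
        return ("malformed", f"{len(pkt)} bytes, need 48")
    leap, mode, stratum = pkt[0] >> 6, pkt[0] & 0x07, pkt[1]
    if mode != 4:  # 4 = server (unicast reply)
        return ("malformed", f"mode {mode}, expected 4")
    if stratum == 0:  # Kiss of Death: reference ID holds an ASCII kiss code
        return ("kiss-of-death", pkt[12:16].decode("ascii", "replace"))
    if leap == 3 or stratum >= 16:  # server clock not synchronized
        return ("unsynchronized", f"leap={leap} stratum={stratum}")
    secs, frac = struct.unpack("!II", pkt[40:48])  # transmit timestamp
    detail = f"stratum={stratum} unix={secs - NTP_TO_UNIX + frac / 2**32:.3f}"
    # Threshold taken from the page: Windows requires stratum < 15.
    return ("ok" if stratum < 15 else "stratum-too-high-for-windows", detail)

def query(host, timeout=3.0):
    """Send one SNTP request (LI=0, VN=4, Mode=3) and classify the reply."""
    request = bytes([0x23]) + bytes(47)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(request, (host, 123))
            return classify_reply(s.recvfrom(512)[0])
        except socket.timeout:
            # Silence: server inactive (client not synced) or input chain drop
            return ("no-reply", f"nothing from {host} in {timeout}s")

def sample_reply(leap, stratum, ref_id=b"\x00" * 4, unix_time=0):
    """Constructed test packet (mode 4, version 4), not captured traffic."""
    head = bytes([(leap << 6) | (4 << 3) | 4, stratum, 6, 0xEC])
    body = bytes(8) + ref_id + bytes(24)
    return head + body + struct.pack("!II", unix_time + NTP_TO_UNIX, 0)

if __name__ == "__main__":
    print(classify_reply(sample_reply(0, 3, unix_time=1768573800)))
    print(classify_reply(sample_reply(3, 0, ref_id=b"RATE")))
    print(classify_reply(sample_reply(0, 15, unix_time=1768573800)))
```

Call `query("192.168.1.1")` from a LAN client: a `no-reply` verdict points at the server being inactive or the input chain dropping UDP 123, while every other verdict means the request reached the router and was answered.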
Problem: “Time resets to 1970 after reboot”
Cause: Most MikroTik devices lack battery-backed RTC.
Solution:
- Use NTP client for external sync (automatic after boot)
- For isolated networks, consider a script to disable NTP server until synced:
/system/scheduler/add name=wait-for-ntp on-event="/delay 5m; /system/ntp/server/set enabled=yes" start-time=startup
Problem: “ISP blocking UDP port 123”
Cause: Some ISPs block NTP for DDoS mitigation.
Solution: Use NAT to translate source port:
/ip/firewall/nat/add chain=srcnat protocol=udp src-port=123 action=src-nat to-ports=1024-65535 out-interface=ether1-wan
Problem: “Clients get ‘Kiss of Death’ (KoD) response”
Cause: Router’s NTP client still synchronizing.
Solution: Wait for NTP client to fully synchronize. Check status:
/system/ntp/client/print
Common Pitfalls
1. Enabling Server Before Client Syncs
Wrong:
/system/ntp/server/set enabled=yes
# Client not configured - server won't respond
Right:
/system/ntp/client/set enabled=yes
/system/ntp/client/servers/add address=pool.ntp.org
# Wait for sync...
/system/ntp/server/set enabled=yes
2. Using Domain Name in DHCP Option 42
Wrong:
/ip/dhcp-server/option/add name=ntp code=42 value="'pool.ntp.org'"
# Option 42 only accepts IP addresses
Right:
/ip/dhcp-server/option/add name=ntp code=42 value="'192.168.1.1'"
3. Firewall Rule in Wrong Chain
Wrong:
/ip/firewall/filter/add chain=forward protocol=udp dst-port=123 action=accept
# NTP to router uses input chain, not forward
Right:
/ip/firewall/filter/add chain=input protocol=udp dst-port=123 action=accept
4. Relying on Local Clock for Production
Wrong:
/system/ntp/server/set enabled=yes use-local-clock=yes
# CPU clock drifts; no RTC battery
Right: Always use external NTP sync when possible. Local clock is emergency fallback only.
5. Expecting Low Stratum from GPS
Reality: MikroTik doesn’t support PPS (Pulse Per Second). GPS gives stratum 4 at best, not stratum 1. For stratum 1, use a dedicated NTP server with PPS support.
Key Properties Reference
| Property | Type | Default | Description |
|---|---|---|---|
| enabled | yes/no | no | Enable NTP server |
| broadcast | yes/no | no | Enable broadcast mode |
| multicast | yes/no | no | Enable multicast mode |
| manycast | yes/no | no | Enable manycast mode |
| broadcast-addresses | IP list | - | Addresses for broadcast mode |
| vrf | VRF name | main | VRF for NTP traffic |
| use-local-clock | yes/no | no | Serve time from local clock |
| local-clock-stratum | integer | 5 | Stratum when using local clock |
| auth-key | key ID | none | NTP symmetric key for auth |
Limitations
- NTP server supports only one auth-key
- Cannot achieve stratum lower than upstream + 1
- Local clock unreliable (drift with temperature, no RTC battery)
- Broadcast mode requires explicit broadcast addresses
- DHCP option 42 requires IP address, not hostname
Version Differences
| Version | Notes |
|---|---|
| v7 | NTP integrated into core system; VRF support; NTP authentication |
| v6 | Required separate NTP package; different menu path (/system ntp-server) |
Related Features
- NTP Client (/system/ntp/client) - Must be synchronized for server to work
- Clock (/system/clock) - System time and timezone
- DHCP Server (/ip/dhcp-server) - Distribute NTP server to clients
- Firewall (/ip/firewall) - May need rules for UDP 123
References
Related Topics
Prerequisites
- NTP Client - must be synchronized before server works
Network Services
- DHCP Server - distribute NTP server address to clients
- DNS Server - related network service
Security
- Firewall Basics - allow UDP port 123 for NTP
Related System
- Scheduler - time-based automation
- Logging - accurate timestamps for log entries
- Certificates - require accurate time for validation