MikroTik RouterOS NTP Server: Distributing Time to LAN Clients

RouterOS Version: 7.x (v6 required separate NTP package) Difficulty: Beginner Estimated Time: 15 minutes

Overview

RouterOS includes a built-in NTP (Network Time Protocol) server that allows your router to distribute accurate time to LAN clients. The NTP server operates on UDP port 123 and supports unicast, broadcast, multicast, and manycast modes.

Critical prerequisite: The NTP server only becomes active when the local NTP client is synchronized. If the router’s own time isn’t accurate, it won’t serve time to clients.

Common use cases include:

Centralized time source - All LAN devices sync to the router
Isolated networks - Provide time when no internet access available
Reduce external queries - Clients sync locally instead of querying internet NTP servers
Consistent logging - Ensure all devices have synchronized timestamps

Key Concepts

Server Activation Requirement

The NTP server only activates when the NTP client status is either:

synchronized - Synced to an external NTP server
using-local-clock - Using the router’s internal clock (not recommended)

If the client shows any other status, the server ignores all NTP requests.

Server Modes

Mode	Description	Use Case
Unicast	Clients request time by sending packets to router’s IP	Default; most common for LAN
Broadcast	Router sends time to broadcast addresses periodically	Legacy devices
Multicast	Router sends time to multicast group 224.0.1.1	Specialized deployments
Manycast	Discovery-based mode for finding NTP servers	Auto-discovery scenarios

Stratum

Stratum indicates how many “hops” from a reference clock. The router’s stratum is always its upstream source stratum + 1. You cannot fake a lower stratum value.

Configuration Steps

Step 1: Configure and Verify NTP Client (Prerequisite)

The NTP server won’t work until the router itself has accurate time:

/system/ntp/client/set enabled=yes
/system/ntp/client/servers/add address=pool.ntp.org

Verify synchronization:

/system/ntp/client/print

Expected: status: synchronized

Wait for synchronization before proceeding. This may take a few minutes.

Step 2: Enable NTP Server

/system/ntp/server/set enabled=yes

Step 3: Verify Server Configuration

/system/ntp/server/print

Expected Output:

             enabled: yes
           broadcast: no
           multicast: no
            manycast: no
 broadcast-addresses:
                 vrf: main
      use-local-clock: no
  local-clock-stratum: 5
            auth-key:

Step 4: Distribute NTP Server via DHCP

Configure DHCP to tell clients where to find the NTP server:

/ip/dhcp-server/network/set [find] ntp-server=192.168.1.1

Replace 192.168.1.1 with your router’s LAN IP address.

Common Configuration Scenarios

Scenario 1: Basic LAN Time Server

Standard setup for home or small office:

# Ensure NTP client is working
/system/ntp/client/set enabled=yes
/system/ntp/client/servers/add address=pool.ntp.org

# Enable NTP server
/system/ntp/server/set enabled=yes

# Distribute via DHCP
/ip/dhcp-server/network/set [find] ntp-server=192.168.88.1

Scenario 2: NTP Server with Broadcast Mode

For legacy devices that don’t query NTP but listen for broadcasts:

/system/ntp/server/set enabled=yes broadcast=yes broadcast-addresses=192.168.1.255

Note: Use the subnet broadcast address (e.g., X.X.X.255 for /24 networks), not a host IP.

Scenario 3: Isolated Network (No Internet)

When no external NTP source is available, use the local clock as fallback:

/system/ntp/server/set enabled=yes use-local-clock=yes local-clock-stratum=10

Warning: The router’s internal CPU clock is unreliable. Time will drift significantly (minutes per day). Most MikroTik devices lack battery-backed RTC, so time resets to 1970 on power loss.

Set time manually if needed:

/system/clock/set date=jan/16/2026 time=14:30:00 time-zone-name=America/New_York

Scenario 4: DHCP Option 42 (Alternative Method)

Some clients prefer DHCP option 42 over the ntp-server field:

# Create DHCP option
/ip/dhcp-server/option/add name=ntp-server code=42 value="'192.168.1.1'"

# Assign to DHCP network
/ip/dhcp-server/network/set [find] dhcp-option=ntp-server

Important: Option 42 only accepts IP addresses, not domain names.

Scenario 5: NTP Server with Authentication

For environments requiring authenticated NTP:

# Create symmetric key
/system/ntp/client/keys/add id=1 key=mysecretkey

# Apply key to server
/system/ntp/server/set auth-key=1

Clients must be configured with the same key to authenticate.

Scenario 6: NTP Server in Specific VRF

Bind NTP server to a VRF:

/system/ntp/server/set enabled=yes vrf=customer1

Firewall Configuration

If using a restrictive firewall, allow NTP from LAN:

/ip/firewall/filter/add chain=input protocol=udp dst-port=123 src-address=192.168.1.0/24 action=accept comment="Allow NTP from LAN" place-before=0

Key point: NTP traffic to the router uses the input chain, not forward.

Verification

Check 1: Verify NTP Client Synchronized

/system/ntp/client/print

Expected: status: synchronized

Check 2: Verify NTP Server Enabled

/system/ntp/server/print

Expected: enabled: yes

Check 3: Check for Firewall Blocking

/ip/firewall/filter/print where dst-port=123

Expected: No blocking rules, or explicit allow rule for UDP 123.

Check 4: Test from Client

On a Linux client:

ntpdate -q 192.168.1.1

On Windows:

w32tm /stripchart /computer:192.168.1.1 /samples:3

Check 5: Check NTP Logs

/log/print where topics~"ntp"

Troubleshooting

Problem: “Clients can’t sync - connection refused or timeout”

Cause: NTP client not synchronized; server only activates when client is synced.

Solution:

Check NTP client status:
```
/system/ntp/client/print
```
If not synchronized, verify upstream NTP server is reachable:
```
/ping pool.ntp.org count=3
```
Wait for synchronization (may take several minutes)

Problem: “Firewall blocking NTP requests”

Cause: UDP port 123 blocked on input chain.

Solution:

/ip/firewall/filter/add chain=input protocol=udp dst-port=123 action=accept place-before=0

Problem: “Broadcast mode not reaching clients”

Cause: Invalid broadcast address (using host IP instead of broadcast).

Solution: Use proper subnet broadcast address:

# Wrong
/system/ntp/server/set broadcast-addresses=192.168.1.1

# Right
/system/ntp/server/set broadcast-addresses=192.168.1.255

Problem: “Windows clients reject NTP server”

Cause: Stratum too high (Windows requires stratum < 15).

Solution: Ensure upstream NTP source has reasonable stratum. Avoid using local clock with high stratum values.

Problem: “Time resets to 1970 after reboot”

Cause: Most MikroTik devices lack battery-backed RTC.

Solution:

Use NTP client for external sync (automatic after boot)

For isolated networks, consider a script to disable NTP server until synced:

/system/scheduler/add name=wait-for-ntp on-event="/delay 5m; /system/ntp/server/set enabled=yes" start-time=startup

Problem: “ISP blocking UDP port 123”

Cause: Some ISPs block NTP for DDoS mitigation.

Solution: Use NAT to translate source port:

/ip/firewall/nat/add chain=srcnat protocol=udp src-port=123 action=src-nat to-ports=1024-65535 out-interface=ether1-wan

Problem: “Clients get ‘Kiss of Death’ (KoD) response”

Cause: Router’s NTP client still synchronizing.

Solution: Wait for NTP client to fully synchronize. Check status:

/system/ntp/client/print

Common Pitfalls

1. Enabling Server Before Client Syncs

Wrong:

/system/ntp/server/set enabled=yes
# Client not configured - server won't respond

Right:

/system/ntp/client/set enabled=yes
/system/ntp/client/servers/add address=pool.ntp.org
# Wait for sync...
/system/ntp/server/set enabled=yes

2. Using Domain Name in DHCP Option 42

Wrong:

/ip/dhcp-server/option/add name=ntp code=42 value="'pool.ntp.org'"
# Option 42 only accepts IP addresses

Right:

/ip/dhcp-server/option/add name=ntp code=42 value="'192.168.1.1'"

3. Firewall Rule in Wrong Chain

Wrong:

/ip/firewall/filter/add chain=forward protocol=udp dst-port=123 action=accept
# NTP to router uses input chain, not forward

Right:

/ip/firewall/filter/add chain=input protocol=udp dst-port=123 action=accept

4. Relying on Local Clock for Production

Wrong:

/system/ntp/server/set enabled=yes use-local-clock=yes
# CPU clock drifts; no RTC battery

Right: Always use external NTP sync when possible. Local clock is emergency fallback only.

5. Expecting Low Stratum from GPS

Reality: MikroTik doesn’t support PPS (Pulse Per Second). GPS gives stratum 4 at best, not stratum 1. For stratum 1, use a dedicated NTP server with PPS support.

Key Properties Reference

Property	Type	Default	Description
`enabled`	yes/no	no	Enable NTP server
`broadcast`	yes/no	no	Enable broadcast mode
`multicast`	yes/no	no	Enable multicast mode
`manycast`	yes/no	no	Enable manycast mode
`broadcast-addresses`	IP list	-	Addresses for broadcast mode
`vrf`	VRF name	main	VRF for NTP traffic
`use-local-clock`	yes/no	no	Serve time from local clock
`local-clock-stratum`	integer	5	Stratum when using local clock
`auth-key`	key ID	none	NTP symmetric key for auth

Limitations

NTP server only one auth-key supported
Cannot achieve stratum lower than upstream + 1
Local clock unreliable (drift with temperature, no RTC battery)
Broadcast mode requires explicit broadcast addresses
DHCP option 42 requires IP address, not hostname

Version Differences

Version	Notes
v7	NTP integrated into core system; VRF support; NTP authentication
v6	Required separate NTP package; different menu path (`/system ntp-server`)

NTP Client (/system/ntp/client) - Must be synchronized for server to work
Clock (/system/clock) - System time and timezone
DHCP Server (/ip/dhcp-server) - Distribute NTP server to clients
Firewall (/ip/firewall) - May need rules for UDP 123

References

MikroTik NTP Documentation

Prerequisites

NTP Client - must be synchronized before server works

Network Services

DHCP Server - distribute NTP server address to clients
DNS Server - related network service

Security

Firewall Basics - allow UDP port 123 for NTP

Scheduler - time-based automation
Logging - accurate timestamps for log entries
Certificates - require accurate time for validation

MikroTik RouterOS NTP Server: Distributing Time to LAN Clients

MikroTik RouterOS NTP Server: Distributing Time to LAN Clients

Overview

Key Concepts

Server Activation Requirement

Server Modes

Stratum

Configuration Steps

Step 1: Configure and Verify NTP Client (Prerequisite)

Step 2: Enable NTP Server

Step 3: Verify Server Configuration

Step 4: Distribute NTP Server via DHCP

Common Configuration Scenarios

Scenario 1: Basic LAN Time Server

Scenario 2: NTP Server with Broadcast Mode

Scenario 3: Isolated Network (No Internet)

Scenario 4: DHCP Option 42 (Alternative Method)

Scenario 5: NTP Server with Authentication

Scenario 6: NTP Server in Specific VRF

Firewall Configuration

Verification

Check 1: Verify NTP Client Synchronized

Check 2: Verify NTP Server Enabled

Check 3: Check for Firewall Blocking

Check 4: Test from Client

Check 5: Check NTP Logs

Troubleshooting

Problem: “Clients can’t sync - connection refused or timeout”

Problem: “Firewall blocking NTP requests”

Problem: “Broadcast mode not reaching clients”

Problem: “Windows clients reject NTP server”

Problem: “Time resets to 1970 after reboot”

Problem: “ISP blocking UDP port 123”

Problem: “Clients get ‘Kiss of Death’ (KoD) response”

Common Pitfalls

1. Enabling Server Before Client Syncs

2. Using Domain Name in DHCP Option 42

3. Firewall Rule in Wrong Chain

4. Relying on Local Clock for Production

5. Expecting Low Stratum from GPS

Key Properties Reference

Limitations

Version Differences

Related Features

References

Related Topics

Prerequisites

Network Services

Security

Related System