NTP with time1.google.com not working
-
I'm using my "Reolink Video Doorbell PoE"....
And having problems with NTP syncing. I tried internally and externally (time1.google.com) but it doesn't help in any way..
All my firewall ports (UDP/123) are open (VLANS, WAN,.....).. But every time I try to sync it fails...
I have 6 cameras:- 5 HIKVISON
- 1 REOLINK DOORBELL
All CAM settings are identical (same VLAN, same gateway, same DNS, same NTP server time1.google.com ...)
- The only difference are the static IP's of course but in the same subnet x.x.60.y)
If I test NTP sync on HIKVISION it works fine, but with REOLINK it allways fails...
Can someone suggest what to try more... I pretty much tried everything (package capturing,... )
And I'm not newbie in NETWORKING!0View 14 replies-
@ebaruk_673045617504343 I tried it on RLC-511WA and it did synchronize. Try to capture a Wireshark trace at the egress of the router.
First I checked it from PC as illustrated below.
C:\>w32tm /stripchart /computer:time1.google.com /dataonly /samples:5
Tracking time1.google.com [216.239.35.0:123].
Collecting 5 samples.
The current time is 13/03/2024 11:27:11.
11:27:11, +01.3657866s
11:27:14, +01.3664224s
11:27:16, +01.3666259s
11:27:18, +01.3672233s
11:27:20, +01.3593511s -
Very strange. When I set the NTP server on a Reolink camera to time1(dot)google(dot)com, it synchronizes correctly.
(When I set the NTP server to garbage(dot)com, it fails - as it should because that is not an NTP server.)
I agree that capturing the actual packets is the best way forward. Either the doorbell sends the request using port 123 or it doesn't.
Mention of VLAN in the problem description "raises a flag" for me. Reolink cameras are like most consumer devices. They have no concept of VLAN tagging. What sort of network are these cameras part of? -
@crimp-on_62210811129 Thanks for the reply... I have dedicated VLAN for all cameras and doorbel....
And it works without no problems with oteh 5 cameras (HIKVISON)... I just can't imagane that a network camera/doorbell in YEAR 2023/4
can't work in VLAN based network.... Since there is only the GATEWAY which counts here and the port is simple "access port" only ...
This would still have to work as charm... -
My thought is that "if everything is set up correctly", then the Reolink Doorbell should perform NTP just like every other device. (The forum is not flooded with posts complaining that, "my doorbell doesn't know what time it is!") The question about network architecture is simply because most consumer networking products do not provide VLAN capability. My "guess" is that there are managed switches involved and that the Reolink doorbell is connected to one of them and that switch port is defined to be in a specific VLAN. There is a gateway somewhere that connects that VLAN to the internet.
Would it be possible, for example, to temporarily place the Reolink doorbell in the default VLAN that has internet access? (like most other devices).
In a way, it is fortunate that the Reolink doorbell is a PoE model, which makes it much easier to capture the port 123 traffic to/from the doorbell. (I have found that capturing communications with WiFi devices a lot more difficult than 'wired' devices. -
@ebaruk_673045617504343 It should not be an issue as this is normally done at the switch level. The only issue is that the client won't work on a private network unless it is on the same subnet as the camera. Of course one can do source NAT and it will work.
Reolink cams don't operate at layer 2. -
I agree that this is a very strange situation.
- The Reolink Client must be able to communicate with the doorbell camera because it is able to open the Network Settings, navigate to Advanced, NTP, and change the NTP server to time1(dot)google(dot)com. Then the user can navigate to Maintenance, Date & Time, and select Synchronize. (I do not have a Reolink doorbell, so I am assuming that the settings menu is approximately similar to the RLC cameras.)
- When the user attempts to synchronize, the response is Failure. We have both verified that Reolink cameras are able to use the Google time server.
- Thus, how can it not work? One explanation might be that the Reolink Doorbell simply does not perform NTP lookup. That seems absurd because customers would be going crazy complaining about their doorbell cameras not displaying the correct time. The only explanation I can see is that the NTP packets (UDP, port 123) are either (a) not going from the camera to the time server or (b) the responses are not coming back. UDP is a connectionless protocol.
- If I were to investigate this situation, I would connect the Reolink Doorbell to a managed switch so that I could mirror the port and capture every packet that goes to and from the Doorbell with Wireshark. (That is why Ethernet devices are so much easier to work with than WiFi devices.)
- Once it can be documented how the NTP packets are failing, then the investigation can move toward what is blocking them.
-
@crimp-on_62210811129
I have done package capturing for all of this ... As attached below...
Maybe some clue on this ?
If I compere my HIKVISION (which all 5 work as charm..) with the reolink REOLINK.
There are 2 main differences NTP version (HIK = 4, REO =3) And the source port which it seems very strange using the same...
IMPORTANT:
How can serious manufacturer could in 2024 justify that ther products might not work in VLAN enviroment...?
Simply this should nut even be a subject...
THANK YOU SO MUCH for HELP --> I really appreciate it.
10_0_60_21_REOLINK_NTP_FIREWALLS_OFF_001.pcapng
10_0_60_11_HKV_NTP_001.pcapng
Filters_001.txt
-
@ebaruk_673045617504343 There is no response from the NTP server. Check your fw rule when the inbound traffic has destination port 123. It should work from both ntp clients v3 and v4. Reolink is using an old NTP client which is using the "symmetric" (peer-to-peer) mode. Peers in symmetric mode use 123 as the source port, so inbound replies will likewise have 123 as the destination port.
Select another NTP server from the camera drop down menu and capture another trace. -
Wireshark captures that the Reolink camera sends out NTP requests and no NTP responses come back.
There must be something different about the way the Reolink camera is being networked that is stopping the NTP responses from getting through to the camera.
Is this camera on the same switch as the other cameras and the port based VLAN is defined the same way? -
@joseph_1979 Thank You for the response...
I tried 10 different servers (from the list down or others..) and always the same feedback (no response).
Like I already explainded... I disabled my WAN and VLAN firewall rules.. For the testing purposes
all ports were open (UDP 123 in/local/...)... I changed all my general primary "DROP" rules to ALLOW...
But still not working as it should be... The thing is that I'm not a newbie when it comes to networks and I also
reviewed this with the people who do this more professionally.. But all my tries were not sucessful...
So even if I OPEN all my ports or ALLOW (UDP 123 in all directions)... Nothing actually happens...
Which doesn't make sense.. Since I'm sure there would be many topics here if this was generally a failure....
So I'm well aware there is something specific in my case .. Just can't figure it out... And running out of ideas... -
@crimp-on_62210811129
YES everything is exactlly the same: I have 6 ports on the same switch (dedicated swith ports for POE supply and on same VLAN 60) which all have the same settings:- VLAN setup (VLAN 60)
- Same firewall rules (WAN IN/LOCAL, VLAN 60 IN/LOCAL UDP 123 open)
- Even if I release/didable firewall rules (for the testing purposes...)
Even if I switch two physical ports on my SWITCH -->
- The HIKVISION will work on the previous REOLINK physical PORT
- The REOLINK will again FAIL on the physical PORT where HIKVISION works just fine...
-
@ebaruk_673045617504343 So this is for all the NTP servers. Just a quick test. Connect the Reolink camera to the router port and try again.
-
@joseph_1979
Thanks for the reply again....
I will try this ASAP.... I think the main problem is this "peer-to-peer" concept which in combination of my VLANS just doesent work as it should...
Question on loud... WHY does REOLINK still uses this OUTDATED solution ?
Any plans they will change this ? -
@ebaruk_673045617504343 I have no idea. I am a customer like you. You may submit your query to their support on support(@)reolink(dot)com
They are using a number of old modules. -
@joseph_1979
I understand... I tried already...
But they don't want to deal with it and they just reply that their device is not ment to work in "VLAN environment"...As unbelievable as it is .... That is the honestly what they... at the end replied me in the year 2024...
P.S.
Once again thank You for Your time...
-
@ebaruk_673045617504343 Yes, no layer 2. But the switch should remove the VLAN tagging and so it should work.
