NetTime Setup with Firewalls

SteveN1 · Aug 9, 2019

I've got my three cameras positioned, mounted and tested; so far so good, however I have observed that the time on all three seem to be drifting from that shown in NetTime. At first I thought it was a firewall problem, so I turned off the Windows firewall and after 10 minutes (the default sync time), they were all correct.

Great, problem solved, so I thought. After re-enabling the firewall with an exception to allow NetTime, they are drifting again. So it seems that perhaps the Windows firewall hasn't allowed the nettime executable after all.

How are you guys handling time sync, NetTime and the Windows firewall?

bike_rider · Aug 9, 2019

why are you syncing to your local machine and not a network time source?

SteveN1 · Aug 9, 2019

Because the camera network does not have access to the internet, only the Blue Iris PC, and it is syncing to a network time source

Walrus · Aug 9, 2019

Check to make sure windows hasn't set your network adapter to public instead of private.
When you say you allowed NetTime through the firewall, did you specifically allow port 123 through the firewall?

Valiant · Aug 9, 2019

There is an option in the settings to "Allow other computers to sync to this computer". If you tick/check that option, the cameras can sync to your internal network. From the timesynctool web site FAQ-

"I have configured NetTime to provide time to other systems, but it's not working: Ensure that the Windows Time Service is disabled along with any other NTP servers that may be running. Also, make sure that the Windows Firewall, and other firewalls, aren't bloicking the incoming connections to NetTime. "

SteveN1 · Aug 9, 2019

I have that option ticked, and the cameras can sync with NetTime ... when the firewall is turned off. When it is turned back on again, the clocks start drifting. This happens despite me adding the NetTime executable to the allowed list of the Windows firewall.

So it seems like the Windows 10 firewall, despite being told to allow NetTime, is not doing so. I'm trying to confirm if anyone else has seen this behavior and if so, are there any workarounds.

Valiant · Aug 9, 2019

That doesn't make sense. Do your cameras have synchronised time to your nettime PC ?, if so seems the nettime is working ok.

The firewall will only disallow external connections to the internet, in which case Nettime will show that sync has failed.

(I stand to be corrected, perhaps the firewall is blocking incoming connections)

Walrus · Aug 9, 2019

SteveN1 said:
I have that option ticked, and the cameras can sync with NetTime ... when the firewall is turned off. When it is turned back on again, the clocks start drifting. This happens despite me adding the NetTime executable to the allowed list of the Windows firewall.

So it seems like the Windows 10 firewall, despite being told to allow NetTime, is not doing so. I'm trying to confirm if anyone else has seen this behavior and if so, are there any workarounds.

Again I ask, when you say you allowed NetTime through the firewall, did you specifically allow port 123 UDP through the firewall? It isn't enough to just allow the executable.
Also, again check that the network adapter hasn't been set to public.

Valiant · Aug 9, 2019

SteveN1 said:
Because the camera network does not have access to the internet, only the Blue Iris PC, and it is syncing to a network time source

Excuse the silly question, have you configured the new NTP settings on each camera to point to the net time machine?

What cameras are they and is your timezone correct ?

IAmATeaf · Aug 9, 2019

Walrus said:
Again I ask, when you say you allowed NetTime through the firewall, did you specifically allow port 123 UDP through the firewall? It isn't enough to just allow the executable.
Also, again check that the network adapter hasn't been set to public.

^ This. That is all I do to get all my cameras to sync to my BI PC which has NetTime installed.

bp2008 · Aug 9, 2019

I just add a firewall rule for UDP port 123, all network types (private, public, domain) and don't associate it with any particular process.

I do the same for my Blue Iris web server port, except it is TCP (not UDP).

looney2ns · Aug 9, 2019

bike_rider said:
why are you syncing to your local machine and not a network time source?

Because this is best practice.

bp2008 · Aug 9, 2019

looney2ns said:
Because this is best practice.

The local machine IS the network time source

Particularly in situations where you've blocked the cameras from accessing the internet (also best practice), it will be the only available network time source!

SteveN1 · Aug 9, 2019

Setting the firewall access by port instead of application seems to have done it. Thanks all. Will monitor for a few days and hopefully declare success by next week.

bike_rider · Aug 10, 2019

looney2ns said:
Because this is best practice.

Well, it is certainly a practice.

I have a professional aversion to the phrase "best practice" because it shuts down alternative discussions.

IAmATeaf · Aug 10, 2019

bike_rider said:
Well, it is certainly a practice.

I have a professional aversion to the phrase "best practice" because it shuts down alternative discussions.

What alternative methods are there if the cams have no access to the internet? With Dahua you can sync them to the host that as far as I know that’s a manual process so there is potential for the cams to drift.

looney2ns · Aug 10, 2019

IAmATeaf said:
What alternative methods are there if the cams have no access to the internet? With Dahua you can sync them to the host that as far as I know that’s a manual process so there is potential for the cams to drift.

SkyLake · Aug 10, 2019

You have to make a Inbound firewall rule in the windows firewall for the NetTimeService executable.

Not the NetTime one.

Search

NetTime Setup with Firewalls

SteveN1

Young grasshopper

bike_rider

Young grasshopper

SteveN1

Young grasshopper

Walrus

Getting comfortable

Valiant

Pulling my weight

SteveN1

Young grasshopper

Valiant

Pulling my weight

Walrus

Getting comfortable

Valiant

Pulling my weight

IAmATeaf

Known around here

bp2008

looney2ns

bp2008

SteveN1

Young grasshopper

bike_rider

Young grasshopper

IAmATeaf

Known around here

looney2ns

SkyLake

Getting comfortable