NetTime Setup with Firewalls

[SteveN1]

I've got my three cameras positioned, mounted and tested; so far so good, however I have observed that the time on all three seem to be drifting from that shown in NetTime. At first I thought it was a firewall problem, so I turned off the Windows firewall and after 10 minutes (the default sync time), they were all correct.

Great, problem solved, so I thought. After re-enabling the firewall with an exception to allow NetTime, they are drifting again. So it seems that perhaps the Windows firewall hasn't allowed the nettime executable after all.

How are you guys handling time sync, NetTime and the Windows firewall?

 

[bike_rider]

why are you syncing to your local machine and not a network time source?

 

[SteveN1]

Because the camera network does not have access to the internet, only the Blue Iris PC, and it is syncing to a network time source

 

[Walrus]

Check to make sure windows hasn't set your network adapter to public instead of private.
When you say you allowed NetTime through the firewall, did you specifically allow port 123 through the firewall?

 

[Valiant]

There is an option in the settings to "Allow other computers to sync to this computer". If you tick/check that option, the cameras can sync to your internal network. From the timesynctool web site FAQ-

"I have configured NetTime to provide time to other systems, but it's not working: Ensure that the Windows Time Service is disabled along with any other NTP servers that may be running. Also, make sure that the Windows Firewall, and other firewalls, aren't bloicking the incoming connections to NetTime. "

 

[SteveN1]

I have that option ticked, and the cameras can sync with NetTime ... when the firewall is turned off. When it is turned back on again, the clocks start drifting. This happens despite me adding the NetTime executable to the allowed list of the Windows firewall.

So it seems like the Windows 10 firewall, despite being told to allow NetTime, is not doing so. I'm trying to confirm if anyone else has seen this behavior and if so, are there any workarounds.

 

[Valiant]

That doesn't make sense. Do your cameras have synchronised time to your nettime PC ?, if so seems the nettime is working ok.

The firewall will only disallow external connections to the internet, in which case Nettime will show that sync has failed.

(I stand to be corrected, perhaps the firewall is blocking incoming connections)

 

[Walrus]

I have that option ticked, and the cameras can sync with NetTime ... when the firewall is turned off. When it is turned back on again, the clocks start drifting. This happens despite me adding the NetTime executable to the allowed list of the Windows firewall.

So it seems like the Windows 10 firewall, despite being told to allow NetTime, is not doing so. I'm trying to confirm if anyone else has seen this behavior and if so, are there any workarounds.

Again I ask, when you say you allowed NetTime through the firewall, did you specifically allow port 123 UDP through the firewall? It isn't enough to just allow the executable.
Also, again check that the network adapter hasn't been set to public.

 

[Valiant]

Because the camera network does not have access to the internet, only the Blue Iris PC, and it is syncing to a network time source

Excuse the silly question, have you configured the new NTP settings on each camera to point to the net time machine?

What cameras are they and is your timezone correct ?

 

[IAmATeaf]

Again I ask, when you say you allowed NetTime through the firewall, did you specifically allow port 123 UDP through the firewall? It isn't enough to just allow the executable.
Also, again check that the network adapter hasn't been set to public.

^ This. That is all I do to get all my cameras to sync to my BI PC which has NetTime installed.

 

[bp2008]

I just add a firewall rule for UDP port 123, all network types (private, public, domain) and don't associate it with any particular process.

I do the same for my Blue Iris web server port, except it is TCP (not UDP).

 

[looney2ns]

why are you syncing to your local machine and not a network time source?

Because this is best practice.

 

[bp2008]

Because this is best practice.

The local machine IS the network time source

Particularly in situations where you've blocked the cameras from accessing the internet (also best practice), it will be the only available network time source!

 

[SteveN1]

Setting the firewall access by port instead of application seems to have done it. Thanks all. Will monitor for a few days and hopefully declare success by next week.

 

[bike_rider]

Because this is best practice.

Well, it is certainly a practice.

I have a professional aversion to the phrase "best practice" because it shuts down alternative discussions.

 

[IAmATeaf]

Well, it is certainly a practice.

I have a professional aversion to the phrase "best practice" because it shuts down alternative discussions.

What alternative methods are there if the cams have no access to the internet? With Dahua you can sync them to the host that as far as I know that’s a manual process so there is potential for the cams to drift.

 

[looney2ns]

What alternative methods are there if the cams have no access to the internet? With Dahua you can sync them to the host that as far as I know that’s a manual process so there is potential for the cams to drift.

 

[SkyLake]

You have to make a Inbound firewall rule in the windows firewall for the NetTimeService executable.

Not the NetTime one.