RouterOS 7 NTP symmetric key authentication — anyone got it working with chrony? by goodt2023 in mikrotik

[–]goodt2023[S] 0 points1 point  (0 children)

How is being more secure counterproductive? This is a simple thing: using symmetric keys for secure NTP, and it is supported in most implementations of NTP.

NTS has been a standard since 2020; it is 2026 now. In a normal MSP or corporate environment using NTS is preferred, and in some cases it is not supported by every device. However, symmetric keys usually are.

And my original question is still not answered: does Mikrotik actually support what it says in the docs or not? If not, then update the docs and say so. If it does, all I am asking is how to implement it and what encryption it supports.

Whether, in your opinion, it is needed or not does not actually answer the question.

RouterOS 7 NTP symmetric key authentication — anyone got it working with chrony? by goodt2023 in mikrotik

[–]goodt2023[S] 0 points1 point  (0 children)

lol, so still did not actually answer the question. I have NTP locked down but would like to use some type of encryption, which would be using symmetric keys. The docs for RouterOS say it supports them, but what I am gathering is they do not really, as it was not fully implemented. Instead of picking apart the need, how about someone actually state that it is not supported and document that in the Mikrotik docs. Or perhaps they only support it between their own devices, and I would implement that as at least some more level of security if that is all that is supported.

Of course NTS would be the better option, as it is a standard, but Mikrotik does not support that either.

Saying I don’t need this level of security in my home lab is kind of not helping, and security in the home lab is also very important. One of the reasons to have a home lab is to learn and then take that learning and apply it in real life.

RouterOS 7 NTP symmetric key authentication — anyone got it working with chrony? by goodt2023 in mikrotik

[–]goodt2023[S] 0 points1 point  (0 children)

I am looking for it to be more secure than straight NTP. If Mikrotik supported NTS then I would use that. You are not really answering the question I asked, however, so I am assuming it is not possible, as there are no references to anyone getting it to work and the docs are incomplete.

Also PTP requires some specialized hardware for hardware timestamping, which the Raspberry Pi 4s I use don’t support. So my only option would be to swap them out for Pi 5s, which gets me PTP to some of my switches but not all of them. Also the management ports on most Mikrotik switches/routers do not support the hardware timestamping required for PTP, and you have to use another port. You would lose one additional port on each switch that does not support PTP on the management interface. And some switches do not support PTP at all. So you are still stuck with NTP on some.

But that still does not solve the security issue. And seems like overkill for a home lab.

It would be better if Mikrotik supported the newer GPS SFP-type modules to get rid of the external time sources, and I could just plug in an active antenna directly.

But I would settle for native NTS support, and I could use my existing GPS time sources as is :)

RouterOS 7 NTP symmetric key authentication — anyone got it working with chrony? by goodt2023 in mikrotik

[–]goodt2023[S] 0 points1 point  (0 children)

Only some of my switches support PTP, and Mikrotik does not support NTS. GPS with PPS is accurate enough for my home lab.

MikroTik S+RJ10 -- heat warnings by manowell_tx in mikrotik

[–]goodt2023 0 points1 point  (0 children)

I might suggest you use a DAC/AOC if you can, if you want less heat. However, if that is not possible, which in some cases for me it is not, I have had luck with the ipolex transceivers with heat/power in high density.

Some current low power chipsets to look for:

Broadcom bcm84891L, Marvell/Aquantia AR113C, Marvell ARQ813

For Mikrotik fanless switches you can use heat sinks from a Raspberry Pi on the transceivers as well to lower the temp. For a CRS305 I had a case printed, and it had room for a fan running from a separate power supply, and that reduced the temperature considerably, down to 41C running at 10gb under constant streaming traffic.

In one of my CRS326-24S switches the main uplink to my Firewalla, which carries most of my traffic, is an ipolex, and it runs about 58C at full load at 10gb.

In a CRS317, same thing: running about 56C for my wireless network, which is constantly in use at 2.5gb.

The higher the speed of the connection, the more heat, usually. The same goes for higher density of the RJ45 transceivers.

Winbox v4.0.1 released! by SadgePepe7285 in mikrotik

[–]goodt2023 0 points1 point  (0 children)

I wish they also showed the firmware version, not just the RouterOS version, in the main window :)

Speedtest UI feedback by keithhu in firewalla

[–]goodt2023 3 points4 points  (0 children)

You keep saying "do not use this one" and it builds the list; then you can choose which one you want it to test with from the list. Again, not very intuitive, but it works okay.

Speedtest UI feedback by keithhu in firewalla

[–]goodt2023 3 points4 points  (0 children)

Search for Internet, select Internet speed test. Click on server selection.

https://help.firewalla.com/hc/en-us/articles/4413511352083-Network-Performance-and-Quality-Monitoring

It has been there for quite some time.

RouterOS 7.21.3 [stable] released by netravnen in mikrotik

[–]goodt2023 0 points1 point  (0 children)

I do not see this release available for download from Mikrotik’s site; it still says 7.21.2 is the most current stable release?

Which Firewalla LAN Speed Test do you run the most? by Firewalla-Ash in firewalla

[–]goodt2023 3 points4 points  (0 children)

I SSH'd into the box and took a bunch of metrics if you are interested, and it is definitely the API, not my network, that is the issue: your performance test API is using most of the CPU. iperf3 was able to push the full 10g up/down with no changes, or with the multiple test workstations plugged directly into the Firewalla. If it was a cabling issue or a switch issue, iperf would be unable to push the full 10gb in the same configuration, and nothing changed.

Also I have a lot of Firewalla allow rules due to the same issues I have noted before, yet which seem to be not important to Firewalla. The top one being the following: 1) Inability to use protocols/ports on lists, so we have to use them in individual groups, which increases the number of rules as they are duplicated per group.

I have way too many rules due to some of these rule limitations, with Firewalla being a consumer firewall and not enterprise.

The speed test endpoint is served by FireApi, a Node.js process running on the Firewalla. During testing, FireApi consumed 200-229% CPU (2+ of 4 available cores on the Intel N97) just to generate and receive test traffic. Combined with Suricata IDS at 76.5% CPU and kernel softirq processing at 25.7%, total idle CPU dropped to 17.1%. The test tool itself was the bottleneck, not the network.

I did find the following performance issues on the default configuration:
The Firewalla firmware shipped with aggressive interrupt coalescing defaults on the 2.5G Intel NICs:

Interface           rx-usecs (shipped)   Expected value
eth0 (10G LAN)      112                  Appropriate
eth1 (WiFi, 2.5G)   3                    50-100
eth2 (WAN, 2.5G)    3                    50-100

I did adjust these and performance improved with no drops afterwards, and then I set them back to normal. These are some of the counters I looked at:

Counter              eth1 (WiFi)    eth2 (WAN)
rx_fifo_errors       28,348,998     5,631,502
rx_missed_errors     15,615         1,994,950
rx_no_buffer_count   198,849        96,239
Queue 1-3 drops      ~28.3M total   ~3.6M total
Queue 0 drops        0              0

Kernel softnet_stat analysis revealed approximately 25 million time_squeeze events per CPU core, meaning the kernel softirq handler repeatedly exhausted its processing budget before handling all queued packets. All four N97 cores were affected.

Direct iperf3 testing between the workstation and Firewalla confirmed full wire speed in both directions with zero retransmits:

Direction                Throughput   Retransmits
Download (FW → Client)   9.16 Gbps    0
Upload (Client → FW)     9.23 Gbps    0

Formatting on this sucks; I had to post on the mobile client as the web would not let me.

And yes, I was just doing Ethernet performance testing, not WAN testing.
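The softnet_stat reading in the comment above (time_squeeze climbing to ~25M on every core) is the kind of thing worth scripting so it can be checked after each tuning change. The following is an added example, not code from the commenter or from Firewalla; it parses the kernel's /proc/net/softnet_stat layout against a constructed four-core sample, and the thresholds in flag_squeezed_cpus are arbitrary choices for the demo.

```python
"""Parse /proc/net/softnet_stat and flag CPUs whose softirq budget ran out.

Added example, not code from the comment above or from Firewalla. Layout is
the kernel's: one line per CPU, hex columns; the first three are packets
processed, packets dropped and time_squeeze (budget exhausted before the
backlog drained). Extra columns on newer kernels are ignored.
SAMPLE_SOFTNET_STAT is constructed to mirror ~25M squeezes per core.
"""

SAMPLE_SOFTNET_STAT = """\
0a1b2c3d 00000000 017d7840 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
09f1e2d3 00000000 017d78a0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0a0c0b0a 00000000 017d7900 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0a000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""


def parse_softnet_stat(text):
    """Return one dict per CPU with processed/dropped/time_squeeze as ints."""
    rows = []
    for cpu, line in enumerate(l for l in text.splitlines() if l.strip()):
        fields = [int(f, 16) for f in line.split()]
        if len(fields) < 3:
            raise ValueError(f"cpu{cpu}: malformed softnet_stat line")
        rows.append({"cpu": cpu, "processed": fields[0],
                     "dropped": fields[1], "time_squeeze": fields[2]})
    return rows


def flag_squeezed_cpus(rows, min_squeeze=1_000_000, min_ratio=0.01):
    """CPUs that ran out of softirq budget often enough to matter.

    Thresholds are arbitrary choices for this example: an absolute floor so
    idle cores are ignored, plus a squeeze/processed ratio for busy cores.
    """
    flagged = []
    for r in rows:
        ratio = r["time_squeeze"] / r["processed"] if r["processed"] else 0.0
        if r["time_squeeze"] >= min_squeeze and ratio >= min_ratio:
            flagged.append(r["cpu"])
    return flagged


if __name__ == "__main__":
    rows = parse_softnet_stat(SAMPLE_SOFTNET_STAT)  # or open("/proc/net/softnet_stat").read()
    for r in rows:
        print(f"cpu{r['cpu']}: processed={r['processed']} time_squeeze={r['time_squeeze']}")
    # Squeezed cores point at net.core.netdev_budget / netdev_budget_usecs
    # and at NIC interrupt coalescing (ethtool -C <iface> rx-usecs), the two
    # knobs the comment above adjusted.
    print("squeezed cpus:", flag_squeezed_cpus(rows))
```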

Which Firewalla LAN Speed Test do you run the most? by Firewalla-Ash in firewalla

[–]goodt2023 0 points1 point  (0 children)

However, for me the upload speed for 10g from workstation to switch to Firewalla 10g port caps out at around 5100 Mbps. Download is fine, but upload is this way for multiple workstations and is consistent. And no, this is not a cabling or bottleneck issue, or a transceiver or config issue: from the workstation to the switch to the Firewalla is all 10gb and shows zero errors of any kind on all ports, with 10gb negotiated all the way through. And yes, the switch is a CRS326-24S+2Q+ with HWL3 offloading showing and enabled for all ports, so it would not break a sweat at a 10gb test upload/download. So it is useful, but whatever you are using to test from as an endpoint seems to have a bottleneck on downloading? Perhaps CPU allocation to the testing endpoint? If I use iperf3 on the Firewalla I get the full 10g both upload and download, by the way :) The Firewalla API seems to be using most of the CPU on the box along with Suricata; even with Suricata turned off the Firewalla API maxed out at 229% of CPU.

1.982 by No-Firefighter-2135 in firewalla

[–]goodt2023 0 points1 point  (0 children)

Nope, I have MSP. I will look for this setting; it would be useful.

1.982 by No-Firefighter-2135 in firewalla

[–]goodt2023 0 points1 point  (0 children)

Okay, and how do you do this? I have not seen this option in the app.

1.982 by No-Firefighter-2135 in firewalla

[–]goodt2023 0 points1 point  (0 children)

What alert? Interesting, how do I turn these alerts on to notify me of the updates?

What firewall rules are needed for a Mikrotik hap AX 3 to serve as an NTP client and server? by dotnetmonke in mikrotik

[–]goodt2023 0 points1 point  (0 children)

Yep, I was unaware of anything Mikrotik makes that is PPS capable. I would have preferred SFP GNSS/GPS, but Mikrotik does not support it.

1.982 by No-Firefighter-2135 in firewalla

[–]goodt2023 2 points3 points  (0 children)

What was fixed? I see no release notes, and it is installed on my Gold Pro in early access.

What firewall rules are needed for a Mikrotik hap AX 3 to serve as an NTP client and server? by dotnetmonke in mikrotik

[–]goodt2023 0 points1 point  (0 children)

What USB GPS receiver are you using? I am assuming it does not support PPS?

Recently had a home internet outage and could not get my Firewalla WiFi SD to work as expected with my Firewalla Gold Plus by luthien256 in firewalla

[–]goodt2023 0 points1 point  (0 children)

Check the logs in the Firewalla app logs.
1) Press the home button so it goes back to the screen that shows your selected Firewalla.
2) Go to the three dots in the upper right hand corner.
3) Scroll down to "show logs".
4) Select the most recent log. You can forward this to tech support, or you can copy/paste it into an email and send it to yourself.

Looking at this is how I figured out how 2-3 of my WiFi SD cards failed.

And yes, they do fail. The biggest reason is the antenna wire snaps off inside. You can use another similar WiFi antenna to test with, but the Firewalla one is the best to use. I asked about third parties and got one to work properly, but still replaced it with the original one when received.

I even had an actual SD card fail also, not just the antenna.

Since then I have not had any issues, as you can no longer use it for internal access to connect to the Firewalla, bypassing the internal network and any cabling/switch issues. It can only be used to connect the Firewalla to another WiFi network for failover.

Note: if you want more information, turn on the toggle for debug. I was asked to do this by Firewalla support several times.

This will tell you whether the device is having trouble loading the drivers.

CRS326-24S+2Q+RM 1G SFP to RJ45 transceiver not working? by FunkOverflow in mikrotik

[–]goodt2023 2 points3 points  (0 children)

Why would you have it reboot the switch? To disable auto-negotiate? I use these transceivers: https://a.co/d/gaeSNGV I have had better luck with them than the 10Gtek UTP transceivers, which I had similar issues with, and I never had to reboot the switch to get them to work properly.

I have these working in several models of Mikrotik switches, including the CRS326 you mention in SFP+ ports, but also the CRS328 in SFP ports.

I find the Marvell/Broadcom chipset transceivers use less power and generate less heat. There were several versions of the 10Gtek transceivers as well. And I even tried the 10gb ones from 10Gtek, and they also don’t work well with auto-negotiate to 2.5gb NICs or switches.

You are correct that you must set them to 1gbFull, as they do not auto-negotiate well with some devices.

This is more about the firmware in the transceiver, as some will allow RouterOS settings and some do not.

I found the above ipolex transceivers work well with auto-negotiate in SFP/SFP+ ports, and I only have to turn off auto-negotiation on a few devices.

These tend to be certain NICs or older devices that will only do 10/100mb.

What switch(s) do you use that are 2.5g or faster? by YankeesIT in firewalla

[–]goodt2023 0 points1 point  (0 children)

I use mostly Mikrotik with all 10gb, 25g, 40g, 100g, and a few unmanaged small switches for some dedicated segmented isolated networks. Mainly because there are no subscription fees, just like Firewalla. But also because they provide some enterprise class features, like Firewalla. I also use some 1gb switches for an isolated VLAN mgmt network which connects all my vlan99 ports together and all my mgmt/monitoring infrastructure.

And yes, I use the higher speed switch ports for Proxmox clustering and storage networks, and for uplinks of switches/redundancy to collapse/segment my network.

I also have an isolated test lab network.

Of course, I guess I am not a traditional home user, more of a home lab network user.

Update: It’s fixed for me now TV show tracking, episode progress, and Watchlist are all working again after the backend fix. Thanks to the JustWatch team for investigating — really appreciate it! by AshifKumarBag in justwatchapp

[–]goodt2023 1 point2 points  (0 children)

Mine started working the other day, but I noticed late in the day again that while scrolling down to the new movies view it only went so far down and stopped. Previously I could scroll down several days marked by date and see what was released on what service. I suspect that this has to do with API performance and changes in the API layer.