YazFi 4.4.9 and IOT device NTP access

lokester

Occasional Visitor
Asus AC3100 flashed with Merlin 386.14_2 and Entware. Running the stock NTP server via the router GUI and set to intercept all NTP requests. Have many ESP-based IOT devices with 3rd-party FW presently on Asus Guest Network 1 (with intranet access enabled), and they have been working rock solid for years - but I still feel the need to better isolate these devices from the internet, so I have installed YazFi and set up Guest Network 2 with 1 ESP device and a user script to allow 2-way communication to the MQTT broker on the main LAN.

Everything is working except the IOT device cannot get an NTP reply. I have read "many" posts on this forum on similar if not the same issue, but the threads are 2+ years old and use older versions of YazFi. One post was nearly the same as my problem, where a recommendation was made but the OP never really responded back as to whether it solved his issue. Here is my YazFi config and my user script. I am unsure whether my DNS1 and DNS2 settings are correct, but I have tried many different combinations. FYI, I changed my router LAN from the usual 192.168.1.1 to 172.16.85.1 years ago. In the user script, I need all devices on the YazFi network to have 2-way access to the MQTT broker on the Raspberry Pi at 172.16.85.146, and I have verified this part is working. The 2nd part of the script was a recommendation made for the NTP issue - this part is not working, as my IOT devices report "No reply from 172.16.85.1".

Code:
#!/bin/sh

# this line allows IOT devices to have two-way comms to the Raspberry Pi when "One Way" is enabled
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 172.16.85.146 -j ACCEPT
# uncomment the line below if neither "One Way" nor "Two Way" is enabled
# iptables -I YazFiFORWARD -i br0 -o wl0.2 -s 172.16.85.146 -j ACCEPT

# next two lines allow IOT devices to sync to the NTP server
# note: 172.16.85.1 is the router's own br0 address, so packets to it traverse the INPUT chain,
# not the FORWARD chain that YazFiFORWARD hangs off, and these rules will never match them
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 172.16.85.1 -p udp --dport 123 -j ACCEPT
# NTP replies leave the server from source port 123; the client's destination port is its own ephemeral port
iptables -I YazFiFORWARD -i br0 -o wl0.2 -s 172.16.85.1 -p udp --sport 123 -j ACCEPT
 
Looking at the router log, I get the following error fairly regularly, maybe something to do with the NTP request.

Jan 10 12:02:00 kernel: br0: received packet on vlan1 with own address as source address

Going to take out the 2 rules for NTP in my user script and see if that message goes away.
 
@CollinTaylor, you are correct, as I am still getting the messages after taking those last 2 lines out of my user script and rebooting the router.

Just added a 2nd device to the YazFi Guest 2 network. It joins the network fine, but this device cannot get NTP sync either. Gotta be something simple that I am missing.
 
Problem solved by going ahead and installing the ntpMerlin addon. Did not really understand what this addon did vs the stock Asus NTP server, but it works with YazFi.
One hurdle cleared . . . now let's dig into YazFi a bit deeper.
 
Problem solved by going ahead and installing the ntpMerlin addon.
Was writing up a post to ask if you had that installed when you posted that you installed it. The YazFi script checks for the ntpMerlin marker in the /jffs/scripts/nat-start file and, if found, will enable iptables entries to pass NTP to the YazFi Guest Networks. A portion of that code from the YazFi.sh file:

Code:
        # excerpt from inside YazFi's per-guest-network loop; $IFACE is the guest interface,
        # $FWRD the forward chain and $ACTION the iptables add/delete flag for this pass
        ENABLED_NTPD=0
        if [ -f /jffs/scripts/nat-start ]; then
            if [ "$(grep -c '# ntpMerlin' /jffs/scripts/nat-start)" -gt 0 ]; then ENABLED_NTPD=1; fi
        fi

        if [ "$ENABLED_NTPD" -eq 1 ]
        then
            # redirect guest NTP queries to the router's address on the guest subnet:
            # guest prefix plus the last octet of the LAN IP (e.g. 172.16.95 + 172.16.85.1 -> 172.16.95.1)
            iptables -t nat "$ACTION" PREROUTING -i "$IFACE" -p udp --dport 123 -j DNAT --to "$GuestNetIPaddr"."$(echo "$LAN_IPaddr" | cut -f4 -d'.')"
            iptables -t nat "$ACTION" PREROUTING -i "$IFACE" -p tcp --dport 123 -j DNAT --to "$GuestNetIPaddr"."$(echo "$LAN_IPaddr" | cut -f4 -d'.')"
            # anything still trying to leave the guest network on port 123 is rejected
            iptables "$ACTION" "$FWRD" -i "$IFACE" -p tcp --dport 123 -j REJECT
            iptables "$ACTION" "$FWRD" -i "$IFACE" -p udp --dport 123 -j REJECT
            ip6tables "$ACTION" FORWARD -i "$IFACE" -p tcp --dport 123 -j REJECT
            ip6tables "$ACTION" FORWARD -i "$IFACE" -p udp --dport 123 -j REJECT
        else
            # ntpMerlin not detected: make sure no stale NTP rules remain
            iptables -t nat -D PREROUTING -i "$IFACE" -p udp --dport 123 -j DNAT --to "$GuestNetIPaddr"."$(echo "$LAN_IPaddr" | cut -f4 -d'.')"
            iptables -t nat -D PREROUTING -i "$IFACE" -p tcp --dport 123 -j DNAT --to "$GuestNetIPaddr"."$(echo "$LAN_IPaddr" | cut -f4 -d'.')"
            iptables -D "$FWRD" -i "$IFACE" -p tcp --dport 123 -j REJECT
            iptables -D "$FWRD" -i "$IFACE" -p udp --dport 123 -j REJECT
            ip6tables -D FORWARD -i "$IFACE" -p tcp --dport 123 -j REJECT
            ip6tables -D FORWARD -i "$IFACE" -p udp --dport 123 -j REJECT
        fi
    done
Edit to add: Also note there is a dedicated discussion topic for YazFi:
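To make the mechanism above checkable before trusting it, here is an added helper (example code, not part of YazFi or of either post) that reproduces YazFi's ntpMerlin detection and DNAT-target derivation and emits the resulting rules in dry-run mode; the nat-start path, the wl0.2 interface and the 172.16.95 guest prefix are assumed values taken from this thread.

```shell
#!/bin/sh
# Added example, not YazFi's own code: mirrors how YazFi decides whether to
# redirect guest NTP and where it sends it, so the rules can be reviewed.
# DRY_RUN=1 (default) prints the iptables commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

# YazFi's own test: is the '# ntpMerlin' marker present in nat-start?
# $1 is the path to nat-start (assumed /jffs/scripts/nat-start on the router).
ntpmerlin_enabled() {
    [ -f "$1" ] && [ "$(grep -c '# ntpMerlin' "$1")" -gt 0 ]
}

# Derive the DNAT target exactly as YazFi.sh does: the guest prefix plus the
# last octet of the LAN address, e.g. 172.16.95 + 172.16.85.1 -> 172.16.95.1
ntp_dnat_target() {
    printf '%s.%s\n' "$1" "$(echo "$2" | cut -f4 -d'.')"
}

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Emit the IPv4 rules YazFi would apply for one guest interface.
# $1 guest interface, $2 guest prefix, $3 LAN IP, $4 iptables action (-I/-D)
ntp_rules() {
    iface="$1"; guest_prefix="$2"; lan_ip="$3"; action="${4:--I}"
    target="$(ntp_dnat_target "$guest_prefix" "$lan_ip")"
    # Guest NTP queries are rewritten to the router's guest-subnet address.
    # Packets addressed to the router itself then traverse INPUT, not FORWARD,
    # which is why ACCEPT rules in YazFiFORWARD alone never see them.
    run iptables -t nat "$action" PREROUTING -i "$iface" -p udp --dport 123 -j DNAT --to "$target"
    run iptables -t nat "$action" PREROUTING -i "$iface" -p tcp --dport 123 -j DNAT --to "$target"
    # Anything still heading off the guest network on port 123 is rejected.
    run iptables "$action" YazFiFORWARD -i "$iface" -p udp --dport 123 -j REJECT
    run iptables "$action" YazFiFORWARD -i "$iface" -p tcp --dport 123 -j REJECT
}

# Usage on the router (assumed values from this thread):
#   ntpmerlin_enabled /jffs/scripts/nat-start && ntp_rules wl0.2 172.16.95 172.16.85.1
```

With DRY_RUN=1 the output is the exact rule set to compare against `iptables -t nat -S PREROUTING` and `iptables -S YazFiFORWARD` on the router.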
 
It seems I was a bit early in saying my problem was solved. As I started moving other IOT devices to the YazFi network, the first 3 synced up to NTP just fine, but then I checked the next few and they would not sync. Same message from the device: "No reply from 172.16.85.1". Then I went to one of the devices that had previously synced and restarted it, and now it no longer syncs. Can someone confirm exactly what IP addresses should be set for DNS1 and DNS2 for my YazFi Guest Network 2? My main router LAN address is 172.16.85.1, and that is the address of the NTP server that my IOT devices will look to. On my IOT devices, a typical IP will be 172.16.95.6 with Gateway 172.16.95.1 and Subnet Mask 255.255.255.0. Is this subnet mask correct? This is one of the devices that synced initially but now will not.
 
@lokester, as a troubleshooting step, leave the DNS fields blank in YazFi (if you haven't tried that already) to see if it affects anything.
Another troubleshooting step is to reboot both the router AND the YazFi clients, if you haven't done so already after making changes.
Check the wireless clients themselves for any hard-coded settings like DNS or NTP. If a client is using hard-coded DNS settings, then one may need to use Asus-Merlin's DNS Director to route those clients to a different DNS server if one wants all clients to use a specific DNS server.
If you are already using DNS Director, review your settings to ensure they're configured correctly. In recent Asus-Merlin firmware there was a slight change to the way DNS Director operates.
If you enabled the NTP option in the Asus-Merlin firmware prior to installing ntpMerlin, then you may need to disable the Asus-Merlin firmware option and let ntpMerlin act as the sole local network time server.

And in case I missed it: is it only the YazFi wireless clients that have a problem obtaining a time sync from ntpMerlin?

If you think you have a problem with ntpMerlin configuration see the ntpMerlin discussion topic:
 