YazFi 4.4.9 and IOT device NTP access

lokester

Occasional Visitor
Asus AC3100 flashed with Merlin 386.14_2 and Entware. Running the stock NTP server via the router GUI, set to intercept all NTP requests. I have many ESP-based IoT devices with 3rd-party FW, presently on Asus Guest Network 1 (with intranet access enabled), and they have been working rock solid for years, but I still feel the need to better isolate these devices from the internet, so I have installed YazFi and set up Guest Network 2 with one ESP device and a user script to allow two-way communication to the MQTT broker on the main LAN.

Everything is working except that the IoT device cannot complete an NTP request. I have read "many" posts on this forum on a similar, if not the same, issue, but the threads are 2+ years old and use older versions of YazFi. One post was nearly the same as my problem; a recommendation was made, but the OP never really responded as to whether it solved his issue. Here is my YazFi config and my user script. I am unsure whether my DNS1 and DNS2 settings are correct, but I have tried many different combinations. FYI, I changed my router LAN from the usual 192.168.1.1 to 172.16.85.1 years ago. In the user script, I need all devices on the YazFi network to have two-way access to the MQTT broker on the Raspberry Pi at 172.16.85.146, and I have verified that this part is working. The 2nd part of the script was a recommendation made for the NTP issue; this part is not working, as my IoT devices report "No reply from 172.16.85.1".
[Attachment: YazFi IOTWiFi.jpg, screenshot of the YazFi Guest Network 2 configuration]

Code:
#!/bin/sh

# the rule below allows IOT devices two-way comms to the Raspberry Pi when "One Way" is enabled
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 172.16.85.146 -j ACCEPT
# uncomment the line below if neither "One Way" nor "Two Way" is enabled
# iptables -I YazFiFORWARD -i br0 -o wl0.2 -s 172.16.85.146 -j ACCEPT

# the next two lines are meant to allow IOT devices to sync to the NTP server
# (request toward the router on UDP 123, and the return direction from 172.16.85.1)
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 172.16.85.1 -p udp --dport 123 -j ACCEPT
# note: as written this matches packets whose DESTINATION port is 123 leaving via wl0.2;
# an NTP server's reply carries port 123 as its SOURCE port
iptables -I YazFiFORWARD -i br0 -o wl0.2 -s 172.16.85.1 -p udp --dport 123 -j ACCEPT
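Why the NTP rules in the script above never fire, as an added example that is neither lokester's script nor YazFi's own code: an NTP request from a guest client to 172.16.85.1 is addressed to the router itself, so netfilter delivers it locally through the INPUT chain and it never traverses FORWARD (or the YazFiFORWARD chain YazFi hangs off it). Traffic to the Pi at 172.16.85.146, by contrast, is forwarded, which is why that rule works. The script below keeps the MQTT rules on the FORWARD side and puts the NTP rules in INPUT, matching the reply by source port 123 plus conntrack state. The interface and addresses are the values quoted in the post and are assumptions to adjust; set IPT=dryrun to print the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example for this thread; it is neither lokester's user script nor
# YazFi's own code. Assumptions (labelled, change to match your setup):
#   GUEST_IF = wl0.2          YazFi Guest Network 2 interface
#   LAN_IP   = 172.16.85.1    router LAN address, where the NTP server listens
#   GUEST_GW = 172.16.95.1    router's own address on the guest interface
#   BROKER   = 172.16.85.146  MQTT broker on the main LAN
# Run with "apply" from a YazFi user script; run with IPT=dryrun to print
# the iptables commands instead of executing them.

IPT="${IPT:-iptables}"
GUEST_IF="${GUEST_IF:-wl0.2}"
LAN_IP="${LAN_IP:-172.16.85.1}"
GUEST_GW="${GUEST_GW:-172.16.95.1}"
BROKER="${BROKER:-172.16.85.146}"

dryrun() { printf '%s\n' "$*"; }

# Netfilter delivers a packet addressed to one of the router's own addresses
# locally, so it traverses INPUT and never FORWARD. FORWARD (and YazFiFORWARD)
# only sees packets that leave through another interface, e.g. guest -> br0 -> Pi.
# Rules for an NTP server running on the router itself therefore belong in INPUT.
chain_for_dst() {
    case " $LAN_IP $GUEST_GW " in
        *" $1 "*) echo INPUT ;;
        *)        echo FORWARD ;;
    esac
}

# Rules as "CHAIN match ... -j TARGET" lines; inserting at position 1 puts them
# ahead of YazFi's own jumps. The reply travels router -> client with SOURCE
# port 123 (the client's port is ephemeral), so the reverse rule keys on
# --sport and conntrack state, not on --dport 123.
ntp_rules() {
    printf '%s\n' \
      "INPUT -i $GUEST_IF -d $LAN_IP -p udp --dport 123 -j ACCEPT" \
      "INPUT -i $GUEST_IF -d $GUEST_GW -p udp --dport 123 -j ACCEPT" \
      "OUTPUT -o $GUEST_IF -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT"
}

# The broker is not a router address, so that traffic is forwarded and the
# FORWARD-side chain from the original post is the right place for it.
mqtt_rules() {
    printf '%s\n' \
      "YazFiFORWARD -i $GUEST_IF -o br0 -d $BROKER -j ACCEPT" \
      "YazFiFORWARD -i br0 -o $GUEST_IF -s $BROKER -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Delete-then-insert keeps repeated runs (YazFi re-applies on every firewall
# restart) idempotent instead of stacking duplicate rules.
apply_rules() {
    { ntp_rules; mqtt_rules; } | while read -r chain args; do
        # word-splitting $args into separate iptables arguments is intended
        $IPT -D "$chain" $args 2>/dev/null || true
        $IPT -I "$chain" 1 $args
    done
}

case "${1:-}" in
    apply) apply_rules ;;
esac
```

After applying, watch `iptables -vnL INPUT` while a guest client retries: a packet counter that stays at zero on the wl0.2 rule means the request never reaches the router (look at the client or the wireless side), while a rising counter with no reply points at the NTP daemon or the address it is bound to. Also dump `iptables -t nat -S PREROUTING` and check which interfaces the stock "intercept NTP" rule is written for; if it only names br0, guest-interface requests are not intercepted by it.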
 
Looking at Router log, I get the following error fairly regularly, maybe something to do with the NTP request.

Jan 10 12:02:00 kernel: br0: received packet on vlan1 with own address as source address

Going to take out the 2 rules for NTP in my user script and see if that message goes away.
 
@CollinTaylor, you are correct as I am still getting the messages after taking those last 2 lines out of my user script and rebooting router.

Just added a 2nd device to the YazFi Guest 2 network. It joins the network fine, but this device cannot get NTP sync either. Gotta be something simple that I am missing.
 
Problem solved by going ahead and installing ntpMerlin addon. Did not really understand what this addon did vs the stock Asus NTP server, but it works with YazFi.
One hurdle cleared . . . now let's dig into YazFi a bit deeper.
 
Problem solved by going ahead and installing ntpMerlin addon.
I was writing up a post to ask if you had that installed when you posted that you had installed it. The YazFi script checks for ntpMerlin in the /jffs/scripts/nat-start file and, if found, enables iptables entries to pass NTP to the YazFi guest networks. A portion of that code from the YazFi.sh file:

Code:
        ENABLED_NTPD=0
        if [ -f /jffs/scripts/nat-start ]; then
            if [ "$(grep -c '# ntpMerlin' /jffs/scripts/nat-start)" -gt 0 ]; then ENABLED_NTPD=1; fi
        fi

        if [ "$ENABLED_NTPD" -eq 1 ]
        then
            iptables -t nat "$ACTION" PREROUTING -i "$IFACE" -p udp --dport 123 -j DNAT --to "$GuestNetIPaddr"."$(echo "$LAN_IPaddr" | cut -f4 -d'.')"
            iptables -t nat "$ACTION" PREROUTING -i "$IFACE" -p tcp --dport 123 -j DNAT --to "$GuestNetIPaddr"."$(echo "$LAN_IPaddr" | cut -f4 -d'.')"
            iptables "$ACTION" "$FWRD" -i "$IFACE" -p tcp --dport 123 -j REJECT
            iptables "$ACTION" "$FWRD" -i "$IFACE" -p udp --dport 123 -j REJECT
            ip6tables "$ACTION" FORWARD -i "$IFACE" -p tcp --dport 123 -j REJECT
            ip6tables "$ACTION" FORWARD -i "$IFACE" -p udp --dport 123 -j REJECT
        else
            iptables -t nat -D PREROUTING -i "$IFACE" -p udp --dport 123 -j DNAT --to "$GuestNetIPaddr"."$(echo "$LAN_IPaddr" | cut -f4 -d'.')"
            iptables -t nat -D PREROUTING -i "$IFACE" -p tcp --dport 123 -j DNAT --to "$GuestNetIPaddr"."$(echo "$LAN_IPaddr" | cut -f4 -d'.')"
            iptables -D "$FWRD" -i "$IFACE" -p tcp --dport 123 -j REJECT
            iptables -D "$FWRD" -i "$IFACE" -p udp --dport 123 -j REJECT
            ip6tables -D FORWARD -i "$IFACE" -p tcp --dport 123 -j REJECT
            ip6tables -D FORWARD -i "$IFACE" -p udp --dport 123 -j REJECT
        fi
    done
Edit to add: Also note there is a dedicated discussion topic for YazFi:
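A check for the redirect that the excerpt above installs, as an added example that is not YazFi's or ntpMerlin's code. Assuming `GuestNetIPaddr` holds the guest network's three-octet prefix (172.16.95 in this thread) and `LAN_IPaddr` is 172.16.85.1, the DNAT target `"$GuestNetIPaddr"."$(echo "$LAN_IPaddr" | cut -f4 -d'.')"` works out to 172.16.95.1, the router's own address on the guest interface; conntrack reverses the DNAT on the way back, so the client still sees the reply come from whatever address it asked. The functions below reproduce that computation and read `iptables -t nat -S PREROUTING` and `netstat -lnu` output (constructed samples here, live command output on the router) to report where UDP 123 from a guest interface is sent and whether a socket is bound to answer there.

```shell
#!/bin/sh
# Added example for this thread; it is not YazFi's or ntpMerlin's code.
# The samples are constructed to resemble `iptables -t nat -S PREROUTING` and
# `netstat -lnu` on a router running ntpMerlin with YazFi on wl0.2; they were
# not captured from a device.

SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i wl0.2 -p udp -m udp --dport 123 -j DNAT --to-destination 172.16.95.1
-A PREROUTING -i wl0.2 -p tcp -m tcp --dport 123 -j DNAT --to-destination 172.16.95.1
-A PREROUTING -i br0 -p udp -m udp --dport 123 -j REDIRECT --to-ports 123'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 172.16.85.1:53          0.0.0.0:*'

# Same arithmetic as the YazFi.sh excerpt: guest prefix ($1) joined with the
# last octet of the LAN address ($2). Assumes $1 is a three-octet prefix.
ntp_dnat_target() {
    echo "$1.${2##*.}"
}

# Where does UDP 123 arriving on interface $1 end up? Reads rules from stdin.
# Prints the --to-destination of the first matching DNAT, "local" for a
# REDIRECT (router's own address on that interface), or "none". First match
# wins, as in iptables.
ntp_redirect_target() {
    iface="$1"; result=none
    while read -r line; do
        case "$line" in
            *" -i $iface "*"-p udp"*"--dport 123"*"-j DNAT --to-destination "*)
                result="${line##*--to-destination }"; result="${result%% *}"; break ;;
            *" -i $iface "*"-p udp"*"--dport 123"*"-j REDIRECT"*)
                result=local; break ;;
        esac
    done
    echo "$result"
}

# Is there a UDP 123 socket that can answer at address $1? Reads netstat
# output from stdin. A wildcard bind (0.0.0.0:123) covers every address, which
# is why a redirect to 172.16.95.1 works without a per-interface bind.
ntp_listener_covers() {
    addr="$1"
    while read -r line; do
        case "$line" in
            udp*" 0.0.0.0:123 "*|udp*" $addr:123 "*) return 0 ;;
        esac
    done
    return 1
}

# One-shot verdict for a guest interface. On the router:
#   iptables -t nat -S PREROUTING | check_guest_ntp wl0.2 "$(netstat -lnu)"
check_guest_ntp() {
    iface="$1"; sockets="$2"
    target=$(ntp_redirect_target "$iface")
    case "$target" in
        none)  echo "$iface: no NTP redirect; clients reach the address they configured" ;;
        local) echo "$iface: NTP redirected to the router itself" ;;
        *)     if printf '%s\n' "$sockets" | ntp_listener_covers "$target"; then
                   echo "$iface: NTP redirected to $target, listener present"
               else
                   echo "$iface: NTP redirected to $target but nothing listens there"
               fi ;;
    esac
}

printf '%s\n' "$SAMPLE_NAT_RULES" | check_guest_ntp wl0.2 "$SAMPLE_NETSTAT"
printf '%s\n' "$SAMPLE_NAT_RULES" | check_guest_ntp wl1.2 "$SAMPLE_NETSTAT"
```

If the verdict for the guest interface is "no NTP redirect", the `# ntpMerlin` marker the excerpt greps for in /jffs/scripts/nat-start is missing or YazFi has not re-applied its firewall rules since ntpMerlin was installed; if it is "nothing listens there", the time server is bound to a specific address rather than 0.0.0.0, and the redirected request arrives at an address nobody answers on.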
 
It seems I was a bit early in saying my problem was solved. As I started moving other IoT devices to the YazFi network, the first 3 synced up to NTP just fine, but then I checked the next few and they would not sync. Same message from the device: "No reply from 172.16.85.1". Then I went to one of the devices that had previously synced and restarted it; it no longer syncs. Can someone confirm exactly what IP addresses should be set for DNS1 and DNS2 for my YazFi Guest Network 2? My main router LAN address is 172.16.85.1, and that is the address of the NTP server that my IoT devices will look to. On my IoT devices, a typical IP will be 172.16.95.6 with Gateway 172.16.95.1 and Subnet Mask 255.255.255.0. Is this subnet mask correct? This is one of the devices that synced initially but now will not.
 
@lokester, as a troubleshooting step, leave the DNS fields blank in YazFi (if you haven't tried that already) to see if that affects anything.
Another troubleshooting step is to reboot both the router AND the YazFi clients if you haven't done so already after making changes.
Check the wireless clients themselves for any hard coded settings like DNS or NTP. If the client is using hard coded DNS settings then one may need to use Asus-Merlin's DNS Director to route those clients to a different DNS server if one wants all their clients to use a specific DNS server.
If you are already using DNS Director, review your settings to ensure they're configured correctly. In recent Asus-Merlin firmware there was a slight change to the way DNS Director operates.
If you previously enabled the NTP option in the Asus-Merlin firmware prior to installing ntpMerlin then you may need to disable the Asus-Merlin firmware option and let ntpMerlin act as the sole local network time server.

And in case I missed it: is it only the YazFi wireless clients that have a problem obtaining a time sync from ntpMerlin?

If you think you have a problem with ntpMerlin configuration see the ntpMerlin discussion topic:
 
@bennor, thanks for giving me ideas. YazFi does not allow leaving the DNS fields blank, so I was unable to try that. I have rebooted the router and clients; again, no change. Regarding the clients, I am allowed to enter up to 3 NTP servers, so I have 172.16.85.1, 172.16.95.1 and even some leftover NTP addresses that I did not bother changing. Here is a log output from one of the devices:
[Attachment: 1768137897662.png, log output from one of the IoT devices]

Notice the line that addresses the NTP server that I did not bother changing to a local IP. I don't know exactly how all this works, but it appears that DNS is working; I just don't know whether the NTP request is not getting to the server or the reply is not getting back to the client.

I looked at DNS Director, it does not show any YazFi clients in the drop down to select for redirecting.

Also, you asked about clients syncing to NTP outside of YazFi: YES, they all sync with no issues.
One last thing to mention - I am running a MESH system in that I have an AC68U mesh-node hardwired to the AC3100. I can take that out of the setup pretty easily if needed.
 
@bennor, .... so I have 172.16.85.1, 172.16.95.1 and even some leftover ntp addresses that I did not bother changing. Here is a log output from one of the devices:
...
One last thing to mention - I am running a MESH system in that I have an AC68U mesh-node hardwired to the AC3100. I can take that out of the setup pretty easily if needed.
Just an FYI, if you didn't know: YazFi does not work on AiMesh clients. It is main-router only, meaning your YazFi clients must connect to the main router and not to the AiMesh node.

Input the router's IP address as DNS 1 and DNS 2 in YazFi.

You said previously that 172.16.95.1 is a Gateway. What device is 172.16.95.1? ISP modem or router or some other device?

And to confirm: if you connect a currently connected YazFi client to the main WiFi network (not YazFi), can that WiFi client sync NTP?

If there really is some sort of NTP issue with YazFi then @Martinski, who is currently maintaining YazFi, would need to investigate and see what the issue may be and correct it if one is found.

PS: Since you mentioned AiMesh in your last post, it may help if you fully flesh out everything. Include any addon scripts other than YazFi you are using. Include any AiMesh information. Include any custom firewall/iptable entries you have created. What are the current NTP settings on the router and or ntpMerlin? Are there any other NTP servers running on the local network? More information the better for others to help diagnose what the possible issue might be.
 
Making progress. This morning I noticed the "Addons" tab that was added after installing ntpMerlin was no longer showing in the router GUI. Going into amtm, there was no response when trying to go into ntpMerlin. Rebooted everything again; Addons/ntpMerlin is showing back up, but still no sync with clients.

Went into ntpMerlin in the GUI and changed "Timeserver" from NTPD to Chrony, and my clients all started syncing. Wow, not sure why, but I will take it.

@bennor, thanks for your time - but let me keep plugging away while things are back on the rails.
 