NTP problem with a TP-Link camera

Description

Logs in my TP-Link Tapo camera show that it's failing to sync its clock via NTP. Their support said that my OpenWrt router is probably blocking it, because it works if the camera is connected to a different network (such as mobile 4G via phone hotspot). However, all other devices in this LAN can sync time successfully, and only the camera is failing. Any ideas?

Details

  • The router is TP-Link Archer c6 v3 running OpenWrt 22.03.2
  • The camera is TP-Link Tapo c200
  • These addresses appear in the configuration file below, but are definitely not related to the camera: 192.168.1.106 (server ipv4), 192.168.1.108 (desktop ipv4), ::dea6:32ff:fe9c:c7ca/::ffff:ffff:ffff:ffff (server ipv6), ::b62e:99ff:fee9:cc51/::ffff:ffff:ffff:ffff (desktop ipv6)

root@router1:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option name 'http'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.1.106'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

config redirect
	option name 'https'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.106'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'

config redirect
	option name 'tor-orport'
	option src 'wan'
	option src_dport '9001'
	option dest 'lan'
	option dest_ip '192.168.1.106'
	option dest_port '9001'
	option proto 'tcp udp'
	option target 'DNAT'

config redirect
	option name 'rdp'
	option src 'wan'
	option src_dport '3389'
	option dest 'lan'
	option dest_ip '192.168.1.108'
	option dest_port '3389'
	option proto 'tcp udp'
	option target 'DNAT'

config rule
	option name 'http'
	option src 'wan'
	option proto 'tcp udp'
	option dest 'lan'
	option dest_ip '::dea6:32ff:fe9c:c7ca/::ffff:ffff:ffff:ffff'
	option dest_port '80'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'https'
	option src 'wan'
	option proto 'tcp udp'
	option dest 'lan'
	option dest_ip '::dea6:32ff:fe9c:c7ca/::ffff:ffff:ffff:ffff'
	option dest_port '443'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'tor-orport'
	option src 'wan'
	option proto 'tcp udp'
	option dest 'lan'
	option dest_ip '::dea6:32ff:fe9c:c7ca/::ffff:ffff:ffff:ffff'
	option dest_port '9001'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'rdp'
	option src 'wan'
	option proto 'tcp udp'
	option dest 'lan'
	option dest_ip '::b62e:99ff:fee9:cc51/::ffff:ffff:ffff:ffff'
	option dest_port '3389'
	option family 'ipv6'
	option target 'ACCEPT'

The default OpenWrt firewall does not block outbound connections, so NTP requests should work just fine (they do on all my desktops). If I'm not mistaken, you just added port forwardings, but did not alter the behavior of the firewall.

I would try to do a packet capture using tcpdump on the OpenWrt device and trigger an NTP request from the camera. I haven't done this for ages, so I'm sorry, I can't provide you with the necessary command.

4 Likes
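
The capture suggested in the reply above, as an added example that is not part of the original thread: a tcpdump filter for the camera's NTP traffic and a small script that lists client/server pairs whose requests were never answered. The interface name `br-lan`, the camera address `192.168.1.50` and the sample capture lines are assumptions constructed for illustration, and the script expects tcpdump's text output with the NTP mode printed as `Client` or `Server`.

```sh
#!/bin/sh
# Added example. On the router (tcpdump installed), capture the camera's NTP
# traffic; br-lan and 192.168.1.50 are assumed names for the LAN bridge and
# the camera's address:
#   tcpdump -ni br-lan udp port 123 and host 192.168.1.50 > /tmp/ntp.txt

# ntp_unanswered [FILE]: read tcpdump text output (file or stdin) and print
# "client server request_count" for each pair whose requests got no reply.
ntp_unanswered() {
    awk '
    function addr(a) {            # "203.0.113.10.123:" -> "203.0.113.10"
        sub(/:$/, "", a); sub(/\.[0-9]+$/, "", a); return a
    }
    $2 ~ /^IP6?$/ && /NTPv[0-9]+, Client/ { req[addr($3) " " addr($5)]++ }
    $2 ~ /^IP6?$/ && /NTPv[0-9]+, Server/ { rep[addr($5) " " addr($3)]++ }
    END { for (k in req) if (!(k in rep)) print k, req[k] }
    ' "$@" | sort
}

# Constructed sample capture: the camera gets no answers, the desktop does.
sample_capture() {
    cat <<'EOF'
10:15:01.000001 IP 192.168.1.50.40123 > 203.0.113.10.123: NTPv4, Client, length 48
10:15:03.000002 IP 192.168.1.50.40123 > 203.0.113.10.123: NTPv4, Client, length 48
10:15:07.000003 IP 192.168.1.50.40123 > 203.0.113.10.123: NTPv4, Client, length 48
10:15:08.000004 IP 192.168.1.108.123 > 198.51.100.7.123: NTPv4, Client, length 48
10:15:08.020005 IP 198.51.100.7.123 > 192.168.1.108.123: NTPv4, Server, length 48
EOF
}

sample_capture | ntp_unanswered
```

An empty result while requests are present in the capture means replies are arriving; no NTP lines at all means the camera never sent a request on that interface.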

You can set ntp as server and redirect any request from lan to it:

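# Remove the explicit 'enabled' option and turn on the NTP server, bound to lan
uci del system.ntp.enabled
uci set system.ntp.enable_server='1'
uci set system.ntp.interface='lan'
# Replace the upstream server list
uci del system.ntp.server
uci add_list system.ntp.server='pool.ntp.org'

# Redirect every NTP request (UDP 123) coming from lan;
# with no dest_ip set, the redirect target is the router itself
uci set firewall.ntp_lan123=redirect
uci set firewall.ntp_lan123.target='DNAT'
uci set firewall.ntp_lan123.name='NTP (lan, 123)'
uci set firewall.ntp_lan123.src='lan'
uci set firewall.ntp_lan123.src_dport='123'
uci set firewall.ntp_lan123.proto='udp'
uci set firewall.ntp_lan123.dest_port='123'
uci commit
# Apply the committed changes
/etc/init.d/sysntpd restart
/etc/init.d/firewall reload

4 Likes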

In your DHCP server configuration, set on your advanced tab in the network interface section 42,[ip address of NTP server].

So if your main router is both offering DHCP and NTP services and its IP is 192.168.1.10, go into your interface advanced section, edit the interface, DHCP, advanced, then add 42,192.168.1.10 into the DHCP options section. Remember to click on the + sign and save/apply.

Make sure you have NTP services running on your main router by going to system/time sync and making sure Provide NTP server is checked.

1 Like

Like this, dhcp parameter for ntp:

uci del dhcp.lan.dhcp_option
uci add_list dhcp.lan.dhcp_option='42,192.168.1.1'
uci commit

What is 42?

... then add 42,192.168.1.10 into the DHCP options section.

Google is your friend:
https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml

2 Likes

This firewall redirect solved the problem. The camera picked up the correct time almost immediately after reloading the firewall. Thanks.

So I wonder why is this not done by default? Clearly TP-Link expects this to be set on all routers. Bad design on their part?

Here are my current [working] settings for future reference - only the added/modified parts:

/etc/config/firewall

config redirect
        option name 'ntp'
        option target 'DNAT'
        option src 'lan'
        option src_mac '<camera_mac_address>'
        option src_dport '123'
        option proto 'udp'
        option dest_port '123'

/etc/config/dhcp

config dhcp 'lan'
        option dhcp_option '42,192.168.1.1'

/etc/config/system

config timeserver 'ntp'
        option enabled '1'
        list server '0.openwrt.pool.ntp.org'
        list server '1.openwrt.pool.ntp.org'
        list server '2.openwrt.pool.ntp.org'
        list server '3.openwrt.pool.ntp.org'
        option enable_server '1'

1 Like
