How to configure Chrony time server in GL.iNet router and redirect LAN clients’ sync requests?

Hello,

As a company focused on network security, GL.iNet is committed to providing users with a more robust underlying architecture.
Beginning with firmware v4.8.3, we have made a major upgrade to the system time synchronization component:
Chrony (chronyd) is now officially introduced as the default time service, replacing the traditional ntp service (sysntpd), which has shown its limitations under modern security standards.

This improvement enhances the security of Internet time synchronization by adding support for the NTS (Network Time Security) protocol, building a stronger defensive barrier for users' network environments.

The NTP component has been deprecated. In response to earlier community discussions about NTP server configuration and redirection requirements, this guide adapts those instructions to the Chrony component.

Tutorial:

  1. SSH to router

  2. Check whether the router system time is correct

    date
    # If the time is incorrect, you can trigger a resync manually:
    /etc/init.d/chronyd restart
    
  3. Edit the Chrony configuration to enable the time server; replace [Router LAN IP] with your own LAN subnet

    echo "allow [Router LAN IP]" >> /etc/chrony/chrony.conf
    # For example, allow all clients in the 192.168.8.0/24 subnet to synchronize time from Chrony
    echo "allow 192.168.8.0/24" >> /etc/chrony/chrony.conf
    
  4. Restart Chrony to apply the above new configuration

    /etc/init.d/chronyd restart
    
  5. Check the port 123 status

    netstat -uln | grep 123
    


  6. Configure the firewall to redirect time requests from LAN clients to the router's time server.
    There are two kinds of firewall implementation: older firmware uses iptables, newer firmware uses nft (fw4).
    To tell which one your firmware uses, a simple (non-rigorous) check is:

    cat /etc/os-release | grep "RELEASE"
    

    If the OpenWrt version is ≥ 23, the firmware uses nft (fw4); if it is < 23, it generally uses iptables.

    • If your firmware uses iptables, please modify [Router LAN IP] according to your LAN IP
    echo "iptables -t nat -A PREROUTING -i br-lan -p udp --dport 123 -j DNAT --to-destination [Router LAN IP]:123" >> /etc/firewall.user
    # If your LAN IP range is different, please modify accordingly
    # For example, redirect the time request from LAN to Router LAN IP, 192.168.8.1
    echo "iptables -t nat -A PREROUTING -i br-lan -p udp --dport 123 -j DNAT --to-destination 192.168.8.1:123" >> /etc/firewall.user
    
    • If your firmware uses nftables, please modify dest_ip= according to your LAN IP
    uci add firewall redirect
    uci set firewall.@redirect[-1].name='Redirect-LAN-NTP'
    uci set firewall.@redirect[-1].src='lan'
    uci set firewall.@redirect[-1].src_dport='123'
    uci set firewall.@redirect[-1].dest_port='123'
    uci set firewall.@redirect[-1].proto='udp'
    uci set firewall.@redirect[-1].target='DNAT'
    # Please modify the next line to match your router's LAN IP (default: 192.168.8.1)
    uci set firewall.@redirect[-1].dest_ip='192.168.8.1'
    uci commit firewall
    
  • Whether you use iptables or nftables (fw4), run the following after making the changes above:
    /etc/init.d/firewall restart
    

    When restarting the firewall you may see messages containing "invalid"; as long as none of them mention "error", that is normal.

  7. Verify that the redirection is working.
    Test with PowerShell on a Windows PC on the LAN side. Even if you specify a non-existent IP or a Google address, a returned result means the request was redirected to the router.

    w32tm /stripchart /computer:123.123.123.123 /dataonly /samples:3
    
    w32tm /stripchart /computer:www.google.com /dataonly /samples:3
    

    • Optional: capture packets with tcpdump to verify that the LAN clients' time requests are redirected by the router to itself, where Chrony answers them.
    opkg update && opkg install tcpdump
    tcpdump -i any port 123 -n
    

    (The router LAN subnet in this example is 192.168.5.0/24, test PC IP is 192.168.5.117)


-end

Reminder: Please note that all commands involving the [Router LAN IP] must be updated to match your actual IP address. Do not simply copy and paste the commands without replacing the placeholder.
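As an added example (not part of the GL.iNet post), here is an idempotent sh version of steps 3 and 6 that applies the same release heuristic and also repairs the duplicate rules reported later in this thread. It assumes file paths are passed as parameters so the helpers can be exercised off the router, and the fw4 variant only prints the uci commands for review; the function names and the named UCI section are my own choice.

```shell
#!/bin/sh
# Added example, not from the GL.iNet post: idempotent helpers for steps 3 and 6.
# The post's ">>" and "uci add" commands create duplicate rules when re-run;
# these append each line only once and can repair an already duplicated file.
# Paths are parameters so the functions can be exercised away from the router.

# Post's heuristic on an os-release file: OpenWrt release >= 23 means nft/fw4,
# anything older (or unparseable) is treated as iptables.
firewall_family() {  # $1 = path to os-release
    major=$(sed -n 's/^OPENWRT_RELEASE="OpenWrt \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$major" ] || major=$(sed -n 's/^VERSION_ID="\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$major" ] || major=0
    if [ "$major" -ge 23 ]; then echo fw4; else echo iptables; fi
}

# Append a line only if that exact line is not already in the file.
append_once() {  # $1 = file, $2 = line
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Step 3: permit one LAN subnet (CIDR) to query chronyd.
chrony_allow() {  # $1 = chrony.conf, $2 = subnet such as 192.168.8.0/24
    append_once "$1" "allow $2"
}

# Step 6, iptables firmware: DNAT UDP/123 arriving on a bridge to the router.
iptables_redirect() {  # $1 = firewall.user, $2 = bridge (br-lan), $3 = router LAN IP
    append_once "$1" "iptables -t nat -A PREROUTING -i $2 -p udp --dport 123 -j DNAT --to-destination $3:123"
}

# Repair a file that already holds duplicate rules: keep the first occurrence.
dedupe_file() {  # $1 = file
    awk '!seen[$0]++' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 6, fw4 firmware: print uci commands for a *named* redirect section, so
# re-running rewrites the same section instead of adding another one (the
# section name is my own choice). Pipe the output to sh once reviewed.
fw4_redirect() {  # $1 = zone name (lan), $2 = router LAN IP
    sec="redirect_ntp_$1"
    printf 'uci set firewall.%s=redirect\n' "$sec"
    for kv in "name=Redirect-$1-NTP" "src=$1" "src_dport=123" "dest_port=123" \
              "proto=udp" "target=DNAT" "dest_ip=$2"; do
        printf "uci set firewall.%s.%s='%s'\n" "$sec" "${kv%%=*}" "${kv#*=}"
    done
    printf 'uci commit firewall\n'
}
```

After running dedupe_file on /etc/firewall.user, restart the firewall as in the tutorial so the nat chain is rebuilt from the cleaned file.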


Thanks for the tutorial, these are very helpful for setting up new features and local time serving is important when running an internal CCTV system with no internet access.

Setup went smoothly, but I ran into a problem verifying: it was because I was trying to verify from a computer that was connected to a VPN, and the router (unsurprisingly) cannot intercept VPN traffic. Leaving this comment here in case it helps someone in the future when they search and find this result.

Glad to hear that works in your scenario!

And this will help other users check whether their clients are running VPN software.

Many thanks!

Hi, thanks for the tutorial. I have several questions:

Flint 2 v4.8.3: Chrony was absent, so I installed it manually. Does it depend on the model which version supports Chrony by default?

I am getting duplicates:

iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 891 packets, 241K bytes)
 pkts bytes target     prot opt in     out     source               destination
   50  3800 DNAT       udp  --  br-lan any     anywhere             anywhere             udp dpt:ntp to:192.168.x.1:123
    0     0 DNAT       udp  --  br-guest any     anywhere             anywhere             udp dpt:ntp to:192.168.y.1:123
    0     0 DNAT       udp  --  br-lan any     anywhere             anywhere             udp dpt:ntp to:192.168.x.1:123
    0     0 DNAT       udp  --  br-guest any     anywhere             anywhere             udp dpt:ntp to:192.168.y.1:123
cat /etc/firewall.user
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 123 -j DNAT --to-destination 192.168.x.1:123
iptables -t nat -A PREROUTING -i br-guest -p udp --dport 123 -j DNAT --to-destination 192.168.y.1:123

Can it be related to my configuration for guest network also?

cat /etc/chrony/chrony.conf
# Load UCI configuration
confdir /var/etc/chrony.d

# Load NTP servers from DHCP if enabled in UCI
sourcedir /var/run/chrony-dhcp

# Log clock errors above 0.5 seconds
logchange 0.5

# Don't log client accesses
noclientlog

# Mark the system clock as synchronized
rtcsync

# Record the clock's drift
driftfile /var/run/chrony/drift

# Save NTS keys and cookies
ntsdumpdir /var/run/chrony
# allow 192.168.x.1
allow 192.168.x.0/24
# allow 192.168.y.1
allow 192.168.y.0/24

Thanks

Truly sorry, Flint2/MT6000 v4.8.3 does not yet support chronyd; it still uses sysntpd.

Please first upgrade your Flint2 to the latest firmware v4.8.4, and configure it with this guide.

If you have to stay on v4.8.3, please refer to this guide:

Some of us don’t have a Windows PC or Powershell.

Is there a bash or zsh command that will do the same as w32tm /stripchart /computer:123.123.123.123 /dataonly /samples:3 ?

Since the time synchronization services of open source systems may differ, it depends on which service your system uses.

For example:

ntpdate -q 123.123.123.123
chronyd -Q 'server 123.123.123.123 iburst'