Teacher

Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

I have a Pace 5268AC and have my own router behind it using DMZplus. The firmware versions are:

Hardware Version: 260-2173300
Software Version: 10.5.3.527171-att

 

I can't get any devices to sync time using NTP. This includes laptops, desktops, Raspberry Pis and other devices. This is causing me no end of issues as with devices so far out of sync SSL certs fail checks, services on Linux boxes hang etc.

 

I have searched everywhere and found references to others having issues but haven't found any solutions. I have tried factory resetting the 5268AC and tried adjusting the "Strict UDP Session Control" setting in the Advanced firewall tab.

 

I find it hard to accept that no Gigapower users are allowed to sync time. Am I missing something? Is this a bug in the 5268AC? Any help would be very much appreciated.

 

Thanks!

Message 1 of 67
Teacher

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Not that I am aware of. The problem for folks without firewalls that do port level masquerading will be that modern operating systems like Windows (7/8/10), OS X, Linux (most distros use NTPD by default) and many IoT devices will source their NTP queries on UDP 123 and therefore be blocked. This is what originally brought me here: I had a Ubiquiti UniFi USG and it apparently didn't do port level masquerading, whereas pfSense does. I am still playing with the USG to see if I can get it to also do the masquerading.

 

I am not familiar with modern consumer routers like ASUS and Netgear so I am not sure if they perform the port level masquerading. As you don't seem to have any issues with your ASUS I would bet that it is doing this for you.

Message 16 of 67
ACE - Expert

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Most TCP client programs don't specify the source port when they open it; they just let the OS assign an available port.  NTP daemons operating in "symmetric mode" would send packets with a source port of 123 by just using their listening port. Per the NTP RFC however, in "asymmetric mode" the source port would be a dynamic port.  I'm not an expert on NTP, so maybe symmetric is the default mechanism, but it seems strange to me; in any case, if the NTP client doesn't use port 123, then there is no need for any firewall or router to masquerade the source port.

I don't know whether the ASUS always modifies the source port or only modifies the source port when necessary to prevent ambiguity (i.e. when there is already an outbound connection using that port) when performing the NPAT operation.  I should throw wireshark on there and take a look.  If it doesn't always do it, and only does it to prevent conflict, then it shouldn't be reliable enough to allow it to function.

Message 17 of 67
Tutor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Hardware Version:  260-2173300
Software Version:  10.5.3.527283-att

 

I wouldn't be so quick to dismiss it being an issue with the Pace 5268AC or at least an incompatibility between the Pace and your router in DMZ+.

I upgraded to Gigapower this past week (on 1/19/2017).  Prior to the upgrade, I had an Arris NVG589 supplied by AT&T with my personal router in DMZ+.  My router and other devices were able to sync time through NTP without any issues or special effort on my part.

 

After upgrading to Gigapower, now having the Pace 5268AC with my personal router still in the same DMZ+ configuration,  NTP appears to be broken on my network.  My Netgear router cannot sync time. Other devices cannot sync time.

 

So, it appears to have something to do with the Pace 5268AC or some incompatibility between it and my Netgear router.

Message 18 of 67
Tutor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Just as a quick note.  I took my Netgear router out of DMZ+ and it started syncing time again.  Put the router back into DMZ+ and it couldn't sync time.  Regardless, the 5268AC is maintaining accurate time for itself.  So I'm wondering if AT&T has the 5268AC syncing time externally using some configuration consumers can't see/touch.  I'm also wondering if internal NTP requests are somehow being captured by the 5268AC and handled when DMZ+ is not set.  Once DMZ+ is set and all the traffic passes through, the 5268AC can't intervene in the NTP requests and so NTP sync fails.  Just some thoughts.

Message 19 of 67
Teacher

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

I have confirmed that if you initiate a UDP connection with a source port of 123, it will be blocked while using this AT&T box (PACE 5268AC) in DMZ+ mode. If you have the ability, you can use your own NAT service rule to rewrite the packet to use a non 123 source port (again, destination UDP/123 is totally fine, it's only when the packet leaves with a source port of UDP/123).

Message 20 of 67
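To check the behaviour this post describes (destination UDP/123 passes, a packet that leaves with source UDP/123 is dropped), here is a small probe added for this write-up; it is not code from the thread or from AT&T. It sends the same plain NTPv4 client request to a server twice, once from an OS-chosen ephemeral port and once bound to source port 123, and reports which attempt gets a reply. Binding to port 123 needs root (or CAP_NET_BIND_SERVICE) and nothing else listening on 123 locally, and the default server name `pool.ntp.org` is just an assumed placeholder you can replace.

```python
"""Probe whether NTP client traffic with UDP source port 123 is being dropped.

Added example for this thread, not the poster's code. It sends the same
NTPv4 client request twice: once from an ephemeral source port and once
bound to source port 123, and parses whatever reply comes back.
"""
import socket
import struct
import sys
import time

NTP_PORT = 123
NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def build_client_request(version=4):
    """48-byte NTP packet: LI=0, VN=version, mode 3 (client), everything else zero."""
    first_byte = (0 << 6) | (version << 3) | 3
    return bytes([first_byte]) + bytes(47)


def parse_reply(data):
    """Decode the fields a client cares about from a 48-byte server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first_byte = data[0]
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])  # Transmit Timestamp
    return {
        "li": first_byte >> 6,
        "version": (first_byte >> 3) & 0x7,
        "mode": first_byte & 0x7,            # 4 = server reply
        "stratum": data[1],
        "unix_time": tx_secs - NTP_UNIX_OFFSET + tx_frac / 2**32,
    }


def query(server, source_port=0, timeout=3.0):
    """Send one request; return the parsed reply, or None on timeout.

    source_port=0 lets the OS pick an ephemeral port. source_port=123
    needs root (or CAP_NET_BIND_SERVICE) and nothing else bound to 123.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(("", source_port))
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (server, NTP_PORT))
        data, _ = sock.recvfrom(512)
        return parse_reply(data)
    except socket.timeout:
        return None
    finally:
        sock.close()


def probe(server):
    """Run both probes; a reply on 'ephemeral' but none on 'sport-123' is the gateway block."""
    return {label: query(server, sport) for label, sport in (("ephemeral", 0), ("sport-123", 123))}


if __name__ == "__main__":
    # Assumed default server; pass your own as the first argument.
    server = sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org"
    for label, reply in probe(server).items():
        if reply is None:
            print(f"{label:10s}: no reply (timed out)")
        else:
            print(f"{label:10s}: mode {reply['mode']}, stratum {reply['stratum']}, "
                  f"server time {time.ctime(reply['unix_time'])}")
```

If only the sport-123 probe times out you are looking at the source-port block this post describes rather than a general NTP outage; if both time out, check DNS and upstream connectivity first.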
Contributor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

@ATTU-verseCare so is there any exception/remedy to this? I can't seem to find any way for the Pace to act like an NTP server and if we can't sync from KNOWN GOOD servers then....

what should we do? We can't reasonably be expected to spin up pfSense routers to get around this.

Message 21 of 67

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

All - I am having the same problem.  I am trying to set up an ASUS RT-N66R behind my AT&T Pace 5268AC and am not able to sync to any NTP servers.  @ATTU-verseCare  This is causing problems such as connectivity issues for certain things.  Please provide a solution ASAP as I may need to cancel my service and switch back to Charter, as I never had problems putting my own router behind my Charter modem.

@jake6956 wrote:

@ATTU-verseCare so is there any exception/remedy to this? I can't seem to find any way for the Pace to act like an NTP server and if we can't sync from KNOWN GOOD servers then....

what should we do? We can't reasonably be expected to spin up pfSense routers to get around this.

 

Thanks for any and all advice!

Message 22 of 67
Teacher

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

(I hope thread necromancy is allowed here.  My apologies if it's not.)

 

New AT&T U-verse customer here and ran into this problem myself tonight.  I've been involved in the NTP Community for a long time and I know exactly why AT&T did this -- Google "NTP reflection attack" -- but still, not cool.  Not cool at all.  This breaks the reference NTP implementation.  NTP is a critical protocol; blocking it breaks all manner of important stuff, some of it life essential.

 

AT&T really should rethink this particular port block.  The reflection attacks are not as big of a problem as they were a few years ago.  They were only a problem with bad ntpd configurations, which weren't that common, and in any event ntpd was patched years ago.

 

FWIW, you can bypass this if your router is Linux based:

  

iptables -t nat -I POSTROUTING -p udp --sport 123 -j MASQUERADE --to-ports 49152-65535 --random

This will mangle the source port of outgoing ntp packets to use the IANA ephemeral port range.

 

 

Message 23 of 67
Contributor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

I am also an AT&T Gigapower customer having this exact issue in DMZ+ mode.  My Ubiquiti USG cannot set the proper date/time, which is causing me multiple issues.  This is a really bad case of taking a hatchet to a problem when a scalpel is more appropriate.  Please AT&T reconsider blocking port 123!

Message 24 of 67
Teacher

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Hey,

 

You can find a solve for the Ubiquiti USG here (note this is for the USG Pro4, you will have to change the interface listed and possibly the rule number for the non Pro USG).

 

The good news is with this fix it will also resolve the issue for all gear on your network, not just the USG!

 

Hope this helps.

Message 25 of 67
Mentor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

I am also having this annoying problem with the same gateway. I am using Windows 10 Pro and an ASUS RT-AC3200 router. The Gateway is set to DMZ+ (closest thing to bypass mode).

 

I cannot find a way to do port forwarding on the output side using this router so that I can get to the NTP server on a port other than the blocked port 123.

 

Can some one guide me through the process on this Windows based computer and ASUS router? 

Message 26 of 67
Teacher

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

DST Port (Destination Port) 123 is not blocked.

SRC Port (Source Port) 123 is blocked, ostensibly to prevent you from running a server which may be vulnerable to amplification attacks, not a client, but many clients (including the reference implementation!) use 123 as both a SRC and DST port.....

The only way to work around this when rolling your own router is to get the router to mangle the SRC port. I posted sample rules earlier to do this with Linux based routers. It may not be possible with your router, at least with stock firmware; that's something someone who is more familiar with ASUS will have to answer.
Message 27 of 67
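Before touching router rules it helps to know which LAN devices actually send with source port 123 (ntpd-style) and which already use an ephemeral port and are unaffected. The following is an added example, not from this post or from any vendor: a minimal Ethernet/IPv4/UDP header parser that applies the rule stated above (destination 123 is fine, source 123 is dropped) and lists the hosts whose queries would be dropped. The three frames it inspects are constructed inline with zeroed MACs and checksums and hypothetical addresses; on a real network you would feed it the raw frames from a tcpdump capture on the router's LAN side instead.

```python
"""Find LAN hosts whose NTP queries leave with UDP source port 123.

Added example for this thread: the 5268AC in DMZ+ passes packets to
destination UDP/123 but drops packets whose *source* port is 123, so
the hosts that need a source-port rewrite are the ones binding their
client socket to 123.
"""
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
NTP_PORT = 123


def parse_udp_frame(frame):
    """Return (src_ip, dst_ip, sport, dport) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20 + 8:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes, options included
    if ip[9] != PROTO_UDP or len(ip) < ihl + 8:
        return None
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, sport, dport


def classify_ntp(frame):
    """Apply the gateway's rule to one frame.

    Returns None for non-NTP traffic, otherwise (src_ip, dst_ip, sport, dropped)
    where dropped is True when the source port is 123.
    """
    parsed = parse_udp_frame(frame)
    if parsed is None:
        return None
    src, dst, sport, dport = parsed
    if dport != NTP_PORT:
        return None
    return src, dst, sport, sport == NTP_PORT


def blocked_hosts(frames):
    """Source addresses whose NTP queries would be dropped upstream."""
    hosts = set()
    for frame in frames:
        result = classify_ntp(frame)
        if result is not None and result[3]:
            hosts.add(result[0])
    return hosts


def make_udp_frame(src, dst, sport, dport, payload):
    """Build a constructed test frame (zero MACs, zero checksums; the parser ignores both)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, 0, 64, PROTO_UDP, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


NTP_CLIENT_REQUEST = bytes([0x23]) + bytes(47)  # LI=0, VN=4, mode 3 (client)

# Constructed sample capture: hypothetical LAN and server addresses.
SAMPLE_FRAMES = [
    make_udp_frame("192.168.1.10", "203.0.113.5", 123, 123, NTP_CLIENT_REQUEST),    # ntpd-style
    make_udp_frame("192.168.1.20", "203.0.113.5", 54321, 123, NTP_CLIENT_REQUEST),  # ephemeral sport
    make_udp_frame("192.168.1.20", "192.168.1.1", 50000, 53, bytes(12)),            # DNS, ignored
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        result = classify_ntp(frame)
        if result:
            src, dst, sport, dropped = result
            print(f"{src} -> {dst} sport {sport}: {'DROPPED' if dropped else 'passes'}")
    print("hosts needing a source-port rewrite:", sorted(blocked_hosts(SAMPLE_FRAMES)))
```

Hosts it reports are the ones the earlier iptables MASQUERADE rule (or an equivalent source NAT on your router) has to cover; hosts already using an ephemeral port pass untouched.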
Tutor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

May I ask, which NTP servers are you using? I have been struggling with this issue for more than a year. Before, when I had an AT&T DSL line, I didn't have this issue.

Now, none of the NTP servers I have tried is working. Maybe AT&T has its own NTP servers?

Message 28 of 67
Teacher

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

There are no internal AT&T NTP servers as far as I know, and you cannot access any external ones when using DMZ+ Mode on the 5268AC.

 

You have two options:

  1. Have your router masquerade the traffic before it leaves your network so it isn't dropped by the 5268AC. This has been discussed earlier in this thread. The problem here is some routers won't have the capability to do this. pfSense, Ubiquiti USG, Ubiquiti Edgerouter etc can but consumer routers like Netgear, Asus etc may not.
  2. Call AT&T and have them replace your 5268AC with another gateway. I currently have a BGW210 and it doesn't seem to have this issue.
Message 29 of 67

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

You also have a third option that I use... If you have a VPN subscription like PIA (PrivateInternetAccess), I've found this bypasses whatever blocking is occurring on the Pace and works fine to update my machines. I do this every few months to keep my PCs updated and bypass all the frustration with other workarounds. This might not work for all scenarios you might need, but it is another option.

Message 30 of 67