Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Teacher

I have a Pace 5268AC and have my own router behind it using DMZplus. The firmware versions are:

Hardware Version: 260-2173300
Software Version: 10.5.3.527171-att


I can't get any devices to sync time using NTP. This includes laptops, desktops, Raspberry Pis and other devices. This is causing me no end of issues as with devices so far out of sync SSL certs fail checks, services on Linux boxes hang etc.

 

I have searched everywhere and found references to others having issues but haven't found any solutions. I have tried factory resetting the 5268AC and tried adjusting the "Strict UDP Session Control" setting in the Advanced firewall tab.

 

I find it hard to accept that no gigapower users are allowed to sync time, am I missing something? Is this a bug in the 5268AC? Any help would be very much appreciated.

 

Thanks!

6,714 Views
Message 1 of 67
Tutor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Thank you very much, let me try 

Message 61 of 67
Tutor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

@az5125

It works, it works.... awesome..

Thank you so much. Thanks everyone..

Got it to work.. very cool

Message 62 of 67
Tutor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Capture.GIF

 

 

Message 63 of 67
Teacher

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

To set this up on Mikrotik, you need:

chain srcnat
protocol udp
src port (NOT dst port) 123
action masquerade
to-ports 10000-20000

Minor nit: IANA recommends 49152 to 65535 ephemeral ports. If you're going to rewrite the packet may as well do it with best practices in mind.

 

Message 64 of 67
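
A way to check, from a host behind the gateway, whether NTP replies come back when the query leaves from source port 123 versus an ephemeral port, which is the distinction the srcnat rule in the post above matches on. This is an added example, not part of the thread; the default server pool.ntp.org and the function names are assumptions.

```python
import socket
import struct
import sys

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, all other fields zero."""
    return struct.pack("!B47x", (0 << 6) | (4 << 3) | 3)


def parse_reply(data: bytes) -> dict:
    """Extract mode, stratum and transmit time from an NTP reply."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    first, stratum = struct.unpack("!BB", data[:2])
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {"mode": first & 0x7, "stratum": stratum,
            "unix_time": secs - NTP_EPOCH_OFFSET + frac / 2**32}


def probe(server: str, src_port: int, timeout: float = 3.0):
    """Query server:123 from the given local UDP port (0 = OS-chosen ephemeral).
    Returns the parsed reply, or None if nothing came back before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", src_port))
        sock.sendto(build_request(), (server, 123))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
        return parse_reply(data)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org"  # assumed server
    for label, port in (("source port 123", 123), ("ephemeral source port", 0)):
        try:
            reply = probe(server, port)
        except OSError as exc:  # port 123 needs root and must not be held by ntpd/chronyd
            print(f"{label}: could not send ({exc})")
            continue
        if reply is None:
            print(f"{label}: no reply before timeout")
        else:
            print(f"{label}: stratum {reply['stratum']}, time {reply['unix_time']:.3f}")
```

If the ephemeral-port query gets an answer and the port-123 query times out, rewriting the source port on the inner router is the relevant fix.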
Tutor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Thanks, I will change it.

Message 65 of 67
Contributor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Late to the party here, but with some datapoints for general reference.

 

I have ATT uVerse as provided by a reseller (sonic.net). My router is NVG589.

 

I run ntpsec.anastrophe.com stratum 1 on a Raspberry Pi. I have other servers on my network, so I'm just using NAT. I have numerous peers and clients. All traffic is source port 123, destination port 123.

 

Regular client applications cannot connect to my server, because they use unprivileged source ports. This traffic is being blocked upstream of me - from an offsite server:

 

13:40:23.790824 IP 10.125.75.117.49155 > 108.196.98.101.123: NTPv4, Server, length 3
13:40:31.087135 IP 10.125.75.117.49155 > 108.196.98.101.123: NTPv4, Server, length 3
13:40:31.123334 IP 12.122.136.185 > 10.125.75.117: ICMP host 108.196.98.101 unreachable - admin prohibited filter, length 76
13:40:57.974002 IP 10.125.75.117.65000 > 108.196.98.101.123: NTPv4, Server, length 3
13:40:58.010980 IP 12.122.136.185 > 10.125.75.117: ICMP host 108.196.98.101 unreachable - admin prohibited filter, length 76

 

Kind of a pain, but since I'm primarily interested in peering stratum 1, it's only a small population that's affected (though it would be nice if they could connect too).

 

Maybe this will help someone.

Message 66 of 67
Mentor

Re: Pace 5268AC in DMZplus blocks UDP 123 (NTP)?

Thanks for the update but I found a way have then using a 3rd party app
that took care of that.

Since then I relocated back to California and had to switch to Spectrum
400/20 internet as at&t's offering was pitiful DSL.

Note that the Spectrum service has been great and it didn't block any NTP
ports.
Message 67 of 67