AT&T FIber Network Blocks NTP - DNS Masquerade

[kryptto]

Team,

How would I go about forwarding the NTP UDP packets from port 123 to a >1024 port. Looking for a starting point. http://www.att.com/gen/public-affairs?pid=20879

Other routers use masquerade, anything similar.

Any advice where to start? Thanks!

 

[ColinTaylor]

I'm struggling to understand what you are trying to achieve here.

The router will masquerade all outgoing LAN traffic by default. I can't believe that AT&T are actually blocking NTP in it's entirety otherwise their customers would be kicking up a fuss. And even if they were there would be nothing you could do about it on the router.

 

[kryptto]

From this post: https://forums.att.com/t5/AT-T-Fibe...AC-in-DMZplus-blocks-UDP-123-NTP/td-p/5014592

So I found this from the post link above:

You can find a solve for the Ubiquiti USG here (note this is for the USG Pro4, you will have to change the interface listed and possibly the rule number for the non Pro USG).

The good news is with this fix it will also resolve the issue for all gear on your network, not just the USG!

 

[ColinTaylor]

It looks like they are only blocking outbound traffic so you could test a masquerade rule from the command line and if it works put it in a nat-start script.

So from the routers command line just type:

iptables -t nat -I POSTROUTING -o $(nvram get wan0_ifname) -p udp --sport 123 -j MASQUERADE --to-ports 49152-65535 --random

 

[kryptto]

It looks like they are only blocking outbound traffic so you could test a masquerade rule from the command line and if it works put it in a nat-start script.

So from the routers command line just type:

iptables -t nat -I POSTROUTING -o $(nvram get wan0_ifname) -p udp --sport 123 -j MASQUERADE --to-ports 49152-65535 --random

@colin, thanks for stalking me

So that worked, I created a nat-start file using WinSCP (being descriptive here to teach others) a new file in the jffs/scripts/ directory called nat-start. Then added the following and saved it with all file properties = permissions equaling 0777.

#!/bin/sh
iptables -t nat -I POSTROUTING -o $(nvram get wan0_ifname) -p udp --sport 123 -j MASQUERADE --to-ports 49152-65535 --random

DONT forget a reboot of the router after adding this file.

This seems to work and want to pass along the knowledge you provided to other. Thanks again!

To be honest this is a draconian idea by an ISP to block outbound NTP since it is a standard WITHOUT publishing a NTP server inside their network to help their customers devices sync. NOT everyone uses just their cell phone, which will sync with cell towers, and a tablet or two that might have cell connectivity as well.

If this post can help anyone else that will be good. Seriously contemplating going back to my 100mb carrier Comcast over continuing to pay AT&T for 1gb fiber until they shift their thinking.

Posted as of 10/18/17 they are still continuing to block this service: https://forums.att.com/t5/AT-T-Fiber-Equipment/blocked-ports/m-p/5295640

 

[gkasica]

I'm struggling to understand what you are trying to achieve here.

The router will masquerade all outgoing LAN traffic by default. I can't believe that AT&T are actually blocking NTP in it's entirety otherwise their customers would be kicking up a fuss. And even if they were there would be nothing you could do about it on the router.

 

[gkasica]

Yes they're blocking it and have been since June of 2016 on Uverse. I run 3 Stratum-1 clocks here and dumped them as a provider after they refused to unblock my fixed IP block which they insisted wasn't blocked but had worked fine from the date of install some 6 years years earlier and just died. I worked with several folks from the NTP groups to gather evidence of the blocking and AT&T simply ignored it even when we narrowed it down to the exact router on their network. As far as kicking up a fuss most folks don't care as its outbound only blocking, ie source route blocking. Inbound its just fine.

 

[kryptto]

@gkasica YUP

https://www.att.com/gen/public-affairs?pid=20879

Port 123/UDP: Network Time Protocol (NTP) is used to accurately synchronize computer time of day to a reference time server. Some aspects of Port 123 may be limited to minimize malicious use. Poorly-configured NTP servers can be used for Reflective DDOS attacks, and some devices provide NTP service inadvertently, which exacerbates the port’s malicious use.

 

[kryptto]

SO, I wanted to do a post-mortem, I was having a couple of issues to be honest before posting this request. My NTP on ALL devices broke, (check) AND my DMZ+ configured Pace 5268AC AT&T U-verse gateway between my ASUS RT-AC87 was dropping internet connectivity. The WAN light every couple of minutes to 30-45 seconds would indicate the WAN connectivity was down and would turn RED and drop connectivity.

One of the errors logging into the RT-AC87 was that it hadnt sync'd with NTP, and its system time WAS WAY off. My previous experiences as a sys admin had always shown me too much time drift on a windows domain could cause huge issues. After Colin assisted me with this randomized port routing for NTP, the router corrected its time, and now my devices are all in sync. I have noticed the constant random dropping of WAN traffic from the Asus router has now stabilized.

Keeping my fingers crossed this one simple fix might be a huge weight off my back.

This is the best community for support and assistance!