Posted: Thu May 14, 2015 8:07 Post subject: NTP not working for clients behind DD-WRT Router
Hi,
I have a TP-Link WR1043ND router behind a Cisco cable modem. The router is running the newest DD-WRT, but I tried also with 3 other versions from last year. There are 5 PCs connected to the router by gbit cable: 1 is running Linux Mint, 2 Win 7, 1 Win 8.1 and a Raspberry Pi. None of them are able to get the right time through NTP. The router itself works with NTP and gets the right time after every reboot.
There are only 3 options I figured out by now where NTP is working.
1) One of the Win 7 machines connects to a corporate VPN several times a day for work, and if it's connected to the VPN, NTP is working
2) The Win 8 machine is near the cable modem. If I unplug the pc from the router and put it directly into the cable modem NTP is working for this machine, too. (UPDATE: Proved to be wrong! See below)
3) On the Raspberry Pi it is possible to update the time with "ntpdate -u pool.ntp.org"; this seems to work because the -u option uses a different source port than UDP 123
It seems to me that something on DD-WRT is blocking UDP 123. I didn't know if I misconfigured something in the process so I did a factory reset but it didn't help. My next idea was to open port 123 completely by adding the firewall rules:
Code:
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
and enable logging to see what happens. This is from the logfile if I try several NTP servers:
After reading your comment I did some retesting and put the original firmware on my router, with no luck. Then I connected my PC to the cable modem directly again, because it should have worked with the original firmware if it had been a DD-WRT issue. This didn't work either, even though I tried the same thing 2 days ago and it worked. I don't know if it was luck or a false message on my Windows machine. I don't know.
I tried several NTP servers now directly connected to the cable modem and it did NOT work.
To see if it's not my pc I did setup a VPN connection to my workplace and it synced fine.
So I think it's safe to assume that my ISP is blocking UDP 123 as you suggested and this is not a DD-WRT problem.
The only thing I don't understand is why my router has the exact time. It shouldn't be able to sync itself, or should it?
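To make the source-port point in the thread concrete (ntpdate -u working where the clients' normal NTP does not), here is an added example that is my code, not from this thread: a minimal NTP client in Python that sends a mode 3 request either from an ephemeral source port or from a fixed source port 123, and computes the clock offset from the reply. The destination is always UDP 123; build_sample_reply produces a constructed reply for offline use, and pool.ntp.org is the server name used in the thread.

```python
import socket
import struct
import time

NTP_EPOCH = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

def to_ntp(unix_time):  # Unix float seconds -> (NTP seconds, 32-bit fraction)
    return int(unix_time) + NTP_EPOCH, int((unix_time % 1) * (1 << 32))

def from_ntp(secs, frac):
    return secs - NTP_EPOCH + frac / (1 << 32)

def build_request(t1):
    """48-byte NTPv4 client packet (LI=0, VN=4, mode 3) carrying our transmit time t1."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3
    struct.pack_into("!II", pkt, 40, *to_ntp(t1))  # Transmit Timestamp = bytes 40..47
    return bytes(pkt)

def build_sample_reply(t1, t2, t3, stratum=2):
    """Constructed server reply (mode 4) for offline testing, not captured traffic."""
    pkt = bytearray(48)
    pkt[0], pkt[1] = (4 << 3) | 4, stratum
    struct.pack_into("!IIIIII", pkt, 24, *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))
    return bytes(pkt)

def parse_reply(data, t4):
    """Return (stratum, clock offset in seconds) from a reply received at local time t4."""
    if len(data) < 48 or (data[0] & 0x07) != 4:
        raise ValueError("not an NTP server reply")
    f = struct.unpack("!IIIIII", data[24:48])  # Originate, Receive, Transmit timestamps
    t1, t2, t3 = from_ntp(*f[0:2]), from_ntp(*f[2:4]), from_ntp(*f[4:6])
    return data[1], ((t2 - t1) + (t3 - t4)) / 2  # RFC 5905 offset formula

def query(server, source_port=0, timeout=3.0):
    """source_port=0 picks an ephemeral port (what ntpdate -u does); 123 mimics a
    client that talks 123->123 and needs root to bind. Returns None on no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", source_port))
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None  # server unreachable, or UDP 123 filtered somewhere on the path
        return parse_reply(data, time.time())

if __name__ == "__main__":  # offline demo: constructed reply from a server 4 s ahead of us
    print(parse_reply(build_sample_reply(1000.0, 1005.0, 1005.0), 1002.0))  # (2, 4.0)
```

Running query("pool.ntp.org") and query("pool.ntp.org", 123) from the same machine shows whether only the fixed-source-port exchange gets no reply.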
Will the forwarding rule be one rule, or will there need to be one per client that wants access? I tried to install the NTP daemon server and pointed my Windows clients to use the router as the local NTP server, to no avail, so I think the forwarding rule or rules will be the way to go. Would you mind giving an example of a rule where one of the Windows IPs is 123.456.789.0?
From the mixed stuff I had read, one of the opinions is that iptables rules aren't needed for the output port, which is the only type of port needed for NTP to sync properly (port 123 UDP out). And another opinion I read says something about bidirectionality of NTP.
Right now, I feel like this is the closest I've been to finding out since I feel with all the interfaces in a router, the best way to address this is with this forum.
I had also tried different permutations of disabling NAT and the firewall (off/on, off/off, on/on, on/off), but that had no impact, which struck me as very odd.
Also, sometimes some of the clients successfully sync up when behind the router, and even then they can be off by an hour. But they ALWAYS sync up to the minute immediately upon connecting directly to the gateway/modem.
So I feel like I've exhausted my options, short of, I suppose, actually learning how iptables rules work.