AT&T Fiber Network Blocks NTP - DNS Masquerade

kryptto

Team,

How would I go about forwarding the NTP UDP packets from port 123 to a >1024 port? Looking for a starting point: http://www.att.com/gen/public-affairs?pid=20879

Other routers use masquerade; is there anything similar?

Any advice where to start? Thanks!
 
I'm struggling to understand what you are trying to achieve here.

The router will masquerade all outgoing LAN traffic by default. I can't believe that AT&T are actually blocking NTP in its entirety, otherwise their customers would be kicking up a fuss. And even if they were, there would be nothing you could do about it on the router.
 
It looks like they are only blocking outbound traffic, so you could test a masquerade rule from the command line and, if it works, put it in a nat-start script.

So from the router's command line just type:

Code:
iptables -t nat -I POSTROUTING -o $(nvram get wan0_ifname) -p udp --sport 123 -j MASQUERADE --to-ports 49152-65535 --random
 
@colin, thanks for stalking me ;)

So that worked. I created a nat-start file using WinSCP (being descriptive here to teach others): a new file in the jffs/scripts/ directory called nat-start. Then I added the following and saved it with file permissions set to 0777.

Code:
#!/bin/sh
# Rewrite the source port of outbound NTP (UDP sport 123) leaving the WAN interface
# to a random high port; conntrack maps the server's reply back to port 123 on the LAN host.
iptables -t nat -I POSTROUTING -o "$(nvram get wan0_ifname)" -p udp --sport 123 -j MASQUERADE --to-ports 49152-65535 --random

Don't forget to reboot the router after adding this file.

This seems to work, and I want to pass along the knowledge you provided to others. Thanks again!

To be honest, this is a draconian idea by an ISP: to block outbound NTP, since it is a standard, WITHOUT publishing an NTP server inside their network to help their customers' devices sync. NOT everyone uses just their cell phone, which will sync with cell towers, and a tablet or two that might have cell connectivity as well.

If this post can help anyone else, that will be good. Seriously contemplating going back to my 100 Mb carrier Comcast over continuing to pay AT&T for 1 Gb fiber until they shift their thinking.

Posted as of 10/18/17 they are still continuing to block this service: https://forums.att.com/t5/AT-T-Fiber-Equipment/blocked-ports/m-p/5295640
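A hardened version of the same nat-start script, added here as an example rather than code posted in this thread. It keeps the rule exactly as above but checks with iptables -C before inserting, because nat-start can be run again whenever the firewall or WAN is restarted, and a bare -I stacks a duplicate rule at the head of the chain each time. The WAN interface name still comes from nvram get wan0_ifname on the router; when nvram is absent (off the router) the script only defines its functions, so it can be read and exercised elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): an idempotent nat-start for an Asuswrt-Merlin
# router that rewrites the source port of outbound NTP (UDP sport 123) to a random
# high port, so an ISP filter that drops packets with source port 123 lets them
# through. Conntrack maps the server's reply back to port 123 on the LAN host.

# Print the rule body shared by the check (-C) and insert (-I) calls.
# $1 is the WAN interface name (on the router: nvram get wan0_ifname).
ntp_masq_rule() {
    printf '%s' "POSTROUTING -o $1 -p udp --sport 123 -j MASQUERADE --to-ports 49152-65535 --random"
}

# Insert the rule only if it is not already present. nat-start can run more than
# once per boot (every firewall/WAN restart), and a bare -I would then add a
# duplicate rule at the head of the chain each time.
apply_ntp_masq() {
    wan_if=$1
    rule=$(ntp_masq_rule "$wan_if")
    # $rule is deliberately unquoted: it is a list of iptables arguments.
    if iptables -t nat -C $rule 2>/dev/null; then
        echo "ntp masquerade rule already present on $wan_if"
        return 0
    fi
    iptables -t nat -I $rule
    echo "inserted ntp masquerade rule on $wan_if"
}

# Only act when running on the router (nvram exists there); elsewhere this file
# just defines the functions above.
if command -v nvram >/dev/null 2>&1; then
    apply_ntp_masq "$(nvram get wan0_ifname)"
fi
```

Install it as /jffs/scripts/nat-start; 0755 is enough, since the script runs as root and 0777 would let any local account rewrite it. Only packets whose source port is 123 match the rule, so clients that already send NTP from an ephemeral port are left untouched, and the router's own NTP client is covered too because locally generated packets also pass through nat POSTROUTING on the WAN interface. Verify with `iptables -t nat -L POSTROUTING -v -n`, which should show exactly one MASQUERADE line for udp spt:123 no matter how many times nat-start has run.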
 
Yes, they're blocking it and have been since June of 2016 on U-verse. I run 3 Stratum-1 clocks here and dumped them as a provider after they refused to unblock my fixed IP block, which they insisted wasn't blocked but had worked fine from the date of install some 6 years earlier and just died. I worked with several folks from the NTP groups to gather evidence of the blocking and AT&T simply ignored it, even when we narrowed it down to the exact router on their network. As far as kicking up a fuss, most folks don't care as it's outbound-only blocking, i.e. source route blocking. Inbound it's just fine.
 
@gkasica YUP

https://www.att.com/gen/public-affairs?pid=20879

Port 123/UDP: Network Time Protocol (NTP) is used to accurately synchronize computer time of day to a reference time server. Some aspects of Port 123 may be limited to minimize malicious use. Poorly-configured NTP servers can be used for Reflective DDOS attacks, and some devices provide NTP service inadvertently, which exacerbates the port’s malicious use.
 
SO, I wanted to do a post-mortem. To be honest, I was having a couple of issues before posting this request. My NTP on ALL devices broke (check), AND my DMZ+ configured Pace 5268AC AT&T U-verse gateway between my ASUS RT-AC87 was dropping internet connectivity. Every couple of minutes, for 30-45 seconds, the WAN light would turn RED to indicate that WAN connectivity was down, and connectivity dropped.

One of the errors on logging into the RT-AC87 was that it hadn't synced with NTP, and its system time WAS WAY off. My previous experience as a sysadmin had always shown me that too much time drift on a Windows domain could cause huge issues. After Colin assisted me with this randomized port routing for NTP, the router corrected its time, and now my devices are all in sync. I have noticed that the constant random dropping of WAN traffic from the Asus router has now stabilized.

Keeping my fingers crossed this one simple fix might be a huge weight off my back.

This is the best community for support and assistance!
 