Through much trial and error I found what seems like a bug involving CTF. The symptoms appear to suggest that timestamps on some packets are incorrect when CTF is enabled. This has side effects for software that uses network timestamps to get the time, like NTP and Chrony. It may also be affecting my dnscrypt-proxy2, but I'm not positive of that yet.
The bug can be verified by enabling CTF and running tcpdump on the router. What you capture isn't important, just look at the timestamps. Some of the packets captured will have borked timestamps like this (see the packets with 00:00:00.xxxxxx timestamps):
Code:
00:00:00.857443 IP (tos 0x0, ttl 128, id 34890, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.127934 IP (tos 0x10, ttl 64, id 52196, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.137884 IP (tos 0x10, ttl 64, id 52197, offset 0, flags [DF], proto TCP (6), length 360)
00:00:00.857436 IP (tos 0x0, ttl 128, id 34891, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.147923 IP (tos 0x10, ttl 64, id 52198, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.157886 IP (tos 0x10, ttl 64, id 52199, offset 0, flags [DF], proto TCP (6), length 360)
00:00:00.857501 IP (tos 0x0, ttl 128, id 34892, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.167924 IP (tos 0x10, ttl 64, id 52200, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.177882 IP (tos 0x10, ttl 64, id 52201, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.180166 IP (tos 0x0, ttl 128, id 34893, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.187929 IP (tos 0x10, ttl 64, id 52202, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.197880 IP (tos 0x10, ttl 64, id 52203, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.200431 IP (tos 0x0, ttl 128, id 34894, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.207930 IP (tos 0x10, ttl 64, id 52204, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.210278 IP (tos 0x0, ttl 128, id 34895, offset 0, flags [DF], proto TCP (6), length 200)
14:59:42.210728 IP (tos 0x10, ttl 64, id 52205, offset 0, flags [DF], proto TCP (6), length 664)
14:59:42.217892 IP (tos 0x10, ttl 64, id 52206, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.219777 IP (tos 0x0, ttl 128, id 34896, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.227916 IP (tos 0x10, ttl 64, id 52207, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.237886 IP (tos 0x10, ttl 64, id 52208, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.240920 IP (tos 0x0, ttl 128, id 34897, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.247936 IP (tos 0x10, ttl 64, id 52209, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.257884 IP (tos 0x10, ttl 64, id 52210, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.259790 IP (tos 0x0, ttl 128, id 34898, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.267924 IP (tos 0x10, ttl 64, id 52211, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.277880 IP (tos 0x10, ttl 64, id 52212, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.280594 IP (tos 0x0, ttl 128, id 34899, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.287922 IP (tos 0x10, ttl 64, id 52213, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.297886 IP (tos 0x10, ttl 64, id 52214, offset 0, flags [DF], proto TCP (6), length 360)
00:00:00.857287 IP (tos 0x0, ttl 128, id 34900, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.307916 IP (tos 0x10, ttl 64, id 52215, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.317909 IP (tos 0x10, ttl 64, id 52216, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.320444 IP (tos 0x0, ttl 128, id 34901, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.327941 IP (tos 0x10, ttl 64, id 52217, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.337885 IP (tos 0x10, ttl 64, id 52218, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.339820 IP (tos 0x0, ttl 128, id 34902, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.347925 IP (tos 0x10, ttl 64, id 52219, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.357888 IP (tos 0x10, ttl 64, id 52220, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.361047 IP (tos 0x0, ttl 128, id 34903, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.367929 IP (tos 0x10, ttl 64, id 52221, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.377881 IP (tos 0x10, ttl 64, id 52222, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.379746 IP (tos 0x0, ttl 128, id 34904, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.387939 IP (tos 0x10, ttl 64, id 52223, offset 0, flags [DF], proto TCP (6), length 616)
14:59:42.397892 IP (tos 0x10, ttl 64, id 52224, offset 0, flags [DF], proto TCP (6), length 360)
14:59:42.400544 IP (tos 0x0, ttl 128, id 34905, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.406566 IP (tos 0x0, ttl 128, id 34906, offset 0, flags [DF], proto TCP (6), length 104)
14:59:42.407020 IP (tos 0x10, ttl 64, id 52225, offset 0, flags [DF], proto TCP (6), length 872)
These packets impair the functioning of NTP and/or Chrony so that clients cannot sync if one of the packets in the transaction is borked. Disabling CTF eliminates the problem.
Anyway, I would like to get this reported to Asus so I can enable CTF and have those applications functioning without issue on my router, but I'm not sure how to check for the issue on stock firmware.
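One way to check a capture for this symptom without reading it by eye, as an added example that is not part of the original post: a shell function that scans tcpdump text output for timestamps that fall behind the capture clock. The names `find_bad_stamps` and `sample_capture`, the `tol` and `gap` thresholds, and the sample lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads tcpdump text output on
# stdin, prints each packet line whose timestamp falls behind the capture
# clock (like the 00:00:00.xxxxxx lines above), then a summary line.
# tol and gap are assumed thresholds in seconds, not values from the post.
find_bad_stamps() {
    awk -v tol="${1:-1}" -v gap="${2:-3600}" '
    # Packet header lines start with HH:MM:SS.ffffff; skip everything else.
    $1 !~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+$/ { next }
    {
        split($1, p, ":")
        t = p[1] * 3600 + p[2] * 60 + p[3]    # seconds since midnight
        total++
        if (total == 1) { ref = t; first = $0; next }
        d = t - ref
        if (total == 2 && d > gap) {
            # Nothing precedes the first packet, so judge it by the second:
            # a continuous capture should not open with a gap this large.
            print first; bad++
        } else if (d < -tol && d + 86400 > gap) {
            # Stepped backwards and it is not a midnight rollover. Report
            # it and keep it from moving the reference clock.
            print; bad++
            next
        }
        ref = t
    }
    END { printf "total=%d bad=%d\n", total, bad }'
}

# Constructed sample in the same format as the capture in the post.
sample_capture() {
    cat <<'EOF'
00:00:00.857443 IP (tos 0x0, ttl 128, id 1, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.127934 IP (tos 0x10, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 616)
    192.0.2.1.22 > 192.0.2.10.50000: Flags [P.], length 576
00:00:00.857436 IP (tos 0x0, ttl 128, id 3, offset 0, flags [DF], proto TCP (6), length 40)
14:59:42.147923 IP (tos 0x10, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 616)
EOF
}

sample_capture | find_bad_stamps
```

On a live system, pipe `tcpdump -n -v` output into `find_bad_stamps`. A run of bad stamps at the very start of a capture is only detected for the first packet.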