What's new

YazFi Guest network cannot access NTP server

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

kspmtrp

New Around Here
Hi,

I have configured a guest network for IoT devices with the following settings:

1634044010609.png


When I try to access the Router's NTP server from a Windows machine connected to this guest WIFI network (192.168.2.0) it gives me an error. The command I use to check it is:
Code:
w32tm /stripchart /computer:192.168.2.1

But if I connect this machine to a non-guest network (192.168.1.0) it works:
Code:
w32tm /stripchart /computer:192.168.1.1

DNS lookups using 192.168.2.1 are working.

I don't want any device to access Internet (ping home) nor other LAN so I have the following custom rule:
Code:
iptables -I YazFiFORWARD -i wl0.2 -o vlan603 -j DROP

I tested to remove all custom rules, even temporary removing "Client Isolation", but it never works.

Am I missing something?
 
You would still have to use computer:192.168.1.1 as that is where the NTP server is. Unlike DNS YazFi doesn't create any more instances of the NTP server (AFAIK).

That said, you'd probably have to create a firewall rule that allowed the guest devices access to 192.168.1.1 on UDP port 123.
 
Sorry, I haven't been able to test it until today. I've just added a new rule, but it doesn't work either.

This is the fragment after executing "iptables --list -v"

Code:
Chain YazFiFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       192.168.1.1          0.0.0.0/0            udp spt:123
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.1          udp dpt:123
 1501  280K DROP       all  --  wl0.2  vlan603  0.0.0.0/0            0.0.0.0/0
 
I tested many things without luck. Any idea is welcomed.
One suggestion. Try installing and running Jack's ntpMerlin add-on script and using the NTPD time server setting in that script.
https://www.snbforums.com/threads/ntpmerlin-v3-x.68508/
https://github.com/jackyaz/ntpMerlin

If I'm reading the YazFi script code right. There is some coding (look for the "ENABLED_NTPD" entries) in the main YazFi script that may allow NTP traffic through when using that ntpMerlin script in conjunction with the YazFi script.
 
Sorry, I haven't been able to test it until today. I've just added a new rule, but it doesn't work either.

This is the fragment after executing "iptables --list -v"

Code:
Chain YazFiFORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       192.168.1.1          0.0.0.0/0            udp spt:123
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.1          udp dpt:123
1501  280K DROP       all  --  wl0.2  vlan603  0.0.0.0/0            0.0.0.0/0
Since 192.168.1.1 is a local ip you probably need to put this rule in YazFiINPUT instead of YazFiFORWARD.
As ntp is a local process on the router, in probably works to put in 192.168.2.1, you shouldn't have to mix in your lan subnet.

//Zeb
 
One suggestion. Try installing and running Jack's ntpMerlin add-on script and using the NTPD time server setting in that script.
https://www.snbforums.com/threads/ntpmerlin-v3-x.68508/
https://github.com/jackyaz/ntpMerlin

If I'm reading the YazFi script code right. There is some coding (look for the "ENABLED_NTPD" entries) in the main YazFi script that may allow NTP traffic through when using that ntpMerlin script in conjunction with the YazFi script.
Have you tried it with Jack's chrony implementation?
 
I've just tried to install ntpMerlin, but it requires Entware, that also requires an USB drive to be inserted. If it is possible I would like to avoid it.

I've added an YazFiINPUT rule (marked with green in the screenshot), but it is still failing (testing with 192.168.1.1 and 192.168.2.1). I noticed that there was an existing rule (marked in blue) probably added by YazFi. I also noticed that the value of the field `pkts` increases with every test I execute, so it seems it is being applied.

EDIT: the `pkts` value that is being increased with every test is the one of the second line (with a 63 value in the screenshot)

1636484702795.png
 
Last edited:
Check what interface(s) the ntp server is listening on. On my router it only listens on br0 so I don't think it will accept requests coming from wl0.2.

Rich (BB code):
# ps w | grep ntp
 2342 admin     3844 S    /usr/sbin/ntp -t -S /sbin/ntpd_synced -p time.cloudflare.com -p time.windows.com -l -I br0
31533 admin     5436 S    grep ntp

# /usr/sbin/ntp -?
/usr/sbin/ntp: invalid option -- '?'
BusyBox v1.25.1 (2021-08-06 17:47:26 EDT) multi-call binary.

Usage: ntp [-dnqNwtl -I IFACE] [-S PROG] [-p PEER]...

NTP client/server

        -d      Verbose
        -n      Do not daemonize
        -q      Quit after clock is set
        -N      Run at high priority
        -w      Do not set time (only query peers), implies -n
        -t      Trust network and server, no RFC-4330 cross-checks
        -S PROG Run PROG after stepping time, stratum change, and every 11 mins
        -p PEER Obtain time from PEER (may be repeated)
                If -p is not given, 'server HOST' lines
                from /etc/ntp.conf are used
        -l      Also run as server on port 123
        -I IFACE Bind server to IFACE, implies -l
 
Check what interface(s) the ntp server is listening on. On my router it only listens on br0 so I don't think it will accept requests coming from wl0.2.

Rich (BB code):
# ps w | grep ntp
2342 admin     3844 S    /usr/sbin/ntp -t -S /sbin/ntpd_synced -p time.cloudflare.com -p time.windows.com -l -I br0
31533 admin     5436 S    grep ntp

# /usr/sbin/ntp -?
/usr/sbin/ntp: invalid option -- '?'
BusyBox v1.25.1 (2021-08-06 17:47:26 EDT) multi-call binary.

Usage: ntp [-dnqNwtl -I IFACE] [-S PROG] [-p PEER]...

NTP client/server

        -d      Verbose
        -n      Do not daemonize
        -q      Quit after clock is set
        -N      Run at high priority
        -w      Do not set time (only query peers), implies -n
        -t      Trust network and server, no RFC-4330 cross-checks
        -S PROG Run PROG after stepping time, stratum change, and every 11 mins
        -p PEER Obtain time from PEER (may be repeated)
                If -p is not given, 'server HOST' lines
                from /etc/ntp.conf are used
        -l      Also run as server on port 123
        -I IFACE Bind server to IFACE, implies -l
Just checked on my router running YazFi and all guest networks I have enabled are on br0:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.244bfebcd7d8       yes             eth1
                                                        eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth6
                                                        wl0.1
                                                        wl1.1
                                                        wl1.2
I don't have that specific interface enabled but I would guess it would be in there too.

I'm not an expert in bridges and subnets so I dont really know how it gets tied together with mixing different subnets in the same bridge.

Bind would not nessicarely mean it only listens to this subnet, or? But it really sounds that you are right.

//Zeb
 
Sorry, I don't know how YazFi works internally because I've never used it. But normally traffic from isolated guests is dropped from the bridge interface which is why it has to be referred to by its interface name (e.g. wl0.1).

As an experiment try running ntp without the interface option.

Rich (BB code):
# ps w | grep ntp
2342 admin     3844 S    /usr/sbin/ntp -t -S /sbin/ntpd_synced -p time.cloudflare.com -p time.windows.com -l -I br0

# killall /usr/sbin/ntp
# killall ntp

# /usr/sbin/ntp -t -S /sbin/ntpd_synced -p time.cloudflare.com -p time.windows.com -l
EDIT: Don't killall the full pathname. It will kill the process and all other processes that use that file.
 
Last edited:
Just downloaded ntp app to test on my system and can confirm the same problem as @kspmtrp.
I can also confirm that @ColinTaylor fix to start ntp without -I br0 makes ntp work for ALL guest networks under yazfi, even those with no access to lan or router local process.

Hope @kspmtrp has the same results.

//Zeb

Edit:
Code:
killall /usr/sbin/ntp
didn't work for me, had to use:
Code:
killall ntp
 
Last edited:
i haven't used the built-in ntp server in forever, I use chrony (and before that, entware ntpd)
iptables seems to indicate the packets are hitting the allow rule on input, so the ntp server should be getting them :/
 
I can confirm it works; from the guest network 192.168.2.0 works with both 192.168.1.1 and 192.168.2.1.

Is there a way to make this change permanent? It don't see a way to customize the config file for the ntp daemon: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Custom-config-files
The easy way would be to just put your commands in:
Code:
/jffs/scripts/services-start

That would included to kill the ntp process and start a new one.

The more advanced way would be to scrape the current command using "ps w | grep ntp" and subtract the "-I br0" from it then kill it and start again. This way you could still use the gui to change server for example.
You would have to put this in /jffs/scripts/service-event-end
Code:
if [ "$1" = "start" ] || [ "$1" = "restart" ] && [ "$2" = "ntp" ]; then
# WhateverYouWantToDo
fi

Good luck!

//Zeb
 
An alternative approach to Zeb's might be to try and keep the NTP traffic on the bridge. Effectively, not isolating just UDP port 123.

There may already be something in YazFi that does this pin-holing. If not, as an experiment try entering this command and seeing if the PC can now connect to the router's NTP server.
Code:
ebtables -t broute -I BROUTING -p IPv4 --ip-proto udp --ip-dst 192.168.1.1 --ip-dport 123 -j ACCEPT
 
I tried @ZebMcKayhan advanced solution (NOTE: for my system I needed to replace 'ntp' with 'ntpd') with a service-event-end script that does the following steps:
  1. From the result of a 'ps', gets the current ntp command, excluding the grep command and stores it into a variable
  2. Remove -I br0 from that variable and stores it into a another variable
  3. Kills ntp process
  4. Starts the ntp process using the contents of the variable at step 2 as the commandline.

The code is this:
Code:
if [ "$1" = "start" ] || [ "$1" = "restart" ] && [ "$2" = "ntpd" ]; then
        ntpCommand=$(ps | grep [^]]/usr/sbin/ntp | grep -o '/.*$')
        ntpCommandModified=$(echo $ntpCommand | sed "s/ -I br0//g")
        killall ntp
        eval "$ntpCommandModified"
fi

When I restart the router, the result of a 'ps' is a process whose commandline is truncated:
Code:
/usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.or

But it works if I test the script calling it manually like this
Code:
/jffs/scripts/service-event-end start ntpd

To debug this weird behavior I've added the following line at the beginning of the "if":
Code:
ps | grep ntp >> /jffs/scripts/log.txt

After restarting the router, the log.txt contains the result already truncated:
Code:
 2462 root   3420 S    /bin/sh /jffs/scripts/service-event-end start ntpd
 2463 root   3772 S    /usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.or
 2467 root   3420 S    grep ntp

It is very strange. I don't know why this is happening.


I also tried @ColinTaylor approach but when I execute this command nothing happens. If I list all the rules after executing the command it still shows everything empty:

Code:
> ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

For the time being, I left the proposed "basic" solution and it is working, but if would preferred one of the other approaches:
Code:
killall ntp
/usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.org -l
 
I tried @ZebMcKayhan advanced solution (NOTE: for my system I needed to replace 'ntp' with 'ntpd') with a service-event-end script that does the following steps:
  1. From the result of a 'ps', gets the current ntp command, excluding the grep command and stores it into a variable
  2. Remove -I br0 from that variable and stores it into a another variable
  3. Kills ntp process
  4. Starts the ntp process using the contents of the variable at step 2 as the commandline.

The code is this:
Code:
if [ "$1" = "start" ] || [ "$1" = "restart" ] && [ "$2" = "ntpd" ]; then
        ntpCommand=$(ps | grep [^]]/usr/sbin/ntp | grep -o '/.*$')
        ntpCommandModified=$(echo $ntpCommand | sed "s/ -I br0//g")
        killall ntp
        eval "$ntpCommandModified"
fi

When I restart the router, the result of a 'ps' is a process whose commandline is truncated:
Code:
/usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.or

But it works if I test the script calling it manually like this
Code:
/jffs/scripts/service-event-end start ntpd

To debug this weird behavior I've added the following line at the beginning of the "if":
Code:
ps | grep ntp >> /jffs/scripts/log.txt

After restarting the router, the log.txt contains the result already truncated:
Code:
 2462 root   3420 S    /bin/sh /jffs/scripts/service-event-end start ntpd
2463 root   3772 S    /usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.or
2467 root   3420 S    grep ntp

It is very strange. I don't know why this is happening.


I also tried @ColinTaylor approach but when I execute this command nothing happens. If I list all the rules after executing the command it still shows everything empty:

Code:
> ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

For the time being, I left the proposed "basic" solution and it is working, but if would preferred one of the other approaches:
Code:
killall ntp
/usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.org -l
Check what command you get before the text processing... perhaps the services-end script are executed too fast and/or more instances are changing this command after. Perhaps a
Code:
sleep 1
Needs to be put before you read the process to make sure all changes have already been made.

Just an idea to try?

//Zeb
 
To debug this weird behavior I've added the following line at the beginning of the "if":
Code:
ps | grep ntp >> /jffs/scripts/log.txt

After restarting the router, the log.txt contains the result already truncated:
Code:
 2462 root   3420 S    /bin/sh /jffs/scripts/service-event-end start ntpd
2463 root   3772 S    /usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.or
2467 root   3420 S    grep ntp

It is very strange. I don't know why this is happening.
try
Code:
ps   -w    | grep ntp >> /jffs/scripts/log.txt
 
try
Code:
ps   -w    | grep ntp >> /jffs/scripts/log.txt
Didn't realize that ps without the -w gets truncated, wierd!
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ntpCommand=$(ps | grep [^]]ntp | grep -o '/.*$')
admin@RT-AC86U-D7D8:/tmp/home/root# echo $ntpCommand
/sbin/ntpd_synced -p pool.ntp.org -p time.nis
admin@RT-AC86U-D7D8:/tmp/home/root# ntpCommand=$(ps -w | grep [^]]ntp | grep -o '/.*$')
admin@RT-AC86U-D7D8:/tmp/home/root# echo $ntpCommand
/sbin/ntpd_synced -p pool.ntp.org -p time.nist.gov -l -I br0

//Zeb
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top