How to unblock UDP port 123 and NTP time sync

MWGlidden

Occasional Visitor
Devices on my network work as expected most of the time. I've dealt with the occasional tough-to-understand issue, including an inability to use Google Assistant on smart speakers. Today, a colleague tested my Internet connection using an LAN device and told me this.

"The raspberry pi was failing to sync with time servers, so its clock was wrong... I tracked it down to UDP port 123, which is used for NTP time sync, being somehow blocked. This is pretty uncommon, so I’m wondering if there’s a firewall somewhere with some really conservative rules in place."

I've used asuswrt-merlin for years and this is the first time that a possible blocked NTP port came up. Skynet and Diversion are running, so perhaps one of them did so? I can't recall ever changing my router's port settings by hand. Searching the SNB forums for blocked NTP ports failed to find others with this issue.

Current versions, per AMTM.

Code:
amtm 3.4 FW               by thelonelycoder
RT-AX58U (armv7l) FW-386.7 @ 192.168.1.1
Diversion                 v4.3.2
Skynet                    v7.2.8

Checked my Administration tab for its NTP settings.

basic_config.jpg


Pinging time.nist.gov from a terminal window failed 100%, pinging time.google.com succeeded 100%, and pinging dns.msftncsi.com failed 100%.

Recommendation where to start with this?
 
Just because something isn't pingable doesn't mean it isn't up. Plenty of things block ICMP to prevent the most basic DDOS attacks. Time.nist.gov replies to NTP fine but is not pingable.

Personally I like to use pool.ntp.org for time. Or if you want to make sure it uses the US, you can use us.pool.ntp.org, but they use a GeoIP database to return you a local server, which should be pretty reliable.

One way to test NTP, if in Windows:
w32tm /stripchart /computer:us.pool.ntp.org /samples:5

Replace us.pool.ntp.org with whatever you want to test.

If you get more than 1 or 2 error results, something is blocking it, but it isn't the default Asus router. The NTP settings in the router don't impact your LAN (unless you tell it to intercept NTP); by default those only tell the router where to get its own time from. You may have to troubleshoot Skynet and Diversion; it is possible one of those is blocking it for some reason, since they are both designed to block things. Note occasional errors/lack of response are normal with UDP, that's why it is referred to as an unreliable protocol, but out of 5 you should get at least 3 or 4 responses.
 
My 10 cents worth, ‘enable local NTP server’ = yes.
‘Intercept client NTP requests’ = yes.
See how you go. :)
 
My 10 cents worth, ‘enable local NTP server’ = yes.
‘Intercept client NTP requests’ = yes.
See how you go. :)

Worth a shot - though if Skynet or Diversion are blocking it, probably still would (never know, maybe that will bypass them somehow). I prefer to get time direct from the source (pun unintentional).
 
If the RPI is the only device with the wrong time, did you check the time zone setting in the PI?
 
My 10 cents worth, ‘enable local NTP server’ = yes.
‘Intercept client NTP requests’ = yes.
See how you go. :)

I've made this change and will indeed see how things go! Not sure yet how to unblock UDP port 123. Any thoughts there?
 
If the RPI is the only device with the wrong time, did you check the time zone setting in the PI?

The PI's part of a test rig run by a colleague who already worked around the blocked UDP port 123. I'd like to understand how it got blocked in the first place, as I can't recall doing anything that would block it myself. :eek:
 
I've made this change and will indeed see how things go! Not sure yet how to unblock UDP port 123. Any thoughts there?
I can't think why specifically UDP port 123 outgoing would be blocked. It's not something the router would normally do. I suspect that it's the destination IP address rather than the port that Skynet is blocking.
 
I can't think why specifically UDP port 123 outgoing would be blocked. It's not something the router would normally do. I suspect that it's the destination IP address rather than the port that Skynet is blocking.
Sounds like the issue I was having, where the destination IP address would get blocked by Skynet because the destination from the pool happened to be deemed malicious by Skynet.
 
I'm a native English speaker and also missed what the pun might be! Your XKCD link is perfect for this situation.

An NTP server is also called a Time Source.

I said I like to get my time direct from the source. "Direct from the source" is a saying, but in this case also a literal, since I don't want to proxy my NTP, I want to pull it right from the time source.
 
The PI's part of a test rig run by a colleague who already worked around the blocked UDP port 123. I'd like to understand how it got blocked in the first place, as I can't recall doing anything that would block it myself. :eek:

The router isn't blocking it; most likely Skynet or Diversion are to blame.

Test out several different NTP sources using the commands I provided (from Windows command prompt) and see if you get responses from some but not others. If so, it probably isn't the port that is blocked but some of the IPs.
 
The router isn't blocking it; most likely Skynet or Diversion are to blame.

Test out several different NTP sources using the commands I provided (from Windows command prompt) and see if you get responses from some but not others. If so, it probably isn't the port that is blocked but some of the IPs.

I'm running Mac, so went with similar Unix calls (nc). Each one to several time sources via port 123 returns 0 (success). I let my colleague know that these tests are getting through, so we'll see if there's something wrong with the PI itself.
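
Added example, not part of the thread: a small SNTP probe for macOS/Linux that does what the w32tm test above does, sending a real NTP client request to UDP 123 and accepting only a valid server reply that echoes the request's timestamp. A UDP send succeeds locally whether or not anything answers, so the probe waits for the reply, retries because UDP is lossy, and then summarizes across servers (all fail points at the port, some fail points at specific destination IPs). Function names are this example's own; the hosts are the ones named in the thread.

```python
import os
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_request(nonce: bytes) -> bytes:
    """48-byte client request: LI=0, VN=4, Mode=3, nonce as Transmit Timestamp."""
    return bytes([0x23]) + bytes(39) + nonce

def parse_response(data: bytes, nonce: bytes) -> dict:
    """Validate a reply to our request; raise ValueError if it is not usable."""
    if len(data) < 48 or data[0] & 0x07 != 4:     # Mode 4 = server
        raise ValueError("not a server-mode NTP packet")
    if data[24:32] != nonce:                      # Originate must echo our Transmit
        raise ValueError("origin timestamp mismatch")
    if data[1] == 0:                              # stratum 0 = kiss-o'-death
        raise ValueError("kiss-o'-death " + data[12:16].decode("ascii", "replace"))
    secs, frac = struct.unpack("!II", data[40:48])
    return {"stratum": data[1], "unix_time": secs - NTP_EPOCH_OFFSET + frac / 2**32}

def probe(host: str, tries: int = 3, timeout: float = 2.0) -> str:
    """Return 'ok' if any attempt gets a valid reply, else the last failure."""
    last = "timeout"
    for _ in range(tries):                        # UDP is lossy, so retry
        nonce = os.urandom(8)
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(build_request(nonce), (host, 123))
                data, _addr = s.recvfrom(512)
            parse_response(data, nonce)
            return "ok"
        except (OSError, ValueError) as exc:
            last = "timeout" if isinstance(exc, socket.timeout) else f"error: {exc}"
    return last

def diagnose(results: dict) -> str:
    """Summarize per-host probe results the way the replies above reason."""
    ok = sum(1 for r in results.values() if r == "ok")
    if ok == len(results):
        return "all servers answered: UDP 123 is not blocked"
    if ok:
        return "some answered: port is open, specific destinations are filtered or down"
    return "none answered: UDP 123 is likely blocked somewhere on the path"

if __name__ == "__main__":
    # Hosts named in the thread; swap in whatever you want to test.
    results = {h: probe(h) for h in ("time.nist.gov", "time.google.com", "us.pool.ntp.org")}
    print(results, diagnose(results), sep="\n")
```

Run it from a LAN client, then again with the suspected blocker temporarily disabled, and compare which hosts change from timeout to ok.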
 
An NTP server is also called a Time Source.

I said I like to get my time direct from the source. "Direct from the source" is a saying, but in this case also a literal, since I don't want to proxy my NTP, I want to pull it right from the time source.
Thanks.
 
