NTP port to WAN

Laxarus

Regular Contributor
Hello,
Device: RT-AC5300
Firmware: 384.19
For a couple of days, I've been trying with limited success. At the end, I would like to ask help from the super nice community here.
I have been trying to connect the NTP server on my router with my bridged DSL modem.
DSL modem is in bridge mode and connected to WAN port of AC5300.

On the WAN side, router gets static ip:
192.168.0.2
and the modem gets 192.168.0.1

Now,
Asus-merlin has a NTP server built-in with UDP port 123.
So, in theory, if you set modem NTP settings to remote server with the "static ip of the router (192.168.0.2)" and arrange the router to port forward "external udp port 123" coming from "modem static ip (192.168.0.1)" to "internal udp port 123 of the router local ip", it should work.
However, I couldn't get it to work. I also tried disabling and enabling firewall.

The thing that confuses me is I set up a NTP server on my network with a different device with LAN ip, and I managed to get it to work by port forwarding to that device.
This is the working setup.
[attached screenshot of the working port forwarding entry]

But if I change internal ip address to 192.168.1.1, it fails.

and this is my interface output:

Code:
7: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN qlen 1000
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
14: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br0
27: ppp0: <POINTOPOINT,MULTICAST,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    inet 100.85.235.11 peer 100.85.128.1/32 brd 100.85.235.11 scope global ppp0
28: tun11: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.10.100.10 peer 10.10.100.9/32 scope global tun11
29: tun13: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.8.0.3/24 brd 10.8.0.255 scope global tun13

I am thinking maybe firmware is blocking incoming connections from WAN.
 
Accessing the *router* over the WAN is *NOT* (technically) a port forward. You merely open the port. A port forward, by definition, means some device behind the router. Now as a courtesy, I know some routers (e.g., dd-wrt) will accept the router's WAN ip as a target in port forwarding, then make any necessary adjustments. But I don't know if Merlin works the same.
 

You might be right, but what about internal and external ports? I mean, can an incoming connection from WAN port 123 be forwarded to router's LAN port 80? Though, I fail to see how useful that would be (Maybe for security reasons to avoid known ports?).

Another thing is from Administration - System, you can enable WAN HTTPS access with a specific port. So, it is basically opening a port on the router for that specific port and forwarding that to internal port 80.
But it is hard coded just for webui.
Maybe, I can take a look at the source and see how it is doing that. Though, I don't know how to find that in the source.

I know some routers (e.g., dd-wrt) will accept the router's WAN ip as a target in port forwarding, then make any necessary adjustments. But I don't know if Merlin works the same.
Apparently, merlin firmware doesn't accept router's own ip for forwarding as I cannot reach router from the modem. Maybe, there is another aspect to be considered.

Let me rephrase my question then: how can I open a specific WAN port for the router for a specific ip address from interface br0?
I am pretty sure you can do it with iptables, but iptables are so confusing for me. Most of the time, I don't know what I am doing when manipulating iptables.
 
Is it even necessary to access it from br0? For all I know, the ntp server is listening on all network interfaces, including the WAN (that's often the case w/ services; what actually prevents access from some of those network interfaces is the firewall). And if that's the case, a simple INPUT rule would do the trick.

Code:
# allow access to time server on *all* network interfaces
iptables -I INPUT -p udp --dport 123 -j ACCEPT
 
P.S. Or else limit it to the modem (192.168.0.1).

Code:
iptables -I INPUT -s 192.168.0.1 -p udp --dport 123 -j ACCEPT
 

It still doesn't work.
Weird, even after

Code:
iptables -I INPUT -s 192.168.0.1 -p udp --dport 123 -j ACCEPT

the INPUT chain shows blank:
iptables -t nat -L -n -v
Code:
Chain PREROUTING (policy ACCEPT 107K packets, 121M bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  tun13  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12000 to:192.168.1.23:80
    0     0 VSERVER    all  --  *      *       0.0.0.0/0            100.85.72.205
    4   304 VSERVER    all  --  *      *       0.0.0.0/0            192.168.0.2

Chain INPUT (policy ACCEPT 2538 packets, 220K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1911 packets, 156K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1477 packets, 108K bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tun13   192.168.1.0/24       0.0.0.0/0
  247 14680 MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.0/0
1526  102K PUPNP      all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
  208 12050 MASQUERADE  all  --  *      ppp0   !100.85.72.205        0.0.0.0/0
    1    52 MASQUERADE  all  --  *      eth0   !192.168.0.2          0.0.0.0/0
  464 53835 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24
    0     0 MASQUERADE  all  --  *      tun13   0.0.0.0/0            0.0.0.0/0

Chain DNSFILTER (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain DNSVPN1 (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain DNSVPN3 (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain LOCALSRV (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (2 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:192.168.1.1:8443
    0     0 DNAT       tcp  --  *      *       192.168.0.1          0.0.0.0/0            tcp dpt:514 to:192.168.1.41:514
    4   304 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    4   304 TRIGGER    all  --  *      *       0.0.0.0/0            0.0.0.0/0            TRIGGER type:dnat match:0 relate:0

Chain VUPNP (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:37777 to:192.168.1.23:37777
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:37778 to:192.168.1.23:37778

I saw the VSERVER chain that opens up the 8443 port and tried to use that but this also didn't work.
Code:
iptables -t nat -I VSERVER -s 192.168.0.1 -p udp --dport 123 -j DNAT --to-destination 192.168.1.1:123

I can see it in the chain but router still doesn't respond for NTP calls.
 
you need to look at the filter table, not nat.
Code:
iptables -nvL

Thanks for the tip. Like I said, iptables are confusing for me. :)

Though, I tried that
iptables -I INPUT -s 192.168.0.1 -p udp --dport 123 -j ACCEPT

This doesn't seem to work.
Just to be sure, I disabled Firewall and secure upnp.
The port doesn't seem to be open.

netstat -lnu | grep 123

gives
udp 0 0 :::123 :::*

when I look at the input chain, I see the ports:

Code:
Chain INPUT (policy ACCEPT 1715 packets, 303K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   228 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:123

Now, I am suspicious of my modem. However, it seems to work OK with another NTP server device if I port forward it from the UI. This is weird.
Maybe FW has different rules regarding NTP.
Your suggestion was spot on as they seemed to solve this problem with the same method.
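As an added illustration (not code from the thread or from the firmware), a small parser over `iptables -nvL` style output that answers the check the thread turns on: whether the filter table's INPUT chain actually ACCEPTs udp/123 from the modem, independent of any DNAT entry in the nat table. The dumps below are constructed samples modelled on the output shown above, not captures.

```python
import re

# Constructed sample dumps (not captures from the thread): a filter INPUT chain
# that opens udp/123, and a nat VSERVER chain that only DNATs udp/123.
FILTER_DUMP = """\
Chain INPUT (policy ACCEPT 1715 packets, 303K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   228 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
"""
NAT_DUMP = """\
Chain VSERVER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       192.168.0.1          0.0.0.0/0            udp dpt:123 to:192.168.1.1:123
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_chains(dump):
    """Map chain name -> list of rule dicts from `iptables -nvL` style text."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        cols = line.split(None, 9)          # 9 fixed columns + optional match text
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue                        # blank line or column header
        current.append({"target": cols[2], "proto": cols[3], "in": cols[5],
                        "src": cols[7], "extra": cols[9] if len(cols) > 9 else ""})
    return chains

def accepts_from(chains, src, proto="udp", dport=123):
    """True if filter INPUT has an ACCEPT for proto/dport covering packets from src."""
    for r in chains.get("INPUT", []):
        if (r["target"] == "ACCEPT" and r["proto"] == proto
                and f"dpt:{dport}" in r["extra"].split()
                and r["src"] in ("0.0.0.0/0", src, src + "/32")):
            return True
    return False

def dnat_without_input_accept(filter_dump, nat_dump, src, dport=123):
    """The situation from the thread: a DNAT for the port exists in nat, but
    nothing in filter INPUT accepts it, so the router itself still won't answer."""
    nat = parse_chains(nat_dump)
    has_dnat = any(r["target"] == "DNAT" and f"dpt:{dport}" in r["extra"].split()
                   for rules in nat.values() for r in rules)
    return has_dnat and not accepts_from(parse_chains(filter_dump), src, dport=dport)
```

Feed it the real output of `iptables -nvL` and `iptables -t nat -nvL` to confirm the rule landed in the table that decides whether the router answers.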
 
