
Problem with Intercept NTP client requests


Magister

Occasional Visitor
For a long time now I have had the option "Intercept NTP client requests" enabled, and all my devices are basically using the router as their NTP server.

But one of my new devices, a TP-Link Tapo C200 webcam, cannot update its date/time if this option is enabled. I have to disable it for the camera to acquire the right time.

How can I add a rule in the firewall/iptables so that this particular device does not have its port 123 intercepted?
Oh god, iptables... I played with it 10 years ago and remember it being nightmarish, but I knew I needed to dive into it again to fix my problem :)

So I checked in firewall.c how the rule is added, then googled a bit to find out how to exclude a particular MAC address from this rule, then how to use the right custom script to add the new rule.

I created a /jffs/scripts/nat-start containing:

Bash:
#!/bin/sh

# Just in case, delete the stock rule that redirects all LAN NTP requests to the router
iptables -t nat -D PREROUTING -i br0 -p udp -m udp --dport 123 -j REDIRECT --to-port 123

# Basically the same rule, but excluding the TP-Link camera (it uses a non-standard protocol on port 123)
iptables -t nat -A PREROUTING -i br0 -p udp -m udp --dport 123 -m mac ! --mac-source 34:60:F9:xx:xx:xx -j REDIRECT --to-port 123
It seems to work: it deletes the old rule and inserts this new one.

Question to the pros here: does this look OK? Is this the right way to do it? Should I use the br0 interface or another one?
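An added example, not the poster's script: the same exemption done by inserting a RETURN rule for the camera's MAC ahead of the firmware's REDIRECT rule, so the stock intercept rule stays untouched and the script is safe to run repeatedly from nat-start (it checks with -C before inserting). It assumes Asuswrt-Merlin with the LAN bridge br0 and the intercept rule shown in the post above; the MAC address, the ntp-bypass.sh path and the IPTABLES override variable are constructed for this example.

```shell
#!/bin/sh
# Added example, not the poster's script: exempt one LAN client from the
# "Intercept NTP client requests" redirect by inserting a RETURN rule ahead of
# the firmware's REDIRECT rule, instead of deleting and re-adding that rule.
# Assumptions: Asuswrt-Merlin, LAN bridge br0, and the stock intercept rule
#   -t nat -A PREROUTING -i br0 -p udp -m udp --dport 123 -j REDIRECT --to-port 123
# The MAC address below is a constructed placeholder; replace it with the camera's.

IPTABLES="${IPTABLES:-iptables}"               # override (e.g. with a stub) to dry-run
LAN_IF="${LAN_IF:-br0}"
BYPASS_MAC="${BYPASS_MAC:-34:60:F9:00:00:01}"  # constructed placeholder

# Rule spec without the table/command, so one string serves -C, -I and -D.
# RETURN in a built-in chain ends traversal with the chain policy (ACCEPT for
# nat PREROUTING), so the camera's packet is simply not redirected.
bypass_rule() {
    echo "PREROUTING -i $LAN_IF -p udp -m udp --dport 123 -m mac --mac-source $BYPASS_MAC -j RETURN"
}

# Return 0 if the rule is already in the nat table. Word splitting of $1 is
# intentional: the spec is a list of iptables arguments.
rule_present() {
    # shellcheck disable=SC2086
    "$IPTABLES" -t nat -C $1 2>/dev/null
}

# Insert the rule at position 1 only if it is absent, so the script can be
# re-run (nat-start fires on every firewall restart) without duplicating it.
ensure_rule() {
    if rule_present "$1"; then
        echo "already present: $1"
        return 0
    fi
    # shellcheck disable=SC2086
    "$IPTABLES" -t nat -I $1
}

# Remove the rule if present (to back the change out).
remove_rule() {
    rule_present "$1" || return 0
    # shellcheck disable=SC2086
    "$IPTABLES" -t nat -D $1
}

# Show nat PREROUTING with packet counters: the RETURN rule's counter should
# climb when the camera sends NTP, while the REDIRECT rule's does not.
show_rules() {
    "$IPTABLES" -t nat -L PREROUTING -v -n --line-numbers
}

# nat-start receives no arguments, so keep this as a helper and put
#   /jffs/scripts/ntp-bypass.sh apply
# in /jffs/scripts/nat-start (hypothetical path for this example).
case "${1:-}" in
    apply)  ensure_rule "$(bypass_rule)" ;;
    remove) remove_rule "$(bypass_rule)" ;;
    show)   show_rules ;;
esac
```

Run it with `show` after the camera has been up for a minute: the RETURN line's packet counter should increase while the camera's traffic no longer hits the REDIRECT rule, which confirms the exemption matches. `remove` takes the rule out again.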
 
I'm not a pro, I'm afraid, but I'd be interested to see this working. I have a CCTV unit that I don't want to grant internet access but it needs access to an NTP server. I usually use Merlin's f/w as it allows NTP interception but the latest f/w from Asus has a couple of undocumented CVEs and some other security-type fixes so I'm on that instead at the mo'.

Running your script from the ssh prompt reports: "iptables: No chain/target/match by that name." Which version of the f/w are you running?
 
Running your script from the ssh prompt reports: "iptables: No chain/target/match by that name." Which version of the f/w are you running?
The first command will produce that error message because you're not using Merlin. The second command is fairly pointless in your case because you're not running an NTP server on your router (because you're not using Merlin).
I'm not a pro, I'm afraid, but I'd be interested to see this working. I have a CCTV unit that I don't want to grant internet access but it needs access to an NTP server. I usually use Merlin's f/w as it allows NTP interception but the latest f/w from Asus has a couple of undocumented CVEs and some other security-type fixes so I'm on that instead at the mo'.

Running your script from the ssh prompt reports: "iptables: No chain/target/match by that name." Which version of the f/w are you running?

Yeah, the first command tries to remove a rule; if it does not exist in your setup you get this warning, it's normal.
 
For a long time now I have had the option "Intercept NTP client requests" enabled, and all my devices are basically using the router as their NTP server.

But one of my new devices, a TP-Link Tapo C200 webcam, cannot update its date/time if this option is enabled. I have to disable it for the camera to acquire the right time.

How can I add a rule in the firewall/iptables so that this particular device does not have its port 123 intercepted?

I had an issue a while ago with NTP where my router wouldn't update. I changed over to chrony and my NTP sync issues magically disappeared. Try switching and see if your devices will sync locally. Much easier than playing with iptables.
 
My issue seems to be that TP-Link is using a non-standard or unsupported protocol on port 123 to get its date/time, so I bypass the redirect.
 
My issue seems to be that TP-Link is using a non-standard or unsupported protocol on port 123 to get its date/time, so I bypass the redirect.

I have a TP Link lightbulb that attempts sync with an NTP server but have it redirected to my router's chrony server with no issues.
 