Windows ntp sync issues on Asus TM-AC1900 with Merlin 380.58

cuekay

Hello. I have been having issues with my windows based workgroup (not domain) issuing timeouts when trying to sync with the ntp time servers (time.windows.com, time.nist.gov, pool.ntp.org, etc). The thing is when I leave all else alone (windows firewall, gateway settings) and instead connect to my gateway rather than the router, the computer syncs just fine. I had tried to add the following iptables rules to the router:

Code:
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

When I tried to use the port-forwarding feature, adding items didn't stick even upon clicking "Apply". I had even disabled the firewall using the web gui and the sync attempts would timeout.

But I also noticed that the firmware can or does serve as a local ntp server. If so, how can I bypass this so that I can reach out to the ones out in the world? Or if it's more recommended for a LAN, how can I setup the ntp server in the firmware so that I can just have my host computers sync to that? I tried syncing to the local ip address of the router (192.168.1.1) but that timed out as well.

I also found a thread that reports the same thing except with dd-wrt. I'm wondering if wrt'ish firmware is plagued with these issues or if incidentally the OP of the other thread and I are just poor at configuring this awesome firmware. Thanks!
 
1) The default policy is to allow ALL traffic to go out, so there's no need for configuring anything in the OUTPUT chain. If you are getting blocked, then it's most likely done by something running on your computer, not by the router. Check any rules you might have in your security software.

2) No, the router cannot act as an ntp server.
 
Hi Merlin. First of all, thank you so much for building this. It's been nothing short of amazing since I fired it up on day one. When I try to be polite, it ends up backfiring on me as I get very verbose and annoying and while my terseness can come off as being rude, I figured it's the lesser of two evils. So I apologize if my original post came off as too critical.

I did really basic troubleshooting to identify the source of the issue and I'm pretty sure I'm missing some basic understanding on how to do it, so I'll just walk through my process:

1. connect HOST to TM-AC1900(with Merlin) with ethernet cable. Try to sync time using Windows' internet time settings GUI. Outcome: message: "An error occurred while Windows was synchronizing with time.nist.gov. This operation returned because the timeout period expired."

2. connect HOST to 2Wire 5268AC FXN gateway with same ethernet cable only disconnecting from TM-AC1900 end to move to 2Wire gateway. Try to sync time using Windows' internet time settings GUI. Outcome: The clock was successfully synchronized with time.nist.gov on 4/26/16 at 11:01 PM.

3. connect HOST wirelessly by tethering to LG G2 cell phone. Try to sync time using Windows' internet time settings GUI. Outcome: The clock was successfully synchronized with time.nist.gov on 4/26/16 at 11:01 PM.

4. connect HOST to TM-AC1900(with Merlin). Set "Firewall -> Enable Firewall" on Merlin web GUI to "no". Try to sync time using Windows' internet time settings GUI. Outcome: message: "An error occurred while Windows was synchronizing with time.nist.gov. This operation returned because the timeout period expired."

Of the three scenarios, only number 1 and 4, both of which involve the router with no other factors that I'm aware of, yielded timeouts. Despite my attempts at being as systematic as possible, I'm guessing that the issue is just plain oversight on my part; as is obvious, I'm not at all computer literate and I'd be grateful for any guidance that can be offered by anyone.
 
Try a different NTP server, to rule out a few possibilities. One thing that might change between your different scenarios is that your ISP might be giving you a different IP. I don't know if that NTP server allows/rejects connections based on the source IP or not; trying a different NTP server would rule that possibility out.

Also check if the server resolves to the same IP in all cases (nslookup time.nist.gov).

Do not disable the router firewall, as it might create other issues (I'm not 100% sure NAT works at all with the firewall disabled).
 
how can I setup the ntp server in the firmware
I bought a Raspberry Pi, installed Linux on it, and then configured the NTP server. Then I configured my RT-AC68U router to intercept any NTP request on the local network and redirect it to the Pi's NTP server (192.168.1.22). Here's a firewall rule to do that:

/jffs/scripts/nat-start
Code:
#!/bin/sh
# Redirect LAN NTP requests (UDP 123) arriving on br0 to the local NTP server.
/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s 192.168.1.0/24 -p udp --dport 123 -j DNAT --to-destination 192.168.1.22

My Raspberry Pi supports the latest Linux version 4.1.19. All Asus routers run the very old NSA friendly, Linux version 1.1.11. That's why an NTP server cannot be done on the router.

CORRECTION: Asus router (ARM) use Linux 2.6.36.4
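
An added diagnostic example (not part of the original posts): a small Python SNTP probe to run from a LAN client. It sends one client-mode request and reports whether a reply arrived and whether it came from the address that was queried; the two can differ when a DNAT rule like the one above redirects the request to a server on the client's own subnet and that server answers the client directly. The function names and the sample reply are constructed for this example.

```python
import socket
import struct
import sys

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

# Constructed sample reply (not captured traffic): VN=3, mode 4, stratum 2.
SAMPLE_REPLY = bytes([0x1C, 2]) + bytes(38) + struct.pack(
    "!II", NTP_EPOCH_OFFSET + 1461711660, 0x80000000)

def build_request():
    """48-byte SNTP request: LI=0, VN=3, mode 3 (client)."""
    return bytes([(3 << 3) | 3]) + bytes(47)

def parse_reply(data):
    """Decode the header fields that matter when troubleshooting."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {
        "version": (data[0] >> 3) & 0x7,
        "mode": data[0] & 0x7,   # 4 = server reply
        "stratum": data[1],      # 0 = kiss-o'-death, 1-15 = synchronized
        "unix_time": secs - NTP_EPOCH_OFFSET + frac / 2**32,
    }

def probe(server, timeout=3.0, port=123):
    """Send one request; report whether and from where a reply arrived."""
    target = socket.gethostbyname(server)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (target, port))
        try:
            data, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return {"server": target, "status": "timeout"}
    result = parse_reply(data)
    # A reply from an address other than the one queried means something
    # on the path answered in its place (for example a DNAT redirect).
    result.update(server=target, source=src,
                  status="ok" if src == target else "source-mismatch")
    return result

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            print(host, probe(host))
    else:
        print("constructed sample:", parse_reply(SAMPLE_REPLY))
```

Run it with one or more server names as arguments, once behind the router and once behind the gateway, and compare the `status` and `source` fields.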
 
I bought a Raspberry Pi, installed Linux on it, and then configured the NTP server. Then I configured my RT-AC68U router to intercept any NTP request on the local network and redirect it to the Pi's NTP server (192.168.1.22). Here's a firewall rule to do that:

You could also run an ntpd on the router itself - it's a fairly low-overhead process. I assume ntpd must be available on Entware.
 
You could also run an ntpd on the router itself - it's a fairly low-overhead process. I assume ntpd must be available on Entware.
An SMTP server is also available in busybox.....I enabled it and offer it as an option in my fork. Biggest piece of work was getting it inserted into the services startup and adding it to the watchdog. Oh, and making sure it didn't start before the router time was set :)
 
awesome. Thanks everyone for your feedback. I'll look into installing kvic's ntpd server and try that out for now and report back with results.
 
I just wanted to report back on this as I've been laboring away but have yet to get any signs of improvement -- I had tried the following two solutions recently and probably some other ones in the interim:

1) set up a linux machine to be the ntp server which can reliably run "ntpdate -s pool.ntp.org" and added Dr. Pozo's script to my jffs directory using the ip address of the linux machine (192.168.1.15) instead.

2) installed kvic's ntpd server and tried directing my windows system's "time servers" to the router(192.168.1.1)

3) played with the variety of servers local to my area referring to this: https://support.ntp.org/bin/view/Servers/StratumOneTimeServers

I had found another report of this, except with regards to dd-wrt, so I'm sure how related this would be: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=282981&highlight=

One thing I realize I didn't clarify on was that I have linux clients in my LAN that sync just fine. It's just Windows ones that are problematic when connected to the LAN ports on the Asus. I'm not sure if this is related to Windows's time syncing working with SNTP, which from what I've gathered is a rougher version of the NTP protocol.

I also have the time zone of the Windows machines set to my actual local time zone but I'm not sure if I should set the time zone to UTC instead? Thanks!
 
