[SOLVED] How to enable NTP Sync for blocked devices?

MomenMamdouh
DD-WRT User


Joined: 19 Sep 2017
Posts: 150
Location: Egypt

Posted: Thu Mar 30, 2023 19:47
Hi;

I have blocked some devices from internet access because they don't need it except for NTP. How can I allow NTP sync through port 123 for these devices?

Thanks!

_________________
Routers:
TP-Link Archer C7 v2-(EU)
TP-Link WR840n v3
TP-Link WR740n v5


Last edited by MomenMamdouh on Fri Mar 31, 2023 10:59; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12881
Location: Netherlands

Posted: Thu Mar 30, 2023 20:52
Without further information, e.g. what router, which build, which interfaces it concerns, current iptables etc., I can only give some general pointers:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
MomenMamdouh
Posted: Fri Mar 31, 2023 9:20
egc wrote:
Without further information e.g. what router, which build, which interfaces it concerns, current iptables, I can only give some general pointers:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command


Ok, consider the following:

Router model: Tplink archer C7 v2
Firmware: DD-WRT v3.0-r52189
Router IP: 10.0.0.1
Blocked devices IPs: 10.0.0.11 & 10.0.0.12
Policy: Deny internet access by using Access Restriction
Goal: to whitelist port 123 for enabling the blocked devices to ntp sync via the internet.

egc
Posted: Fri Mar 31, 2023 9:35
MomenMamdouh wrote:
egc wrote:
Without further information e.g. what router, which build, which interfaces it concerns, current iptables, I can only give some general pointers:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command


Ok, consider the following:

Router model: Tplink archer C7 v2
Firmware: DD-WRT v3.0-r52189
Router IP: 10.0.0.1
Blocked devices IPs: 10.0.0.11 & 10.0.0.12
Policy: Deny internet access by using Access Restriction
Goal: to whitelist port 123 for enabling the blocked devices to ntp sync via the internet.


Try this:
Quote:
iptables -I FORWARD -s 10.0.0.11,10.0.0.12 -p udp --dport 123 -o $(get_wanface) -m state --state NEW -j ACCEPT

First try from the CLI (telnet/PuTTY) and if it works, place it in Administration/Commands > Save Firewall

Check with:
iptables -vnL FORWARD


The IP addresses you are blocking appear to be in the router's own subnet. For IoT devices and other unsafe devices, create a separate isolated subnet (aka Guest wifi).

MomenMamdouh
Posted: Fri Mar 31, 2023 10:58
egc wrote:

Try this:
Quote:
iptables -I FORWARD -s 10.0.0.11,10.0.0.12 -p udp --dport 123 -o $(get_wanface) -m state --state NEW -j ACCEPT

First try from the CLI (telnet/PuTTY) and if it works, place it in Administration/Commands > Save Firewall

Check with:
iptables -vnL FORWARD



Thanks @egc for your valued support. I tried the above command and set the WAN i/f to eth0, but it doesn't work directly; to make NTP sync work, port 123 should be whitelisted as a source & dest.

The following lines did the job:

Code:
iptables -I FORWARD -p udp --dport 123 -j ACCEPT
iptables -I FORWARD -p udp --sport 123 -j ACCEPT

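A narrower form of the two rules in the post above, added here as an example and not posted by anyone in the thread. As written, those rules accept forwarded UDP to or from port 123 for every host and interface. This sketch prints one request rule and one conntrack-bound reply rule per device, and flags unscoped port-123 rules in a constructed `iptables -S FORWARD` sample. The function names are hypothetical, `eth0` is the interface named in the post (on DD-WRT pass `$(get_wanface)` instead), and it assumes, as the thread's rules do, that inserting at the top of FORWARD puts the rules ahead of the Access Restriction block.

```shell
#!/bin/sh
# Added example (not from the thread). Prints rules instead of applying them,
# so they can be reviewed before being pasted into the router CLI.

# valid_ip4 ADDR -> exit status 0 if ADDR is a dotted-quad IPv4 address
valid_ip4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# ntp_rules WANIF IP... -> one request rule and one reply rule per device
ntp_rules() {
    wan=$1; shift
    [ -n "$wan" ] && [ $# -gt 0 ] || return 2
    for ip in "$@"; do
        valid_ip4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
        # Request: only this device, only UDP/123, only out of the WAN side.
        echo "iptables -I FORWARD -s $ip -o $wan -p udp --dport 123 -j ACCEPT"
        # Reply: only from the WAN side to this device, and only for a flow
        # the device itself opened (conntrack state ESTABLISHED).
        echo "iptables -I FORWARD -d $ip -i $wan -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT"
    done
}

# unscoped_ntp: reads `iptables -S FORWARD` output on stdin and prints ACCEPT
# rules on port 123 that name no address and no interface.
unscoped_ntp() {
    awk '/-j ACCEPT/ && /--[sd]port 123( |$)/ && !/ -[sdio] / { print }'
}

# Constructed sample of `iptables -S FORWARD` output (not from a real router).
SAMPLE='-P FORWARD ACCEPT
-A FORWARD -p udp -m udp --sport 123 -j ACCEPT
-A FORWARD -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 10.0.0.11/32 -o eth0 -p udp -m udp --dport 123 -j ACCEPT'

ntp_rules "${WANIF:-eth0}" 10.0.0.11 10.0.0.12
echo "$SAMPLE" | unscoped_ntp
```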
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2971
Location: Germany

Posted: Fri Mar 31, 2023 13:34
Are you sure that eth0 is the WAN interface?

I have my doubts.
MomenMamdouh
Posted: Sat Apr 01, 2023 7:18
ho1Aetoo wrote:
Are you sure that eth0 is the WAN interface?

I have my doubts.


That's what is mentioned under the "Interface Setup" section on the Setup > Networking page.
