MomenMamdouh DD-WRT User Joined: 19 Sep 2017 Posts: 150 Location: Egypt
Posted: Thu Mar 30, 2023 19:47 Post subject: [SOLVED]How to enable NTP Sync for blocked devices?
Hi;
I have blocked some devices from internet access because they don't need it except for NTP. How to allow NTP Sync through Port 123 for these devices?
Thanks!
_________________
Routers:
TP-Link Archer C7 v2-(EU)
TP-Link WR840n v3
TP-Link WR740n v5
Last edited by MomenMamdouh on Fri Mar 31, 2023 10:59; edited 1 time in total
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Thu Mar 30, 2023 20:52 Post subject:
Without further information e.g. what router, which build, which interfaces it concerns, current iptables etc. I can only give some general pointers:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
MomenMamdouh DD-WRT User Joined: 19 Sep 2017 Posts: 150 Location: Egypt
Posted: Fri Mar 31, 2023 9:20 Post subject:
Ok, consider the following:
Router model: TP-Link Archer C7 v2
Firmware: DD-WRT v3.0-r52189
Router IP: 10.0.0.1
Blocked devices IPs: 10.0.0.11 & 10.0.0.12
Policy: Deny internet access by using Access Restriction
Goal: to whitelist port 123 for enabling the blocked devices to ntp sync via the internet.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Fri Mar 31, 2023 9:35 Post subject:
MomenMamdouh wrote:
Ok, consider the following:
Router model: TP-Link Archer C7 v2
Firmware: DD-WRT v3.0-r52189
Router IP: 10.0.0.1
Blocked devices IPs: 10.0.0.11 & 10.0.0.12
Policy: Deny internet access by using Access Restriction
Goal: to whitelist port 123 for enabling the blocked devices to ntp sync via the internet.
Try this:
Quote:
iptables -I FORWARD -s 10.0.0.11,10.0.0.12 -p udp --dport 123 -o $(get_wanface) -m state --state NEW -j ACCEPT
First try from the CLI (telnet/PuTTY) and, if it works, place it in Administration/Commands > Save Firewall.
Check with:
iptables -vnL FORWARD
The IP addresses you are blocking appear to be in the router's own subnet; for IoT devices and other unsafe devices, create a separate isolated subnet (aka Guest wifi).
MomenMamdouh DD-WRT User Joined: 19 Sep 2017 Posts: 150 Location: Egypt
Posted: Fri Mar 31, 2023 10:58 Post subject:
egc wrote:
Try this:
Quote:
iptables -I FORWARD -s 10.0.0.11,10.0.0.12 -p udp --dport 123 -o $(get_wanface) -m state --state NEW -j ACCEPT
First try from the CLI (telnet/PuTTY) and, if it works, place it in Administration/Commands > Save Firewall.
Check with:
iptables -vnL FORWARD
Thanks @egc for your valued support. I tried the above command and set the WAN i/f to eth0, but it doesn't work directly; to make NTP sync work, port 123 should be whitelisted as a source & dest.
The following lines did the job:
Code:
iptables -I FORWARD -p udp --dport 123 -j ACCEPT
iptables -I FORWARD -p udp --sport 123 -j ACCEPT
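A scoped variant of the two rules that did the job in the post above, added here as an example (not code from the thread, and not tested on DD-WRT): it limits the NTP exception to the listed devices and to the WAN interface instead of opening UDP 123 for every host. The function names and the interface name wan0 are assumptions; substitute the interface your router actually reports.

```shell
#!/bin/sh
# Added example, not from the thread: print least-privilege NTP rules (dry run).

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ntp_rules WAN_IF IP...: print a request rule and a reply rule per device.
ntp_rules() {
    wan_if=$1
    case "$wan_if" in ""|*[!A-Za-z0-9._-]*) return 2 ;; esac
    shift
    [ "$#" -gt 0 ] || return 2
    # Validate every address before printing anything.
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    for ip in "$@"; do
        # Request: only this device, only to UDP 123, only out of the WAN.
        echo "iptables -I FORWARD -s $ip -o $wan_if -p udp --dport 123 -j ACCEPT"
        # Reply: only from UDP 123 arriving on the WAN, only for a known flow.
        echo "iptables -I FORWARD -d $ip -i $wan_if -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT"
    done
}

# Dry run with the thread's device addresses; wan0 is a placeholder name.
ntp_rules wan0 10.0.0.11 10.0.0.12
```

Review the printed lines before running them from the CLI, then confirm the packet counters with iptables -vnL FORWARD as described in the thread.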
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 2971 Location: Germany
Posted: Fri Mar 31, 2023 13:34 Post subject:
Are you sure that eth0 is the WAN interface?
I have my doubts.
MomenMamdouh DD-WRT User Joined: 19 Sep 2017 Posts: 150 Location: Egypt
Posted: Sat Apr 01, 2023 7:18 Post subject:
ho1Aetoo wrote: Are you sure that eth0 is the WAN interface?
I have my doubts.
That's what is mentioned under the "Interface Setup" section on the Setup > Networking page.