ntpd on DSL behind Pace 5268AC?

[dschweisguth]

I have DSL and a Pace 5268AC. The Pace is in DMZ Plus mode, forwarding all traffic to my server. Most traffic works, but NTP does not: 'ntpdate time.sonic.net' says "no server suitable for synchronization found", and 'tcpdump port 123' on my server shows that no NTP packets are getting to my server.

'ntpdate -u whatever' does work, but that doesn't help me because I really want to run ntpd (which doesn't have the equivalent of ntpdate's -u), not ntpdate. (I know I could run ntpdate in cron, but that's jumpy.)

As an experiment, I set the Pace to explicitly forward port 123 to my server; that makes ntpdate work without -u. It's not a good fix, though, as I'd have to explicitly forward to every restricted port on my server.

Is there a way to unblock port 123 and still use DMZ Plus?

[drew.phillips]

Hi Dave,

I confirmed that the Pace itself is running an ntpd server on port 123 which interferes with the packets destined for your server behind the firewall.

Turning that off or forwarding port 123 and therefore preventing the Pace from syncing time could cause problems so personally I would advise against it.

You could also fully bridge the Pace so that your servers binds to the static IP and bypasses the Pace, but this would prevent Sonic from troubleshooting connection issues and we would require you to factory reset the modem in order to do any type of diagnostics or connectivity troubleshooting.

My suggestions are to get additional static IP's and assign your server a different IP address than the router, or switch to OpenNTPD which uses unprivileged ports for syncing. Static IP's beyond the 1 free do have an additional cost, so to me, OpenNTPD is the simplest and best alternative to keep everything fully supported.

I hope that helps.