Accessing NTP server on OpenWrt from bridged modem

I would like to access openwrt's NTP server from the bridged DSL modem so that the DSL stats show the correct time, and also retain the ability to access the modem to view these stats from the LAN. What would be the best way to do this?

Below is how I have that set up now:

config interface 'modem'
	option proto 'static'
	option ipaddr '192.168.254.15'
	option netmask '255.255.255.0'
	option device 'eth1'
	option delegate '0'
	option metric '0'
	option gateway '0.0.0.0'

This is added to the firewall WAN zone:

	list network 'modem'

Since the modem is part of WAN, like the rest of the internet, it cannot access any ports unless you explicitly allow it. So you need to make a rule in the firewall for the modem to access the NTP server (which runs on port 123):

config rule
        option dest_port '123'
        option src 'wan'
        option target 'ACCEPT'
        list src_ip '<modem ip>'
        option name 'Allow-modem-NTP'

and tell the NTP client to also act as a server (using option enable_server '1', which I believe is off by default.)

And of course, configure the modem to request time from the NTP server at your router's internal IP.

1 Like

I think that's pretty much the same config I tried first, except src_ip was .254.254, but I had no luck. The modem's IP is 192.168.254.254 and the interface I have created on openwrt to provide access is the one that uses 192.168.254.15. The openwrt lan is 192.168.2.1 and has the NTP server enabled and working for everything on the internal network, but the modem doesn't seem to be able to grab the date/time. Should the source be .254.15 or .254.254? I'm confused.

My tired brain is missing something... I just don't know what it is!

It must be .254

This is not needed, better remove it.
Verify that you can see the hits on the firewall and that ntp is listening on the wan interface.
iptables-save -c -t filter | grep NTP ; netstat -lnp | grep 123

1 Like


# iptables-save -c -t filter | grep NTP ; netstat -lnp | grep 123
[0:0] -A zone_wan_input -s 192.168.254.254/32 -p tcp -m tcp --dport 123 -m comment --comment "!fw3: Allow-modem-NTP" -j ACCEPT
[0:0] -A zone_wan_input -s 192.168.254.254/32 -p udp -m udp --dport 123 -m comment --comment "!fw3: Allow-modem-NTP" -j ACCEPT
udp        0      0 :::123                  :::*                                12739/ntpd

Firewall:

config rule
	option dest_port '123'
	option src 'wan'
	option target 'ACCEPT'
	option name 'Allow-modem-NTP'
	list src_ip '192.168.254.254'

Network:

config interface 'modem'
	option proto 'static'
	option ipaddr '192.168.254.15'
	option netmask '255.255.255.0'
	option device 'eth1'
	option delegate '0'
	option metric '0'

Here's what I got, but no dice :confused:
Anyone see what I'm missing? I'm assuming pointing to the .254.15 address should work, but correct me if I'm wrong.

There are no hits on the firewall, therefore nothing came to that port.
Start a tcpdump to see what is coming from the modem:
tcpdump -i eth1 -vn host 192.168.254.254
Install it if you don't have it: opkg update; opkg install tcpdump

1 Like

This is what I got:

# tcpdump -i eth1 -vn host 192.168.254.254
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:01:27.324280 IP (tos 0xb8, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 307)
    192.168.254.254.1900 > 239.255.255.250.1900: UDP, length 279
16:01:27.342848 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.254.254 tell 192.168.254.254, length 46
16:01:28.335183 IP (tos 0xb8, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 370)
    192.168.254.254.1900 > 239.255.255.250.1900: UDP, length 342
16:01:28.353702 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.254.254 tell 192.168.254.254, length 46
16:01:29.344740 IP (tos 0xb8, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 298)
    192.168.254.254.1900 > 239.255.255.250.1900: UDP, length 270
16:01:29.362370 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.254.254 tell 192.168.254.254, length 46
16:01:30.354569 IP (tos 0xb8, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 307)
    192.168.254.254.1900 > 239.255.255.250.1900: UDP, length 279
16:01:30.372190 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.254.254 tell 192.168.254.254, length 46
16:01:31.366207 IP (tos 0xb8, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 366)
    192.168.254.254.1900 > 239.255.255.250.1900: UDP, length 338

I do however get quite a bit when viewing the modem's web interface from a PC on the network. I'm attempting to set up a syslog server on openwrt if possible or my PC if that proves difficult. Then I'll send logs there for easier viewing since the modem doesn't have a decent log viewer in the web interface, and is fairly locked down as far as connecting a serial UART.

This depends on the NTP client service implementation on the modem.
Perhaps it syncs time only once at startup when OpenWrt is not fully connected yet.
Try to force time sync on the modem while running tcpdump on OpenWrt.

1 Like

This looks weird. The modem is asking for the mac address of itself.
Other than that there is nothing in the tcpdump showing any attempt of the modem to communicate with OpenWrt. No ARP, no NTP.

1 Like
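The three checks used in the posts above (rule counters, listening socket, packet capture) can be combined into one verdict. This is an added example, not code from the thread: the helper names are hypothetical and the sample text is constructed from the command output quoted above.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; sample text is constructed
# from the command output quoted in the thread.
MODEM=192.168.254.254

# Sum the packet counters of fw3 rule $1 in `iptables-save -c` output (stdin).
rule_hits() {
    awk -v name="$1" 'index($0, "!fw3: " name) {
        c = $1; gsub(/[^0-9:]/, "", c); split(c, a, ":"); hits += a[1]
    } END { print hits + 0 }'
}

# Succeed if `netstat -lnp` output (stdin) shows a UDP socket bound to port $1.
udp_listener() {
    awk -v p="$1" '$1 ~ /^udp/ && $4 ~ (":" p "$") { ok = 1 } END { exit !ok }'
}

# Count packets in `tcpdump -vn` output (stdin) sent by host $1 to port 123.
ntp_requests() {
    awk -v m="$1" '$2 == ">" && index($1, m ".") == 1 && $3 ~ /\.123:$/ { n++ }
        END { print n + 0 }'
}

# $1 = iptables-save -c text, $2 = netstat -lnp text, $3 = tcpdump -vn text
triage() {
    hits=$(printf '%s\n' "$1" | rule_hits Allow-modem-NTP)
    reqs=$(printf '%s\n' "$3" | ntp_requests "$MODEM")
    if ! printf '%s\n' "$2" | udp_listener 123; then echo no-listener
    elif [ "$reqs" -eq 0 ]; then echo modem-silent       # nothing on the wire
    elif [ "$hits" -eq 0 ]; then echo rule-not-matching  # sent but not accepted
    else echo ok
    fi
}

# Constructed sample input, taken from the output shown in the thread.
FW='[0:0] -A zone_wan_input -s 192.168.254.254/32 -p udp -m udp --dport 123 -m comment --comment "!fw3: Allow-modem-NTP" -j ACCEPT'
NS='udp        0      0 :::123                  :::*                                12739/ntpd'
TD='16:01:27.324280 IP (tos 0xb8, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 307)
    192.168.254.254.1900 > 239.255.255.250.1900: UDP, length 279
16:01:27.342848 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.254.254 tell 192.168.254.254, length 46'

triage "$FW" "$NS" "$TD"
```

A `modem-silent` verdict points at the modem's NTP client, while `rule-not-matching` points at the rule's source address or zone.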

I've tried disabling/enabling the 'automatic time update' option multiple times as well as rebooting the modem, but I haven't found any kind of option to update the time on demand :confused:

I do have the files and a VM set up with everything needed to build a few generations old openwrt firmware for this modem, but unfortunately I don't yet have the knowledge or time to acquire the knowledge to successfully make/try it. Going by what I have here, are there any devs who can make an educated guess whether or not it would be a rough process to attempt? If someone can help me with this part I'm comfortable trying it on the spare I have, even if it has to be done via jtag.

What happens if you keep tcpdump running and restart the modem?

Also try to specify the following NTP servers:

I'll try tonight and find out :smiley:

1 Like

Out of curiosity, is it really worth the trouble (and potential risk of exposing your ntpd to the outside) just to make the modem show the correct time?

I've been using various ADSL, ADSL2 and VDSL2+vectoring modems over the last two decades, none of them ever required a correct time setting (it might be nicer to look at, but it's not functionally necessary - and how often do you expect to visit the modem's management interface in the first place?).

tl;dr: why bother?!

Why bother? Well, my ISP kept lying about certain aspects of the connection, namely about "A problem in the wires inside your (my) premises". There is an ongoing lawsuit which is why I like to keep records of the extremely low error rate so I can hold their backsides to the fire because they are a bunch of lying phalluses, if they dare try to deny that their neglected network is causing bandwidth issues :smiley:

I can secure it in an isolated zone later once I get it to communicate properly since I don't need it to be accessible from outside of the network.

Why do I want to use this modem you ask? This one uses less power than the others I've tried, which is important because it's powered through the 5v out on my Raspberry Pi's UPS HAT with a boost converter to get the voltage up to 12v. In bridge mode it only pulls between 0.2-0.3A @12v. This and 4 18650 cells allow me to ride out just about any short power outages or disruptions.
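One way to set up the isolated zone mentioned above, as an added example that is not from the thread: it moves the `modem` network out of the WAN zone into its own zone and limits the NTP rule to UDP, since the `iptables-save` output earlier shows the rule without a protocol being expanded to both TCP and UDP. Assumptions: the zone name `modem`, the helper names, and that the WAN zone is `firewall.@zone[1]` as in the stock OpenWrt layout.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: zone name 'modem', the
# helper names, and wan being firewall.@zone[1] (check `uci show firewall`).
# The earlier src 'wan' Allow-modem-NTP rule must be removed separately; its
# section index depends on the local config.

# Print `uci batch` commands for a dedicated modem zone; $1 = modem IPv4 address.
modem_zone_batch() {
    case "$1" in
        ''|*[!0-9.]*) echo "bad IPv4 address: $1" >&2; return 1 ;;
    esac
    cat <<EOF
del_list firewall.@zone[1].network='modem'
add firewall zone
set firewall.@zone[-1].name='modem'
add_list firewall.@zone[-1].network='modem'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='modem'
add firewall rule
set firewall.@rule[-1].name='Allow-modem-NTP'
set firewall.@rule[-1].src='modem'
set firewall.@rule[-1].src_ip='$1'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='123'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

# Apply on the router: masq keeps LAN access to the modem's web UI working,
# the lan->modem forwarding allows it, and only UDP 123 from the modem is
# accepted as input to the router.
apply_modem_zone() {
    modem_zone_batch "$1" | uci batch &&
        uci commit firewall && /etc/init.d/firewall reload
}

# Run as: sh modem-zone.sh apply
if [ "${1:-}" = apply ]; then apply_modem_zone 192.168.254.254; fi
```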