Joining the pool kills my Internet

#1

OK, so I tried every possible way to make my server a pool member, but every time I join the server my whole Internet crashes!

Then I must schedule my server for deletion in order for the system to remove it.

I am using a Linksys E4200 with DD-WRT (I tried with a different router; it is the same).

From what I can see, there are too many connections, the router's connection table is getting full, and then it simply begins to drop packets.

I even tried different speed settings in the pool server management, but it is still the same, even with the lowest one.

It's like every opened UDP connection remains open. I have tried every possible way to solve this, but without luck, and I am out of ideas.

Has someone dealt with this or a similar issue?

#2

EDIT

I don't know how I missed these obvious settings. I am getting sleepy, I guess :)

I think with this I will solve the problem, but tomorrow; now I am too tired to think.

I will report the results.

EDIT:

Unfortunately timeout settings do not help. I am out of options.

#3

You are using connection tracking. Turn it off for UDP/123 traffic in both directions (just doing that in one direction isn’t enough) on any stateful device in your traffic path - this includes your system firewall if you have one, and almost certainly your router. If you are using NAT (this includes port mapping), don’t - most forms of NAT imply connection tracking on the device doing that translation. If your router isn’t capable of excluding NTP traffic from connection tracking (most typical home routers can’t easily do this), then you will need a new router.

The reason that this is a problem is that the NTP pool is extremely diverse, and you’ll see a very large number of client IPs in a short period of time. NTP is stateless (one request packet, one reply packet, that’s it), but to most forms of connection tracking, it looks like a newly created connection flow that ought to be tracked. This means CPU usage (watching for reply packets), RAM usage (storing the state of the ‘connection’ for each client IP), and more CPU usage (timing out connection state and removing it from memory). While that’s acceptable for a small number of clients, a pool NTP server can easily see requests from hundreds of thousands of unique client IPs within a short timespan, which will cripple many connection-tracking devices due to insufficient resources to handle the load (and sometimes poorly optimised software as well).

#4

Yes, I realized that, but unfortunately the UDP timeout did not help.

It was suggested by user Miroslav Lichvar on group com.protocol.time that I try the following rules for UDP tracking:

iptables -t raw -I PREROUTING -p udp -m udp --dport 123 -j CT --notrack
iptables -t raw -I OUTPUT -p udp -m udp --sport 123 -j CT --notrack

But it did not work either. Maybe these iptables commands do not work on DD-WRT.

I am out of options; for now I cannot join the pool.

#5

Yes, I realized that, but unfortunately the UDP timeout did not help.

That’s because UDP timeout is intended to adjust the timeout for removing tracked flows. It’s not the right setting to adjust for solving your problem.

It was suggested by user Miroslav Lichvar on group com.protocol.time that I try the following rules for UDP tracking…

Those rules are intended for use on your NTP server, not on your router. To properly exclude your NTP traffic from connection tracking, you will also need an additional rule in the PREROUTING table with --sport 123 in order to catch the reply packets from your server.

I notice that those rules do not contain your server’s IP address at all - that’s OK, but do bear in mind that omitting the IP means you are turning off tracking for all NTP packets, rather than just NTP traffic relating to your server.

…But it did not work also.

Can you clarify what you mean by that? What, specifically, happened (or didn’t happen) to indicate that there was an issue with those commands?

#6

When I commit iptables rules in the DD-WRT router I get this:

The commands are not showing any errors, but they are not in the iptables list. Maybe they cannot be issued in the DD-WRT version of the router.

#7

What does iptables -t raw -L show?

If you run echo $? immediately after each iptables command, what is the output?

#8

root@life-router:~# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
CT udp -- anywhere anywhere udp dpt:ntp CT notrack

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
CT udp -- anywhere anywhere udp spt:ntp CT notrack

#9

That output means that those iptables rules were applied successfully. If you add an additional rule to the PREROUTING chain to disable tracking for the reply packets (and assuming you aren’t attempting to use NAT for the NTP traffic), that should be sufficient to resolve the issue with your router.
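The complete rule set that posts #5 and #9 converge on (requests in, replies in, replies out, all in the raw table so they never enter conntrack), written as an added example script rather than as anything posted in this thread. It restricts the exemption to one server address as #5 recommends, inserts each rule only if `iptables -C` says it is absent so it can be re-run safely, and reports conntrack table usage so the "table full, packets dropped" symptom from #1 can be confirmed before and after. The script name, the `DRY_RUN` and `NTP_SERVER` variables, and the address 192.0.2.10 are constructed for this example; it assumes an iptables build with the CT target, which the `iptables -t raw -L` output above shows is available on this router.

```shell
#!/bin/sh
# Added example (not from the thread): raw-table NOTRACK rules for an NTP pool
# server, both directions, with idempotent apply and a conntrack usage check.
set -u

IPT="${IPT:-iptables}"

# Emit the three rules as "table chain <match and target>" lines.
# $1 (optional) is the NTP server's IP; without it every NTP packet passing
# the box is untracked, which is what post #5 warns about.
ntp_notrack_rules() {
    srv="${1:-}"
    to_srv=""; from_srv=""
    if [ -n "$srv" ]; then
        to_srv="-d $srv"     # requests arriving for the server
        from_srv="-s $srv"   # replies leaving the server
    fi
    printf '%s\n' \
        "raw PREROUTING -p udp -m udp --dport 123 $to_srv -j CT --notrack" \
        "raw PREROUTING -p udp -m udp --sport 123 $from_srv -j CT --notrack" \
        "raw OUTPUT -p udp -m udp --sport 123 $from_srv -j CT --notrack"
}

# Insert each rule unless it is already present (iptables -C), so re-running
# never duplicates rules. With DRY_RUN set, print the commands instead.
ntp_notrack_apply() {
    ntp_notrack_rules "${1:-}" | while read -r table chain rest; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$IPT -t $table -I $chain $rest"
            continue
        fi
        # shellcheck disable=SC2086  # $rest must word-split into arguments
        if $IPT -t "$table" -C "$chain" $rest 2>/dev/null; then
            echo "present:  $table $chain $rest"
        elif $IPT -t "$table" -I "$chain" $rest; then
            echo "inserted: $table $chain $rest"
        else
            echo "FAILED:   $table $chain $rest" >&2
            return 1
        fi
    done
}

# Print "count max" for the conntrack table; exit non-zero when usage is
# above 90% (or the counters are unreadable) so it can drive an alert.
# $1 overrides the sysctl directory, which the self-test uses.
conntrack_usage() {
    dir="${1:-/proc/sys/net/netfilter}"
    [ -r "$dir/nf_conntrack_count" ] && [ -r "$dir/nf_conntrack_max" ] || return 1
    count=$(cat "$dir/nf_conntrack_count"); max=$(cat "$dir/nf_conntrack_max")
    echo "$count $max"
    [ "$((count * 10))" -lt "$((max * 9))" ]
}

# Usage (constructed):  NTP_SERVER=192.0.2.10 sh ntp_notrack.sh
#            dry run:   DRY_RUN=1 NTP_SERVER=192.0.2.10 sh ntp_notrack.sh
if [ -n "${NTP_SERVER:-}" ]; then
    conntrack_usage || echo "conntrack table above 90% full or not readable" >&2
    ntp_notrack_apply "$NTP_SERVER"
fi
```

On a router the OUTPUT rule only matters if the router itself answers NTP; the two PREROUTING rules are what exempt forwarded pool traffic. If the NTP traffic is port-mapped through NAT, these rules will not help, because the translation itself needs tracking state, which is the caveat post #3 raises.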