On 2019-01-25 Adam Thompson wrote:
IIRC a handful of "important" NTP servers are whitelisted, e.g. time.windows.com and the equivalent from Apple. The source port
I tried time.windows.com as a first check, no dice. No major NTP server I can think of goes through.
limitation is specifically because only full-fledged NTP server implementations were vulnerable, and they must by definition use port 123. The block only exists for ADSL/VDSL/FTTH customers AFAIK. Business fibre and SHDSL customers are expected to run firewalls that work. -Adam
The customer is VDSL business, low-ish end plan, but not fibre. Yes, one would think they'd not block 123 for business. This plan does *not* block SMTP port 25. What a strange world MTS dwells in that 25 is open but 123 is not.
On 2019-01-25 John Lange wrote:
Might be worth going through the pain of opening a ticket to see if you can get an official answer. I believe the CRTC regulations prevent them from arbitrarily manipulating, blocking, or shaping the network traffic without disclosing what they are doing.
The staff will contact MTS so we'll see. I did find a web page that showed all the ports MTS blocks, and 123 wasn't on there. Probably out of date though (still said MTS). As for ISP companies not blocking without disclosing... wouldn't hold my breath on that one.
On 2019-01-25 Gilles Detillieux wrote:
I had an issue with NTP port 123 being blocked when switching from MTS's phone-line based ADSL service to their fibre based "VDSL" service several years ago (well before the Bell takeover). Colin is
Ah, that might be it! It may not have broken when Bell took over, it may have broken when the company switched to VDSL. It was around the same time I think (give or take 2 years, grin). Weird I didn't notice until now... I guess the RTCs were so good it took this long to lose a whole 1-2 minutes and cause me to notice.
Apparently the only solution is to use MTS's own NTP server. I think it's ntp.mts.net, but I'm not at home now so I can neither check my
ntp.mts.net also does not work. If you do have their official NTP server name somewhere, please dig it up for me as that would be super handy if they decide to block my current workaround trick too!
Thanks all!
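
A diagnostic for the question raised in this thread, added here as an example and not code from any of the posters: it sends one SNTP query from an ephemeral source port and one from source port 123, then compares the outcomes. It assumes the filter is keyed on UDP source port 123, as the quoted text describes; the function names and the sample reply are constructed for illustration.

```python
import socket, struct

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
# Constructed server reply (not captured traffic): VN=4, mode=4, stratum 2.
SAMPLE_REPLY = bytes([0x24, 2]) + bytes(38) + struct.pack("!II", NTP_TO_UNIX + 1548400000, 0)

def build_query():
    """48-byte SNTP request: LI=0, VN=4, mode=3 (client)."""
    return bytes([0x23]) + bytes(47)

def parse_reply(data):
    """Return (mode, stratum, unix transmit time); raise ValueError if not a server reply."""
    if len(data) < 48:
        raise ValueError("short packet")
    mode, stratum = data[0] & 0x07, data[1]
    secs, frac = struct.unpack("!II", data[40:48])
    if mode != 4 or secs == 0:
        raise ValueError("not a server-mode reply")
    return mode, stratum, secs - NTP_TO_UNIX + frac / 2**32

def probe(server, source_port=0, timeout=3.0):
    """One query to server:123 from source_port (0 = ephemeral)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.bind(("", source_port))  # port 123 needs root and no local ntpd
            s.sendto(build_query(), (server, 123))
            parse_reply(s.recvfrom(512)[0])
            return "reply"
        except socket.timeout:
            return "timeout"
        except (OSError, ValueError) as exc:
            return f"error: {exc}"

def diagnose(ephemeral, from_123):
    """Interpret the two probe results for one server."""
    if ephemeral.startswith("error") or from_123.startswith("error"):
        return "inconclusive (local error, e.g. could not bind port 123)"
    if ephemeral == "reply" and from_123 == "reply":
        return "no NTP filtering seen"
    if ephemeral == "reply":
        return "source port 123 is dropped, ephemeral source port works"
    if from_123 == "reply":
        return "only source port 123 gets through"
    return "no reply from either source port"

if __name__ == "__main__":
    for host in ("time.windows.com", "ntp.mts.net"):  # names taken from the thread
        print(host, diagnose(probe(host), probe(host, 123)))
```

Running the two probes against several servers separates a per-server allow list from a blanket port rule: a blanket rule gives the same diagnosis for every host.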