Surf SOHO MK3 - constant requests to #.pool.ntp.org

I have a Surf SOHO MK3 set up as a home router (SW version is 8.0.2). Because my internet connection is really poor (LTE 20/5 connection, which is really more like 5/1 because of the bad reception), I recently installed a rpi3 with pi-hole to help solve some slow browsing issues and cut down on the bandwidth usage (ad blocking).

Why is the MK3 literally flooding the bandwidth with requests to #.pool.ntp.org servers? Look at the graphs below:

Link to bigger image: https://imgur.com/adXcOto

I’ve been through the settings twice now and cannot find a setting to turn this off (or at least limit it to a reasonable number, maybe 1 per minute or even less). Why is it doing this and how can I turn this off?

To get a better feel for what's going on, set an outbound firewall rule to allow and log every connection to port 123. Then Peplink can see how many minutes/seconds there are between each time request on your router vs. what they expect it to be.

2 Likes

Hello and Good Day aataqah

I just wanted to say…if cell signal is poor in your area, maybe a cell signal booster is an option for you. They are worth the money. In my profile picture you can see a Verizon AC791L cellular modem next to the cell signal booster.

Firewall rule is set up to log UDP connections to port 123:

I cleared both logs (SOHO and pi-hole) at the same time. Will report back a bit later.

Does the SOHO have an option to export the log? Or is it copy-paste from the web admin only?

Unfortunately signal boosters are illegal in my country. I think the fine if they catch you is somewhere around 4000€.
The problem is not only bad reception, but also that my location is right in the middle of 4 towers, each an equal distance away. The connection is then bouncing around the towers. The Huawei B315 which is used for the LTE modem does not have an option to lock on to a single tower. But thanks for the suggestion.

Ok, so after about 1 hour of monitoring (starting from cleared logs) pi-hole shows that requests to pool.ntp.org servers are the most frequent by far and that they are coming from the SOHO. Yet the event log in the SOHO web admin only shows a total of 44 events. Did I set up the firewall rule wrong?

pi-hole dashboard:

SOHO event log:

Mar 10 19:22:39 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.12 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=46213 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:22:32 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.8 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=58079 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:21:45 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:e4:59:e3:08:00 SRC=10.42.99.205 DST=17.253.52.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=10136 PROTO=UDP SPT=60195 DPT=123 LEN=56 MARK=0x2
Mar 10 19:21:45 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:e4:59:e3:08:00 SRC=10.42.99.205 DST=17.253.54.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=11068 PROTO=UDP SPT=62779 DPT=123 LEN=56 MARK=0x2
Mar 10 19:21:45 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:e4:59:e3:08:00 SRC=10.42.99.205 DST=17.253.54.125 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=9822 PROTO=UDP SPT=49275 DPT=123 LEN=56 MARK=0x2
Mar 10 19:21:11 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.4 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=18643 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:17:17 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:b8:27:eb:66:2a:c3:08:00 SRC=192.168.50.98 DST=144.76.197.108 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=54251 DF PROTO=UDP SPT=60345 DPT=123 LEN=56 MARK=0x2
Mar 10 19:11:23 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:9f:02:6f:08:00 SRC=10.42.99.201 DST=17.253.52.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=15364 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:11:23 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:9f:02:6f:08:00 SRC=10.42.99.201 DST=17.253.54.123 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=29753 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:11:23 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:9f:02:6f:08:00 SRC=10.42.99.201 DST=17.253.54.251 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=8850 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:10:29 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.0 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=455 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:05:33 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.12 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=30562 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:05:20 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.8 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=18590 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:03:58 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.4 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=27366 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:01:24 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:e4:59:e3:08:00 SRC=10.42.99.205 DST=17.253.52.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=42581 PROTO=UDP SPT=53756 DPT=123 LEN=56 MARK=0x2
Mar 10 19:01:24 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:e4:59:e3:08:00 SRC=10.42.99.205 DST=17.253.54.125 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=17511 PROTO=UDP SPT=49676 DPT=123 LEN=56 MARK=0x2
Mar 10 19:01:24 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:e4:59:e3:08:00 SRC=10.42.99.205 DST=17.253.54.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=50411 PROTO=UDP SPT=60111 DPT=123 LEN=56 MARK=0x2
Mar 10 18:59:50 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:57:ca:3f:cf:88:08:00 SRC=10.42.99.200 DST=17.253.52.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=56800 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:59:50 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:57:ca:3f:cf:88:08:00 SRC=10.42.99.200 DST=17.253.54.125 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=1503 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:59:50 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:57:ca:3f:cf:88:08:00 SRC=10.42.99.200 DST=17.253.54.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=38588 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:55:09 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:9f:02:6f:08:00 SRC=10.42.99.201 DST=17.253.54.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=3407 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:55:09 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:9f:02:6f:08:00 SRC=10.42.99.201 DST=17.253.52.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=11735 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:55:09 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:9f:02:6f:08:00 SRC=10.42.99.201 DST=17.253.54.125 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=6208 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:52:38 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.0 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=31025 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:47:56 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.8 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=57445 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:47:38 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.12 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=45724 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:46:24 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.4 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=64168 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:43:09 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:b8:27:eb:66:2a:c3:08:00 SRC=192.168.50.98 DST=144.76.197.108 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=37546 DF PROTO=UDP SPT=40485 DPT=123 LEN=56 MARK=0x2
Mar 10 17:41:15 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:e4:59:e3:08:00 SRC=10.42.99.205 DST=17.253.52.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=30950 PROTO=UDP SPT=62332 DPT=123 LEN=56 MARK=0x2
Mar 10 18:41:15 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:e4:59:e3:08:00 SRC=10.42.99.205 DST=17.253.54.251 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=46225 PROTO=UDP SPT=52976 DPT=123 LEN=56 MARK=0x2
Mar 10 18:41:15 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:e4:59:e3:08:00 SRC=10.42.99.205 DST=17.253.54.123 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=45858 PROTO=UDP SPT=51990 DPT=123 LEN=56 MARK=0x2
Mar 10 18:38:36 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:9f:02:6f:08:00 SRC=10.42.99.201 DST=17.253.52.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=56416 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:38:36 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:9f:02:6f:08:00 SRC=10.42.99.201 DST=17.253.54.251 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=1077 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:38:36 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:6b:e8:9f:02:6f:08:00 SRC=10.42.99.201 DST=17.253.54.123 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=30662 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:34:52 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.0 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=9543 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:31:43 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:57:ca:3f:cf:88:08:00 SRC=10.42.99.200 DST=17.253.52.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=35478 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:31:43 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:57:ca:3f:cf:88:08:00 SRC=10.42.99.200 DST=17.253.54.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=1572 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:31:43 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:4c:57:ca:3f:cf:88:08:00 SRC=10.42.99.200 DST=17.253.54.123 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=65040 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:30:52 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.8 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=41685 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:30:04 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.12 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=8038 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:28:18 Firewall: Allowed CONN=lan MAC=00:1a:dd:43:52:40:00:11:32:7e:0e:4b:08:00 SRC=192.168.50.6 DST=216.239.35.4 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=35004 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:27:41 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:e4:e4:ab:4b:5b:ef:08:00 SRC=10.42.99.202 DST=17.253.52.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=35859 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:27:41 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:e4:e4:ab:4b:5b:ef:08:00 SRC=10.42.99.202 DST=17.253.54.253 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=43358 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:27:41 Firewall: Allowed CONN=vlan MAC=00:1a:dd:43:52:40:e4:e4:ab:4b:5b:ef:08:00 SRC=10.42.99.202 DST=17.253.54.251 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4068 PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
End of Log
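The interval measurement suggested earlier in the thread, as an added example (not part of any post and not Peplink code): it parses event-log lines in the format shown above, groups UDP/123 packets per source address, and reports the median time between sync bursts. The sample lines, their addresses and the 5-second burst window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the SOHO event-log format (newest first);
# addresses are private/documentation ranges, not taken from the thread.
SAMPLE_LOG = """\
Mar 10 19:05:00 Firewall: Allowed CONN=lan MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.168.1.10 DST=192.0.2.10 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=103 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 19:00:00 Firewall: Allowed CONN=vlan MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=10.0.0.5 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=204 PROTO=UDP SPT=50111 DPT=123 LEN=56 MARK=0x2
Mar 10 19:00:00 Firewall: Allowed CONN=vlan MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=10.0.0.5 DST=198.51.100.8 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=203 PROTO=UDP SPT=50110 DPT=123 LEN=56 MARK=0x2
Mar 10 18:50:00 Firewall: Allowed CONN=lan MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.168.1.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=900 DF PROTO=UDP SPT=40000 DPT=53 LEN=40 MARK=0x2
Mar 10 18:47:30 Firewall: Allowed CONN=lan MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.168.1.10 DST=192.0.2.11 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=102 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
Mar 10 18:40:00 Firewall: Allowed CONN=vlan MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=10.0.0.5 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=202 PROTO=UDP SPT=50101 DPT=123 LEN=56 MARK=0x2
Mar 10 18:40:00 Firewall: Allowed CONN=vlan MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=10.0.0.5 DST=198.51.100.8 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=201 PROTO=UDP SPT=50100 DPT=123 LEN=56 MARK=0x2
Mar 10 18:30:00 Firewall: Allowed CONN=lan MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.168.1.10 DST=192.0.2.12 LEN=76 TOS=0x18 PREC=0xA0 TTL=63 ID=101 DF PROTO=UDP SPT=123 DPT=123 LEN=56 MARK=0x2
End of Log
"""

# Timestamp and source address of allowed UDP packets to destination port 123.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) Firewall: Allowed .* SRC=(\S+) DST=\S+ "
    r".* PROTO=UDP SPT=\d+ DPT=123\b")

def summarize(log_text, burst_gap=5):
    """Per source: (packets, bursts, median seconds between bursts or None)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # The log carries no year; 2000 is an arbitrary (leap) year.
            times[m.group(2)].append(
                datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S"))
    report = {}
    for src, stamps in times.items():
        stamps.sort()  # the web admin lists newest entries first
        # Packets sent within burst_gap seconds count as one sync attempt,
        # since a client often queries several servers in the same second.
        bursts = [stamps[0]]
        for t in stamps[1:]:
            if (t - bursts[-1]).total_seconds() > burst_gap:
                bursts.append(t)
        gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
        report[src] = (len(stamps), len(bursts), median(gaps) if gaps else None)
    return report

if __name__ == "__main__":
    for src, (pkts, bursts, gap) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src}: {pkts} packets, {bursts} bursts, median gap {gap}s")
```

The report counts NTP packets that crossed the firewall rule; a Pi-hole dashboard counts DNS lookups of the pool hostnames, so the two numbers measure different things.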

Ok, so I played around some more with firewall rules and logging. I tried setting outbound firewall rules to block the domain pool.ntp.org, block udp requests to port 123, etc. but the number of requests does NOT drop.

I have no more ideas … why is the SOHO doing this and how to stop it?

@aataqah,

Have you configured the SOHO device as a DNS proxy?

Under LAN Settings:

If the setting is enabled, the LAN devices can configure the SOHO LAN as their DNS server. This makes the SOHO work as the proxy for LAN DNS requests.

Can you disable the DNS proxy settings? Before disabling the feature, make sure no LAN device is referring to the SOHO as its DNS server.

1 Like

I was auditing my Surf SOHO running firmware 8.0.2. It makes Time of Day requests every 30 minutes. By “requests” I mean that I see four outbound connections using UDP to port 123 every 30 minutes. Each of these 4 connections is to a different IP address.