I just installed my MikroTik CCR2004 16G 2S+PC router.
In the log, I find a record like this that appears every minute:
router dropped - output: in:(unknown 0) out:sfp2-WAN, connection-state:new proto UDP, 192.168.5.111:123->173.255.241.249:123, len 76
173.255.241.249 resolves as mail.hamilton.com.
Why does the router try to connect on UDP port 123 to mail.hamilton.com? On the web site: "Hamilton Communications is a private Internet service provider. We do not accept new customers."
Since it is suspect to me, in the meantime I put in a rule to drop the traffic from the router to the internet to this IP.
Impossible to state what is going on without seeing the config…
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
As holvoe pointed out, there is traffic occurring that may not be wanted, but that is controlled by the config, for which you are responsible.
Thanks for the answer.
5.111 is the WAN port of the router.
Regarding NTP, I just configured the NTP client server as pool.ntp.org, so, nothing to do with hamilton.com.
pool.ntp.org points at a few IP addresses, where public NTP servers reside. Addresses, to which pool.ntp.org resolves, can vary with subsequent DNS queries.
And, again: the NTP servers are volunteered by different organizations, many of them are (small or large) ISPs.
If you want to know which organization runs NTP servers which your router uses as synchronization source, then don’t use pool.ntp.org … instead research your network neighbourhood, select a couple of NTP servers you trust and configure your router with them.
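Added example, not part of any post in this thread: a small Python triage script that parses firewall log records in the format quoted above and separates router-originated NTP requests (output chain, UDP to port 123, 76-byte IP length) from other dropped output traffic. Only the first sample line comes from the thread; the other lines, the function names and the documentation-range addresses are constructed for illustration.

```python
import re
from collections import Counter

# First line is the record quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
router dropped - output: in:(unknown 0) out:sfp2-WAN, connection-state:new proto UDP, 192.168.5.111:123->173.255.241.249:123, len 76
router dropped - output: in:(unknown 0) out:sfp2-WAN, connection-state:new proto UDP, 192.168.5.111:123->198.51.100.7:123, len 76
router dropped - output: in:(unknown 0) out:sfp2-WAN, connection-state:new proto UDP, 192.168.5.111:5678->203.0.113.9:53, len 60
router dropped - output: in:(unknown 0) out:sfp2-WAN, connection-state:new proto TCP (SYN), 192.168.5.111:40112->203.0.113.20:443, len 60
"""

LINE_RE = re.compile(
    r"^(?P<prefix>.*?): in:(?P<in_if>.+?) out:(?P<out_if>[^,]+), "
    r"(?:connection-state:(?P<state>[^ ]+) )?"
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"len (?P<len>\d+)$"
)

# 20-byte IPv4 header + 8-byte UDP header + 48-byte basic NTP packet
NTP_IP_LEN = 20 + 8 + 48

def parse(line):
    """Return the fields of one firewall log record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec

def is_router_ntp(rec):
    """True for an NTP request sent by the router itself (no in-interface)."""
    return (rec["in_if"].startswith("(unknown") and rec["proto"] == "UDP"
            and rec["dport"] == 123 and rec["len"] == NTP_IP_LEN)

def triage(log_text):
    """Count router-originated NTP destinations; collect the rest for review."""
    ntp_peers, other = Counter(), []
    for rec in filter(None, map(parse, log_text.splitlines())):
        if is_router_ntp(rec):
            ntp_peers[rec["dst"]] += 1
        else:
            other.append((rec["proto"], rec["dst"], rec["dport"]))
    return ntp_peers, other

if __name__ == "__main__":
    peers, other = triage(SAMPLE_LOG)
    print("NTP peers:", dict(peers))
    print("Needs review:", other)
```

Several different NTP destinations over time is what a pool hostname produces, since each DNS lookup can return different volunteer servers.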
Where ****** Authorized is comprised of devices/subnets that Admin uses while local ( desktop,laptop,smartphone) using static DHCP leases and sometimes incoming remote vpn addresses.
++++++++++++++++++++++++++++++++++++++++++++++
If the ISP blocks port 123 then one adds an additional rule… ( copied from another post, not sure why there is a range of ports for to-ports, perhaps mkx can explain )
/ip firewall nat
add action=masquerade chain=srcnat comment="NTP NAT masquerade " dst-port=123 protocol=udp to-ports=12300-12390
.
Or if you really want control of it, go buy your own NTP server hardware and configure your router to use that. There are several NTP server products for not all that much money. Personally I am using an NTP200 from: https://centerclick.com/ntp/ I have been very happy with it for the past several years. Like most, it is using signals from GPS, GLONASS, Galileo, SBAS, and QZSS to derive a stratum 1 time reference.
Good to know kccc, I will email you to find out the exact time of a big earthquake or the impact of a nuclear weapon.
Wait, you may have shortwave, will give you a call over a repeater LOL