Add a rule like below, make sure it's above default masquerade rule
set service nat rule 5001 description NTP_ChangeSourceport set service nat rule 5001 destination port 123 set service nat rule 5001 log disable set service nat rule 5001 outbound-interface eth0 set service nat rule 5001 outside-address port 1024-65535 set service nat rule 5001 protocol udp set service nat rule 5001 type masquerade
It changes NTP source port to something above 1023, hoping your ISP only blocks your packets having source port UDP123