Hayling Island

Friday, June 21, 2019

Have we fixed the phones?

The home network has been a journey since we moved in. I have recently joined up the last bits of the network, and I now have a Netgear SRX5308 Prosafe firewall between the three house wired networks, and the outside world.

Well, it kind of worked, but there were still problems with the phones: they mostly worked but sometimes struggled with DNS lookups and SIP timeouts, and the service kept de-registering from its peers.

I struggled for a day with this, doing Wireshark traces and so on, and eventually found something odd: UDP packets sent from the inside were not showing up on the outside of the firewall.

And then, I found this snippet on a web site somewhere:

I had just installed a new Netgear SRX5308 VPN/Firewall in our network (5 VLANs, about 70 users and around 200 devices total). Everything seemed to be working fine, but — randomly and intermittently — new connections would be slow or time out. So users would experience web pages loading slowly, or failing to load at all, but then working again on a second try, etc.

Netgear support couldn't help much with it, so I did more of my own diagnosis, and eventually found that it was related to DNS lookups slowing down or failing intermittently when going through the firewall; if I was outside the firewall, everything was fine.

I then found the solution myself: to uncheck the "Block UDP flood" on the "Attack Checks" configuration of the firewall settings. Since I deactivated it, everything has been working fine.

I then went back and looked in Netgear's documentation — apparently, the "Block UDP flood" option, which is enabled by default, triggers when it has 20 or more simultaneous UDP connections from a single LAN-side client. And of course, DNS works over UDP port 53, so we were seeing intermittency whenever we got to >20 DNS requests at the same time from a client. (And, in fact, the current manual acknowledges this in a note on p. 136 — which is in the firewall rules section and unfortunately not referenced in the Attack Checks section).

The reason I think this is likely a common problem: 20 simultaneous connections is WAY TOO LOW for modern browsers and network usage; a single average webpage can load material from its own server, 2-4 social networks, various sources for Javascript libraries, fonts, CSS, etc., and CDN servers for images — all of which require DNS lookups. You could easily get to 20 on a single page, even without accounting for stuff the computer is doing in the background that might involve DNS lookups or other uses of UDP.

I have made the change on the firewall now, and since then the https://www.sipgate.co.uk/ service doesn't re-register or de-register every 20 seconds; DNS lookups are more stable, and things feel a lot more snappy.

AND all the phones seem to work now - result!
