The home network has been a journey since we moved in. I have recently joined up the last bits of it, and I now have a Netgear SRX5308 Prosafe firewall between the three wired networks in the house and the outside world.
Well, it kind of worked, but I still had problems with the phones, which mostly worked but sometimes struggled with DNS lookups and SIP timeouts, with the service de-registering from its peers.
I struggled with this for a day, doing Wireshark traces and so on, and eventually found something odd: UDP packets that I could see on the inside were not showing up on the outside.
And then I found this snippet on a web site somewhere:
I had just installed a new Netgear SRX5308 VPN/Firewall in our network (5 VLANs, about 70 users and around 200 devices total). Everything seemed to be working fine, but, randomly and intermittently, new connections would be slow or time out. So users would experience web pages loading slowly, or failing to load at all, but then working again on a second try, etc.

Netgear support couldn't help much with it, so I did more of my own diagnosis, and eventually found that it was related to DNS lookups slowing down or failing intermittently when going through the firewall; if I was outside the firewall, everything was fine.

I then found the solution myself: to uncheck the "Block UDP flood" on the "Attack Checks" configuration of the firewall settings. Since I deactivated it, everything has been working fine.

I then went back and looked in Netgear's documentation. Apparently, the "Block UDP flood" option, which is enabled by default, triggers when it has 20 or more simultaneous UDP connections from a single LAN-side client. And of course, DNS works over UDP port 53, so we were seeing intermittency whenever we got to >20 DNS requests at the same time from a client. (And, in fact, the current manual acknowledges this in a note on p. 136, which is in the firewall rules section and unfortunately not referenced in the Attack Checks section.)

The reason I think this is likely a common problem: 20 simultaneous connections is WAY TOO LOW for modern browsers and network usage; a single average webpage can load material from its own server, 2-4 social networks, various sources for JavaScript libraries, fonts, CSS, etc., and CDN servers for images, all of which require DNS lookups. You could easily get to 20 on a single page, even without accounting for stuff the computer is doing in the background that might involve DNS lookups or other uses of UDP.
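To make the failure mode in the quoted post concrete, here is an added Python model (my own example; not code from the quoted post and not Netgear's implementation) of a per-client concurrent-UDP-flow counter with the documented 20-flow trigger, replayed over a constructed trace of one phone and one browser page load. Assumptions, beyond what the page states: the check drops only packets that would open a new flow once a client already has 20 live ones, an idle UDP flow ages out of the table after 2 seconds, and the addresses 192.168.1.50, 198.51.100.53 and 203.0.113.10 are made up.

```python
# Added example (not from the quoted post and not Netgear's code): a model of a
# per-client "Block UDP flood" heuristic with the documented 20-flow trigger,
# run over a constructed packet trace to show DNS and SIP traffic being dropped.
from collections import defaultdict
from dataclasses import dataclass

THRESHOLD = 20      # documented trigger: 20 or more simultaneous UDP connections per LAN client
FLOW_TIMEOUT = 2.0  # assumption: an idle UDP "connection" ages out of the table after 2 s

# Made-up addresses (RFC 1918 / RFC 5737 ranges), not anything from the page.
CLIENT = "192.168.1.50"
RESOLVER = "198.51.100.53"   # upstream DNS resolver beyond the firewall
SIP_SERVER = "203.0.113.10"  # SIP registrar beyond the firewall


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds
    src: str
    sport: int
    dst: str
    dport: int


def simulate(packets, threshold=THRESHOLD, timeout=FLOW_TIMEOUT):
    """Replay packets through a per-source UDP flow table.

    A flow is (sport, dst, dport) from one LAN source. A packet on a known
    flow is always forwarded; a packet that would open a new flow is dropped
    once the source already has `threshold` live flows (assumption about how
    the block is applied). threshold=None disables the check, which is what
    unticking "Block UDP flood" does. Returns (forwarded, dropped) lists.
    """
    active = defaultdict(dict)  # src -> {flow_key: last_seen}
    forwarded, dropped = [], []
    for p in sorted(packets, key=lambda q: q.ts):
        table = active[p.src]
        for key, last in list(table.items()):   # age out idle flows
            if p.ts - last > timeout:
                del table[key]
        key = (p.sport, p.dst, p.dport)
        if key not in table and threshold is not None and len(table) >= threshold:
            dropped.append(p)
            continue
        table[key] = p.ts
        forwarded.append(p)
    return forwarded, dropped


def build_trace():
    """Constructed trace: one phone and one browser page load behind the firewall."""
    pkts = [Packet(0.0, CLIENT, 5060, SIP_SERVER, 5060)]          # SIP REGISTER
    # A page load that fans out to 24 hostnames: 24 DNS queries in 240 ms,
    # each from a fresh source port, so each is a separate UDP "connection".
    for i in range(24):
        pkts.append(Packet(5.0 + i * 0.01, CLIENT, 40000 + i, RESOLVER, 53))
    pkts.append(Packet(5.5, CLIENT, 5060, SIP_SERVER, 5060))       # SIP re-REGISTER during the burst
    pkts.append(Packet(8.0, CLIENT, 5060, SIP_SERVER, 5060))       # SIP REGISTER after the burst
    return pkts


def summarize(packets, threshold=THRESHOLD):
    """Counts of what the firewall model forwarded and what it dropped, by protocol."""
    fwd, drop = simulate(packets, threshold=threshold)
    return {
        "forwarded": len(fwd),
        "dropped_dns": sum(1 for p in drop if p.dport == 53),
        "dropped_sip": sum(1 for p in drop if p.dport == 5060),
    }


if __name__ == "__main__":
    print("Block UDP flood on :", summarize(build_trace()))
    print("Block UDP flood off:", summarize(build_trace(), threshold=None))
```

With the check on, the last four lookups of the page load and the phone's re-registration that lands in the same window are dropped, which is exactly the pattern described above: pages that work on the second try and a SIP service that keeps de-registering. With the check off, everything is forwarded. Whether the 20-flow threshold can be raised on this firmware rather than the check disabled outright is not something either post states, so the trade-off is between the symptom and a flood check whose trigger sits below a single modern page load.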
I have made the change on the firewall now, and since then the https://www.sipgate.co.uk/ service no longer re-registers or de-registers every 20 seconds; DNS lookups are more stable, and things feel a lot snappier.
AND all the phones seem to work now - result!