So we have a Netscreen 5 unit, running an older 5.0 firmware. It seems that it locks up after a few days and stops passing RTP (Real time protocol, UDP) packets in either direction. About to upgrade…
Author: james
SIP and Netscreen Firewalls
VoIP using SIP and RTP is a cool thing, but can be somewhat of a pain to get working from behind a firewall (NAT) device. First, an overview of the two protocols:
- SIP – Session Initiation Protocol
  - TCP port 5060 (typically), used to set up calls
- RTP – Real Time Protocol
  - UDP, random ports in the range 10,000 – 30,000, used for the call data (audio, video, etc)
The problem is thus: when a packet is sent from a gateway (eg, an Asterisk box) behind a NAT to a registrar, the IP headers are rewritten as normal for a NAT. However, SIP also carries addressing data in its payload – including IP address(es) (the ‘Via’ header) – and a plain NAT leaves that untouched, so the far end sees the private address.
To work properly, the NAT device would also need to rewrite the addresses inside the packet payload. Netfilter in Linux looks to be on the way to doing this with two kernel modules, ip_conntrack_sip and ip_nat_sip: see here.
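To make the problem concrete, here is an added example (not code from the original post, and not the Netfilter modules themselves) of what an ip_nat_sip-style payload rewrite has to do. The INVITE, the addresses (the public side uses an RFC 5737 TEST-NET-3 address) and the RTP port mapping are all constructed. It rewrites the Via and Contact headers and the SDP o=, c= and m= lines, leaves From/To/Call-ID alone because those are identifiers rather than routing targets, and recomputes Content-Length because the body changes length; the choice of which SDP lines to touch mirrors what I understand ip_nat_sip to do and is an assumption, not taken from the page.

```python
"""What a SIP ALG has to rewrite for a NAT to be transparent to SIP/RTP.

Added example, not from the original post. The SIP INVITE, the addresses and
the port mapping are constructed. A plain NAT only rewrites the IP/UDP
headers; the private address also sits in the SIP Via and Contact headers and
in the SDP body (o=, c=, m=), which is what payload rewriting has to patch up.
"""

PRIVATE_IP = "192.168.1.10"     # constructed: phone / Asterisk box behind the NAT
PUBLIC_IP = "203.0.113.5"       # constructed: the NAT's outside address
RTP_PORT_MAP = {10000: 40000}   # constructed: NAT mapped RTP port 10000 -> 40000

# Headers whose addresses are used to route replies and so must be rewritten.
# From/To/Call-ID are identifiers, not routing targets, and are left alone.
NAT_HEADERS = ("via", "contact")


def build_message(start_line, headers, body):
    """Assemble a SIP message (CRLF line endings) with a correct Content-Length."""
    hdrs = list(headers) + ["Content-Length: %d" % len(body.encode())]
    return start_line + "\r\n" + "\r\n".join(hdrs) + "\r\n\r\n" + body


def parse_message(msg):
    """Split a SIP message into (start_line, [(name, value), ...], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return start_line, headers, body


def rewrite_sdp(body, private_ip, public_ip, rtp_port_map):
    """Rewrite the SDP origin/connection addresses and the media (RTP) port."""
    out = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):
            # m=<media> <port> <proto> <fmt ...>: only the port field changes
            fields = line.split(" ")
            port = int(fields[1])
            fields[1] = str(rtp_port_map.get(port, port))
            line = " ".join(fields)
        out.append(line)
    return "\r\n".join(out)


def nat_rewrite_sip(msg, private_ip, public_ip, rtp_port_map):
    """Apply the ALG rewrite and recompute Content-Length for the new body."""
    start_line, headers, body = parse_message(msg)
    new_body = rewrite_sdp(body, private_ip, public_ip, rtp_port_map)
    new_headers = []
    for name, value in headers:
        if name.lower() in NAT_HEADERS:
            value = value.replace(private_ip, public_ip)
        elif name.lower() == "content-length":
            continue  # build_message appends the recomputed value
        new_headers.append("%s: %s" % (name, value))
    return build_message(start_line, new_headers, new_body)


def leaked_private_addresses(msg, private_ip):
    """Routing fields (Via, Contact, o=, c=) still carrying private_ip.
    A non-empty result is what an absent or broken SIP ALG looks like on the wire."""
    _, headers, body = parse_message(msg)
    leaks = [n for n, v in headers if n.lower() in NAT_HEADERS and private_ip in v]
    leaks += [l[:2] for l in body.split("\r\n")
              if l.startswith(("o=", "c=")) and private_ip in l]
    return leaks


# Constructed INVITE as it leaves the private host, before any NAT.
SDP_BODY = (
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {PRIVATE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 10000 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
SAMPLE_INVITE = build_message(
    "INVITE sip:bob@example.net SIP/2.0",
    [
        f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@example.org>;tag=1928301774",
        "To: <sip:bob@example.net>",
        f"Call-ID: a84b4c76e66710@{PRIVATE_IP}",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:alice@{PRIVATE_IP}:5060>",
        "Content-Type: application/sdp",
    ],
    SDP_BODY,
)

if __name__ == "__main__":
    print("before NAT, private address in:", leaked_private_addresses(SAMPLE_INVITE, PRIVATE_IP))
    fixed = nat_rewrite_sip(SAMPLE_INVITE, PRIVATE_IP, PUBLIC_IP, RTP_PORT_MAP)
    print("after ALG rewrite, private address in:", leaked_private_addresses(fixed, PRIVATE_IP))
    print(fixed)
```

Running it prints the INVITE with the public address in Via, Contact, o= and c=, the mapped port in m=, and a Content-Length two bytes shorter than the original; run `leaked_private_addresses` on captured SIP leaving your firewall and a non-empty list is the symptom the post describes.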
However, pay lots of money for a Netscreen and it doesn’t do this, despite having a ‘SIP ALG’ – according to Juniper support, the manufacturers of the Netscreen.
*sigh*
Reliable (High Availability) networking with Linux
In a word: bonding. See Nick Ferrier’s post to Debian-Administration. Grab my check_bonding.pl script from my Subversion repository so you can monitor your links. Get two managed switches (I like the DLink DGS-3324SR gigabit switches). Enable MSTP (Multiple Spanning Tree Protocol) on ports 1, 2, 23 and 24, and disable spanning tree on all other ports; patch port 23 to port 1 on the next switch, and port 24 to port 2, so you have two links between each switch. Plug your two interfaces into any of the other ports (3-22) on each switch. End of story.
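The point of monitoring the links is that active-backup bonding hides a failed slave: traffic keeps flowing on the survivor and nobody notices that the redundancy is gone until the second link dies. The following is an added example in the spirit of that check, not the check_bonding.pl script the post links to: it parses the status file the Linux bonding driver exposes under /proc/net/bonding/ and returns a Nagios-style verdict. The /proc text embedded below is constructed from that file's layout, with a placeholder driver version line; the default path, the min_slaves threshold and the exit codes are assumptions of the example.

```python
"""Parse /proc/net/bonding/<bond> and report slave state, Nagios style.

Added example, not the post's check_bonding.pl. The status text below is
constructed from the layout of the bonding driver's /proc file; the driver
version line is a placeholder.
"""

import sys

SAMPLE_PROC_BONDING = """\
Ethernet Channel Bonding Driver: vX.Y.Z (placeholder)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:66
"""

OK, WARNING, CRITICAL = 0, 1, 2   # Nagios plugin exit codes


def _kv(block):
    """Turn one blank-line-separated block into a {key: value} dict."""
    d = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            d[key.strip()] = value.strip()
    return d


def parse_bonding(text):
    """Return {'mode', 'active', 'mii', 'slaves': {name: {...}}} for one bond."""
    bond = {"mode": None, "active": None, "mii": None, "slaves": {}}
    for block in text.strip().split("\n\n"):
        d = _kv(block)
        if "Slave Interface" in d:
            bond["slaves"][d["Slave Interface"]] = {
                "mii": d.get("MII Status"),
                "speed": d.get("Speed"),
                "failures": int(d.get("Link Failure Count", "0")),
            }
        elif "Bonding Mode" in d:
            bond["mode"] = d["Bonding Mode"]
            bond["active"] = d.get("Currently Active Slave")
            bond["mii"] = d.get("MII Status")
        # the driver banner block matches neither and is skipped
    return bond


def check_bond(bond, min_slaves=2):
    """CRITICAL if the bond itself is down or no slave is up, WARNING if fewer
    than min_slaves slaves are up (redundancy silently lost), otherwise OK."""
    up = sorted(n for n, s in bond["slaves"].items() if s["mii"] == "up")
    down = sorted(n for n, s in bond["slaves"].items() if s["mii"] != "up")
    if bond["mii"] != "up" or not up:
        return CRITICAL, "bond down: up=%s down=%s" % (up, down)
    if len(up) < min_slaves:
        return WARNING, "redundancy lost: up=%s down=%s active=%s" % (
            up, down, bond["active"])
    return OK, "mode=%s active=%s up=%s" % (bond["mode"], bond["active"], up)


def check_bond_file(path="/proc/net/bonding/bond0", min_slaves=2):
    """Read a live bonding status file and return (exit_code, message)."""
    with open(path) as f:
        return check_bond(parse_bonding(f.read()), min_slaves)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        code, msg = check_bond_file(sys.argv[1])
    else:
        code, msg = check_bond(parse_bonding(SAMPLE_PROC_BONDING))
    print(["OK", "WARNING", "CRITICAL"][code], "-", msg)
    sys.exit(code)
```

Run with no argument it evaluates the constructed sample (eth1 down, so WARNING); give it the path to a real bond's /proc file and it behaves as a plugin, exiting with the Nagios code so it can drop straight into your existing checks.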
UML and NPTL ate my bind, mysql, etc.
So, running a combination of testing and unstable on my Bytemark UML instance, and over the course of time, the NPTL libraries started to turn up in /lib/tls. Turns out that UML and NPTL are incompatible: every binary I used that utilised threads, such as MySQL, Bind9, Nslookup, all segfault when these libraries are accessible.
Googling around shows that NPTL support doesn’t work under UML: the workaround is to rename the /lib/tls directory (eg, to /lib/tls.disable) so that it can’t be found.
Back from Aus
Just stepped in from our trip back to Aus to get married. Had a fantastic time, but just shy of three weeks wasn’t enough time to get everything done that we had to do. Hamilton Island was amazing. Pictures to follow in a few days.