Bug 12756

Summary: IPS drops Unbound traffic from an IPFire located behind another IPFire
Product: IPFire
Reporter: Peter Müller <peter.mueller>
Component: ---
Assignee: Assigned to nobody - feel free to grab it and work on it <nobody>
Status: NEW
QA Contact: Arne.F <arne.fitzenreiter>
Severity: Major Usability
Priority: - Unknown -
CC: michael.tremer, stefan.schantl
Version: 2
Hardware: all
OS: All

Description Peter Müller 2022-01-04 17:43:48 UTC
As discussed in https://wiki.ipfire.org/devel/telco/2022-01-03, I am raising a bug for investigating this issue. It appears to have been around for a long time, particularly affecting IPFire users behind a slow internet connection who run another ("nested") IPFire behind it.

In such cases, Suricata seems to block necessary Unbound traffic after a little while (within minutes?), causing DNS not to work properly anymore on the second machine. Unfortunately, nothing is logged.

Arne is observing this in his environment.

Comment 1 Peter Müller 2022-01-04 17:44:57 UTC
@Stefan: I vaguely remember you mentioned being able to force Suricata to log such packets/incidents. If this is correct, could you tell us what you did and/or maybe help Arne investigate this? Thanks.