How to log nat translation ?

boris67 · December 11, 2006, 8:00am

If I have a Mikrotik box with source nat such as:

ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; added by setup
10.10.10.3/24 10.10.10.0 10.10.10.255 ether1
1 192.168.145.101/24 192.168.145.0 192.168.145.255 ether2

ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=ether2 src-address=40.40.40.0/24
action=masquerade

My clients are 40.40.40.x/24 behind ether1, and they go out ether2 with 192.168.145.101 ip address.
I need to log all mappings 40.40.40.x:portA --> 192.168.145.101:portB because I want to trace it.
I tryied with:

ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=ether2 src-address=40.40.40.0/24
action=log

but I can see only 40.40.40.x:portA --> public destination ip addr:portB,
so I haven't mapping 40.40.40.x:portA --> 192.168.145.101:portB logged.

Thanks

boris67 · December 11, 2006, 11:50am

There’s no way to do this ?

Thanks

normis · December 11, 2006, 12:05pm

the job of masquerading is to hide the machine behind a public address. the whole idea for this is to make it impossible to do what you want

boris67 · December 11, 2006, 12:19pm

Masquerading job should be to hide private IP behind public IP EXTERNALLY … I expect MT (natting) router should show me “nat table”, with information I need, as almost all router do … isn’t it ?

Thanks
Boris

normis · December 11, 2006, 12:21pm

what exactly do you expect to see in this table? please clarify

boris67 · December 11, 2006, 12:32pm

nat table should be:

Note: “public IP address” is the same for all (masqueranding)

private IP address_1:port_A → public IP address:port_B
private IP address_2:port_C → public IP address:port_D
private IP address_3:port_E → public IP address:port_F
private IP address_4:port_G → public IP address:port_H

For example, if some client of mine goes to web site with public IP address 30.30.30.30:80, client (natted) public IP and port will be “public IP address:some_port”, but I need to know what is real private IP address and port doing web access … only nat table can give this information.

Thanks

normis · December 11, 2006, 12:51pm

what do you understand with port in this case? ethernet port? you have many? how do you determine which clients use which ethernet port? I am really sure that you are looking in the wrong place to solve a simple problem

janisk · December 11, 2006, 1:19pm

boris should start with MT ROS basic configuration and networking basics, everything is nice and tidy in MT manual. hope he can find it. no offense.

so we can talk here using same terms and terminology

boris67 · December 11, 2006, 1:40pm

Guys,

I’m talk about TCP/UDP port … what’s more basic on networking world than this ?

normis · December 11, 2006, 1:45pm

well Doh, this is already there. it’s called torch. open winbox and run torch on the local interface. you will see where each local ip connects.

boris67 · December 18, 2006, 10:26am

I mean I need a “masquerading-table” such as in this link http://hasenstein.com/linux-ip-nat/diplom/node4.html#SECTION00042300000000000000
Also, in this post
http://forum.mikrotik.com/t/question-on-nat-and-routing-mark/4412/1

cmit was talking about:

“The router is keeping a table of src-natted connections so it can do the reverse mapping (of incoming response packets) without further config. That’s the way all standard masquerading devices work.”

I mean that table of src-natted connections.
Does it exist in MT a way to log/view/report/print such a table ?

Thanks.
Boris

normis · December 18, 2006, 10:29am

use torch, it does the same thing. if it lacks some feature, please write which one. you are able to see the src-address, the dst-address and the ports. what else is missing?

janisk · December 18, 2006, 10:32am

table exist but not in accessible way, at least the way you want to access it - try torch like normis said.

boris67 · December 18, 2006, 11:05am

Thanks Guys,

torch (and packet sniffer) show me what I want.
Does exist a way to log such information ?
I mean that in my country, as an ISP, we are forced by law to trace and log every single user session (but absolutely not session content), so I need to trace/log for every user session:

source (private) user IP address and (private) TCP/UDP port,
source-natted (public) user IP address and (public) TCP/UDP port,
destination (public) IP address and (public) TCP/UDP port.

Thanks again all you guys

boris67 · December 18, 2006, 4:47pm

Please, can you help me ?

thanks

changeip · December 18, 2006, 5:52pm

can you use the netflow data for this? traffic-flow

Sam

boris67 · December 20, 2006, 3:00pm

Does it exist a way to send output of

ip → firewall → connection → print → detail

to a syslog server ?

thanks.

tgrand · December 20, 2006, 4:00pm

Go to hotspot/Hosts, there is a mascerade table there.

boris67 · December 20, 2006, 9:07pm

Thanks tgrand, but I don’t need (and I don’t want) hotspot on that device … it’s an MKTK firewall behind Internet router … I only need to collect info about PAT table into a syslog server to trace and store user sessions as in my previous post

marxin · October 9, 2013, 10:43pm

Long time no answer, is there any new feature in RouterOS that can help people to log all connections (with reply src-reply-address and dst-reply-address)?