How to map external address:port to internal IP number

Please excuse my question, which clearly displays my ignorance!

In New Zealand we have a new law about copyright theft that concerns itself in particular with peer-to-peer file sharing.

I am told that my obligation as network administrator is “Ensure you can map an external IP address to internal users”.

This worries me. All our outgoing traffic uses our single external IP address. How can I map the traffic AS SEEN FROM THE INTERNET SIDE OF THE FIREWALL to an internal IP address?

Using Winbox, if I look under IP > Firewall > Connections I can see Src. Address:Port and Dst. Address:Port, but that doesn't show me how those requests look to the destination host. Where can I find the information about how the router translates the requests to use the single external IP address?

Does this information also get logged?

Thank you.

You must use a syslog server to store all the connection history.

Install this:
http://www.snmpsoft.com/syslogwatcher/syslog-server.html
or search for something similar for Linux etc.

Create the address list lista_ip_clienti and put into it all the internal IPs used by your clients.

/ip firewall filter
# log the first packet of every new connection from a listed client (internal src IP:port -> dst IP:port)
add action=log chain=forward connection-state=new src-address-list=lista_ip_clienti
# related connections (e.g. FTP data channels) get their own prefix so they can be told apart
add action=log chain=forward connection-state=related log-prefix=RELATED src-address-list=lista_ip_clienti
# tunnel/encapsulation protocols: log every packet, not just the first one of a connection
add action=log chain=forward protocol=ipv6 src-address-list=lista_ip_clienti
add action=log chain=forward protocol=gre src-address-list=lista_ip_clienti
add action=log chain=forward protocol=ipsec-esp src-address-list=lista_ip_clienti
add action=log chain=forward protocol=ipsec-ah src-address-list=lista_ip_clienti

/system logging action
# placeholders: replace with the router's own (WAN) address and the syslog server's address
:global gatewayip value=1.2.3.4
:global syslogip value=5.6.7.8
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=bsd-syslog target=remote
add bsd-syslog=yes name=LogServerEmergency remote=$syslogip src-address=$gatewayip syslog-facility=local1 syslog-severity=emergency target=remote
add bsd-syslog=yes name=LogServerAlert remote=$syslogip src-address=$gatewayip syslog-facility=local1 syslog-severity=alert target=remote
add bsd-syslog=yes name=LogServerCritical remote=$syslogip src-address=$gatewayip syslog-facility=local1 syslog-severity=critical target=remote
add bsd-syslog=yes name=LogServerError remote=$syslogip src-address=$gatewayip syslog-facility=local1 syslog-severity=error target=remote
add bsd-syslog=yes name=LogServerWarning remote=$syslogip src-address=$gatewayip syslog-facility=local1 syslog-severity=warning target=remote
add bsd-syslog=yes name=LogServerNotice remote=$syslogip src-address=$gatewayip syslog-facility=local1 syslog-severity=notice target=remote
add bsd-syslog=yes name=LogServerInfo remote=$syslogip src-address=$gatewayip syslog-facility=local1 syslog-severity=info target=remote
add bsd-syslog=yes name=LogServerDebug remote=$syslogip src-address=$gatewayip syslog-facility=local1 syslog-severity=debug target=remote

In /system logging, add !firewall to the "info" rule, or you will fill all the RB's logs with firewall entries.

/system logging
set 0 action=memory disabled=no prefix=INFO topics=info,!ppp,!pppoe,!pptp,!firewall,!system
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
add topics=critical
add action=LogServerCritical topics=critical
add action=LogServerError topics=error
add action=LogServerWarning topics=warning
add action=LogServerNotice topics=pppoe,info,!debug
add action=LogServerInfo topics=firewall,info,!debug
add prefix=ACCOUNT topics=account,!manager,!pppoe,!debug
add prefix=MANAGER topics=manager,!debug
add prefix=PPPoE topics=pppoe,!info,!debug
add prefix=RADIUS topics=radius,!debug
add prefix=SYSTEM topics=system,!account,!critical,!error,!warning,!debug
add prefix=PPTP topics=pptp,!debug
add prefix=PPP topics=ppp,!pppoe,!debug

Now, if needed, you can find out exactly which user was using that port at that time.

P.S.: Remember to sync the clock with a stable source…
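Once the firewall log lines are on the syslog server, the remaining work is the lookup the law asks for: given an external address:port, the remote host, and a time, find the internal host. The script below is an added example, not code from the original post or from MikroTik. It assumes the syslog server stores lines as "YYYY-MM-DD HH:MM:SS <router> <message>" (the year is added by the server; the sample lines are constructed, not captured) and that the RouterOS firewall log message carries the flow as "a:p->b:q" and, when the translation is known, a "NAT a:p->(ext:port->b:q)" field. Where a line has no NAT field, the script falls back on the assumption that masquerade keeps the original source port unless it collides with another connection, and it flags such matches as inferred rather than exact so they can be verified separately.

```python
"""Map an external address:port seen from the Internet back to an internal host.

Added example (not from the original post or MikroTik). Parses RouterOS-style
firewall log lines as stored by a syslog server. The line layout is an
assumption from memory of RouterOS output; sample lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample log. Host .11 shows a port collision: its internal source
# port 51234 was already in use by .10, so the router gave it external port 1024.
# The third line (UDP) has no NAT field, so only the fallback can match it.
SAMPLE_LOG = """\
2012-03-01 10:15:02 192.0.2.1 firewall,info forward: in:ether2 out:ether1, src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 192.168.88.10:51234->198.51.100.20:6881, NAT 192.168.88.10:51234->(203.0.113.5:51234->198.51.100.20:6881), len 60
2012-03-01 10:15:05 192.0.2.1 firewall,info forward: in:ether2 out:ether1, src-mac 00:0c:42:aa:bb:02, proto TCP (SYN), 192.168.88.11:51234->198.51.100.21:6881, NAT 192.168.88.11:51234->(203.0.113.5:1024->198.51.100.21:6881), len 60
2012-03-01 10:16:40 192.0.2.1 firewall,info forward: in:ether2 out:ether1, src-mac 00:0c:42:aa:bb:03, proto UDP, 192.168.88.12:40000->198.51.100.22:53, len 70
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# e.g. "proto TCP (SYN), 192.168.88.10:51234->198.51.100.20:6881"
FLOW_RE = re.compile(
    rf"proto (?P<proto>\S+)(?: \([^)]*\))?, "
    rf"(?P<sip>{IP}):(?P<sport>\d+)->(?P<dip>{IP}):(?P<dport>\d+)"
)
# e.g. "NAT 192.168.88.10:51234->(203.0.113.5:51234->198.51.100.20:6881)"
NAT_RE = re.compile(rf"NAT {IP}:\d+->\((?P<eip>{IP}):(?P<eport>\d+)->{IP}:\d+\)")


@dataclass
class Record:
    ts: datetime
    proto: str
    sip: str
    sport: int
    dip: str
    dport: int
    nat: Optional[Tuple[str, int]]  # (external ip, external port) when the router logged it


@dataclass
class Candidate:
    internal_ip: str
    internal_port: int
    ts: datetime
    exact: bool  # False: inferred from port preservation, verify before relying on it


def when(s: str) -> datetime:
    """Parse the assumed syslog-server timestamp prefix."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_line(line: str) -> Optional[Record]:
    ts, flow = TS_RE.match(line), FLOW_RE.search(line)
    if not ts or not flow:
        return None  # ICMP and other port-less lines carry nothing useful here
    nat = NAT_RE.search(line)
    return Record(
        ts=when(ts.group(1)), proto=flow["proto"],
        sip=flow["sip"], sport=int(flow["sport"]),
        dip=flow["dip"], dport=int(flow["dport"]),
        nat=(nat["eip"], int(nat["eport"])) if nat else None,
    )


def index_log(text: str) -> List[Record]:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def lookup(records: List[Record], ext_ip: str, ext_port: int, remote_ip: str,
           remote_port: int, at: datetime, router_ext_ip: str,
           window: timedelta = timedelta(minutes=5)) -> List[Candidate]:
    """Internal hosts that could have appeared as ext_ip:ext_port to remote_ip:remote_port near `at`."""
    hits: List[Candidate] = []
    for r in records:
        if abs(r.ts - at) > window or (r.dip, r.dport) != (remote_ip, remote_port):
            continue
        if r.nat is not None:
            # The router logged the translated tuple: authoritative match.
            if r.nat == (ext_ip, ext_port):
                hits.append(Candidate(r.sip, r.sport, r.ts, exact=True))
        elif ext_ip == router_ext_ip and r.sport == ext_port:
            # No NAT field in the line. Assumption: masquerade keeps the source
            # port unless it collides, so same port on the single external IP
            # is a plausible but unverified match.
            hits.append(Candidate(r.sip, r.sport, r.ts, exact=False))
    return hits


if __name__ == "__main__":
    recs = index_log(SAMPLE_LOG)
    for c in lookup(recs, "203.0.113.5", 1024, "198.51.100.21", 6881,
                    when("2012-03-01 10:15:00"), "203.0.113.5"):
        print(c)
```

The remote address and port are part of the query on purpose: a complaint normally names the peer the traffic went to, and several internal hosts can legitimately share the same external port towards different peers. Keep the window short and, as the post says, keep the router clock synced, or the time the complainant quotes will not line up with the log.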

Depending on your network size, sending either syslog or traffic-flow to an ELK instance (Elasticsearch, Logstash, Kibana) would be a more scalable approach.