I have to log all TCP connections with date & time.
CPEs have static private IP addresses.
What do you suggest between mirroring all traffic “after” the main router with a smart switch and a PC, and
enabling logging on each CPE to a remote web server?
Which is the best and most efficient way?
Don’t mirror anything. Use RouterOS logging and a syslog daemon on a server.
Enable logging on the NATing rule (in RouterOS 6.20) or in older RouterOS versions add a rule:
/ip firewall filter add chain=forward protocol=tcp connection-state=new action=log
and move it to the top of the list.
You will also have to configure a remote logging action (in system->logging->actions) and add a logging rule, which will apply the remote action to the topic “firewall”.
In the syslog messages you will see the parameters of the connections (date, time, source address and port, destination address and port).
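To show what the syslog stream from such a rule looks like and how it can be turned into the per-connection records asked for above, here is an added Python example (not from the thread and not part of RouterOS). The log lines are constructed to mimic RouterOS firewall log output with BSD-syslog framing, and the CPE-to-customer mapping is a hypothetical placeholder for your own inventory.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the shape RouterOS writes for a forward-chain rule
# with action=log, as received by a syslog daemon (the timestamp and hostname
# prefix come from BSD-syslog framing). All addresses and MACs are made up.
SAMPLE_LOG = """\
Jan 15 10:22:33 edge-router firewall,info forward: in:ether2 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.10.1.12:51234->203.0.113.7:443, len 60
Jan 15 10:22:35 edge-router firewall,info forward: in:ether2 out:ether1, src-mac 00:11:22:33:44:66, proto TCP (SYN), 10.10.1.40:40001->198.51.100.9:80, len 60
Jan 15 10:22:36 edge-router firewall,info forward: in:ether2 out:ether1, src-mac 00:11:22:33:44:55, proto UDP, 10.10.1.12:5353->224.0.0.251:5353, len 80
Jan 15 10:22:40 edge-router system,info,account user admin logged in from 10.10.1.2 via winbox
"""

# Hypothetical static CPE address -> customer mapping (the thread says CPEs have
# static private addresses); in practice this comes from your own records.
CPE_CUSTOMERS = {"10.10.1.12": "customer-0001", "10.10.1.40": "customer-0002"}

# Matches the timestamp, router name, chain, protocol and the src:port->dst:port pair.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) firewall,info "
    r"(?P<chain>\w+): .*?proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass
class Connection:
    timestamp: str
    router: str
    customer: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_line(line: str) -> Optional[Connection]:
    """Return a Connection for a TCP firewall log line; None for anything else."""
    m = LINE_RE.match(line)
    if not m or m["proto"] != "TCP":
        return None
    return Connection(
        timestamp=m["ts"], router=m["host"],
        customer=CPE_CUSTOMERS.get(m["src"], "unknown"),
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
    )

def parse_log(text: str) -> list[Connection]:
    """Parse a whole syslog capture, keeping only new TCP connection records."""
    return [c for c in map(parse_line, text.splitlines()) if c]
```

Non-TCP and non-firewall lines are dropped, so the record count is a rough proxy for the log volume the rule will generate per customer.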
Someone says enabling RouterOS logging on each CPE will be heavy on user connection speed.
Is it true?
Have you tried the calea package?
No. What are its advantages over syslog?
Don’t know. But it seems to be developed for the purpose you are asking about. I have never needed this, just trying to point you in a direction you could try.
Logging all TCP connections inside would definitely be heavy. I would try remote logging to check its influence first. It is free and easily reachable, so you will get an overview of how it would look in reality with all devices and users involved.
Maybe I did not make myself clear.
I mean: will enabling remote logging on each CPE be heavy on user bandwidth?
I’d like to know if there’s any disadvantage with remote logging
Do not enable remote logging on each CPE, it makes no sense.
Enable logging on your edge router, the one that’s doing the NAT.
Which router? The one closest to the customer’s router?
Should the router log to a dedicated server?
On the router, which is translating the CPE private addresses to public addresses.
Yes, log to a remote server with a large disk or a matrix.
Remote or local server, possibly with RAID1 I guess.
Any idea about file sizes?
In my case it was 100 GB of cleartext logs per 1000 customers yearly.
When packed with ZIP using strong compression the amount went down to about 6 GB.
Could enabling logging on the edge router (the one that faces the public interface) be a problem if CPE private addresses are assigned by the DHCP server of the access point and they are in a different private LAN network? Will I identify customers by their own RouterOS identity name?