Hi,
My customers get private IP addresses which are translated to public addresses on the edge of the network. The translation is usually many private addresses to one public address using masquerade or srcnat actions.
In Poland network operators are obliged to keep information about IP address usage for one year in case of law infringements.
In the case of src-nat it practically means keeping at least the information about every established TCP session: source private IP and port, and destination IP and port.
This is a well-known situation, and there is also a well-known firewall filter rule which allows logging of the TCP session info:
/ip firewall filter add action=log chain=forward connection-state=new protocol=tcp src-address=10.0.0.0/8
Example of a log entry for a single TCP session:
08:54:57 firewall,info forward: in:ether2_LAN out:ether1_UPLINK, src-mac 00:27:22:xx:xx:xx, proto TCP (SYN), 10.0.20.38:50173->213.180.x.x:443, len 60
The log entry contains the private IP and port, here: 10.0.20.38:50173.
The question is: how to find out what port number the connection is translated to on the public side?
I know I can sniff it on a port mirror of the uplink using tcpdump, but maybe there’s a better solution.
Setting up the following ip firewall mangle rule:
/ip firewall mangle add action=log chain=postrouting connection-state=established protocol=tcp src-address=10.0.0.0/8
gives entries like this in the log:
09:14:26 firewall,info postrouting: in:(none) out:ether1_UPLINK, src-mac 00:13:ce:xx:xx:xx, proto TCP (ACK), 10.0.20.101:38290->173.194.x.x:80, NAT (10.0.20.101:38290->55.22.x.x:38290)->173.194.x.x:80, len 52
The part “NAT (10.0.20.101:38290->55.22.x.x:38290)” suggests that the source port on the public side is the same as on the private side, but it’s not that way. How does that work? How are the public ports allocated? Is there a way to log it?
Thanks,
jacek
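One practical way to turn the two kinds of log entries shown above into the retention record the post asks for (private IP:port, public IP:port, destination IP:port) is to parse them off the router, for example from a remote syslog collector. The following is an added example, not code from the original post or from MikroTik; the field layout of the regex is assumed from the two sample entries in the post rather than from RouterOS documentation, the addresses in the sample log are constructed from documentation ranges, and the third sample line is a constructed scenario in which two clients happen to use the same private source port so the translator must pick a different public port for one of them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, mirroring the two entry formats shown in the post
# (filter rule in chain=forward without NAT detail, mangle rule in
# chain=postrouting with the "NAT (...)" part). Addresses are documentation
# ranges; the third line is a constructed port-collision case.
SAMPLE_LOG = """\
08:54:57 firewall,info forward: in:ether2_LAN out:ether1_UPLINK, src-mac 00:27:22:aa:bb:cc, proto TCP (SYN), 10.0.20.38:50173->203.0.113.10:443, len 60
09:14:26 firewall,info postrouting: in:(none) out:ether1_UPLINK, src-mac 00:13:ce:aa:bb:cc, proto TCP (ACK), 10.0.20.101:38290->198.51.100.7:80, NAT (10.0.20.101:38290->192.0.2.5:38290)->198.51.100.7:80, len 52
09:14:27 firewall,info postrouting: in:(none) out:ether1_UPLINK, src-mac 00:13:ce:aa:bb:dd, proto TCP (SYN), 10.0.20.102:38290->198.51.100.7:80, NAT (10.0.20.102:38290->192.0.2.5:1025)->198.51.100.7:80, len 60
"""

# Field order is an assumption taken from the sample entries in the post.
# The "NAT (...)" group is optional so that plain filter-rule entries parse too.
_LOG_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}) firewall,info (?P<chain>\w+): "
    r"in:(?P<in_if>[^ ]+) out:(?P<out_if>[^,]+), .*?"
    r"proto (?P<proto>\w+) \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:, NAT \((?P<nat_src>[\d.]+):(?P<nat_sport>\d+)->"
    r"(?P<pub>[\d.]+):(?P<pub_port>\d+)\)->(?P<nat_dst>[\d.]+):(?P<nat_dport>\d+))?"
    r", len (?P<len>\d+)"
)


@dataclass
class NatRecord:
    ts: str
    chain: str
    proto: str
    flags: str
    private_ip: str
    private_port: int
    dst_ip: str
    dst_port: int
    public_ip: Optional[str]    # None when the entry carried no "NAT (...)" part
    public_port: Optional[int]


def parse_line(line: str) -> Optional[NatRecord]:
    """Parse one RouterOS firewall log line; return None for lines in another format."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    translated = m.group("pub") is not None
    return NatRecord(
        ts=m.group("ts"), chain=m.group("chain"),
        proto=m.group("proto"), flags=m.group("flags"),
        private_ip=m.group("src"), private_port=int(m.group("sport")),
        dst_ip=m.group("dst"), dst_port=int(m.group("dport")),
        public_ip=m.group("pub") if translated else None,
        public_port=int(m.group("pub_port")) if translated else None,
    )


def port_preserved(rec: NatRecord) -> Optional[bool]:
    """True if the public source port equals the private one, None if the line had no NAT info."""
    if rec.public_port is None:
        return None
    return rec.public_port == rec.private_port


def retention_rows(text: str) -> list:
    """Build (timestamp, private, public, destination) rows from translated entries.

    The postrouting mangle rule logs every matching packet, so the same flow
    appears many times; only the first entry per private 5-tuple is kept.
    """
    rows, seen = [], set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.public_ip is None:
            continue
        key = (rec.private_ip, rec.private_port, rec.dst_ip, rec.dst_port)
        if key in seen:
            continue
        seen.add(key)
        rows.append((rec.ts,
                     f"{rec.private_ip}:{rec.private_port}",
                     f"{rec.public_ip}:{rec.public_port}",
                     f"{rec.dst_ip}:{rec.dst_port}"))
    return rows


if __name__ == "__main__":
    for row in retention_rows(SAMPLE_LOG):
        print(*row, sep="\t")
```

Only entries that carry the "NAT (...)" part contribute to the retention table; the filter-rule entry from chain=forward parses but yields no public mapping, which is exactly the gap the post describes. The deduplication by private 5-tuple matters because a connection-state=established rule in postrouting fires for every packet of the flow, not once per session.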