TomjNorthIdaho
Forum Guru
Topic Author
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Syslog to log NAT/CGN-Nat translations

Thu Jul 01, 2021 4:49 am

Syslog to log NAT/CGN-Nat translations

I hope somebody knows the answer to the question I am asking.

Can I, and how do I, log (syslog and/or syslog to a remote syslog server) all NAT translations?

Like many ISPs and WISPs, we get copyright notices which state somebody at an IP address downloaded something with some additional basic data.
I have a need to log time-stamped NAT translations, so that I can locate what inside NATed customer did what and where to with what protocol and what outside IP address was used.
This info is needed only to locate the customer and notify the customer to stop downloading copyrighted material/files/movies I receive notices for.

North Idaho Tom Jones
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Syslog to log NAT/CGN-Nat translations

Thu Jul 01, 2021 11:47 am

Do not do that,
p2p@paramount.copyright-notice.com or others do not have any legal value....
Do not cooperate with echelon.

They just try to intimidate, if they REALLY make a lawsuit for each case, it would take thousands of years to do them all, in all countries...
then they try to intimidate the ISPs,
but they themselves violate the law by intercepting traffic without the authorization of any court,
or by accessing it without any authorization on the user's computer.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Syslog to log NAT/CGN-Nat translations

Thu Jul 01, 2021 11:59 am

Give quality service to your client, do not use NAT, use true IP.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Syslog to log NAT/CGN-Nat translations

Thu Jul 01, 2021 12:26 pm

You could give each client a set range of source ports, so you can determine from the logged source port which client it was. You could rotate the source ports between the clients at a set time and log the new distribution.

The copyright claimer also has to provide the source port used.

This will limit the number of connections at the same time for each client. You then only have to log which client used what port from login time to logoff time or time of redistributing of ports.

Please don't log more data of your clients for this.

Edit: see starter as viewtopic.php?f=2&t=155724&p=770437&hilit=cgn#p770437
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: Syslog to log NAT/CGN-Nat translations

Thu Jul 01, 2021 5:35 pm

> Do not do that,
> p2p@paramount.copyright-notice.com or others do not have any legal value....
> Do not cooperate with echelon.
>
> They just try to intimidate, if they REALLY make a lawsuit for each case, it would take thousands of years to do them all, in all countries...
> then they try to intimidate the ISPs,
> but they themselves violate the law by intercepting traffic without the authorization of any court,
> or by accessing it without any authorization on the user's computer.

This is absolutely not true. In the US (and other countries), there are regulatory requirements by the FCC and Dept of Justice to keep this information that have nothing to do with music or media companies and DMCA. As a consultant, I've been involved in a number of cyber crime cases where this information is requested by local or state law enforcement, or the FBI using a subpoena and they specifically ask for data that correlates an IP address to a subscriber. ISPs in the US are required to be able to provide it whether or not the media companies are involved with DMCA.

https://www.fcc.gov/public-safety-and-h ... assistance

Typically, when using MikroTik, we'll dedicate source port ranges allocated to each subscriber with an export of the state table to a logging server and then a reduction of the data size using logstash.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Syslog to log NAT/CGN-Nat translations

Thu Jul 01, 2021 5:43 pm

Fast way: do not use NAT, use true IP.

Each public IP corresponds to one user,
and if some user does some crime, you know exactly which user it is, without any effort...
At that point, simply log the traffic of the IP to demonstrate whether it is spoofed or not.
 
TomjNorthIdaho
Forum Guru
Topic Author
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Syslog to log NAT/CGN-Nat translations

Thu Jul 01, 2021 5:49 pm

What would be nice - but will never happen - would be for these notices to also include the remote IP address.
It would be great and useful if these notices included both ends of the connection (show local and remote IP address and ports).
But - I know these notices will never include that information because then the world would know what remote IP addresses and servers to avoid.

Also, it would help to include additional time-stamp information which indicates the start-time and the end-time.
But - I know this will also never happen.
Last edited by TomjNorthIdaho on Thu Jul 01, 2021 6:08 pm, edited 1 time in total.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: Syslog to log NAT/CGN-Nat translations

Thu Jul 01, 2021 5:51 pm

If an ISP has the money to get Public IPv4 at auction then sure I'd rather use that over NAT but that's not always the case or it's not practical to sit on the RIR waiting list.

The better answer is to use IPv6 in dual stack with public IPv4 if possible and CGNAT if not. This reduces the logging load significantly.
 
mada3k
Long time Member
Posts: 693
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Syslog to log NAT/CGN-Nat translations

Thu Jul 01, 2021 6:01 pm

Yes, if using CGNAT then IPv6 is a must.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Syslog to log NAT/CGN-Nat translations

Thu Jul 01, 2021 7:17 pm

IPv6 does not require any form of NAT... (ok, only between IPv6)
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Syslog to log NAT/CGN-Nat translations

Fri Jul 02, 2021 10:42 am

> Can I, and how do I, log (syslog and/or syslog to a remote syslog server) all NAT translations?

NetFlow is the answer here. It will export ("log") all the connection tracking statistics for you. Use NetFlow v9 as it provides a richer set of information, including full NAT details for each connection.
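
As an added example (not part of any post in this thread, and not MikroTik code): a minimal NetFlow v9 decoder that turns an export packet into records a notice's public IP and port can be matched against. It assumes the exporter's template carries the post-NAT source address and port as field types 225 and 227; the packet and all addresses are constructed sample data.

```python
import socket
import struct

# NetFlow v9 field types (same numbering as IANA IPFIX information elements).
FIELDS = {4: "proto", 7: "src_port", 8: "src_ip", 225: "nat_src_ip", 227: "nat_src_port"}

def parse_v9(packet, templates):
    """Decode one export packet into flow dicts; `templates` persists across packets."""
    version, _, _, export_secs, _, _ = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError("not NetFlow v9")
    flows, pos = [], 20
    while pos + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, pos)
        if set_len < 4 or pos + set_len > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[pos + 4:pos + set_len]
        if set_id == 0:  # template FlowSet: template id, field count, type/length pairs
            off = 0
            while off + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, off)
                if tid < 256 or off + 4 + 4 * n > len(body):
                    break  # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, off + 4 + 4 * i) for i in range(n)]
                off += 4 + 4 * n
        elif set_id in templates:  # data FlowSet; skipped if its template is not known yet
            tmpl = templates[set_id]
            rec_len = sum(length for _, length in tmpl)
            for r in range(len(body) // rec_len if rec_len else 0):
                flow, off = {"export_secs": export_secs}, r * rec_len
                for ftype, length in tmpl:
                    raw, off = body[off:off + length], off + length
                    if ftype in FIELDS:  # unmapped field types are skipped by length
                        flow[FIELDS[ftype]] = (socket.inet_ntoa(raw) if ftype in (8, 225)
                                               else int.from_bytes(raw, "big"))
                flows.append(flow)
        pos += set_len
    return flows

def sample_packet():
    """Constructed export: template 256 plus one TCP flow (all values made up)."""
    tmpl = [(8, 4), (7, 2), (225, 4), (227, 2), (12, 4), (4, 1)]
    tset = struct.pack("!HH", 256, len(tmpl)) + b"".join(struct.pack("!HH", *f) for f in tmpl)
    ip = socket.inet_aton
    rec = struct.pack("!4sH4sH4sB3x", ip("100.64.0.2"), 51000, ip("203.0.113.1"), 30000,
                      ip("198.51.100.7"), 6)
    head = struct.pack("!HHIIII", 9, 2, 0, 1625164200, 1, 0)
    return (head + struct.pack("!HH", 0, 4 + len(tset)) + tset
            + struct.pack("!HH", 256, 4 + len(rec)) + rec)
```

A collector has to keep `templates` per exporter, because data records that arrive before their template cannot be decoded and are dropped here.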
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: Syslog to log NAT/CGN-Nat translations

Wed Jul 07, 2021 10:04 am

> Syslog to log NAT/CGN-Nat translations
>
> I hope somebody knows the answer to the question I am asking.
>
> Can I, and how do I, log (syslog and/or syslog to a remote syslog server) all NAT translations?
>
> Like many ISPs and WISPs, we get copyright notices which state somebody at an IP address downloaded something with some additional basic data.
> I have a need to log time-stamped NAT translations, so that I can locate what inside NATed customer did what and where to with what protocol and what outside IP address was used.
> This info is needed only to locate the customer and notify the customer to stop downloading copyrighted material/files/movies I receive notices for.
>
> North Idaho Tom Jones

I think I basically have the same logging/tracing requirements as yours with copyright notices and so on.

In my case, I need to translate 100-200 WPA2 Enterprise WiFi users (with BYOD) to which I provide 1 private IPv4 address to 1 public IPv4 address.

I first thought I would simply log NAT translations but was quickly overflowed by the amount of data. I do not imply this can't be done, but for some reason, I didn't put a lot of effort to follow this route.

Then I thought I should set a deterministic NAT: each user is given a slice of ports (65k ports divided by 100 or 200). While thinking about this I saw two issues:
1. Implementing deterministic NAT itself
2. Binding 802.1x data to DHCP

I would be very curious to read about this 802.1x to DHCP point and more generally to read about this NAT translation logging.
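
The port-range approach suggested earlier by msatter and StubArea51, and the per-user port slices olivier2831 describes, as an added example that is not part of any post: a fixed plan maps each inside address to a public IP and port block, and only the dated plan history has to be retained to answer a notice. The addresses, block sizes, usable port range and rotation date are constructed assumptions.

```python
import ipaddress
from bisect import bisect_right
from datetime import datetime, timezone

PORT_FIRST, PORT_LAST = 1024, 65535  # assumption: well-known ports are not handed out

def build_plan(inside_net, public_ips, subs_per_ip, shift=0):
    """Give every inside host a fixed (public IP, first port, last port) block.
    `shift` rotates which block a host gets, for periodic redistribution."""
    hosts = [str(h) for h in ipaddress.ip_network(inside_net).hosts()]
    slots = len(public_ips) * subs_per_ip
    if len(hosts) > slots:
        raise ValueError("inside network needs more public addresses")
    block = (PORT_LAST - PORT_FIRST + 1) // subs_per_ip
    plan = {}
    for i, host in enumerate(hosts):
        slot = (i + shift) % slots
        first = PORT_FIRST + (slot % subs_per_ip) * block
        plan[host] = (public_ips[slot // subs_per_ip], first, first + block - 1)
    return plan

def resolve(history, when, public_ip, src_port):
    """Return the inside address that owned public_ip:src_port at time `when`.
    `history` is a time-sorted list of (effective_from, plan)."""
    idx = bisect_right([t for t, _ in history], when) - 1
    if idx < 0:
        return None  # notice predates the first recorded plan
    for inside, (pub, first, last) in history[idx][1].items():
        if pub == public_ip and first <= src_port <= last:
            return inside
    return None  # port lies outside every allocated block

# Constructed sample: 100.64.0.0/29 (6 hosts) behind two documentation addresses,
# 3 subscribers per public IP, blocks rotated by one slot on 2021-07-02.
PUBLIC = ["203.0.113.1", "203.0.113.2"]
HISTORY = [
    (datetime(2021, 7, 1, tzinfo=timezone.utc), build_plan("100.64.0.0/29", PUBLIC, 3)),
    (datetime(2021, 7, 2, tzinfo=timezone.utc), build_plan("100.64.0.0/29", PUBLIC, 3, shift=1)),
]

if __name__ == "__main__":
    notice_time = datetime(2021, 7, 1, 18, 30, tzinfo=timezone.utc)
    print(resolve(HISTORY, notice_time, "203.0.113.1", 30000))
```

The lookup needs the source port and a timestamp from the notice; without the port, a shared public address cannot be narrowed to one subscriber.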
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Syslog to log NAT/CGN-Nat translations

Wed Jul 07, 2021 10:14 am

> > Can I, and how do I, log (syslog and/or syslog to a remote syslog server) all NAT translations?
>
> NetFlow is the answer here. It will export ("log") all the connection tracking statistics for you. Use NetFlow v9 as it provides a richer set of information, including full NAT details for each connection.

NetFlow v9/IPFIX is broken the last time I checked on my RB3011 (I don't know for the beta 7.x OS)
A long time ago I made a ticket to address this with MikroTik ... never was fixed to my knowledge. It has to do with the timestamping that is wrong etc.
As a fallback, I export v5 from my Mikrotik into Splunk and this seems to work.
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: Syslog to log NAT/CGN-Nat translations

Wed Aug 18, 2021 11:00 am

> NetFlow is the answer here. It will export ("log") all the connection tracking statistics for you. Use NetFlow v9 as it provides a richer set of information, including full NAT details for each connection.

Which NATing device did you use with NetFlow? A MikroTik device? If positive, which one (with OS version)?
What was the NATed throughput? In 1Gb/s range?
