Community discussions

 
timreichhart
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Sun Feb 07, 2010 9:11 pm

is there any way to log NAT?

Tue Apr 27, 2010 7:16 pm

Hi Guys
I dont know if this been posted before but I did search and I came up empty handed here. My question is there away to log NAT ip address or not? If there is whats the correct coding or way of doing this.
 
kazanova
Member
Member
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 7:39 pm

you mean traffic
انا انزلنا التوراه فيها هدى ونور يحكم بها النبيون الذين اسلموا للذين هادوا والربانيون والاحبار بما استحفظوا من كتاب الله وكانوا عليه شهداء فلا تخشوا الناس واخشون ولا تشتروا باياتي ثمنا قليلا ومن لم يحكم بما انزل الله فاولئك هم الكافرون
 
timreichhart
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Sun Feb 07, 2010 9:11 pm

Re: is there any way to log NAT?

Tue Apr 27, 2010 8:00 pm

yes logging NAT traffic I guess.
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 9:59 pm

Create a log rule before the actual dstnat or srcnat rule:
/ip firewall nat add chain=dstnat action=log log-prefix="dstnat"
/ip firewall nat add chain=srcnat action=log log-prefix="srcnat"
Doug
 
timreichhart
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Sun Feb 07, 2010 9:11 pm

Re: is there any way to log NAT?

Tue Apr 27, 2010 10:40 pm

where do you put the internal IP in that command?
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 10:51 pm

/ip firewall nat add chain=srcnat src-address="<ip>" action=log log-prefix="srcnat"

ADD: the internal IP will get logged to the system log.
Doug
 
timreichhart
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Sun Feb 07, 2010 9:11 pm

Re: is there any way to log NAT?

Tue Apr 27, 2010 10:58 pm

so your saying the setup like this:

/ip firewall nat add chain=srcnat src-address="<ip>" action=log log-prefix="srcnat"
/ip firewall nat add chain=dstnat src-address="<ip>" action=log log-prefix="dstnat"

so the dstnat would be the real world ip then correct?

if so thanks for your help doug!!!!
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 11:20 pm

Basically, the logging rules just log the traffic as it hits the nat rule.

Maybe I'm misunderstanding what exactly you are trying to do?
Doug
 
timreichhart
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 79
Joined: Sun Feb 07, 2010 9:11 pm

Re: is there any way to log NAT?

Tue Apr 27, 2010 11:32 pm

basically I am trying to do log the customers NAT internal IP in-case they are using P2P software and If I get the letter from the feds/gov I can track down the customer who downloading stuff illegal on my network.
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 11:41 pm

basically I am trying to do log the customers NAT internal IP in-case they are using P2P software and If I get the letter from the feds/gov I can track down the customer who downloading stuff illegal on my network.
In that case, yes, this srcnat rule will contain the internal IP as the first address in the log entry:
/ip firewall nat add chain=srcnat action=log log-prefix="srcnat"
Doug
 
ditonet
Forum Veteran
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: is there any way to log NAT?

Tue Apr 27, 2010 11:46 pm

Hi,

My first mangle rule is:
0 chain=forward action=log connection-state=new dst-address-list=!OpenDNS log-prefix="" (DNS queries are removed from logging)

and result looks like this:
22:37:20 firewall,info forward: in:ether2-local-master out:ether1-gateway, src-mac 00:30:48:d3:56:0c, proto UDP, 192.168.10.3:123->150.254.183.15:123, len 56
22:40:39 firewall,info forward: in:ether2-local-master out:ether1-gateway, src-mac 00:03:94:11:f4:a5, proto TCP (SYN), 192.168.10.20:1025->193.25.161.199:443, len 24

Firewall events are send to remote syslog daemon due to huge amount of data.

Hope this helps.

Regards, Grzegorz.
Grzegorz | MTCNA, MTCRE, MTCSE | konsultacje MikroTik Warszawa
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 11:57 pm

Also, to log just p2p traffic you could try:
/ip firewall mangle add chain=prerouting connection-state=new  p2p=all-p2p action=log log-prefix="p2p"
Doug
 
rb384997
just joined
Posts: 15
Joined: Mon Apr 26, 2010 11:01 pm

Re: is there any way to log NAT?

Wed Apr 28, 2010 4:21 pm

how long is the log? i.e. day month year? is there a way to specify?
 
rb384997
just joined
Posts: 15
Joined: Mon Apr 26, 2010 11:01 pm

Re: is there any way to log NAT?

Wed Apr 28, 2010 4:25 pm

can the log be wrote to memory with date stamp in the files section of the router?
 
User avatar
martini
Member Candidate
Member Candidate
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: is there any way to log NAT?

Wed Apr 28, 2010 5:35 pm

you need to use remote syslog server
 
rb384997
just joined
Posts: 15
Joined: Mon Apr 26, 2010 11:01 pm

Re: is there any way to log NAT?

Wed Apr 28, 2010 8:04 pm

oic, works thanks
 
User avatar
greencomputing
Frequent Visitor
Frequent Visitor
Posts: 95
Joined: Wed Jun 23, 2010 1:12 pm
Location: Italy

Re: is there any way to log NAT?

Mon May 02, 2011 11:09 pm

Hi there
did the last configuraiton meets your requests? I think it will not work because it's related to private client ip and that will not work always (in Itlaly for example that is a problem because privacy/interception law). here an example :


1) think of a scenario where thousands connection are happening per second ( normal for small medium wisp, for example).
2) given 2 user A and B , may be (it's happening more often that expected ;) , with some probability gt 0 , both of them will connect to facebook.com;

3) the mikrotik router has just 1 public ip and for that is using nat/masquerade on private clients ip;
4) both user A and B arive to internal LAN interface with IPa (user A) and IPb (user B) and respectivley with src port Pa and Pb.
5) now both of them are connecting to destination site with ip IPd and port IPd.
6) There is a probability > 0 that the two sourvce port will be exaclty the same port : Pa=Pb; (and may be a third user IPc and may be a fourth user with IPd ...)
7) how the nat algorithm will work in that case? Well, one of the 2 (or the 10/20/30 ...) user will take a specific port as source port and the other a diferent one . So we will have a source natted ip/port for both users as :
IPa/Pa ----> IPpub/Pa';
IPb/Pb ----> IPpub/Pb';
and becacuese Pa==Pb we never can have Pa'==Pb' because the revere traffic could be not well defined!! So for sure Pa'!=Pb'.

8) The law representative will come and ask : " listen at time HH.MM.ss" who had Ip address IPpub and port Port P as source when connecting to destination IPd with port Pd?"

9) we can answer to previous question giving a list of possible "maliciuos users" : both A and B becasue we Can't map Pb with one and only one between Pa' and Pb'. The inspector will not accept the previous answer because in that time just one customer was using that src ip/port and not more than one user.

10) In other countries the answer with more than 1 item will result in fines and punishement. Lwa doesn't accept to be not specific and exact giving perfect answer and not a basket of possible candidate.

This scenario is creating some issue around the world and the solution in my opinionwas really straight : just permitting a log action after src nat rule matching (more process rule switch) or a additional extra switch to add an optional log item for the jyst amtched src nat rule.

Thanks a lot for your attention

and all of you let me know what do you think about it.
If answer was helpful to you why to not plan to... give me karma :)
greencomputing

--------------------
MTCNA / MTCRE certified Senior Mikrotik Consultant
 
osvaldotcf
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Mon Feb 04, 2013 7:26 pm

Re: is there any way to log NAT?

Mon Jun 16, 2014 5:09 am

Any one can comment this in actual environment of hardware and software?

Any idea to solve the problem of lack of public ips?
 
ankualliance
just joined
Posts: 1
Joined: Mon Jan 26, 2015 8:17 pm

Re: is there any way to log NAT?

Tue Jan 27, 2015 11:35 am

Hi All,

Firstly many thanks to all of you & specially for Grzegorz. I am able to see the log in my syslog server. But I want see to private to public IP mapping log in my syslog server. Actually My ISP give me a /29 block of public IP which I am using in my Mikrotik router for dynamic natting[many:many] purpose. I have configured dynamic nat through NETMAP or SRC-NAT rule successfully. It works with Both NETMAP & SRC-NAT rule. For logging purpose I have configured a syslog server in my local pc & there i can see the log like:

Jan 27 13:13:53 MikroTik firewall: forward: in:ether1 out:ether4, src-mac 00:25:b3:4b:84:3f, proto TCP (SYN), 192.168.230.6:49640->74.125.236.207:80, len 52
Jan 27 13:13:53 MikroTik firewall: forward: in:ether1 out:ether4, src-mac 00:25:b3:4b:84:3f, proto TCP (SYN), 192.168.230.6:49641->74.125.236.207:80, len 52

Here the public IP's showing are some of the website IP instead of ISP's public IP. Below are my configuration of router for dynamic nat & log.

chain=srcnat action=netmap to-addresses=150.XXX.XXX.0/29 src-address=192.168.230.2-192.168.230.254

chain=dstnat action=netmap to-addresses=192.168.230.0/24 dst-address=150.XXX.XXX.1-150.XXX.XXX.6

I am not using any login authentication service like hotspot or ppoe. I just want the user to stay online always without login restriction but want to keep private to public mapping log .

Apart from that, I am facing another issue related to the reachability through ICMP protocol to my ISP's public IP which is mapped with a private IP on that time from outside from my network. Suppose 192.168.230.5 mapped with 150.XXX.XXX.2 IP & I am able to ping any IP in the world but can't not ping myh own if from anywhere from world. It's showing "TTL expired in transit". After a long search I got a solution for the problem i.e. I need to make a route pointing to the null interface. Below is the route

A SB 150.242.151.144/29

After apply this route now I am getting "Request timed out" instead of "TTL expired in transit" but not getting reply from IP 150.XXX.XXX.2 . But when I use this public IP block 150.XXX.XXX.XXX/29 in my LAN interface it's all are working like a charm.

If anybody know the solution of the issues please help me.

Regards,

ankualliance
 
User avatar
ScottReed
Member Candidate
Member Candidate
Posts: 111
Joined: Thu Sep 24, 2009 9:47 pm
Location: Montana / Western Massachusetts

Re: is there any way to log NAT?

Tue Jun 07, 2016 5:22 pm

Sorry for bringing this old post back to life.

We just recently were challenged to figure out a logging solution to see NATs. Specifically because of third party analytical firms like IP Echelon sending us emails about users downloading/sharing illegal content.

So the question here is how do you generate a log so you can see the private IP, public IP, destination IP and ports?

Here is my solution from my edge router:
/ip firewall mangle add action=accept chain=prerouting p2p=all-p2p log=yes log-prefix=NAT_p2p
Which generates a log entry like so (edited):
2016-06-07	08:02:29	Daemon.Info	172.x.x.x	Jun  7 08:02:30 SYS-NAME NAT_p2p prerouting: in:etherx out:(none), src-mac 4c:5e:0c:5b:xx:xx, proto UDP, 172.20.x.x:49221->72.175.x.x:3400, NAT (172.20.x.x:49221->216.x.x.x:49221)->72.175.x.x:3400, len 120
And there you have it, the very last section labeled "NAT" clearly shows you the information you would need. Obvisouly this is specific to all-p2p traffic types.

This potentially can generate a lot of log entries very quickly so make sure you are offloading to a syslog server. I use Kiwi and then have a filter setup to insert into SQL.
 
bobhy
just joined
Posts: 1
Joined: Mon Feb 26, 2018 10:15 am

Re: is there any way to log NAT?

Mon Feb 26, 2018 10:20 am

Hi. I have the same problem. Yes, we can send info to our syslog server for every packet. So the log item is like this:
proto UDP, 172.20.x.x:49221->72.175.x.x:3400, NAT (172.20.x.x:49221->216.x.x.x:49221)->72.175.x.x:3400, len 120
But is any chance to log only the first packet from connection? When I mark only "New connection" packet, this log doen´t contains the "outgoing" port. The log is like this:
proto UDP, 172.20.x.x:49221->72.175.x.x:3400, len 120
Does anybody dolve this problem? Logging every packet is not necessarry. Thanks for help.

Bobhy

Who is online

Users browsing this forum: No registered users and 98 guests