timreichhart
Frequent Visitor
Topic Author
Posts: 87
Joined: Sun Feb 07, 2010 9:11 pm

is there any way to log NAT?

Tue Apr 27, 2010 7:16 pm

Hi Guys
I don't know if this has been posted before, but I did search and came up empty-handed here. My question: is there a way to log the NAT IP address or not? If there is, what's the correct coding or way of doing this?
 
kazanova
Member
Posts: 406
Joined: Tue Sep 06, 2005 11:52 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 7:39 pm

You mean traffic?
 
timreichhart
Frequent Visitor
Topic Author
Posts: 87
Joined: Sun Feb 07, 2010 9:11 pm

Re: is there any way to log NAT?

Tue Apr 27, 2010 8:00 pm

yes logging NAT traffic I guess.
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 9:59 pm

Create a log rule before the actual dstnat or srcnat rule:
/ip firewall nat add chain=dstnat action=log log-prefix="dstnat"
/ip firewall nat add chain=srcnat action=log log-prefix="srcnat"
 
timreichhart
Frequent Visitor
Topic Author
Posts: 87
Joined: Sun Feb 07, 2010 9:11 pm

Re: is there any way to log NAT?

Tue Apr 27, 2010 10:40 pm

where do you put the internal IP in that command?
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 10:51 pm

/ip firewall nat add chain=srcnat src-address="<ip>" action=log log-prefix="srcnat"

ADD: the internal IP will get logged to the system log.
 
timreichhart
Frequent Visitor
Topic Author
Posts: 87
Joined: Sun Feb 07, 2010 9:11 pm

Re: is there any way to log NAT?

Tue Apr 27, 2010 10:58 pm

So you're saying the setup is like this:

/ip firewall nat add chain=srcnat src-address="<ip>" action=log log-prefix="srcnat"
/ip firewall nat add chain=dstnat src-address="<ip>" action=log log-prefix="dstnat"

So the dstnat would be the real-world IP then, correct?

If so, thanks for your help, Doug!!!!
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 11:20 pm

Basically, the logging rules just log the traffic as it hits the nat rule.

Maybe I'm misunderstanding what exactly you are trying to do?
 
timreichhart
Frequent Visitor
Topic Author
Posts: 87
Joined: Sun Feb 07, 2010 9:11 pm

Re: is there any way to log NAT?

Tue Apr 27, 2010 11:32 pm

Basically I am trying to log the customer's NAT internal IP in case they are using P2P software, and if I get the letter from the feds/gov I can track down the customer who is downloading illegal stuff on my network.
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 11:41 pm

timreichhart wrote: "Basically I am trying to log the customer's NAT internal IP in case they are using P2P software, and if I get the letter from the feds/gov I can track down the customer who is downloading illegal stuff on my network."
In that case, yes, this srcnat rule will contain the internal IP as the first address in the log entry:
/ip firewall nat add chain=srcnat action=log log-prefix="srcnat"
 
ditonet
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna
Contact:

Re: is there any way to log NAT?

Tue Apr 27, 2010 11:46 pm

Hi,

My first mangle rule is:
0 chain=forward action=log connection-state=new dst-address-list=!OpenDNS log-prefix="" (DNS queries are removed from logging)

and result looks like this:
22:37:20 firewall,info forward: in:ether2-local-master out:ether1-gateway, src-mac 00:30:48:d3:56:0c, proto UDP, 192.168.10.3:123->150.254.183.15:123, len 56
22:40:39 firewall,info forward: in:ether2-local-master out:ether1-gateway, src-mac 00:03:94:11:f4:a5, proto TCP (SYN), 192.168.10.20:1025->193.25.161.199:443, len 24

Firewall events are sent to a remote syslog daemon due to the huge amount of data.

Hope this helps.

Regards, Grzegorz.
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: is there any way to log NAT?

Tue Apr 27, 2010 11:57 pm

Also, to log just p2p traffic you could try:
/ip firewall mangle add chain=prerouting connection-state=new p2p=all-p2p action=log log-prefix="p2p"
 
rb384997
just joined
Posts: 16
Joined: Mon Apr 26, 2010 11:01 pm

Re: is there any way to log NAT?

Wed Apr 28, 2010 4:21 pm

how long is the log? i.e. day month year? is there a way to specify?
 
rb384997
just joined
Posts: 16
Joined: Mon Apr 26, 2010 11:01 pm

Re: is there any way to log NAT?

Wed Apr 28, 2010 4:25 pm

Can the log be written to memory with a date stamp in the files section of the router?
 
martini
Member Candidate
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: is there any way to log NAT?

Wed Apr 28, 2010 5:35 pm

You need to use a remote syslog server.
 
rb384997
just joined
Posts: 16
Joined: Mon Apr 26, 2010 11:01 pm

Re: is there any way to log NAT?

Wed Apr 28, 2010 8:04 pm

oic, works thanks
 
greencomputing
Frequent Visitor
Posts: 95
Joined: Wed Jun 23, 2010 1:12 pm
Location: Italy

Re: is there any way to log NAT?

Mon May 02, 2011 11:09 pm

Hi there
did the last configuration meet your requests? I think it will not work, because it relates to the private client IP and that will not always work (in Italy, for example, that is a problem because of privacy/interception law). Here is an example:

1) Think of a scenario where thousands of connections are happening per second (normal for a small or medium WISP, for example).
2) Given 2 users A and B, maybe (it's happening more often than expected ;) ), with some probability > 0, both of them will connect to facebook.com;

3) the MikroTik router has just 1 public IP and for that is using NAT/masquerade on the private client IPs;
4) both users A and B arrive at the internal LAN interface with IPa (user A) and IPb (user B) and respectively with src ports Pa and Pb.
5) Now both of them are connecting to the destination site with IP IPd and port Pd.
6) There is a probability > 0 that the two source ports will be exactly the same port: Pa=Pb (and maybe a third user IPc and maybe a fourth user with IPd ...)
7) How will the NAT algorithm work in that case? Well, one of the 2 (or the 10/20/30 ...) users will take a specific port as source port and the other a different one. So we will have a source-NATted IP/port for both users as:
IPa/Pa ----> IPpub/Pa';
IPb/Pb ----> IPpub/Pb';
and because Pa==Pb we can never have Pa'==Pb', because the reverse traffic would not be well defined!! So for sure Pa'!=Pb'.

8) The law representative will come and ask: "Listen, at time HH.MM.ss, who had IP address IPpub and port P as source when connecting to destination IPd with port Pd?"

9) We can answer the previous question by giving a list of possible "malicious users": both A and B, because we can't map Pb with one and only one between Pa' and Pb'. The inspector will not accept the previous answer, because at that time just one customer was using that src IP/port and not more than one user.

10) In other countries an answer with more than 1 item will result in fines and punishment. The law doesn't accept being non-specific; it wants an exact, perfect answer and not a basket of possible candidates.

This scenario is creating some issues around the world, and the solution in my opinion was really straightforward: just permitting a log action after the src-nat rule matches (more process rule switch) or an additional extra switch to add an optional log item for the just-matched src-nat rule.

Thanks a lot for your attention

and all of you let me know what do you think about it.
 
osvaldotcf
Frequent Visitor
Posts: 55
Joined: Mon Feb 04, 2013 7:26 pm

Re: is there any way to log NAT?

Mon Jun 16, 2014 5:09 am

Can anyone comment on this in the actual environment of hardware and software?

Any idea how to solve the problem of the lack of public IPs?
 
ankualliance
just joined
Posts: 1
Joined: Mon Jan 26, 2015 8:17 pm

Re: is there any way to log NAT?

Tue Jan 27, 2015 11:35 am

Hi All,

Firstly, many thanks to all of you and especially to Grzegorz. I am able to see the log in my syslog server, but I want to see the private-to-public IP mapping log in my syslog server. Actually, my ISP gave me a /29 block of public IPs, which I am using in my MikroTik router for dynamic NAT [many:many]. I have configured dynamic NAT through a NETMAP or SRC-NAT rule successfully; it works with both NETMAP and SRC-NAT rules. For logging purposes I have configured a syslog server on my local PC, and there I can see the log like:

Jan 27 13:13:53 MikroTik firewall: forward: in:ether1 out:ether4, src-mac 00:25:b3:4b:84:3f, proto TCP (SYN), 192.168.230.6:49640->74.125.236.207:80, len 52
Jan 27 13:13:53 MikroTik firewall: forward: in:ether1 out:ether4, src-mac 00:25:b3:4b:84:3f, proto TCP (SYN), 192.168.230.6:49641->74.125.236.207:80, len 52

Here the public IPs shown are the websites' IPs instead of the ISP's public IP. Below is my router configuration for dynamic NAT and logging.

chain=srcnat action=netmap to-addresses=150.XXX.XXX.0/29 src-address=192.168.230.2-192.168.230.254

chain=dstnat action=netmap to-addresses=192.168.230.0/24 dst-address=150.XXX.XXX.1-150.XXX.XXX.6

I am not using any login authentication service like hotspot or PPPoE. I just want the users to stay online always without login restriction, but want to keep a private-to-public mapping log.

Apart from that, I am facing another issue related to reachability via ICMP, from outside my network, of my ISP's public IP that is mapped to a private IP at that time. Suppose 192.168.230.5 is mapped to the 150.XXX.XXX.2 IP: I am able to ping any IP in the world, but cannot ping my own IP from anywhere in the world. It shows "TTL expired in transit". After a long search I found a solution for the problem, i.e. I need to make a route pointing to the null interface. Below is the route:

A SB 150.242.151.144/29

After applying this route I am now getting "Request timed out" instead of "TTL expired in transit", but I am not getting a reply from IP 150.XXX.XXX.2. But when I use this public IP block 150.XXX.XXX.XXX/29 on my LAN interface, it all works like a charm.

If anybody knows the solution to these issues, please help me.

Regards,

ankualliance
 
ScottReed
Member Candidate
Posts: 114
Joined: Thu Sep 24, 2009 9:47 pm
Location: Montana / Western Massachusetts

Re: is there any way to log NAT?

Tue Jun 07, 2016 5:22 pm

Sorry for bringing this old post back to life.

We just recently were challenged to figure out a logging solution to see NATs. Specifically because of third party analytical firms like IP Echelon sending us emails about users downloading/sharing illegal content.

So the question here is how do you generate a log so you can see the private IP, public IP, destination IP and ports?

Here is my solution from my edge router:
/ip firewall mangle add action=accept chain=prerouting p2p=all-p2p log=yes log-prefix=NAT_p2p
Which generates a log entry like so (edited):
2016-06-07	08:02:29	Daemon.Info	172.x.x.x	Jun  7 08:02:30 SYS-NAME NAT_p2p prerouting: in:etherx out:(none), src-mac 4c:5e:0c:5b:xx:xx, proto UDP, 172.20.x.x:49221->72.175.x.x:3400, NAT (172.20.x.x:49221->216.x.x.x:49221)->72.175.x.x:3400, len 120
And there you have it, the very last section labeled "NAT" clearly shows you the information you would need. Obviously this is specific to all-p2p traffic types.

This potentially can generate a lot of log entries very quickly, so make sure you are offloading to a syslog server. I use Kiwi and then have a filter set up to insert into SQL.
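
Looking up a subscriber from log lines in the format shown in the post above, including the same-source-port case greencomputing describes earlier in the thread. This is an added Python example, not code from any poster; the regex, the function names and the sample lines are assumptions constructed for illustration, and the lines are taken as already filtered to the requested time window.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Flow part of a RouterOS firewall log line. The "NAT (...)" section is optional:
# lines without it carry only the untranslated src->dst pair.
FLOW_RE = re.compile(
    r"proto \w+(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:, NAT \([\d.]+:\d+->(?P<pub>[\d.]+):(?P<pport>\d+)\)->[\d.]+:\d+)?"
)

class Flow(NamedTuple):
    private: Tuple[str, int]            # LAN-side source (ip, port)
    dest: Tuple[str, int]               # remote (ip, port)
    public: Optional[Tuple[str, int]]   # post-NAT source, None if not logged

def parse_line(line: str) -> Optional[Flow]:
    m = FLOW_RE.search(line)
    if m is None:
        return None
    public = (m["pub"], int(m["pport"])) if m["pub"] else None
    return Flow((m["src"], int(m["sport"])), (m["dst"], int(m["dport"])), public)

def candidates(lines, public, dest):
    """Return (exact, possible) sets of private IPs for one public ip:port -> dest.

    exact: the line's NAT section names this public ip:port.
    possible: the line has no NAT section, so only the destination can be matched.
    """
    exact, possible = set(), set()
    for flow in filter(None, map(parse_line, lines)):
        if flow.dest != dest:
            continue
        if flow.public is None:
            possible.add(flow.private[0])
        elif flow.public == public:
            exact.add(flow.private[0])
    return exact, possible

# Constructed sample lines (documentation address ranges), not router output.
# Two clients use the same source port 49221 towards the same destination.
HEAD = "Jun  7 08:02:30 SYS-NAME NAT_p2p prerouting: in:ether2 out:(none), proto UDP, "
WITH_NAT = [
    HEAD + "172.20.0.10:49221->203.0.113.80:3400, NAT (172.20.0.10:49221->198.51.100.5:49221)->203.0.113.80:3400, len 120",
    HEAD + "172.20.0.11:49221->203.0.113.80:3400, NAT (172.20.0.11:49221->198.51.100.5:1024)->203.0.113.80:3400, len 120",
]
WITHOUT_NAT = [line.split(", NAT ")[0] + ", len 120" for line in WITH_NAT]
```

With the NAT section present, a query for one public ip:port resolves to a single private IP; with it absent, both clients remain candidates. Masked addresses such as `172.20.x.x` from the posts will not match the regex, which expects full dotted-quad addresses.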
 
bobhy
just joined
Posts: 2
Joined: Mon Feb 26, 2018 10:15 am

Re: is there any way to log NAT?

Mon Feb 26, 2018 10:20 am

Hi. I have the same problem. Yes, we can send info to our syslog server for every packet. So the log item is like this:
proto UDP, 172.20.x.x:49221->72.175.x.x:3400, NAT (172.20.x.x:49221->216.x.x.x:49221)->72.175.x.x:3400, len 120
But is there any chance to log only the first packet of a connection? When I mark only the "New connection" packet, the log doesn't contain the "outgoing" port. The log is like this:
proto UDP, 172.20.x.x:49221->72.175.x.x:3400, len 120
Has anybody solved this problem? Logging every packet is not necessary. Thanks for help.

Bobhy
