Community discussions

MUM Europe 2020
 
VicRace
just joined
Topic Author
Posts: 20
Joined: Tue Apr 14, 2009 7:17 pm

NAT and the Law

Tue Oct 25, 2011 8:49 pm

G'day,

We would like to issue private IPs to the hotspot subscribers, and then NAT them onto the one public IP assigned to the AP. Problem is, the police could come by with the public IP and a time period, asking for the name of the subscriber. With the information that is normally logged, we could at best come with a list subscribers that were on the hotspot at that time.

We do not have enough public IPs to go around. I suppose it is possible to create a firewall rule that creates a log entry every time a subscriber opens a TCP connection. Presumably the police will have all the socket info (src & dst IP, src & dst port). It seems that this would work, but create an enormous amount of data.

Is there a simpler way? How is this situation normally handed?

The jurisdiction is Mexico.

Thanks in advance, Vic.
 
User avatar
omega-00
Forum Guru
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: NAT and the Law

Tue Oct 25, 2011 9:07 pm

Normally (at least in Australia) we do the same and let them know we don't record the port-ip combinations.

This for us is ok as it is in most cases illegal to collect customer traffic data without authorisation.

You can however then offer to track all data for a short period or mirror data to a port they can record.

Lastly: if you have a netflow system collecting traffic flow data from MikroTik devices you could use this to provide the pair, but it would likely depend on how long you were keeping data for and how often you aggregated it.
brightwifi.com | mikrotik-routeros.com | MTCNA,MTCWE.MTCTCE | Give karma where due
 
User avatar
greencomputing
Frequent Visitor
Frequent Visitor
Posts: 95
Joined: Wed Jun 23, 2010 1:12 pm
Location: Italy

Re: NAT and the Law

Thu Nov 10, 2011 2:13 am

Hi there
I'm afraid but NetFlow will not work because intrinsic definition of flows. What you will get will be the communication end-to-end so nothing about the public ip used as NAT public ip.

To say :

IPs : private ip

IPnat : public nat ip

IPd : public destinaiton IP.

Merely, netflow will send information about the flows

IPs ---> IPd
and
IPd --->IPs

and magically no info will be supplied for IPnat
If answer was helpful to you why to not plan to... give me karma :)
greencomputing

--------------------
MTCNA / MTCRE certified Senior Mikrotik Consultant

Who is online

Users browsing this forum: Hitchman, kamik7766, MSN [Bot] and 55 guests