We would like to issue private IPs to the hotspot subscribers, and then NAT them onto the one public IP assigned to the AP. Problem is, the police could come by with the public IP and a time period, asking for the name of the subscriber. With the information that is normally logged, we could at best come up with a list of subscribers that were on the hotspot at that time.
We do not have enough public IPs to go around. I suppose it is possible to create a firewall rule that creates a log entry every time a subscriber opens a TCP connection. Presumably the police will have all the socket info (src & dst IP, src & dst port). It seems that this would work, but create an enormous amount of data.
Is there a simpler way? How is this situation normally handled?
The jurisdiction is Mexico.
Thanks in advance, Vic.
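
The difference between the two kinds of request described in the question, as an added example that is not part of the original post: a lookup by time window alone returns everyone online, while a lookup with the full socket info against a per-connection NAT log returns one subscriber. The log format, the session records, the subscriber names and all function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

T = datetime.fromisoformat

# Constructed log, one line per new TCP connection (format is an assumption):
# time  private_src_ip:port  translated_public_src_port  dst_ip:port
CONN_LOG = """\
2024-03-01T10:15:02 10.0.0.21:51514 40001 203.0.113.80:443
2024-03-01T10:15:03 10.0.0.37:51514 40002 203.0.113.80:443
2024-03-01T10:15:09 10.0.0.21:51620 40003 198.51.100.7:80
2024-03-01T11:40:30 10.0.0.52:49877 40001 203.0.113.80:443
"""

# Constructed session records: private IP, session start, session end, subscriber.
SESSIONS = [
    ("10.0.0.21", "2024-03-01T09:50:00", "2024-03-01T10:45:00", "subscriber-A"),
    ("10.0.0.37", "2024-03-01T10:00:00", "2024-03-01T10:30:00", "subscriber-B"),
    ("10.0.0.52", "2024-03-01T11:30:00", "2024-03-01T12:10:00", "subscriber-C"),
    ("10.0.0.21", "2024-03-01T11:00:00", "2024-03-01T12:00:00", "subscriber-D"),
]

def parse_log(text):
    """Yield one dict per logged connection."""
    for line in text.splitlines():
        ts, src, nat_port, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield {"ts": T(ts), "src_ip": src.rsplit(":", 1)[0],
               "nat_port": int(nat_port), "dst": (dst_ip, int(dst_port))}

def online_during(start, end):
    """Public IP plus time window only: every subscriber with an overlapping session."""
    return sorted({name for _, s, e, name in SESSIONS
                   if T(s) <= T(end) and T(e) >= T(start)})

def subscriber_at(private_ip, when):
    """Who held this private IP at this moment (private IPs are reused over time)."""
    for ip, s, e, name in SESSIONS:
        if ip == private_ip and T(s) <= when <= T(e):
            return name
    return "unknown"

def resolve(when, nat_port, dst_ip, dst_port, skew=timedelta(seconds=60)):
    """Full socket info: match translated port and destination near the reported time."""
    hits = set()
    for c in parse_log(CONN_LOG):
        if (c["nat_port"] == nat_port and c["dst"] == (dst_ip, dst_port)
                and abs(c["ts"] - T(when)) <= skew):
            hits.add(subscriber_at(c["src_ip"], c["ts"]))
    return sorted(hits)
```

The sample reuses translated port 40001 an hour later for a different subscriber, so the lookup depends on the gateway clock being accurate enough for the allowed skew.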