Logging state tables…
-
We use pfSense to onboard our users for secured wireless. It is rare, but from time to time we will get a take down notice from the DMCA and we have need to tie the following:
External WAN interface (the interface representing 100s of people behind it with a single IP address) to an external address (the address of the illegal content) to an internet IP address to a user.
Getting to that appears nearly impossible with the current setup. Even if I log ALL packets (permit and block), in most cases I am unable to tie this together. The state table, if it were being logged, would solve this issue. I could easily search for who attempted to connect to a particular site at a given time, and then tie the internal IP address to an authentication. But there does not appear to be a way to do this.
Does anyone else know how to skin this cat?
(This was posted inadvertently in the captive portal group. I have asked for that topic to be deleted)
-
There is no way to "log the state table" in the way you describe. In the future we do plan on having a way to log NAT translations as they happen, but at the moment that isn't possible.
You could use a netflow exporter like softflowd to send flow data to a server elsewhere on your network, and that may allow you to correlate the connections better.
That said, unless you have more than one external IP address you should be able to match an internal user to a remote IP address in a given time frame just from logging the LAN rule(s) passing out traffic.
-
So, how far in the future? Is this a feature that is on the roadmap?
