Netgate Discussion Forum

    Logging NAT?

    3 Posts 3 Posters 2.4k Views
    mcc15038

      Does anyone know of a way to log which private IPs are being NAT'd to public IPs?

      Right now, the only thing I can see is in the "Diagnostics: Show States", where it will show current private IPs, Public IPs they NAT to, and the destination.  However, those are only active NATs.  Is there a way to log these?  Also, is there a way to add a timestamp?

      There are times where we need to track down who a user was days earlier, and without the ability to correlate a public IP to a private IP, we cannot determine this info.

      I see that the bitmask flag would be helpful for us, but we don't have enough public IPs available to use this option.

      Any help is appreciated,

      -Dan

        cmb

        I just replied to this via email on a separate inquiry and figured I'd post it here too.

        There isn't a standard means of doing so. There are plenty of options for getting the information you need, depending on exactly how your NAT is set up. Most often, people just collect Netflow or similar details from their LAN IPs and can associate back any abuse reports that way. But that may or may not be very helpful entirely on its own, like in scenarios where you're using a pool of public IPs and have no ability to predict what's going out where. It is important to be able to associate back to which internal host, as I presume you don't have a big enough public IP assignment to have one internal host per public IP. But that may not be enough in and of itself.

        Most universities will set up their outbound NAT in such a way that the public IP associates back to one particular internal subnet, or part of a particular internal subnet (a /25 or /26 of private IPs per public IP), and then can use Netflow records to figure out which host was doing whatever you got a report on. Having the NAT set up that way, and Netflow records on the LAN side, eliminates the need to log NAT translations (which becomes pretty pointless then anyway, as logging that would just give you a number of hosts on that network that were using that IP, giving you no ability to tell who was doing what at the time).

        It appears there is one possibility to log NAT within PF, but it's not pretty. We could give that a shot if it's a requirement. In my opinion, you're better off not bothering and following the above methodology for your outbound NAT, as it lets you isolate any reports to a small portion of your internal network, which is the best that NAT logging is going to do for you anyway. You're going to have to have better abilities than that from there to track down the exact internal host, and Netflow is generally the tool of choice there once you can narrow it down to some portion of the internal network based on public IP.

          jimp (Rebel Alliance Developer, Netgate)
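        The correlation procedure described in the post above, as an added example that is not code from the original thread or from pfSense: a public IP is first mapped to the private /26 that translates to it (the table pfSense's per-source-subnet outbound NAT rules would imply), then LAN-side NetFlow records for that subnet are searched for hosts that reached the reported destination around the reported time. The NAT table, the flow records and all addresses are constructed for illustration.

```python
"""Correlate an abuse report back to internal hosts the way the post above
describes: map the reported public IP to the private /26 that NATs to it,
then search LAN-side NetFlow records for hosts in that subnet that talked to
the reported destination around the reported time.

Added example; NAT_MAP and FLOWS are constructed for illustration and are
not taken from any real network or from pfSense itself.
"""
import ipaddress
from datetime import datetime, timedelta

# Outbound NAT layout as recommended: one public IP per private /26, so a
# public IP narrows a report to at most 64 internal hosts.  Hypothetical
# addresses from the documentation ranges.
NAT_MAP = {
    "198.51.100.10": "10.20.0.0/26",
    "198.51.100.11": "10.20.0.64/26",
    "198.51.100.12": "10.20.0.128/26",
    "198.51.100.13": "10.20.0.192/26",
}

# Constructed NetFlow-style records exported from the LAN interface, i.e.
# before translation, so src is the real internal address.
# Fields: timestamp src dst dst_port proto
FLOWS = """\
2024-05-01T10:02:11Z 10.20.0.70  203.0.113.5 22  tcp
2024-05-01T10:03:40Z 10.20.0.72  203.0.113.5 22  tcp
2024-05-01T10:15:00Z 10.20.0.130 203.0.113.5 22  tcp
2024-05-01T09:10:00Z 10.20.0.71  203.0.113.5 22  tcp
2024-05-01T10:04:09Z 10.20.0.75  203.0.113.9 443 tcp
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_flows(text):
    """Parse the whitespace-separated flow export into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append({
            "ts": datetime.strptime(ts, TS_FMT),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto,
        })
    return records


def subnet_for_public(public_ip, nat_map=NAT_MAP):
    """Step 1: the private subnet whose outbound traffic is translated to public_ip."""
    if public_ip not in nat_map:
        raise ValueError(f"{public_ip} is not one of our outbound NAT addresses")
    return ipaddress.ip_network(nat_map[public_ip])


def suspects(public_ip, dst, port, when, window_minutes, flows, nat_map=NAT_MAP):
    """Step 2: hosts in that subnet that had a flow to dst:port within
    +/- window_minutes of the reported time (an ISO timestamp string).
    Returns a sorted list of internal IPs as strings."""
    net = subnet_for_public(public_ip, nat_map)
    dst = ipaddress.ip_address(dst)
    centre = datetime.strptime(when, TS_FMT)
    lo = centre - timedelta(minutes=window_minutes)
    hi = centre + timedelta(minutes=window_minutes)
    hits = {
        r["src"] for r in flows
        if r["src"] in net and r["dst"] == dst and r["port"] == port
        and lo <= r["ts"] <= hi
    }
    return [str(ip) for ip in sorted(hits)]


if __name__ == "__main__":
    # Abuse report: 198.51.100.11 probed 203.0.113.5:22 at about 10:03 UTC.
    print(suspects("198.51.100.11", "203.0.113.5", 22,
                   "2024-05-01T10:03:00Z", 5, parse_flows(FLOWS)))
```

        With the sample data the report on 198.51.100.11 narrows to the two hosts in 10.20.0.64/26 that touched the destination inside the window; 10.20.0.130 is excluded because it belongs to a different public IP, and 10.20.0.71 because its flow is outside the window. This is exactly the narrowing the post says NAT logging would not improve on: the NAT layout gives the subnet, the flow records give the host.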

          Netflow would be great; though it does not give you the actual translation, it does give you enough to track it down.

          There are some patches floating around to add something like this into tcpdump to read pfsync, but there isn't anything stock that does it, and nothing for pfSense. Even with that patch, though, it doesn't log the destination, just the internal and external IPs and the ports involved.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.