Logging NAT?

  • Does anyone know of a way to log which private IPs are being NAT'd to public IPs?

    Right now, the only thing I can see is in the "Diagnostics: Show States", where it will show current private IPs, Public IPs they NAT to, and the destination.  However, those are only active NATs.  Is there a way to log these?  Also, is there a way to add a timestamp?

    There are times where we need to track down who a user was days earlier, and without the ability to correlate a public IP to a private IP, we cannot determine this info.

    I see that bitmask flag would be helpful for us, but we don't have enough public IPs available to use this option.

    Any help is appreciated,


  • I just replied to this via email on a separate inquiry and figured I'd post it here too.

    There isn't a standard means of doing so. There are plenty of options
    for getting the information you need, depending on exactly how your
    NAT is setup. Most often, people just collect Netflow or similar
    details from their LAN IPs and can associate back any abuse reports
    that way. But that may or may not be very helpful entirely on its own
    like in scenarios where you're using a pool of public IPs and have no
    ability to predict what's going out where. It is important to be able
    to associate back to which internal host, as I presume you don't have
    a big enough public IP assignment to have one internal host per public
    IP. But that may not be enough in and of itself.

    Most universities will setup their outbound NAT in such a way that the
    public IP associates back to one particular internal subnet, or part
    of a particular internal subnet (a /25 or /26 of private IPs per
    public IP), and then can use Netflow records to figure out which host
    was doing whatever you got a report on. Having the NAT setup that way,
    and Netflow records on the LAN side, eliminates the need to log NAT
    translations (which becomes pretty pointless then anyway as logging
    that would just give you a number of hosts on that network that were
    using that IP, and giving you no ability to tell who was doing what at
    the time).

    It appears there is one possibility to log NAT within PF, but it's not
    pretty. We could give that a shot if it's a requirement. In my
    opinion, you're better off not bothering and following the above
    methodology for your outbound NAT as it lets you isolate any reports
    to a small portion of your internal network, which is the best that
    NAT logging is going to do for you anyway. You're going to have to
    have better abilities than that from there to track down the exact
    internal host, and Netflow is generally the tool of choice there once
    you can narrow it down to some portion of the internal network
    based on public IP.

  • Rebel Alliance Developer Netgate

    Netflow would be great, though it does not give you the actual translation, it does give you enough to track it down.

    There are some patches floating around to add something like this in to tcpdump to read pfsync, but there isn't anything stock that does it, and nothing for pfSense. Even with that patch though it doesn't log the destination, just the internal and external IPs and the ports involved.

Log in to reply