Does anyone know of a way to log which private IPs are being NAT'd to public IPs?
Right now, the only thing I can see is in the "Diagnostics: Show States", where it will show current private IPs, Public IPs they NAT to, and the destination. However, those are only active NATs. Is there a way to log these? Also, is there a way to add a timestamp?
There are times where we need to track down who a user was days earlier, and without the ability to correlate a public IP to a private IP, we cannot determine this info.
I see that bitmask flag would be helpful for us, but we don't have enough public IPs available to use this option.
Any help is appreciated,
I just replied to this via email on a separate inquiry and figured I'd post it here too.
There isn't a standard means of doing so. There are plenty of options
for getting the information you need, depending on exactly how your
NAT is setup. Most often, people just collect Netflow or similar
details from their LAN IPs and can associate back any abuse reports
that way. But that may or may not be very helpful entirely on its own
like in scenarios where you're using a pool of public IPs and have no
ability to predict what's going out where. It is important to be able
to associate back to which internal host, as I presume you don't have
a big enough public IP assignment to have one internal host per public
IP. But that may not be enough in and of itself.
Most universities will setup their outbound NAT in such a way that the
public IP associates back to one particular internal subnet, or part
of a particular internal subnet (a /25 or /26 of private IPs per
public IP), and then can use Netflow records to figure out which host
was doing whatever you got a report on. Having the NAT setup that way,
and Netflow records on the LAN side, eliminates the need to log NAT
translations (which becomes pretty pointless then anyway as logging
that would just give you a number of hosts on that network that were
using that IP, and giving you no ability to tell who was doing what at
It appears there is one possibility to log NAT within PF, but it's not
pretty. We could give that a shot if it's a requirement. In my
opinion, you're better off not bothering and following the above
methodology for your outbound NAT as it lets you isolate any reports
to a small portion of your internal network, which is the best that
NAT logging is going to do for you anyway. You're going to have to
have better abilities than that from there to track down the exact
internal host, and Netflow is generally the tool of choice there once
you can narrow it down to some portion of the internal network
based on public IP.
Netflow would be great, though it does not give you the actual translation, it does give you enough to track it down.
There are some patches floating around to add something like this in to tcpdump to read pfsync, but there isn't anything stock that does it, and nothing for pfSense. Even with that patch though it doesn't log the destination, just the internal and external IPs and the ports involved.