If you assign a port block per customer (PBA NAT in Juniper), you don't really need to log anything... do you?
On Tue, Dec 27, 2016 at 3:45 PM, Adam Moffett <[email protected]> wrote:
> A recent thread about a subpoena made me wonder. Historically this hasn't
> been an issue for me because I've had access to enough public IPs...but it
> might become an issue soon.
>
> Has anybody set up CGN with appropriate logging on Mikrotik?
> I'm thinking you would have to log every set of src-ip, dst-ip, src-port,
> and dst-port for each connection that a customer opens. Does simply
> checking the "log" checkbox on the srcnat rule generate enough data or is
> there more to it?
>
> Has anybody tried the method on the wiki
> (http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444)
> where you assign a range of port numbers to each private IP? The idea is
> you don't have to log everything at that point because you know that a
> connection from port x corresponds to private IP y. Then you just need to
> keep track of who has which private IP. It seems like this would have a
> side effect of limiting the number of simultaneous connections a single
> customer could open....maybe not a bad thing.
>
> Thanks,
> Adam
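The deterministic mapping that the reply above and the wiki's NAT444 approach rely on, worked through as an added example (Python, not code from the thread, from MikroTik or from the wiki page). It assumes ports below 1024 on each public address are held back, that every subscriber gets one fixed contiguous block of ports, and that the operator keeps a lease history mapping private address and time to customer; the lease records, address ranges and customer IDs are constructed sample data. The RouterOS rule strings are shaped after the wiki's example and should be checked against that page before use.

```python
"""Port-block CGNAT (NAT444): forward mapping, the subpoena-direction reverse
mapping, and the lease lookup that replaces per-connection NAT logging.

Added example, not from the thread.  Assumptions are marked in comments.
"""
import ipaddress
from datetime import datetime, timezone

# Assumption: well-known ports on each public address are never handed to a subscriber.
FIRST_PORT = 1024
LAST_PORT = 65535


def blocks_per_public_ip(block_size):
    """How many fixed blocks of block_size ports fit on one public address."""
    return (LAST_PORT - FIRST_PORT + 1) // block_size


def subscribers(private_net):
    """Every host address of the private range in a fixed order; that order IS the mapping."""
    return [str(h) for h in ipaddress.ip_network(private_net).hosts()]


def port_block(private_net, public_ips, block_size, private_ip):
    """Forward mapping: private address -> (public address, first port, last port).
    block_size is also the ceiling on simultaneous flows per protocol for that subscriber."""
    hosts = subscribers(private_net)
    per_ip = blocks_per_public_ip(block_size)
    if len(hosts) > per_ip * len(public_ips):
        raise ValueError(f"{len(hosts)} subscribers but only {per_ip * len(public_ips)} blocks")
    idx = hosts.index(private_ip)
    lo = FIRST_PORT + (idx % per_ip) * block_size
    return public_ips[idx // per_ip], lo, lo + block_size - 1


def private_ip_for(private_net, public_ips, block_size, public_ip, port):
    """Reverse mapping: (public address, source port) -> private address, by arithmetic only.
    Returns None when the port lies outside every allocated block (reserved ports, or the
    unused tail when block_size does not divide the range evenly): such a flow cannot have
    come from a subscriber behind this NAT, which is a useful answer in itself."""
    if public_ip not in public_ips or port < FIRST_PORT or port > LAST_PORT:
        return None
    per_ip = blocks_per_public_ip(block_size)
    block = (port - FIRST_PORT) // block_size
    if block >= per_ip:
        return None
    idx = public_ips.index(public_ip) * per_ip + block
    hosts = subscribers(private_net)
    return hosts[idx] if idx < len(hosts) else None


def customer_at(leases, private_ip, when):
    """Who held private_ip at time `when`, from the operator's lease/RADIUS history.
    leases: list of (private_ip, customer, start, end) with timezone-aware datetimes."""
    for ip, customer, start, end in leases:
        if ip == private_ip and start <= when < end:
            return customer
    return None


def answer_subpoena(private_net, public_ips, block_size, leases, public_ip, port, when):
    """The whole lookup: reverse the fixed block, then resolve the private address to the
    customer who held it at that moment.  No per-connection NAT log is consulted."""
    private_ip = private_ip_for(private_net, public_ips, block_size, public_ip, port)
    if private_ip is None:
        return None
    return customer_at(leases, private_ip, when)


def routeros_rules(private_net, public_ips, block_size):
    """One srcnat rule per subscriber and protocol, shaped after the wiki's NAT444 example
    (to-ports applies to TCP/UDP, so each subscriber needs a rule per protocol).
    Assumption: verify the exact keywords against the wiki for your RouterOS version."""
    rules = []
    for priv in subscribers(private_net):
        pub, lo, hi = port_block(private_net, public_ips, block_size, priv)
        for proto in ("tcp", "udp"):
            rules.append(f"/ip firewall nat add chain=srcnat action=src-nat protocol={proto} "
                         f"src-address={priv} to-addresses={pub} to-ports={lo}-{hi}")
    return rules


# Constructed sample deployment: 126 subscribers in an RFC 6598 range, two documentation
# public addresses, 1024 ports each (63 blocks per public address, so exactly 2 are needed).
PRIVATE_NET = "100.64.0.0/25"
PUBLIC_IPS = ["203.0.113.10", "203.0.113.11"]
BLOCK_SIZE = 1024
UTC = timezone.utc
LEASES = [  # constructed lease history: the same private address changed hands once
    ("100.64.0.65", "cust-0419", datetime(2016, 12, 20, tzinfo=UTC), datetime(2016, 12, 26, tzinfo=UTC)),
    ("100.64.0.65", "cust-0733", datetime(2016, 12, 26, tzinfo=UTC), datetime(2017, 1, 3, tzinfo=UTC)),
]

if __name__ == "__main__":
    asked = ("203.0.113.11", 3000, datetime(2016, 12, 27, 15, 45, tzinfo=UTC))
    print("private address:", private_ip_for(PRIVATE_NET, PUBLIC_IPS, BLOCK_SIZE, *asked[:2]))
    print("customer:", answer_subpoena(PRIVATE_NET, PUBLIC_IPS, BLOCK_SIZE, LEASES, *asked))
    print(routeros_rules(PRIVATE_NET, PUBLIC_IPS, BLOCK_SIZE)[0])
```

What you still have to retain is the lease history, and a subpoena has to carry the source port and a timestamp with a known timezone, since the same private address can belong to different customers a day apart. The rule-per-subscriber layout also makes the trade-off in the quoted message explicit: a 1024-port block caps each customer at 1024 concurrent TCP flows (and 1024 UDP) on that public address.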
