
For those of you who use pfSense, does anyone know of a way to log which private IPs are being NAT'd to public IPs?

Right now, the only thing I can see is in the "Diagnostics: Show States", where it will show current private IPs, Public IPs they NAT to, and the destination. However, those are only active NATs. Is there a way to log these? Also, is there a way to add a timestamp?  The firewall logs do not show the NAT info.

There are times where we need to track down who a user was days earlier, and without the ability to correlate a public IP to a private IP, we cannot determine this info.

Any help is appreciated.

 

Thanks,

 

-Dan

 

-----------------------

Daniel Mc Cue

Salem State University

71 Loring Ave.

Salem, MA  01970

(978) 542-6909

 



********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Message from wilcoxkm@email.appstate.edu

On Wed, Dec 14, 2011 at 02:34:31PM +0000, Daniel McCue wrote:

> For those of you who use pfSense, does anyone know of a way to log which private IPs are being NAT'd to public IPs?

We aren't a pfSense shop but we are a FreeBSD + pf shop. pfSense is built on FreeBSD + pf so I don't mind tossing in our experiences.

> Right now, the only thing I can see is in the "Diagnostics: Show States", where it will show current private IPs, Public IPs they NAT to, and the destination. However, those are only active NATs. Is there a way to log these? Also, is there a way to add a timestamp? The firewall logs do not show the NAT info.

You can get the same information from the command line using pfctl -s s. As you've noted, that's great for current connections but it's horrible for logging and states that have expired.

pfsync is used to keep multiple pf firewalls in sync - it's used to share state. Since inside/outside/destination information is necessary for sharing state, we use it to track NAT logging with a start time, an end time, three port:ip tuples, the MAC of the firewall interface that did the NAT and a transaction id.

The alternative is to track network flows via pflowd/cflowd (they're in ports, one uses the pf state table directly).

kmw
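The question asks for a timestamped record of private-to-public NAT mappings, and the reply points at pfctl -s s as the source of the current state table. Neither poster supplied code; the script below is an added example (not from the thread, pfSense or FreeBSD) of the simplest approach that does not need pfsync: poll the state table, and write a START line when a translated state first appears and an END line when it disappears, so a public address:port can later be mapped back to the inside host. It assumes the FreeBSD pf line format "<iface> <proto> <wire src> (<original src>) -> <dst> <state>", with the parenthesised address being the pre-NAT private one; the two snapshots, interface names and addresses are constructed sample data, and the polling interval caveat applies: a translation that starts and ends between two polls is never seen.

```python
"""Reconstruct a timestamped NAT log from successive `pfctl -s states` snapshots.

pf only shows *current* states, so this script diffs one snapshot against the
previous one and records when each translation was first and last observed.
Assumed `pfctl -s states` line format (FreeBSD pf, outbound NAT):
  <iface> <proto> <wire src> [(<original src>)] -> <dst> [(<original dst>)] <state>
where the parenthesised address is the pre-NAT (private) one.
"""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<wire>\S+)(?:\s+\((?P<orig>[^)]+)\))?\s+"
    r"(?P<dir>->|<-)\s+"
    r"(?P<dst>\S+)(?:\s+\((?P<dst_orig>[^)]+)\))?\s+"
    r"(?P<state>\S+)\s*$"
)


@dataclass(frozen=True)
class NatState:
    iface: str
    proto: str
    public: str    # address:port as seen on the wire after translation
    private: str   # address:port before translation (the inside host)
    dst: str
    state: str

    def key(self) -> Tuple[str, str, str, str]:
        # Identity of a translation; the pf state name (ESTABLISHED etc.)
        # changes over a connection's life, so it is not part of the key.
        return (self.proto, self.private, self.public, self.dst)


def parse_state_line(line: str) -> Optional[NatState]:
    """Return a NatState for an outbound NAT'd state, or None for non-NAT / unparsable lines."""
    m = STATE_RE.match(line)
    if not m or m.group("dir") != "->" or not m.group("orig"):
        return None
    return NatState(m.group("iface"), m.group("proto"), m.group("wire"),
                    m.group("orig"), m.group("dst"), m.group("state"))


@dataclass(frozen=True)
class NatEvent:
    kind: str            # "START" or "END"
    at: datetime         # time of the snapshot that produced this event
    started: datetime    # when the translation was first observed
    nat: NatState


class NatTracker:
    """Diff successive state-table snapshots into START/END events."""

    def __init__(self) -> None:
        self.active: Dict[Tuple[str, str, str, str], Tuple[datetime, NatState]] = {}

    def update(self, snapshot: str, now: datetime) -> List[NatEvent]:
        seen: Dict[Tuple[str, str, str, str], NatState] = {}
        for line in snapshot.splitlines():
            nat = parse_state_line(line)
            if nat is not None:
                seen.setdefault(nat.key(), nat)
        events: List[NatEvent] = []
        for key, nat in seen.items():
            if key not in self.active:
                self.active[key] = (now, nat)
                events.append(NatEvent("START", now, now, nat))
        for key in list(self.active):
            if key not in seen:
                started, nat = self.active.pop(key)
                events.append(NatEvent("END", now, started, nat))
        return events


def format_event(ev: NatEvent) -> str:
    """One syslog-friendly line carrying every field needed to map public back to private later."""
    return (f"{ev.at.isoformat()} NAT-{ev.kind} proto={ev.nat.proto} "
            f"private={ev.nat.private} public={ev.nat.public} dst={ev.nat.dst} "
            f"via={ev.nat.iface} started={ev.started.isoformat()}")


def read_state_table() -> str:
    """Run pfctl on the firewall itself (needs root); not used by the offline demo."""
    return subprocess.run(["pfctl", "-s", "states"], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample snapshots (not real pfctl output) so the demo runs offline.
SNAPSHOT_1 = """\
em0 tcp 203.0.113.5:54321 (192.168.1.10:49152) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.5:40001 (192.168.1.22:53000) -> 198.51.100.53:53       MULTIPLE:SINGLE
em1 tcp 192.168.1.10:49153 -> 192.168.1.1:22       ESTABLISHED:ESTABLISHED
"""
SNAPSHOT_2 = """\
em0 udp 203.0.113.5:40001 (192.168.1.22:53000) -> 198.51.100.53:53       MULTIPLE:SINGLE
em0 tcp 203.0.113.5:54322 (192.168.1.30:50000) -> 198.51.100.20:80       SYN_SENT:CLOSED
"""


def demo() -> List[str]:
    """Replay the two constructed snapshots 30 s apart and return the log lines produced."""
    tracker = NatTracker()
    t1 = datetime(2011, 12, 14, 14, 34, 31, tzinfo=timezone.utc)
    t2 = datetime(2011, 12, 14, 14, 35, 1, tzinfo=timezone.utc)
    lines = [format_event(e) for e in tracker.update(SNAPSHOT_1, t1)]
    lines += [format_event(e) for e in tracker.update(SNAPSHOT_2, t2)]
    return lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In production the loop would call read_state_table() every few seconds and ship format_event() output to syslog so it lands beside the firewall logs; the non-NAT line in the first snapshot (em1 to the router's own address) is deliberately ignored, and the END line repeats the start time so a single record is enough to answer "who had this public port at that time".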