G'day,

We would like to issue private IPs to the hotspot subscribers, and then NAT them onto the one public IP assigned to the AP. Problem is, the police could come by with the public IP and a time period, asking for the name of the subscriber. With the information that is normally logged, we could at best come with a list subscribers that were on the hotspot at that time.

We do not have enough public IPs to go around. I suppose it is possible to create a firewall rule that creates a log entry every time a subscriber opens a TCP connection. Presumably the police will have all the socket info (src & dst IP, src & dst port). It seems that this would work, but create an enormous amount of data.

Is there a simpler way? How is this situation normally handed?

The jurisdiction is Mexico.

Thanks in advance, Vic.

Normally (at least in Australia) we do the same and let them know we don't record the port-ip combinations.

This for us is ok as it is in most cases illegal to collect customer traffic data without authorisation.

You can however then offer to track all data for a short period or mirror data to a port they can record.

Lastly: if you have a netflow system collecting traffic flow data from MikroTik devices you could use this to provide the pair, but it would likely depend on how long you were keeping data for and how often you aggregated it.

Hi there
I'm afraid but NetFlow will not work because intrinsic definition of flows. What you will get will be the communication end-to-end so nothing about the public ip used as NAT public ip.

To say :

IPs : private ip

IPnat : public nat ip

IPd : public destinaiton IP.

Merely, netflow will send information about the flows

IPs ---> IPd
and
IPd --->IPs

and magically no info will be supplied for IPnat