My customers get private IP addresses which are translated to public addresses on the edge of the network. The translation is usually many private addresses to one public address using masquerade or srcnat actions.
In Poland network operators are obliged to keep information about IP address usage for one year in case of law infringements.
In case of src-nat it practically means keeping at least information about every established TCP session - source private IP and port and destination IP and port.
This is a well-known situation; there is also a well-known firewall filter rule which allows logging the TCP session info:
/ip firewall filter add action=log chain=forward connection-state=new protocol=tcp src-address=10.0.0.0/8
08:54:57 firewall,info forward: in:ether2_LAN out:ether1_UPLINK, src-mac 00:27:22:xx:xx:xx, proto TCP (SYN), 10.0.20.38:50173->213.180.x.x:443, len 60
The question is: how to find out, what port number is the connection translated to on the public side?
I know I can sniff it on a port mirror of the uplink using tcpdump, but maybe there's a better solution.
Setting up the following ip firewall mangle rule:
/ip firewall mangle add action=log chain=postrouting connection-state=established protocol=tcp src-address=10.0.0.0/8
09:14:26 firewall,info postrouting: in:(none) out:ether1_UPLINK, src-mac 00:13:ce:xx:xx:xx, proto TCP (ACK), 10.0.20.101:38290->173.194.x.x:80, NAT (10.0.20.101:38290->55.22.x.x:38290)->173.194.x.x:80, len 52
Thanks,
jacek
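The two log formats quoted in the post (the `forward` line without NAT information and the `postrouting` line with the `NAT (...)` part) parsed into per-session retention records, as an added example that is not part of jacek's post or of RouterOS. The sample lines are constructed for this example (documentation-range addresses, made-up MACs), and the `first_seen` deduplication is an assumption about how one would reduce a per-packet `postrouting` log to one record per TCP session, not something RouterOS does for you.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log in the RouterOS "firewall,info" format shown in the post.
# Addresses are RFC 5737 documentation ranges; the 4th line is a repeated ACK of the
# 3rd session to show why the postrouting/established rule needs deduplication.
SAMPLE_LOG = """\
08:54:57 firewall,info forward: in:ether2_LAN out:ether1_UPLINK, src-mac 00:27:22:aa:bb:cc, proto TCP (SYN), 10.0.20.38:50173->198.51.100.7:443, len 60
09:14:26 firewall,info postrouting: in:(none) out:ether1_UPLINK, src-mac 00:13:ce:aa:bb:cc, proto TCP (ACK), 10.0.20.101:38290->198.51.100.9:80, NAT (10.0.20.101:38290->203.0.113.5:38290)->198.51.100.9:80, len 52
09:14:27 firewall,info postrouting: in:(none) out:ether1_UPLINK, src-mac 00:13:ce:aa:bb:cc, proto TCP (SYN), 10.0.20.101:38291->198.51.100.9:443, NAT (10.0.20.101:38291->203.0.113.5:1025)->198.51.100.9:443, len 60
09:14:28 firewall,info postrouting: in:(none) out:ether1_UPLINK, src-mac 00:13:ce:aa:bb:cc, proto TCP (ACK), 10.0.20.101:38291->198.51.100.9:443, NAT (10.0.20.101:38291->203.0.113.5:1025)->198.51.100.9:443, len 52
"""


def _endpoint(name: str) -> str:
    # "ip:port" with named groups <name>_ip and <name>_port
    return r"(?P<%s_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<%s_port>\d{1,5})" % (name, name)


# One regex for both line shapes; the "NAT (...)" part is optional.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,\w+ (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+), src-mac (?P<mac>[0-9a-fA-F:]+), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    + _endpoint("src") + "->" + _endpoint("dst")
    + r"(?:, NAT \(" + _endpoint("nat_src") + "->" + _endpoint("nat_pub")
    + r"\)->" + _endpoint("nat_dst") + r")?"
    + r", len (?P<len>\d+)$"
)


@dataclass(frozen=True)
class Session:
    time: str
    chain: str
    flags: str
    private_ip: str
    private_port: int
    dst_ip: str
    dst_port: int
    public_ip: Optional[str] = None    # None when the line carries no NAT info
    public_port: Optional[int] = None


def parse_line(line: str) -> Optional[Session]:
    """Parse one firewall log line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Session(
        time=g["time"], chain=g["chain"], flags=g["flags"] or "",
        private_ip=g["src_ip"], private_port=int(g["src_port"]),
        dst_ip=g["dst_ip"], dst_port=int(g["dst_port"]),
        public_ip=g["nat_pub_ip"],
        public_port=int(g["nat_pub_port"]) if g["nat_pub_port"] else None,
    )


def parse_log(text: str) -> List[Session]:
    return [s for s in (parse_line(l) for l in text.splitlines()) if s is not None]


Key = Tuple[str, int, str, int]


def first_seen(sessions: List[Session]) -> Dict[Key, Session]:
    """Collapse per-packet lines to one entry per (private src, dst) tuple.

    The first line wins, except that a line carrying NAT information replaces an
    earlier one without it, so the forward/new and postrouting logs can be merged.
    """
    table: Dict[Key, Session] = {}
    for s in sessions:
        key = (s.private_ip, s.private_port, s.dst_ip, s.dst_port)
        if key not in table or (table[key].public_ip is None and s.public_ip is not None):
            table[key] = s
    return table


def retention_records(text: str) -> List[str]:
    """One 'time private -> public -> destination' record per session."""
    records = []
    for s in first_seen(parse_log(text)).values():
        public = f"{s.public_ip}:{s.public_port}" if s.public_ip else "?:?"
        records.append(
            f"{s.time} {s.private_ip}:{s.private_port} -> {public} -> {s.dst_ip}:{s.dst_port}"
        )
    return records


if __name__ == "__main__":
    for rec in retention_records(SAMPLE_LOG):
        print(rec)
```

The `forward` chain record comes out with `?:?` as its public side, which is exactly the gap the question is about; only the `postrouting` lines carry the translated address and port, and in the second sample session the public port (1025) differs from the private one, which is the case a retention record must capture.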