A recent thread about a subpoena made me wonder. Historically this
hasn't been an issue for me because I've had access to enough public
IPs... but it might become an issue soon.
Has anybody set up CGN with appropriate logging on Mikrotik?
I'm thinking you would have to log every set of src-ip, dst-ip,
src-port, and dst-port for each connection that a customer opens. Does
simply checking the "log" checkbox on the srcnat rule generate enough
data or is there more to it?
Has anybody tried the method on the wiki
(http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444)
where you assign a range of port numbers to each private IP? The idea
is you don't have to log everything at that point because you know that
a connection from port x corresponds to private IP y. Then you just
need to keep track of who has which private IP. It seems like this
would have a side effect of limiting the number of simultaneous
connections a single customer could open... maybe not a bad thing.
Thanks,
Adam
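The port-range approach Adam describes can be worked through in a few lines. The following is an added example (not code from this thread or from MikroTik): it slices one public IP's port range into equal, non-overlapping blocks, one per private host, emits a srcnat rule per block in the shape of the wiki's CGNAT/NAT444 example (the rule text is assumed, not tested on a router), and then answers the subpoena-style question "which subscriber was behind public IP P, port Q at time T" by combining the static port block with a constructed table of private-IP assignments. The private range, public IP, port range and lease records are all constructed sample values.

```python
"""Deterministic CGNAT port blocks: per-customer NAT rules plus a reverse
lookup that needs only the static block map and the private-IP lease history,
not a per-connection log. Added illustration; all values are constructed."""
import ipaddress
from datetime import datetime
from typing import Dict, List, Optional, Tuple

PortBlock = Tuple[str, int, int]  # (public IP, first port, last port)


def port_blocks(private_net: str, public_ip: str,
                first_port: int = 2000, last_port: int = 65535) -> Dict[str, PortBlock]:
    """Give every host in private_net an equal, non-overlapping slice of the
    public port range. The slice size is also the cap on concurrent translated
    connections per customer, the side effect mentioned in the post."""
    hosts = list(ipaddress.ip_network(private_net).hosts())
    size = (last_port - first_port + 1) // len(hosts)
    if size < 1:
        raise ValueError("more private hosts than ports on one public IP")
    return {str(h): (public_ip, first_port + i * size, first_port + (i + 1) * size - 1)
            for i, h in enumerate(hosts)}


def routeros_rules(blocks: Dict[str, PortBlock]) -> List[str]:
    """One srcnat rule per customer, modelled on the wiki's NAT444 example.
    Assumed rule syntax: it has not been verified on a RouterOS box here."""
    return ["/ip firewall nat add chain=srcnat src-address=%s action=src-nat "
            "to-addresses=%s to-ports=%d-%d" % (priv, pub, lo, hi)
            for priv, (pub, lo, hi) in blocks.items()]


def private_ip_for(blocks: Dict[str, PortBlock], public_ip: str, port: int) -> Optional[str]:
    """Static step of the lookup: a public (IP, port) maps to exactly one block."""
    for priv, (pub, lo, hi) in blocks.items():
        if pub == public_ip and lo <= port <= hi:
            return priv
    return None


# Constructed lease/assignment records: who held which private IP and when.
# (private IP, subscriber id, start, end); end=None means still assigned.
LeaseRecord = Tuple[str, str, str, Optional[str]]
LEASES: List[LeaseRecord] = [
    ("10.0.0.10", "cust-0042", "2024-03-01T00:00:00", "2024-03-02T00:00:00"),
    ("10.0.0.10", "cust-0077", "2024-03-02T00:00:00", None),
    ("10.0.0.11", "cust-0013", "2024-02-20T00:00:00", None),
]


def subscriber_for(leases: List[LeaseRecord], private_ip: str, when: str) -> Optional[str]:
    """Time-dependent step: which subscriber held private_ip at instant `when`.
    This is the only record that must be kept over time in this scheme."""
    t = datetime.fromisoformat(when)
    for ip, sub, start, end in leases:
        if ip != private_ip:
            continue
        if datetime.fromisoformat(start) <= t and (end is None or t < datetime.fromisoformat(end)):
            return sub
    return None


def resolve(blocks: Dict[str, PortBlock], leases: List[LeaseRecord],
            public_ip: str, port: int, when: str) -> Optional[str]:
    """Full answer to 'who was behind public_ip:port at time when'."""
    priv = private_ip_for(blocks, public_ip, port)
    return subscriber_for(leases, priv, when) if priv else None


if __name__ == "__main__":
    blocks = port_blocks("10.0.0.0/24", "203.0.113.1")  # 254 customers, 250 ports each
    print(routeros_rules(blocks)[9])
    print(resolve(blocks, LEASES, "203.0.113.1", 4300, "2024-03-01T10:00:00"))
```

Two things the example makes visible: with a /24 behind one public IP each customer gets 250 ports, which is the per-customer connection ceiling the post anticipates, and the only record that has to be retained over time is the private-IP assignment history with accurate timestamps, so the router's clock and the DHCP/lease log need to be trustworthy for the lookup to hold up.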