I'm sure the big guys are anyway. Big data. Track everything, sort it out 
later. 




----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




----- Original Message -----

From: "Mathew Howard" <[email protected]> 
To: "af" <[email protected]> 
Sent: Tuesday, December 27, 2016 8:07:57 PM 
Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods 


Well, yeah, I guess that's better than just telling them "I have no idea, it 
could be any of these 100 customers"... and if there's no more information to 
be had, there's not much they can do (unless there are laws requiring us to 
track this stuff, that I'm not aware of). But as far as actually being able to 
help, I'm wondering if anybody is actually going to be logging port numbers on 
the other end of things. 



On Tue, Dec 27, 2016 at 8:02 PM, Mike Hammett <[email protected]> wrote: 




Require a port number to proceed? 










From: "Mathew Howard" <[email protected]> 
To: "af" <[email protected]> 
Sent: Tuesday, December 27, 2016 7:58:21 PM 
Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods 



The problem I see with that though, is the subpoenas we've gotten are generally 
just an IP address, and a time period... if this is coming from something like, 
say, a facebook post, is there typically going to be any log of that sort of 
thing? 


Assigning port blocks would work fine for things like bittorrent DMCA takedown 
notices, where they give you port information, but I'm not sure how you would 
use it to track down a specific customer when all they give you is the IP 
address... 



On Tue, Dec 27, 2016 at 6:51 PM, Josh Reynolds <[email protected]> wrote: 



If you assign a port block per customer (PBA NAT in Juniper), you 
don't really need to log anything... do you? 



On Tue, Dec 27, 2016 at 3:45 PM, Adam Moffett <[email protected]> wrote: 
> A recent thread about a subpoena made me wonder. Historically this hasn't 
> been an issue for me because I've had access to enough public IP's...but it 
> might become an issue soon. 
> 
> Has anybody set up CGN with appropriate logging on Mikrotik? 
> I'm thinking you would have to log every set of src-ip, dst-ip, src-port, 
> and dst-port for each connection that a customer opens. Does simply 
> checking the "log" checkbox on the srcnat rule generate enough data or is 
> there more to it? 
> 
> Has anybody tried the method on the wiki 
> (http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444) 
> where you assign a range of port numbers to each private IP? The idea is 
> you don't have to log everything at that point because you know that a 
> connection from port x corresponds to private ip y. Then you just need to 
> keep track of who has which private IP. It seems like this would have a 
> side effect of limiting the number of simultaneous connections a single 
> customer could open....maybe not a bad thing. 
> 
> Thanks, 
> Adam 



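Added example (not code from the thread, from Mikrotik, or from the wiki page Adam linked): a small Python model of the per-customer port-block scheme Adam asks about and Josh suggests. Everything in it is constructed: the public address 203.0.113.10, the 100.64.0.0/24 inside pool, the 250-port block size and the customer table. It computes the disjoint port block for each private IP, renders one srcnat rule per IP in the src-nat/to-ports form the wiki recipe uses (assumed syntax, check it against the wiki before pasting into a router), reverses a public-side source port back to the private IP and customer, and shows the point Mathew raises: a request that carries only the public IP and a time period, with no port, still resolves to every customer behind that address.

```python
"""Per-customer port-block CGNAT, worked through offline.

Illustrative code written for this thread. The public address, inside pool,
block size and subscriber table are all made up. The generated rule text
mirrors the src-nat / to-ports form of the Mikrotik wiki NAT444 recipe and is
an assumption to verify, not a copy of it.
"""
import ipaddress

PUBLIC_IP = "203.0.113.10"                             # constructed; one shared public address
PRIVATE_POOL = ipaddress.ip_network("100.64.0.0/24")   # constructed inside pool (RFC 6598 space)
FIRST_PORT = 2000                                      # leave the low ports alone
LAST_PORT = 65535
# Source ports per customer. 254 hosts * 250 = 63500 ports, which fits below
# 65535. This number is also the cap on distinct source ports one customer can
# hold at once, i.e. roughly the limit on simultaneous outbound flows.
BLOCK_SIZE = 250


def port_blocks(pool=PRIVATE_POOL, first_port=FIRST_PORT,
                last_port=LAST_PORT, block_size=BLOCK_SIZE):
    """Give every host in the pool its own disjoint source-port range.

    Returns {private_ip: (low_port, high_port)} in pool order. Raises if the
    pool does not fit behind one address, which is the capacity check to run
    before pushing rules.
    """
    blocks = {}
    port = first_port
    for host in pool.hosts():
        high = port + block_size - 1
        if high > last_port:
            raise ValueError(
                f"{pool} needs more than {last_port - first_port + 1} ports "
                f"at {block_size} per host; shrink the block or add a public IP")
        blocks[str(host)] = (port, high)
        port = high + 1
    return blocks


def routeros_rules(blocks, public_ip=PUBLIC_IP):
    """Render one srcnat rule per private IP (assumed syntax, see docstring)."""
    return [
        f"/ip firewall nat add chain=srcnat src-address={private_ip} "
        f"action=src-nat to-addresses={public_ip} to-ports={low}-{high}"
        for private_ip, (low, high) in blocks.items()
    ]


def private_ip_for_port(blocks, port):
    """Reverse the mapping: a public-side source port names exactly one private IP.

    Returns None for a port outside every block, e.g. one below FIRST_PORT,
    which no customer can have been translated to.
    """
    for private_ip, (low, high) in blocks.items():
        if low <= port <= high:
            return private_ip
    return None


# Constructed subscriber table: who held which private IP during the period in
# question. In production this comes from DHCP / PPPoE / RADIUS records and
# must be keyed by time as well as by address.
ASSIGNMENTS = {
    str(host): f"CUST-{index:04d}"
    for index, host in enumerate(PRIVATE_POOL.hosts(), start=1)
}


def candidate_customers(blocks, assignments, port=None):
    """Answer 'who was behind PUBLIC_IP at time T', with or without a port.

    With a source port the answer is one customer. Without one, which is how
    Mathew describes the subpoenas arriving, every customer mapped behind the
    address is a candidate and the port-block scheme cannot narrow it further.
    """
    if port is None:
        return {assignments[ip] for ip in blocks}
    private_ip = private_ip_for_port(blocks, port)
    return {assignments[private_ip]} if private_ip else set()


if __name__ == "__main__":
    blocks = port_blocks()
    print(routeros_rules(blocks)[0])
    print(candidate_customers(blocks, ASSIGNMENTS, port=2250))
    print(len(candidate_customers(blocks, ASSIGNMENTS)))
```

Run it as-is to see the first generated rule, the single customer behind source port 2250, and the 254 candidates you are left with when the request carries no port. Try `port_blocks(ipaddress.ip_network("100.64.0.0/23"))` to see the capacity check refuse a pool that does not fit behind one address at this block size.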