Simplify NAT logging to conforme more easily with local/regional laws
The French law requires from ISPs to log "who used this IP address at this timestamp?" informations for a year.
For our public-addressed subnets, it's easy: our IPAM memorize association between an IP addresse and a person.
For our RFC1918-addressed subnets, pfSense must log timestamp + private IP + private port + destination IP + destination port.
- NAT rules don't have a "log" checkbox
- NAT processing is done before filtering so adding a logging rule on WAN interface fails (RFC1918 IP adresses was already translated)
- Only floating filtering rules can match without performing pass/drop action
1) Add a floating rule with following parameters:
- Action: match
- Interface: all internal private-addressed subnets
- Direction: in
- Protocol: any
- Source: any
- Destination: invert match + alias with all of our networks (because no need of recording inter-VLANs flows)
- "Log" checkbox: checked
2) Check "log" checkbox on each pass rule on each private-addressed interface (as previous, add alias in destination to disable recording of inter-VLANs traffic).
- Variant with floating rule on each private-addressed interface + tagged match.
So, I have a technical solution so it's OK for me.My feature request is: can we imagine a mechanism to automatically permit logging of private-addressed subnets like filter rule auto creation on NAT rule adding? I see two ways to do that:
- NAT rules with a "log" checkbox? I think that it's impossible because of PF's limit but maybe I'm wrong.
- A checkbox in general settings which creates additionnal (floating?) rules. Bonus if it don't log inter-VLANs trafic (auto-detection of internal subnets? pre-filled list of internal networks?).
Feature request justification: have a easier technical solution to conforme with local/regional laws around the globe and simplify the choice of decision-makers in favor of pfSense.