pfSense

The French law requires from ISPs to log "who used this IP address at this timestamp?" informations for a year.

For our public-addressed subnets, it's easy: our IPAM memorize association between an IP addresse and a person.
For our RFC1918-addressed subnets, pfSense must log timestamp + private IP + private port + destination IP + destination port.

Constraints (from https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html):

• NAT rules don't have a "log" checkbox
• NAT processing is done before filtering so adding a logging rule on WAN interface fails (RFC1918 IP adresses was already translated)
• Only floating filtering rules can match without performing pass/drop action

I think about two ways of doing it:
1) Add a floating rule with following parameters:

• Action: match
• Interface: all internal private-addressed subnets
• Direction: in
• Protocol: any
• Source: any
• Destination: invert match + alias with all of our networks (because no need of recording inter-VLANs flows)
• "Log" checkbox: checked
  OR
  2) Check "log" checkbox on each pass rule on each private-addressed interface (as previous, add alias in destination to disable recording of inter-VLANs traffic).
• Variant with floating rule on each private-addressed interface + tagged match.

So, I have a technical solution so it's OK for me.

My feature request is: can we imagine a mechanism to automatically permit logging of private-addressed subnets like filter rule auto creation on NAT rule adding? I see two ways to do that:

• NAT rules with a "log" checkbox? I think that it's impossible because of PF's limit but maybe I'm wrong.
  OR
• A checkbox in general settings which creates additionnal (floating?) rules. Bonus if it don't log inter-VLANs trafic (auto-detection of internal subnets? pre-filled list of internal networks?).

Feature request justification: have a easier technical solution to conforme with local/regional laws around the globe and simplify the choice of decision-makers in favor of pfSense.