Feature #11975


Simplify NAT logging to conform more easily with local/regional laws

Added by Guillaume LUCAS about 3 years ago. Updated about 3 years ago.



French law requires ISPs to log "who used this IP address at this timestamp?" information for a year.

For our public-addressed subnets, it's easy: our IPAM memorizes the association between an IP address and a person.
For our RFC1918-addressed subnets, pfSense must log timestamp + private IP + private port + destination IP + destination port.

Constraints (from
  • NAT rules don't have a "log" checkbox
  • NAT processing is done before filtering, so adding a logging rule on the WAN interface fails (RFC1918 IP addresses were already translated)
  • Only floating filtering rules can match without performing pass/drop action
I am thinking of two ways of doing it:
1) Add a floating rule with the following parameters:
  • Action: match
  • Interface: all internal private-addressed subnets
  • Direction: in
  • Protocol: any
  • Source: any
  • Destination: invert match + alias with all of our networks (because there is no need to record inter-VLAN flows)
  • "Log" checkbox: checked
2) Check the "log" checkbox on each pass rule on each private-addressed interface (as in the previous option, add the alias in destination to disable recording of inter-VLAN traffic).
  • Variant with a floating rule on each private-addressed interface + tagged match.

So, I have a technical solution so it's OK for me.

My feature request is: can we imagine a mechanism to automatically permit logging of private-addressed subnets, like the automatic filter rule creation when a NAT rule is added? I see two ways to do that:
  • NAT rules with a "log" checkbox? I think that it's impossible because of PF's limit but maybe I'm wrong.
  • A checkbox in general settings which creates additional (floating?) rules. Bonus if it doesn't log inter-VLAN traffic (auto-detection of internal subnets? pre-filled list of internal networks?).

Feature request justification: have an easier technical solution to conform with local/regional laws around the globe and simplify the choice of decision-makers in favor of pfSense.
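
An added example, not part of the original issue and not pfSense code: a small Python model of the floating match rule from option 1, showing which flows end up in the log and how the retained records answer the "who used this address at this timestamp?" lookup. Interface names, subnets and flows are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed for illustration: private-addressed interfaces and the "all of our networks" alias.
PRIVATE_IFACES = {"LAN", "VLAN20"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.10.0/24", "10.0.20.0/24", "203.0.113.0/24")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def should_log(flow):
    """Option 1 as described: match, direction in, private interfaces,
    destination = NOT the internal alias (so inter-VLAN flows are skipped)."""
    ts, iface, direction, src, sport, dst, dport = flow
    return iface in PRIVATE_IFACES and direction == "in" and not is_internal(dst)

def build_log(flows):
    """Retain the five fields the post lists: timestamp, private IP and port,
    destination IP and port."""
    return [(f[0], f[3], f[4], f[5], f[6]) for f in flows if should_log(f)]

def who_used(log, ts, dst, dport, window=timedelta(seconds=60)):
    """Private hosts that reached dst:dport within `window` of ts."""
    return sorted({src for (t, src, _sport, d, dp) in log
                   if d == dst and dp == dport and abs(t - ts) <= window})

# Constructed sample flows (not real traffic):
# (timestamp, interface, direction, src IP, src port, dst IP, dst port)
T0 = datetime(2021, 6, 1, 12, 0, 0)
FLOWS = [
    (T0, "LAN", "in", "10.0.10.5", 51000, "198.51.100.7", 443),
    # Inter-VLAN flow: destination is inside the alias, so it is not recorded.
    (T0 + timedelta(seconds=5), "LAN", "in", "10.0.10.5", 51001, "10.0.20.9", 22),
    (T0 + timedelta(seconds=9), "VLAN20", "in", "10.0.20.9", 40000, "198.51.100.7", 443),
    # Seen on WAN after translation: the private source is gone, and WAN is
    # not in the rule's interface list anyway.
    (T0 + timedelta(seconds=9), "WAN", "out", "192.0.2.1", 61000, "198.51.100.7", 443),
    (T0 + timedelta(hours=2), "VLAN20", "in", "10.0.20.30", 40001, "198.51.100.7", 443),
]
LOG = build_log(FLOWS)

if __name__ == "__main__":
    for record in LOG:
        print(record)
    print(who_used(LOG, T0, "198.51.100.7", 443))
```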

Related issues

Is duplicate of Feature #7800: Add option for state logging (New, 08/22/2017)

Actions #1

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Duplicate

Duplicate of #7800

We're limited at the moment by what pf offers as data for logging, and last I saw, it doesn't support this. It's been a request for a while now.

Actions #2

Updated by Jim Pingle about 3 years ago

  • Is duplicate of Feature #7800: Add option for state logging added
