Vyos CGNAT and logging howto

Hi,

How do I do CGNAT in VyOS, and also how do I save the connection/NAT logs (so that we can trace abuse)?

Thanks

CGNAT should work very similar to normal NAT, shouldn’t it? There’s a defined subnet to use, 100.64.0.0/10. Therefore you treat the entire setup as an ISP-controlled double-NAT setup. Unless I’m wildly misunderstanding things:

  • Subnet the 100.64.0.0/10 into smaller networks based on your network setup
  • Create the NAT policies so you can minimize how many smaller subnets run on Public WAN IPs
  • Set up DHCP pools if you want to automate handing out IPs for your pools
  • It can work with businesses, you just have to port forward to them and tell them what the public facing IP is
    • Many businesses HATE this, they like to control the public facing IP
  • Send all your logs to a syslog/ELK server to be analyzed and stored

I will add this disclaimer: this is how we ran our MSP-controlled WISP several years ago. So we handled the clients’ firewalls, port forwarding, etc.

Hi.

Thanks for replying.
For example’s sake, suppose we NAT 100.64.0.0/10 to a single IP.
So assume we got an abuse complaint saying that 1 week back there was an SSH login attempt or a hack attempt from our public IP on a remote system. So I am looking for a way to save/store connection/NAT records in some format so we can handle abuse issues like this and figure out which machine on the internal network is causing it.

If normal NAT allows this, it is fine as well. I just read that CGN is more verbose and elaborate in terms of logging requirements, and wanted to know how to set it up and how to enable logging, if that is even possible with VyOS.

Sorry I didn’t see this sooner. I think syslog with something like ELK or Graylog to help parse the logs would fit your situation.

Hi,

Thank you for the reply.
The question is, how do I enable connection logging for just this subnet, so that it goes to syslog?

You can’t enable logging per network or per interface, syslog captures all traffic and usually system messages. But if you feed all those logs into something like an ELK stack, you would be able to parse the logs quickly to find just the information you want.

https://docs.vyos.io/en/latest/configuration/system/syslog.html

If you want to test CGNAT you can find examples in our docs: CGNAT — VyOS 1.5.x (circinus) documentation

transition to cgnat…
We use source NAT; I planned to update and use CGNAT. When logging via syslog, the systemd-journald process consumed too many resources, and during rush hour the logs stopped running. Are the syslog settings different for CGNAT? And is there an option to do optimization so as not to lose NAT logs?

old config:
set nat source rule 1 outbound-interface 'bond0.48'
set nat source rule 1 source address '10.х.х.х/х'
set nat source rule 1 translation address 'х.х.х.х/24'
set nat source rule 2 outbound-interface 'bond0.48'
set nat source rule 2 source address '10.х.х.х/х'
set nat source rule 2 translation address 'х.х.х.х/24'

set system conntrack expect-table-size '50000000'
set system conntrack hash-size '50000000'
set system conntrack log icmp destroy
set system conntrack log icmp new
set system conntrack log tcp destroy
set system conntrack log tcp new
set system conntrack log udp destroy
set system conntrack log udp new
set system conntrack table-size '50000000'

set system syslog host 10.х.х.х facility daemon level 'notice'
set system syslog host 10.х.х.х port '5514'

The conntrack log options for 1.4 and 1.5 are not working so far: ⚓ T5471 Conntrack logging doesn't seem to be working
Alternatives for a new implementation are under consideration.

The new logger will probably be implemented in T6362.
Some GRUB options could help; see the reference.