Vyos CGNAT and logging howto


How to do CGNAT in VyOS … and also how to save the connection/NAT logs (so that we can trace abuse)


CGNAT should work very similar to normal NAT, shouldn’t it? There’s a defined subnet to use; therefore you treat the entire setup as an ISP-controlled double-NAT setup. Unless I’m wildly misunderstanding things:

  • Subnet it into smaller networks based on your network setup
  • Create the NAT policies so you can minimize how many smaller subnets run on public WAN IPs
  • Set up DHCP pools if you want to automate handing out IPs for your pools
  • It can work with businesses, you just have to port forward to them and tell them what the public facing IP is
    • Many businesses HATE this, they like to control the public facing IP
  • Send all your logs to a syslog/ELK server to be analyzed and stored

I will add this disclaimer: this is how we ran our MSP-controlled WISP several years ago. So we handled the clients’ firewall, port forwarding, etc.


Thanks for replying.
For example’s sake, suppose we NAT to a single IP.
So assume we got an abuse complaint saying that 1 week back there was an SSH login attempt or a hack attempt from our public IP on the other remote system. So I am looking for a way to save/store connection/NAT records in some format so we can handle abuse issues like this and figure out which machine on the internal network is causing this.

If normal NAT allows this, it is fine as well. I just read that CGN is more verbose and elaborate in terms of logging requirements and wanted to know how to set it up and how to enable logging, if that is even possible with VyOS.

Sorry I didn’t see this sooner. I think syslog with something like ELK or Graylog to help parse the logs would fit your situation.


Thank you for the reply.
The question is, how do I enable connection logging for just this subnet, so that it goes to syslog?

You can’t enable logging per network or per interface; syslog captures all traffic and usually system messages. But if you feed all those logs into something like an ELK stack, you would be able to parse the logs quickly to find just the information you want.
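The two questions in this thread (how to trace an abuse complaint back to an internal host behind a shared public IP, and how to parse the whole syslog feed down to the records that matter) come down to one lookup: given the public IP, public source port, remote IP/port and a time window from the complaint, find the internal address that held that translation at that time. The script below is an added example and not code from this thread or from the VyOS project. It assumes the NAT box forwards conntrack events to syslog in the style of `conntrack -E` output (the `src=`/`dst=`/`sport=`/`dport=` fields, with the reply tuple carrying the translated public address); the syslog header, hostname and all addresses are constructed sample data, and the year is assumed because syslog timestamps carry none.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample log (not real data): syslog header + conntrack-style event.
# Original tuple: customer (100.64.0.0/10 CGNAT space) -> remote host.
# Reply tuple: remote host -> translated public address/port on the NAT box.
SAMPLE_LOG = """\
Jan 12 03:10:02 cgnat1 conntrack[812]: [NEW] tcp      6 120 SYN_SENT src=100.64.1.23 dst=203.0.113.9 sport=51234 dport=22 [UNREPLIED] src=203.0.113.9 dst=198.51.100.7 sport=22 dport=40001
Jan 12 03:12:40 cgnat1 conntrack[812]: [NEW] tcp      6 120 SYN_SENT src=100.64.2.8 dst=203.0.113.9 sport=43321 dport=22 [UNREPLIED] src=203.0.113.9 dst=198.51.100.7 sport=22 dport=40002
Jan 12 03:14:15 cgnat1 conntrack[812]: [NEW] tcp      6 120 SYN_SENT src=100.64.1.23 dst=198.51.100.200 sport=51240 dport=443 [UNREPLIED] src=198.51.100.200 dst=198.51.100.7 sport=443 dport=40003
Jan 12 03:15:01 cgnat1 conntrack[812]: [DESTROY] tcp      6 src=100.64.1.23 dst=203.0.113.9 sport=51234 dport=22 src=203.0.113.9 dst=198.51.100.7 sport=22 dport=40001
Jan 13 09:00:00 cgnat1 conntrack[812]: [NEW] tcp      6 120 SYN_SENT src=100.64.3.77 dst=203.0.113.9 sport=60000 dport=22 [UNREPLIED] src=203.0.113.9 dst=198.51.100.7 sport=22 dport=40001
"""

# One regex for NEW/DESTROY events; the "120 SYN_SENT" timeout/state pair and
# the [UNREPLIED] flag are optional because DESTROY lines omit them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ conntrack\[\d+\]: "
    r"\[(?P<event>NEW|DESTROY|UPDATE)\] (?P<proto>\w+)\s+\d+(?: \d+ \w+)? "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
    r"(?: \[UNREPLIED\])? "
    r"src=(?P<rsrc>\S+) dst=(?P<rdst>\S+) sport=(?P<rsport>\d+) dport=(?P<rdport>\d+)"
)


@dataclass
class Translation:
    ts: datetime
    event: str
    proto: str
    internal_ip: str      # customer address before NAT
    internal_port: int
    remote_ip: str        # the host named in the abuse complaint
    remote_port: int
    public_ip: str        # our shared public address (reply-tuple dst)
    public_port: int      # the port the complaint should quote (reply-tuple dport)


def parse_line(line: str, year: int) -> Optional[Translation]:
    """Parse one syslog line into a Translation, or None if it is not a conntrack event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog has no year, so the caller supplies one (assumption for this example).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Translation(
        ts=ts, event=m["event"], proto=m["proto"],
        internal_ip=m["src"], internal_port=int(m["sport"]),
        remote_ip=m["dst"], remote_port=int(m["dport"]),
        public_ip=m["rdst"], public_port=int(m["rdport"]),
    )


def find_internal_hosts(log_text: str, public_ip: str, public_port: Optional[int],
                        remote_ip: str, remote_port: int,
                        start_iso: str, end_iso: str, year: int = 2024) -> List[Translation]:
    """Return the NEW translations matching a complaint's public-side tuple in [start, end].

    public_port=None means the complaint did not quote a source port; every
    customer who talked to the remote host through this public IP then matches,
    which is exactly why CGN abuse handling needs the port and a timestamp.
    """
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or rec.event != "NEW":
            continue  # only the flow-creation event pins down who started it
        if rec.public_ip != public_ip or (rec.remote_ip, rec.remote_port) != (remote_ip, remote_port):
            continue
        if public_port is not None and rec.public_port != public_port:
            continue
        if start <= rec.ts <= end:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # Complaint: "198.51.100.7:40001 probed our SSH on 2024-01-12 between 03:00 and 04:00 UTC".
    for h in find_internal_hosts(SAMPLE_LOG, "198.51.100.7", 40001, "203.0.113.9", 22,
                                 "2024-01-12T03:00:00", "2024-01-12T04:00:00"):
        print(f"{h.ts} {h.internal_ip}:{h.internal_port} -> {h.remote_ip}:{h.remote_port} via {h.public_ip}:{h.public_port}")
```

The sample deliberately includes a second customer reaching the same remote host through the same public IP a few minutes later, and a reuse of public port 40001 by a third customer a day later: without the port the lookup returns two candidates, and without the time window it returns the wrong one. That is the information an abuse desk should insist on before acting, and it is the same filter you would express as a query once the syslog feed is in ELK or Graylog.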