Vyos CGNAT and logging howto

admin0 · January 26, 2021, 3:20pm

Hi,

How to do cgnat in vyos … and also how to save the connection/nat logs ( so that we can trace abuse )

Thanks

firedrow · January 26, 2021, 8:02pm

CGNAT should work very similar to normal NAT, shouldn’t it? There’s a defined subnet to use, 100.64.0.0/10. Therefore you treat the entire setup as an ISP controlled double-NAT setup. Unless I’m wildly mis-understanding things:

Subnet the 100.64.0.0/10 into smaller networks based on your network setup
Create the NAT policies so you can minimize how many smaller subnets run on Public WAN IPs
Setup DHCP pools if you want to automate handing out IPs for your pools
It can work with businesses, you just have to port forward to them and tell them what the public facing IP is
- Many businesses HATE this, they like to control the public facing IP
Send all your logs to a syslog/ELK server to be analyzed and stored

I will add this disclaimer: this is how we ran our MSP-controlled WISP several years ago. So we handled the clients firewall, port forwarding, etc.

admin0 · January 26, 2021, 11:48pm

Hi.

Thanks for replying.
For example purpose, suppose we NAT 100.64.0.0/10 to for example a single IP.
So assume we got an abuse complaint saying 1 week back, there was a ssh login attempt or a hack attempt from our public IP on the other remote system. So looking for a way to save/store connections/nat to some format and we can handle abuse issues like this and figure out which machine from the internal network is causing this.

If normal NAT allows this, it is fine as well. I just read and CGN is more verbose and elaborate in terms of logging requirement and wanted to know how to set it up and how to enable logging . if that is even possible with vyos.

firedrow · February 15, 2021, 11:41pm

Sorry I didn’t see this sooner. I think syslog with something like ELK or Graylog to help parse the logs would fit your situation.

admin0 · February 16, 2021, 11:21am

Hi,

Thank you for the reply.
The question is, how do I enable connection logging for just this subnet , so that it goes to syslog?

firedrow · February 16, 2021, 4:58pm

You can’t enable logging per network or per interface, syslog captures all traffic and usually system messages. But if you feed all those logs into something like an ELK stack, you would be able to parse the logs quickly to find just the information you want.

https://docs.vyos.io/en/latest/configuration/system/syslog.html