Log ALL fw/network connections to external syslog-server

I've configured an external syslog server in my network and I would like to log all connections made - not only system messages as it does by default.

So I have enabled logging on my Zones, but it only shows rejected traffic. This can't be changed from the UI.

In my case I want to see connections being made from LAN to WAN, to be able to see what my clients actually send out. Of course, I do not wish to log network traffic to the local file system, only to my external syslog server.

How do I enable logging for everything in /etc/config/firewall?

Running OpenWrt 22.03.5 on EdgeRouter X with HW Offload enabled (works great with no CPU usage to speak of on a 1 Gbit/s connection).

EDIT: By connections I of course mean new connections, NOT payloads.

A few thoughts:

  1. Logging everything and sending it out to an external syslog server will take considerable processing power, and will likely significantly reduce your overall routing throughput.
  2. You'll be able to see the destination of all the packets, but you won't likely be able to see the contents because nearly everything is encrypted these days. This means that you can see that someone went to google or whatever, but you won't be able to see what they searched for. Or you would be able to see that someone is looking at Facebook, but you won't know anything about what they are reading or posting.

With that in mind, do you really need to log all traffic? Or maybe just from specific devices? What is it that you hope to gain from the exercise?

  1. You can use port mirroring to mirror to another host and then capture all traffic on it.
  2. You can use conntrack to see meta info (who connected to where via what ports kind of data).
  3. Why do you want to capture all traffic?
  4. It looks like you don't want to capture all traffic, just LAN to WAN, but still, why capture the actual traffic? If you want to control who can access what, there are various tools, e.g. firewall rules, DNS filtering etc.
  5. Wrapping actual traffic into the syslog protocol a) takes processing power; b) takes network bandwidth (effectively you double your traffic).

Haha, sorry, I was obviously very unclear on what I meant. :slight_smile:
I of course meant CONNECTIONS, not all traffic including payload.

I just want to see what my clients and servers connect to outside my private network, just as I did with previous firewalls at home, like pfSense. Not actual payloads. Back in the day using L7 firewalls was fun since very little was encrypted, but now it's just basically meaningless.
Anyways, if you don't keep connection logs, you can't see what devices did what on your network at a later stage. Like a client or IoT-device being hacked and sending data to unofficial targets.

I just thought that such a basic feature as logging of connections would be included in the UI of OpenWrt's firewall. Some RRD graphs would be nice as well, but I can manage that within my log server.

This is something I've done for the last 15 years with all my firewalls and routers, both private and for enterprise networks. I just thought there would be a "Log all connections" option in the UI, but I can't find it. There's a "Log all connections" option in pfSense, for example.

I'll do it manually and hope that OpenWrt uses the logd settings for sending the logs externally and not to local disk.

This is still a ton of "stuff". You can see it using the conntrack utility as @grrr2 mentions above; ssh into your router and run

opkg update && opkg install conntrack
conntrack -E --zone wan

I'm sitting on a quiescent line right now, everyone else is doing something non-internet, so just me on the forum and I'm seeing 50-100 connections being made/broken every minute.

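As an added example (not code from the thread or from the OpenWrt project), the script below shows the two routes the thread touches on for getting new LAN-to-WAN connection events to an external syslog server on OpenWrt 22.03: the "do it manually in /etc/config/firewall" route the original poster settles on (a logged fw4 forwarding rule, with logd pointed at the remote server), and the conntrack route suggested above (normalize `conntrack -E` events and hand them to `logger`, which logd then forwards like any other message). The syslog server address 192.0.2.10 and the sample conntrack lines are constructed placeholders; the `uci` option names are the standard fw4 and system ones (`log`, `log_limit`, `log_ip`, `log_port`, `log_proto`, `log_remote`), and the hostnames `fwconn` and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: log NEW lan->wan connections to an
# external syslog server on OpenWrt 22.03 (fw4 + logd). Run on the router.

SYSLOG_SERVER="${SYSLOG_SERVER:-192.0.2.10}"   # constructed placeholder

# 1) Point logd at the external server. Kernel log lines (where nft 'log'
#    statements from firewall rules end up) are forwarded by logd as well,
#    so nothing needs to be written to local flash.
configure_remote_syslog() {
    uci batch <<EOF
set system.@system[0].log_ip='$SYSLOG_SERVER'
set system.@system[0].log_port='514'
set system.@system[0].log_proto='udp'
set system.@system[0].log_remote='1'
commit system
EOF
    /etc/init.d/log restart
}

# 2) A lan->wan forwarding rule with logging enabled. fw4 only enters the
#    per-zone forward chains after the established/related shortcut, so the
#    rule matches (and logs) the first packet of each new connection rather
#    than every packet. log_limit stops a busy LAN from flooding the log.
configure_logged_forward_rule() {
    uci batch <<EOF
add firewall rule
set firewall.@rule[-1].name='log-new-lan-to-wan'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].target='ACCEPT'
set firewall.@rule[-1].log='1'
set firewall.@rule[-1].log_limit='100/second'
commit firewall
EOF
    /etc/init.d/firewall restart
}

# 3) Conntrack route: reduce 'conntrack -E' output to one compact line per
#    NEW event, using only the original direction (the first src/dst/sport/
#    dport tokens on the line). UPDATE/DESTROY events are dropped; protocols
#    without ports (icmp) print without ':port'.
conntrack_new_to_line() {
    awk '
    $1 == "[NEW]" {
        proto = $2; src = dst = sport = dport = ""
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src" && src == "") src = kv[2]
            else if (kv[1] == "dst" && dst == "") dst = kv[2]
            else if (kv[1] == "sport" && sport == "") sport = kv[2]
            else if (kv[1] == "dport" && dport == "") dport = kv[2]
        }
        if (sport == "") printf "new %s %s -> %s\n", proto, src, dst
        else printf "new %s %s:%s -> %s:%s\n", proto, src, sport, dst, dport
    }'
}

# Stream NEW events into logd; logd forwards them to SYSLOG_SERVER.
# Requires: opkg update && opkg install conntrack
forward_new_connections() {
    conntrack -E -e NEW | conntrack_new_to_line | while IFS= read -r line; do
        logger -t fwconn -p daemon.info "$line"
    done
}

# Constructed sample events in 'conntrack -E' layout, so the normalizer can
# be exercised off the router.
sample_events() {
    cat <<'EOF'
    [NEW] tcp      6 120 SYN_SENT src=192.168.1.23 dst=203.0.113.5 sport=51744 dport=443 [UNREPLIED] src=203.0.113.5 dst=192.168.1.23 sport=443 dport=51744
 [UPDATE] tcp      6 60 SYN_RECV src=192.168.1.23 dst=203.0.113.5 sport=51744 dport=443 src=203.0.113.5 dst=192.168.1.23 sport=443 dport=51744
    [NEW] udp      17 30 src=192.168.1.23 dst=192.168.1.1 sport=53123 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.23 sport=53 dport=53123
    [NEW] icmp     1 30 src=192.168.1.23 dst=203.0.113.5 type=8 code=0 id=1234 [UNREPLIED] src=203.0.113.5 dst=192.168.1.23 type=0 code=0 id=1234
[DESTROY] udp      17 src=192.168.1.23 dst=192.168.1.1 sport=53123 dport=53 src=192.168.1.1 dst=192.168.1.23 sport=53 dport=53123
EOF
}

sample_events | conntrack_new_to_line
```

On the router, run `configure_remote_syslog` once, then either `configure_logged_forward_rule` (firewall route, zero extra processes) or `forward_new_connections` in the background (conntrack route, which also sees connections the firewall rule would not, such as those hitting other zones). The three-line summary format is deliberately stable so a log server can parse it with one regular expression.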