As the thread title says.

Maybe it is a stupid question, and it is a non-problem, still I would be curious to know if something like this exists and/or there is some other "common practice" or similar thing.

When you do a maintenance intervention on - say - elevators, you put a sign "Out of order" on each door at the various storeys.

People read the sign, grudgingly take the stairs, but do not report to the porter or maintenance guy "Hey, the elevator is out of order!"

Last week there was a connection issue at the office.

Basically the ISP line failed, both the "main" and "failover" ISP's (I was later told that the issue was a problem in a junction box between us and the telephone/dsl central, that the ISP solved in a few hours time).

I setup temporarily a third (via LTE backup connection) link so that a basic connection was re-established in a matter of some 20-30 minutes, but while I was trying to understand what was happening practically everyone in the building either called or tracked me down at the server room to say "Hey, there is no internet!".

Now the question, when some maintenance/configuration changes/whatever is needed on the LAN or WAN that would imply no connection for more than a few minutes, is there a simple way to redirect browsers to a web page to the effect of:

Out of order.
Under Maintenance.
DON'T PANIC
(assume the above to be written in large, friendly letters)
We're working on it, please be patient and try again later.

I am thinking of a device to which I can connect the LAN instead of the modem/router and that will serve a static web page in any browser, no matter the address, and no matter if coming from wi-fi or wired clients, sort of a "catch all" device.

No idea if it is possible at all.

I have seen a couple of related topics:
viewtopic.php?t=208023
viewtopic.php?t=205557

But I am not sure that approach can work, if it is the "right" one, or if there are better/different ways.

This thread has a few approach to a similar problem:
viewtopic.php?t=195386&hilit=captive+portal

Basically the options from that are:
1. Create a [largely unused] captive portal on new VLAN, with update HTML with your "Out of order" sign. For maintenance, you change the VLAN to captive portal VLAN. The only issue is /ip/hotspot does add a shit done of dynamic firewall rules, which might gets annoying when reviewing the config.
2. Do the same, but same old/cheap Mikrotik to have to run just the captive portal with "Out of order' HTML, and plug in the small router. This has the advantage if the router itself was broken, you can still have have your "Out of order" flag flying. Since the hotspot does little and traffic to one web page is light, even some older mAP might due & it it could be plug-and-play.
3. if you already have a local web server, you can using set DHCP Server to return a custom option with the link to a web server (with HTML and JSON file for the DHCP Option). It take half the lease time on average for this method to trigger, but a bit simpler than enabling the full captive portal.

Yes, I had in mind a possible re-use for one old hap Lite I have around, but I have also a couple (still old) thin clients I am not using, so a minimal Linux with a web server would also be possible.

But using hotspot would catch only wi-fi users, and anyway the half-lease time would be too long.
And I don't have a VLAN anyway.

A certain Amm0 explained how hotspot can only take care of the wifi part in a post in one of the two threads I mentioned:
viewtopic.php?t=208023#p1077781

All employees have a cell phone......
Send mass text message - internet out restoration time est XX:XX Hrs.

A certain Amm0 explained how hotspot can only take care of the wifi part in a post in one of the two threads I mentioned:
viewtopic.php?t=208023#p1077781

Your memory is better than mine. But despite my poor summary there... I'm pretty /ip/hotspot applies to any LAN clients connected to the bridge — I just meant like coffeeshop's wifi use case, vs page redirection which is how that thread started...

AFAIK, you should be able to reset the hAPlite to defaults, remove one of the ports from the bridge, set the port's IP address to match your main router's IP, then use /ip/hotspot/setup on the ports to create a hotspot. You need to look at the docs on the customizations and config, but largely be just removing the login stuff from the HTML, so there be no way to "auth" on your "out of order" sign HTML page. To enable your "sign", you just unplug the main router from LAN, and put in the hAPlite.

For bonus points, a sophisticated approach be using VRRP on main LAN, so the main LAN IP is the VRRP address like .1, and then assign the LAN IP of the "out-of-order hAP" and main router to .2/.3 - this allow them both be online at same time & you just switch VRRP interface is master by changing the priority. This mean the hotspot trigger on VRRP failure, and the /ip/hotspot has firewall rule to redirect things via DNS... so it be relatively quick at showing your sign but also not instantaneous.

I understand now, you are proposing a "captive portal" that leads to nowhere, I was tricked by the word "hotspot" that I instinctively connected with "Wi-FI stuff", almost any tutorial/example I had seen was about the /ip hotspot assigned on wlan1, but of course it can run just fine also on ethern.

I made an extremely simplified test in gns3 and the main issue (which I believe has no real solution, or at least not a simple one) came out instantly, (possibly obviously) https doesn't work, the browser (firefox inside Tiny Core Linux) in the test) shows a "The connection was interrupted" internal message page and never loads the login page.
Good ol' http works just fine, but of course most if not all the devices use https pages/websites as destination.

It is entirely possible that a real device, (possibly with a proper self-signed certifficate on the Mikrotik device, not exactly "simple") behaves better, though I believe that for the whole stuff to be able to work internet connection (in the background) must exist.

All employees have a cell phone......
Send mass text message - internet out restoration time est XX:XX Hrs.

I see from your reply how you have a vast experience of (graciously) managing personnel in activities that run 24/7 (please read shifts) and that your employees at home or in vacation simply love to be notified about how the internet at the office is working.

Or Canada is different, probably here I would be called out for anti-union behaviour or even stalking.

Besides I would need a mass SMS send program on my own phone (no internet, you remember? ).

I could upload to a cloud server a database of the timetables for shifts and holidays and then connect to it[1] and run a query to determine the phone numbers to send SMS to, of course.


[1] no, wait ...

Simple captive portals (almost) never work for intercepting anything encrypted. They work nicely when "a friendly" device first obrains connectivity and starts to check if it can access (certain servers on) internet. Captive portals appropriately block connectivity and direct client to open certain web page (located in walled garden).

"a friendly" device in this context means that it does follow certain (industry established?) protocols to find out about captive porrsls. And those are most often mobile devices which expect to connect to network which requires certain actions to be done (e.g. certain amount of money paid) before opening the gates. Usual desktop devices are not "friendly" in this aspect. And not even "friendly" devices react nicely when connections get dropped while "physical" connectivity status doesn't change (e.g. wireless connection did not interrupt, DHCP lease is still valid).

And no, "official" server certificate doesn't help in case when TCP connections get intercepted because certificate's Subject (FQDN of server, identified using certificate) will almost certainly not match browser's idea about where it's connecting.

All employees have a cell phone......

How about using good ole public announcement system incude office building to announce internet outages? Those announcements will automatically reach only people physically present inside offices without them being stalked.

Or even older foot messengers ...

FWIW, both modern Windows and MacOS desktop OSes support using DHCP options to detect the captive portal, which /ip/hotspot support (returning the JSON needed by Option 114). Now hotspot also does all the older DNS/redirects schemes too - which @mkx is correct, they don't as well these days since nearly everything is TLS. But the DHCP captive portal would be picked up via a DHCP renew. A lot of users when facing a "network issue" often disconnect/reconnect wi-fi/etc before calling someone, which trigger DHCP renew, which could have the "out-of-order sign" [captive portal HTML].

Yep, but this would assume that the LAN is all DHCP clients (which isn't right now) but even if I changed it to becoming dynamic (possibly needing a few machines to have static assignments via MAC), I would need this "temporary replacement device" to replicate the same DHCP server settings or give out some other device address as DHCP server.

I could probably manage this way the wi-fi part (and devices that connect to it are likely more "friendly" as mkx defined them) and add a "plain" http bookmark to 192.168.0.1 to each wired machine browser(s) telling people to check that link if internet is not working, but then I would have to serve an alternate "internet is fine" page in normal operation.

Not "simple" at all.

Not "simple" at all.

And here I thought you like making things more complex.

Well,. at least we tried.

Re-searching I found this thread
viewtopic.php?t=136510
where sindy was (as he always is) clear:
viewtopic.php?t=136510#p672515

So I re-asked an already asked and replied to question, my bad.

It remains (IMHO) a pity that something like this is not possible, but I do understand how the basic issue is in the way https works and of course the makers of the browsers have no interest in providing something that would work the way I imagined, the possibility of adding a (http) link to the gateway on the error page "no internet" would be IMHO enough, but it won't likely happen .