how to block my client that not pay and i show to them a page of my webserver?

Just redirect all the traffic 80 (for example) to you website/server, and this server have the page with a message for pay.


Max
http://mikrotikexpert.com
http://maxid.com.ar

upload a web page(with a nonpayment notice) to a web server, make a address list named= nonpaid user, add non paid user ip to that address list, then make dat nat rule with src-address= nonpaid user and dst-nat to your web server ip and port.

Thanks maybe it would be helpful to you.

upload a web page(with a nonpayment notice) to a web server, make a address list named= nonpaid user, add non paid user ip to that address list, then make dat nat rule with src-address= nonpaid user and dst-nat to your web server ip and port.

Thanks maybe it would be helpful to you.

so my friend, i have made the web server, but if you can explain me this..about address list, where i can make these address list, with client ip addressess, if you can tell us, about this..

With RespECt AlterNATIVI

1st of all, stop using AlTeRNatiVE CApS ThiNGiE. It's really annoying. Pay some respect please.


2nd of all, have a look under Firewall -> Address List (/ip firewall address-list in the console).

upload a web page(with a nonpayment notice) to a web server, make a address list named= nonpaid user, add non paid user ip to that address list, then make dat nat rule with src-address= nonpaid user and dst-nat to your web server ip and port.

Thanks maybe it would be helpful to you.

not work

disconnect it !

disconnect it !

good idea

upload a web page(with a nonpayment notice) to a web server, make a address list named= nonpaid user, add non paid user ip to that address list, then make dat nat rule with src-address= nonpaid user and dst-nat to your web server ip and port.

Thanks maybe it would be helpful to you.

chain=dstnat action=dst-nat to-addresses=85.252.x.x to-ports=80 src-address=85.252.x.x dst-port=80 protocol=tcp comment="customer doesnt pay" disabled=no

I use this nat rule, and it works ok to all but 1 webserver. The webserver it doesnt work to is the one I want it to go to, and I cant figure out why it doesnt work. If I type its ip in my browser the page is displayed correctly. Any idea what can be wrong on the web server ?

fosben wrote:
chain=dstnat action=dst-nat to-addresses=85.252.x.x to-ports=80 src-address=85.252.x.x dst-port=80 protocol=tcp comment="customer doesnt pay" disabled=no

ok first of all 85.252.x.x is your web server IP right? then what is src-address=85.252.x.x ? src-address should be your client IP address whom you want to show your nonpayment notice. you can use only protocol=tcp don't use dst-port=80 cause then your this client can logon to yahoo messanger or service like that.

Thanks

fosben wrote:
chain=dstnat action=dst-nat to-addresses=85.252.x.x to-ports=80 src-address=85.252.x.x dst-port=80 protocol=tcp comment="customer doesnt pay" disabled=no

ok first of all 85.252.x.x is your web server IP right? then what is src-address=85.252.x.x ? src-address should be your client IP address whom you want to show your nonpayment notice. you can use only protocol=tcp don't use dst-port=80 cause then your this client can logon to yahoo messanger or service like that.

Thanks

Which is the correct version?

chain=dstnat action=dst-nat to-addresses=(web server ip) to-ports=80 src-address=(user IP) protocol=tcp comment="customer doesnt pay" disabled=no

if you have an address-list named something like=nonpaid user and you have your non paid user IP in that address list then you can do another thing >

chain=dstnat action=dst-nat to-addresses=(web server ip) to-ports=80 src-address=(User IP range like 192.168.1.0/24) protocol=tcp src-address list=(nonpaid user) comment="customer doesnt pay" disabled=no

Hope you'll understand what I want to say here.

NB: And make sure to put this rule in the 1st line of your firewall nat.
Thanks

chain=dstnat action=dst-nat to-addresses=(web server ip) to-ports=80 src-address=(user IP) protocol=tcp comment="customer doesnt pay" disabled=no

yes, and as I said, this works to all but the web server I want it to work to.. So what I was asking is what could be wrong on the web server I natted to since it didnt work

IS YOU WEB SERVER HAVE MUILTIPLE WEB PAGE HOSTED? I mean is it you own web server with your notice page only or the web server hosts multiple domains? cause if you use a shard web server IP then you can't put your web page address as a text(DNS) in your MT you have to put the IP address and port. Then check your firewall that are u put any forward rule with your nonpaid user IP address as action=drop.

Hope I make myself clear.

Thanks

Note that these specific rules will allow non-tcp/udp traffic through. If you definitely need to block those, you can modify these rules.

I prefer rejecting, rather than dropping traffic, so the customer will immediately see that their connection attempt (IM's, ftp, file sharing, etc)
has failed, rather than waiting for a timeout.

Hi,

Can I do this without NAT?

I have public IPs on both sides and uses just a simple route.

# DST-ADDRESS PREF-SRC G GATEWAY DIS INTERFACE
0 A S 0.0.0.0/0 r 212.112.XXX.XXX 1 IP-XXXX


//Fredrik

hi to all. i try all but in my mtk dont work because the web server is in the same class of my customer. I wan toresolve this proble, in wich mode?

Code: Select all

x.x.x.x = IP address of your webserver that will give the "please pay us" page.
y.y.y.y = the IP address of a customer who has been suspended for nonpayment

Code: Select all

/ ip firewall nat 
add chain=dstnat action=dst-nat to-addresses=x.x.x.x to-ports=80 \
    dst-port=80 protocol=tcp src-address-list=suspended_customers comment="" \
    disabled=no 
/ ip firewall filter
# You want to allow DNS, so they can lookup www.youtube.com (for example) and let their browser
# attempt to contact it but reject all other UDP traffic
add chain=forward action=reject reject-with=icmp-admin-prohibited dst-port=!53 \
    protocol=udp src-address-list=suspended_customers comment="" disabled=no
# Once they've resolved www.youtube.com, you let their port 80 request get out (and to the NAT
# rules).
add chain=forward action=reject reject-with=icmp-admin-prohibited dst-port=!80 \
    protocol=tcp src-address-list=suspended_customers="" disabled=no 
/ ip firewall address-list
# And here is where we define the customer IPs that get their traffic filtered and redirected
add list=suspended_customers address=y.y.y.y comment="" disabled=no 

Note that these specific rules will allow non-tcp/udp traffic through. If you definitely need to block those, you can modify these rules.

I prefer rejecting, rather than dropping traffic, so the customer will immediately see that their connection attempt (IM's, ftp, file sharing, etc)
has failed, rather than waiting for a timeout.

This setting works great, but only if the server x.x.x.x is in front of mikrotik:


But is possible to redirect y.y.y.y to x.x.x.x when it's behind mikrotik?


Thank you in advance