moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

how to allow internet from address-list

Thu Nov 10, 2011 4:43 pm

Hi all!

I'm trying to make the following scheme work:
1. MikroTik gives IPs to the LAN via the DHCP server. Let's suppose the DHCP pool is 192.168.0.0/24, so I create an address-list=CLIENTS with 192.168.0.0/24

and before giving them access to the Internet, I send CLIENTS to a web-server page where they need to log in, and they will then be added to address-list=CLIENTS_LOGON. Here is the rule which redirects them to the web server:
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.0.0.10 to-ports=80 protocol=tcp dst-address=0.0.0.0/0 src-address-list=clients dst-port=80

The problem is that I don't know how to give them access when they are in address-list=CLIENTS_LOGON and the rule above is in place.
I'm confused...

Masquerade is not appropriate, because when a user wants to log out on the 10.0.0.10 web page, the page will see the IP of the MikroTik's outgoing interface. I will NAT 192.168.0.0/24 on the web server.

Could someone suggest a solution to this problem?
It would be much appreciated.
Thank you
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to allow internet from address-list

Thu Nov 10, 2011 5:02 pm

Specify an out-interface=[WAN-interface-name] parameter on the masquerade rule so it only fires for traffic to the Internet.

However, it sounds like you're reinventing a Hotspot. Any particular reason you aren't just using a Hotspot with an external splash page?
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

Re: how to allow internet from address-list

Thu Nov 10, 2011 5:43 pm

I have the following scheme:

USER192.168.0.2---->192.168.1.2Mikrotik(DHCP)10.0.0.1---->10.0.0.10 GATEWAY(NAT,WEB-SERVER)
When the user receives 192.168.0.2, I can ping 0.0.0.0/0 because NAT is working on the GATEWAY (10.0.0.10) (it's NATing 192.168.0.0/24).

I redirect all requests to 0.0.0.0/0:80 to 10.0.0.10:80 for login.
It's working,
but ping is working too, which is bad; that needs to be handled too (deny ping to the Internet when the user is redirected to 10.0.0.10:80).

Then, when a user logs on, they will appear in the address-list CLIENTS_LOGON. I want them not to be redirected to the web server but to be given Internet access. And I don't understand how to do it.

Sorry for my bad explanation and poor English )
 
winet
Member Candidate
Posts: 273
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: how to allow internet from address-list

Thu Nov 10, 2011 5:58 pm

Perhaps fewi should have asked him first, "Do you know that MikroTik has a hotspot feature?", which gives almost exactly the scheme you're asking for.
 
francisconeto
Trainer
Posts: 22
Joined: Thu Nov 10, 2011 5:55 pm

Re: how to allow internet from address-list

Thu Nov 10, 2011 6:16 pm

Is there any reason for not using the hotspot, or do you not know how the hotspot works?
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

Re: how to allow internet from address-list

Thu Nov 10, 2011 6:17 pm

I know about the hotspot. I think I've got what is needed; I'll post what I'm thinking, but after I check it )
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

Re: how to allow internet from address-list

Fri Nov 11, 2011 1:34 pm

I found the following solution.

The solution is to add this rule above my redirecting rule:
chain=dstnat action=accept src-address-list=CLIENTS_LOGON dst-address-list=global
above this one:
chain=dstnat action=dst-nat to-addresses=10.0.0.10 to-ports=80 
     protocol=tcp src-address-list=CLIENTS dst-address=0.0.0.0/0 
     dst-port=80 
But for many address-lists I will need many such rules, which is not good.

I also tried to mark packets and allow them:
chain=forward action=mark-packet new-packet-mark=allow_CLIENTS 
     passthrough=yes src-address-list=CLIENTS_LOGON dst-address=0.0.0.0/0 
and then
chain=dstnat action=dst-nat to-addresses=10.0.0.10 to-ports=80 
     protocol=tcp src-address=192.168.6.0/24 dst-address=0.0.0.0/0 
     dst-port=80 packet-mark=!allow_CLIENTS 
but it does not work (

Maybe someone can help me
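
Added example, not part of the original posts and not MikroTik's own configuration: a RouterOS rule set for the scheme in this thread, showing the accept-before-redirect ordering and a packet-mark variant. RouterOS evaluates the dstnat chain before the forward chain, so a mark that a dstnat rule should match is set in mangle prerouting; the filter rules that block ping before login are an assumption about the intended policy, and the two NAT variants are alternatives.

```routeros
# Added example (not from the thread). Addresses and list names are the
# ones used in the posts; CLIENTS_LOGON is assumed to be filled by the
# billing system on 10.0.0.10 when a user logs in.

/ip firewall address-list
add list=CLIENTS address=192.168.0.0/24

# --- Variant A: rule order in dstnat (first matching rule wins) ---
/ip firewall nat
# Logged-in clients stop here and are never redirected.
add chain=dstnat action=accept src-address-list=CLIENTS_LOGON
# Everyone else in CLIENTS has HTTP sent to the login page.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    src-address-list=CLIENTS to-addresses=10.0.0.10 to-ports=80

# --- Variant B: packet mark instead of rule order (use instead of A) ---
# The mark has to exist before dstnat runs, so it is set in mangle
# prerouting, not in the forward chain.
/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=allow_CLIENTS \
    passthrough=yes src-address-list=CLIENTS_LOGON
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    src-address-list=CLIENTS packet-mark=!allow_CLIENTS \
    to-addresses=10.0.0.10 to-ports=80

# --- Filter (both variants): no ping or other traffic before login ---
# Assumed policy. Add an accept for DNS if clients resolve names through
# a server behind this router, or the browser never reaches the login page.
/ip firewall filter
add chain=forward action=accept src-address-list=CLIENTS_LOGON
add chain=forward action=accept protocol=tcp dst-port=80 \
    src-address-list=CLIENTS dst-address=10.0.0.10
add chain=forward action=drop src-address-list=CLIENTS
```

The drop rule matches only traffic sourced from CLIENTS, so replies coming back to logged-in users are not affected by it.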
 
winet
Member Candidate
Posts: 273
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: how to allow internet from address-list

Fri Nov 11, 2011 2:35 pm

Perhaps the main problem here is language. We don't know what you are trying to do. We're just assuming you're trying to build a hotspot, and we told you that MikroTik already has a hotspot feature, so you don't have to set anything else on the firewall. I hope you understand what I'm saying now.

Check out:
/ip hotspot
When you set up a hotspot on an interface, MikroTik will automatically set the firewall to redirect to a login page, which MikroTik already has built in.
To learn more about it, please open and read:
http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

Re: how to allow internet from address-list

Fri Nov 11, 2011 4:11 pm

Thank you for the answer, but I don't need a hotspot. On the GATEWAY (WEBSERVER, NAT) I have a billing system which allows users and counts traffic. I described the situation and what I want to do; I need a suggestion for firewall rules and nothing else.
 
winet
Member Candidate
Posts: 273
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: how to allow internet from address-list

Fri Nov 11, 2011 5:35 pm

> thank you for an answer, but I don't need hotspot. On the GATEWAY (WEBSERVER, NAT) I have Billing system which allows users and counts traffic. I described a situation and what I want to do, I need a suggestion with Firewall rules and nothing else

Ah, so does MikroTik. MikroTik also has a billing system for its hotspot; it is called User Manager. However, the MikroTik hotspot can also be set to read data from a RADIUS server, if your billing system supports this.
 
moose
just joined
Topic Author
Posts: 7
Joined: Thu Nov 10, 2011 4:11 pm

Re: how to allow internet from address-list

Sat Nov 12, 2011 9:46 am

Thank you for the information about the MikroTik hotspot. :) But I just need a suggestion for the firewall.
