Hi ppl!
I use the Mikrotik hotspot to auth clients on my paid network, i would like to make a profile or something that when the user "forget" to pay the monthly bill , i put it on a profile that did not allow him to browse or redirect any request to a " YOU DID NOT PAYED THE BILL YET PLEASE PAY" page.
there´s any way to do that using the hotspot profiles?
thanks!
sorry for my bad english.
Gustavo Santos
Netstream
-
-
gustkiller
Member
- Posts: 419
- Joined:
- Location: Brazil
- Contact:
Call me dense but...
Marking the packets for users who are delinquent in the bills is easy, but how do I then redirect users to a "website of my choice" based on the packet marks? Example commands? I'm using 2.9.18 if it matters.
-A.
-A.
Code: Select all
/ip firewall nat add chain=dstnat packet-mark=MyPacketMark action=dst-nat to-addresses=IPAddressOfTheWebsiteOfYourChoice
And take care that TheWebserverOfYourChoice does accept IP-based HTTP requests (i.e. no hostname-based HTTP/1.1 hosting), as the redirected requests from your clients will carry the original host-header-name. So you will get requests for http://www.google.com, http://www.cnn.com etc. to that webserver and should make sure that it is answering those...
Best regards,
Christian Meis
Best regards,
Christian Meis
Thanks Eugene, but
The dst-nat approach seems like it ought to work, but it seems that it does not in fact work.
I use packet marking extensively, and I've tested the above with redirection to a web site both inside and outside of my network to no avail. The remote web site seems not to get the request. I've disabled the ip web-proxy to make sure that feature was not interfering.
There must be some additional configuration required to make this work -- but what? Has anyone actually done this and had it work?
-Andrew
I use packet marking extensively, and I've tested the above with redirection to a web site both inside and outside of my network to no avail. The remote web site seems not to get the request. I've disabled the ip web-proxy to make sure that feature was not interfering.
There must be some additional configuration required to make this work -- but what? Has anyone actually done this and had it work?
-Andrew
Hi
Im using some different way to resolve this problem. Using two address list. One contains all valid user ip addresses, second exactly the same ips but all by default are disabled. In dst nat have two positions. First using address list with disabled ip redirect http requests to page with "pay your bills...", second redirect to transparent proxy. Now if someone have debet
I only enabling his ip on second address list. Guy have access to only one page. List with "debet" ips using also with firewall filter to drop all other packets to disable other protocols as mail, instant communicators, games etc.
Im using some different way to resolve this problem. Using two address list. One contains all valid user ip addresses, second exactly the same ips but all by default are disabled. In dst nat have two positions. First using address list with disabled ip redirect http requests to page with "pay your bills...", second redirect to transparent proxy. Now if someone have debet
I only enabling his ip on second address list. Guy have access to only one page. List with "debet" ips using also with firewall filter to drop all other packets to disable other protocols as mail, instant communicators, games etc.-
-
gustkiller
Member
- Posts: 419
- Joined:
- Location: Brazil
- Contact:
thanks for the replys!
i´m using a easier way with the hotspot flogin.htm file
i just disable the user and when he try to login it is redirected to the flogin page with the possible reasons for that page and one of then is " You didnt payed the bill yet". This month i get all users to pay the bill within 24 hours
i´m using a easier way with the hotspot flogin.htm file
i just disable the user and when he try to login it is redirected to the flogin page with the possible reasons for that page and one of then is " You didnt payed the bill yet". This month i get all users to pay the bill within 24 hours
Re: Thanks Eugene, but
Not sure what is not working, but the dst-nat approach DOES work, as I've used it here.The dst-nat approach seems like it ought to work, but it seems that it does not in fact work.
Action on the dstnat rule will be dst-nat.I use packet marking extensively, and I've tested the above with redirection to a web site both inside and outside of my network to no avail. The remote web site seems not to get the request. I've disabled the ip web-proxy to make sure that feature was not interfering.
Not sure what you mean by "additional", but here is the overview of what has to happen:There must be some additional configuration required to make this work -- but what?
1. You must be able to ID the traffic. You can use ip address, interface name (for pppoe connections), whatever else the firewall code can match on.
2. The interface that the customer traffic enters on CANNOT be the same as the "redirected" packet is going to leave the router on.
3. The webserver must be configured to reply with your "you didn't pay" page for both the http://ip.add.ress.here request as well as it's "404" page. There can be no other webservers "listening" on that IP address, because the packet will arrive with what will be considered "invalid" http/1.1 headers.
4. If you are dropping all other traffic, you will want to insure that you accept tcp/80 (http) and udp/53 (dns) traffic prior to dropping the other stuff.
5. put in the dst-nat rule and it should work.
MANY times.Has anyone actually done this and had it work?
I setup a PPPoE profile to give non-paying customers a private ip address, instead of the normal public. I added an interface on my webserver that also had a private IP. I added the following rules (profile also below) - it won't work. Any ideas on what is wrong?
PPPoE Profile:
3 name="disco_profile" local-address=65.77.x.x remote-address=disco_pool use-compression=default use-vj-compression=default
use-encryption=default only-one=default change-tcp-mss=default rate-limit=256k/384k
IP Pool:
3 disco_pool 10.10.2.2-10.10.2.254
Firewall Filters:
0 chain=forward src-address=10.10.3.0/24 protocol=tcp dst-port=80 action=accept
1 chain=forward src-address=10.10.3.0/24 protocol=udp dst-port=53 action=accept
2 chain=forward src-address=10.10.3.0/24 protocol=tcp action=reject reject-with=tcp-reset
NAT Rule:
0 chain=dstnat src-address=10.10.2.0/24 protocol=tcp dst-port=80
action=dst-nat to-addresses=10.10.10.3 to-ports=80
1 chain=srcnat out-interface=MT2BH1 src-address=10.10.2.0/24
action=masquerade
Any ideas why this will not work?
PPPoE Profile:
3 name="disco_profile" local-address=65.77.x.x remote-address=disco_pool use-compression=default use-vj-compression=default
use-encryption=default only-one=default change-tcp-mss=default rate-limit=256k/384k
IP Pool:
3 disco_pool 10.10.2.2-10.10.2.254
Firewall Filters:
0 chain=forward src-address=10.10.3.0/24 protocol=tcp dst-port=80 action=accept
1 chain=forward src-address=10.10.3.0/24 protocol=udp dst-port=53 action=accept
2 chain=forward src-address=10.10.3.0/24 protocol=tcp action=reject reject-with=tcp-reset
NAT Rule:
0 chain=dstnat src-address=10.10.2.0/24 protocol=tcp dst-port=80
action=dst-nat to-addresses=10.10.10.3 to-ports=80
1 chain=srcnat out-interface=MT2BH1 src-address=10.10.2.0/24
action=masquerade
Any ideas why this will not work?
Last edited by jdmarti1 on Fri May 05, 2006 12:43 am, edited 2 times in total.
You webserver at 10.10.10.3 will get the HTTP requests as the clients sent them. I.e. it will be queried for webpages like http://www.yahoo.com, http://www.microsoft.com, http://www.you-name-it.net. Is your webserver config prepared to handle that? (I.e. IP-based HTTP hosting, not using any hostnames)
If that's not the problem, what exactly do you mean be "it won't work"? Error messages/logs or the like would be quite helpful...
Best regards,
Christian Meis
If that's not the problem, what exactly do you mean be "it won't work"? Error messages/logs or the like would be quite helpful...
Best regards,
Christian Meis
Christian -
Not sure how to verify that, I am unsure what you mean. The server appears to be working properly. I put 10.10.10.3 in a browser, and the proper page appears. When the private IP's are handed out - all I get is the page that says "this page cannot be displayed". What log information would be helpful?
Not sure how to verify that, I am unsure what you mean. The server appears to be working properly. I put 10.10.10.3 in a browser, and the proper page appears. When the private IP's are handed out - all I get is the page that says "this page cannot be displayed". What log information would be helpful?
Redirect on transparent bridge
So I suppose that if I'm using Mikrotik as a transparent bridge and not as a router/NAT box, that this trick won't work?
Eric
Eric
That is what happens when you paste from two routers. The pool was correct in the router. I have found I have a very odd problem. Seems I can't get to the server from the MT IP addresses. I can get there from the PPPoE addresses, just not from the interfaces on the MT routers. I am using OSPF, and am going to research to see what is going on here. I problably have a small typo somewhere giving me grief. Thanks for the help thus far!!!