Currently I'm telling my customers to pay the bill with the hotspot trick described in the wiki http://wiki.mikrotik.com/wiki/How_to_Block_Customer. Problem is that I'm also using arp=reply-only, and I still want to use it. When you enable the hotspot, it bypasses all clients, so if a client just changes his IP or MAC Address, they can still access the internet and the server.
I've been trying for the past few hours to redirect all traffic from a specified IP or MAC to a local web-server running on my internal network, but I've been without luck. Currently I'm in the state that the "forwarded" port doesn't accept connections on the local interface.
Can anyone explain me a proper way to do this?
Thanks.
---Well, I don't want to use authentification, as it's not such a big network (max 200 users). Can't I just redirect all traffic to another http server?
I've tried that in numerous ways, but it seems I'm missing something.
No,
I think will more easy when you are turning on your hotspot system, by this way make basically secure for users connect to the network as subscribe first to administrator and get know users. i support you when come back to your trick in first post. just make discuss for unauthenti....users without built webserver local one:
Code: Select all
1. Turn on your hotspot system.
2. Make difference subnet on the network for 'dynamic ip by manual' and 'dynamic ip by host'
3. Customize 'login.html' filename or edit it without validation username and password cases.
4. ip-binding for subscriber.regards
Hasbullah.com
---
Sorry but I don't understand your english... You lost me on the subnet parts =/
Could you please explain more detailed? I'm willing to try this MAC Authentification on the hotspot if you explain me in depth
Also I want to specify that I have 2 public ip classes, a /26 and a /25 (and I'll probably get the whole /24 in march or something, but my isp has some problems with the ips)
Could you please explain more detailed? I'm willing to try this MAC Authentification on the hotspot if you explain me in depth
Also I want to specify that I have 2 public ip classes, a /26 and a /25 (and I'll probably get the whole /24 in march or something, but my isp has some problems with the ips)We sometimes use a simple dst-nat firewall rule to redirect all connections from the customers IP address
/ip firewall nat add chain=dstnat src-address=clientsIP protocol=tcp action=dst-nat to-addresses=Webserver to-ports=80 comment="Captive Page" disabled=no
Dont know if this will help but here is it anyway.
/ip firewall nat add chain=dstnat src-address=clientsIP protocol=tcp action=dst-nat to-addresses=Webserver to-ports=80 comment="Captive Page" disabled=no
Dont know if this will help but here is it anyway.
If you will use universal client (HotSpot one-to-one NAT), than arp must be enabled.
Information about one-to-one NAT and other HotSpot options,
http://www.mikrotik.com/docs/ros/2.9/ip/hotspot
Information about one-to-one NAT and other HotSpot options,
http://www.mikrotik.com/docs/ros/2.9/ip/hotspot
I tried to do that , but the login page still apears !!!! no access without login !!!!!MAC-authentication is implemented in the HotSpot, when client gets authorized in HotSpot as soon as MAC-address appeared in HotSpot host list.
Authentication occurs without login/password.
HotSpot is the most flexible solution.
This should block everything but port 80 (which is being directed to your webserver) and DNS requestsI don't want to block only TCP, that's the issue. I want to block everything. If I block only TCP they could, for instance, play games over the net =/
/ip firewall filter add chain=forward src-address=CustomerIP protocol=tcp dst-port=!80 action=reject reject-with=icmp-admin-prohibited comment="" disabled=no
/ip firewall filter add chain=forward src-address=CustomerIP protocol=udp dst-port=!53 action=reject reject-with=icmp-admin-prohibited comment="" disabled=no
Listen,
What I used to use was to NAT the users that didnt pay to a web server I had on the network.
do this:
add chain=dstnat src-address=192.168.10.44 protocol=tcp action=dst-nat to-addresses=10.10.5.200 to-ports=8085 comment="" disabled=yes
play with it, not sure if the client ip is on src-addresss or dst-addresss so change it around. Since I changed my config to do load balance NOTHING ELSE WORKS ON MY MT and noone here seems to know or care why...
hope this helps.
What I used to use was to NAT the users that didnt pay to a web server I had on the network.
do this:
add chain=dstnat src-address=192.168.10.44 protocol=tcp action=dst-nat to-addresses=10.10.5.200 to-ports=8085 comment="" disabled=yes
play with it, not sure if the client ip is on src-addresss or dst-addresss so change it around. Since I changed my config to do load balance NOTHING ELSE WORKS ON MY MT and noone here seems to know or care why...
hope this helps.
Hi Znuff,
We are in a similar situation, we want the accounts person who has little tech knowledge to be able to block people.
With help from autohotkey and their forums I put together a crude and nasty script that may help.
It asks for the relevant details, then telnets the Mikrotik and pastes the commands.
I have only tested it on a local network so latency may be a problem but you can edit the script to help with that.
http://wwwires.com/captive.rar
you could also edit the script so certain fields are entered automaticaly
We are in a similar situation, we want the accounts person who has little tech knowledge to be able to block people.
With help from autohotkey and their forums I put together a crude and nasty script that may help.
It asks for the relevant details, then telnets the Mikrotik and pastes the commands.
I have only tested it on a local network so latency may be a problem but you can edit the script to help with that.
http://wwwires.com/captive.rar
you could also edit the script so certain fields are entered automaticaly
Who is online
Users browsing this forum: garyjduk and 20 guests