
how to make a profile for users that have not paid the bill?

Posted: Sat Mar 11, 2006 10:54 pm
by gustkiller
Hi ppl!

I use the Mikrotik hotspot to auth clients on my paid network. I would like to make a profile or something so that when a user "forgets" to pay the monthly bill, I put him on a profile that does not allow him to browse, or that redirects any request to a "YOU HAVE NOT PAID THE BILL YET, PLEASE PAY" page.

Is there any way to do that using the hotspot profiles?

thanks!

sorry for my bad English.

Gustavo Santos
Netstream

Posted: Tue Mar 14, 2006 2:50 pm
by Eugene
You could use the incoming-packet-mark property and then redirect all users with a specific mark to a website of your choice.

Eugene

Posted: Fri Mar 17, 2006 2:27 am
by gustkiller
thanks!

Call me dense but...

Posted: Thu Mar 23, 2006 1:55 am
by vivalibre
Marking the packets for users who are delinquent in the bills is easy, but how do I then redirect users to a "website of my choice" based on the packet marks? Example commands? I'm using 2.9.18 if it matters.

-A.

Posted: Thu Mar 23, 2006 2:01 pm
by Eugene
/ip firewall nat add chain=dstnat packet-mark=MyPacketMark action=dst-nat to-addresses=IPAddressOfTheWebsiteOfYourChoice

Posted: Thu Mar 23, 2006 2:15 pm
by cmit
And take care that TheWebserverOfYourChoice does accept IP-based HTTP requests (i.e. no hostname-based HTTP/1.1 hosting), as the redirected requests from your clients will carry the original host-header-name. So you will get requests for http://www.google.com, http://www.cnn.com etc. to that webserver and should make sure that it is answering those...

Best regards,
Christian Meis

Thanks Eugene, but

Posted: Thu Mar 23, 2006 2:16 pm
by ajwutila
The dst-nat approach seems like it ought to work, but it seems that it does not in fact work.

I use packet marking extensively, and I've tested the above with redirection to a web site both inside and outside of my network to no avail. The remote web site seems not to get the request. I've disabled the ip web-proxy to make sure that feature was not interfering.

There must be some additional configuration required to make this work -- but what? Has anyone actually done this and had it work?

-Andrew

Posted: Thu Mar 23, 2006 2:17 pm
by cmit
I think this will probably be exactly the problem I described above.

Best regards,
Christian Meis

Posted: Wed Apr 19, 2006 9:37 pm
by Gotmoh
Hi
I'm using a different way to resolve this problem, using two address lists. One contains all valid user IP addresses; the second has exactly the same IPs, but by default all of them are disabled. In dst-nat I have two entries. The first, using the address list with the disabled IPs, redirects HTTP requests to a page with "pay your bills..."; the second redirects to the transparent proxy. Now if someone has a debt ;) I only enable his IP on the second address list. The guy has access to only one page. The list with "debt" IPs is also used with a firewall filter to drop all other packets, to disable other protocols such as mail, instant messengers, games etc.

Posted: Sun Apr 23, 2006 6:52 am
by gustkiller
thanks for the replies!
I'm using an easier way with the hotspot flogin.htm file.

I just disable the user, and when he tries to login he is redirected to the flogin page with the possible reasons for that page, and one of them is "You didn't pay the bill yet". This month I got all users to pay the bill within 24 hours :)

Re: Thanks Eugene, but

Posted: Mon Apr 24, 2006 9:37 pm
by butche
> The dst-nat approach seems like it ought to work, but it seems that it does not in fact work.
Not sure what is not working, but the dst-nat approach DOES work, as I've used it here.
> I use packet marking extensively, and I've tested the above with redirection to a web site both inside and outside of my network to no avail. The remote web site seems not to get the request. I've disabled the ip web-proxy to make sure that feature was not interfering.
Action on the dstnat rule will be dst-nat.
> There must be some additional configuration required to make this work -- but what?
Not sure what you mean by "additional", but here is the overview of what has to happen:

1. You must be able to ID the traffic. You can use ip address, interface name (for pppoe connections), whatever else the firewall code can match on.

2. The interface that the customer traffic enters on CANNOT be the same as the "redirected" packet is going to leave the router on.

3. The webserver must be configured to reply with your "you didn't pay" page for both the http://ip.add.ress.here request as well as its "404" page. There can be no other webservers "listening" on that IP address, because the packet will arrive with what will be considered "invalid" http/1.1 headers.

4. If you are dropping all other traffic, you will want to ensure that you accept tcp/80 (http) and udp/53 (dns) traffic prior to dropping the other stuff.

5. Put in the dst-nat rule and it should work.

> Has anyone actually done this and had it work?
MANY times.
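The five steps above, written out as RouterOS 2.9-style commands. This is an added example, not configuration posted by anyone in this thread; the subscriber subnet 10.10.2.0/24 and the web server 10.10.10.3 are the values that appear later in the thread, while the address-list name "unpaid" and the host 10.10.2.200 are invented here.

```routeros
# Added example (not from the thread). Assumed: non-paying subscribers receive
# addresses from 10.10.2.0/24, the "pay your bill" web server is 10.10.10.3,
# and the list name "unpaid" is constructed for this example.

# Step 1: identify the traffic with ONE address list, so the filter and NAT
# rules below can never disagree about which subnet they are matching.
/ip firewall address-list add list=unpaid address=10.10.2.0/24 comment="non-paying subscribers"

# Step 2 is topology, not a rule: 10.10.10.3 must be reached through an
# interface other than the one the subscribers' traffic enters on.

# Step 4: accept only what the redirect needs, DNS (so the browser can resolve
# a name) and HTTP (so the request reaches the router), then drop the rest.
# These must be placed above any general accept for customer traffic.
# tcp/443 is deliberately not accepted: dst-nat of HTTPS would only produce
# certificate errors in the browser, so it simply falls to the drop rule.
/ip firewall filter add chain=forward src-address-list=unpaid protocol=udp dst-port=53 action=accept
/ip firewall filter add chain=forward src-address-list=unpaid protocol=tcp dst-port=80 action=accept
/ip firewall filter add chain=forward src-address-list=unpaid action=drop comment="unpaid: block everything else"

# Step 5: rewrite the destination of every HTTP request from the list. The Host
# header is left untouched, so 10.10.10.3 receives requests for www.google.com
# etc. and must answer all of them with the same page (step 3).
/ip firewall nat add chain=dstnat src-address-list=unpaid protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.3 to-ports=80

# Per-host variant in the style of Gotmoh's post: keep individual subscribers
# on the list but disabled, and enable an entry only while a bill is overdue.
# The rules above need no change when a subscriber is added or removed.
/ip firewall address-list add list=unpaid address=10.10.2.200 disabled=yes comment="subscriber 200"
/ip firewall address-list enable [find list=unpaid address=10.10.2.200]
```

Verify with /ip firewall nat print stats: if the dstnat rule's packet counter stays at zero while the filter counters rise, the source addresses in the rules do not match the pool actually handed out.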

Posted: Fri Apr 28, 2006 7:58 am
by jdmarti1
I set up a PPPoE profile to give non-paying customers a private IP address instead of the normal public one. I added an interface on my webserver that also had a private IP. I added the following rules (profile also below) - it won't work. Any ideas on what is wrong?

PPPoE Profile:
3 name="disco_profile" local-address=65.77.x.x remote-address=disco_pool use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=default rate-limit=256k/384k

IP Pool:
3 disco_pool 10.10.2.2-10.10.2.254

Firewall Filters:
0 chain=forward src-address=10.10.3.0/24 protocol=tcp dst-port=80 action=accept

1 chain=forward src-address=10.10.3.0/24 protocol=udp dst-port=53 action=accept

2 chain=forward src-address=10.10.3.0/24 protocol=tcp action=reject reject-with=tcp-reset

NAT Rule:
0 chain=dstnat src-address=10.10.2.0/24 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.3 to-ports=80

1 chain=srcnat out-interface=MT2BH1 src-address=10.10.2.0/24 action=masquerade

Any ideas why this will not work?

Posted: Fri Apr 28, 2006 10:40 am
by cmit
Your webserver at 10.10.10.3 will get the HTTP requests as the clients sent them, i.e. it will be queried for webpages like http://www.yahoo.com, http://www.microsoft.com, http://www.you-name-it.net. Is your webserver config prepared to handle that? (I.e. IP-based HTTP hosting, not using any hostnames.)

If that's not the problem, what exactly do you mean by "it won't work"? Error messages/logs or the like would be quite helpful...

Best regards,
Christian Meis

Posted: Fri Apr 28, 2006 4:44 pm
by jdmarti1
Christian -

Not sure how to verify that; I am unsure what you mean. The server appears to be working properly. I put 10.10.10.3 in a browser, and the proper page appears. When the private IPs are handed out, all I get is the page that says "this page cannot be displayed". What log information would be helpful?

Redirect on transparent bridge

Posted: Sat Apr 29, 2006 5:07 pm
by e2346437
So I suppose that if I'm using Mikrotik as a transparent bridge and not as a router/NAT box, that this trick won't work?

Eric

Posted: Sun Apr 30, 2006 9:56 am
by jdmarti1
Christian -

Looks like my webserver is the problem.
10.10.2.254 - - [30/Apr/2006:01:44:18 -0500] "GET / HTTP/1.1" 304 -
10.10.2.254 - - [30/Apr/2006:01:48:01 -0500] "GET / HTTP/1.1" 304 -

Any ideas on how to correct this simply?

Posted: Wed May 03, 2006 12:17 am
by jdmarti1
The webserver shows no errors - I have the 404 page set to bring up the page. The part that seems in error is the NAT rule. It shows no traffic. The filter rules show traffic - but not the NAT or masquerade rule.

Posted: Wed May 03, 2006 9:40 am
by cmit
Correct me if I'm wrong, but you give out ip addresses from the 10.10.3.0/24 pool to disconnected users, and your dst-nat rule is looking for ip addresses from 10.10.2.0/24.... ;)

Best regards,
Christian Meis

Posted: Fri May 05, 2006 12:45 am
by jdmarti1
That is what happens when you paste from two routers. The pool was correct in the router. I have found I have a very odd problem. Seems I can't get to the server from the MT IP addresses. I can get there from the PPPoE addresses, just not from the interfaces on the MT routers. I am using OSPF, and am going to research to see what is going on here. I probably have a small typo somewhere giving me grief. Thanks for the help thus far!!!