Following is a small howto (written at the request of a friend) on how you can redirect non-payment / expired PPPoE users to a page informing them that their account has been suspended due to non-payment. In this guide I used a PPPoE server only, but you can apply the same idea to HOTSPOT or other services as well. Remember, the exact methods can vary, but the logic stays the same in most cases.
For example, when you want to block a user for non-payment, just change the user's profile to the expired-users profile. The user will still be able to connect with his ID (PPPoE dialer), but when he tries to surf the internet he will be redirected to your local web server page, where he is informed that his/her account has been suspended due to non-payment (as shown in the image above). This is sometimes useful for other purposes too; for example, you can also configure/schedule a payment reminder that is shown to users at specific dates/times for a few seconds or minutes, after which the user can resume surfing. But that's another story.
To shorten this guide, I assume you have a working PPPoE server in place with the following config.
[Change the IP scheme as per your local requirements/network]
For example, you may have the PPPoE server configured for the following scheme:
Mikrotik PPPoE Server IP = 10.0.0.1
Mikrotik User DHCP Pool = 10.0.0.0/8
Mikrotik PPPoE Pool = 172.16.0.0/16
Now you have to create an expired IP pool and an expired user profile, so that we can distinguish non-payment/expired users from paying ones. When we want to block a user, we simply change that user's profile to the expired profile.
Adding IP pool for Expired / Non Payment Users
/ip pool
add name=Expired-Pool ranges=172.16.1.1-172.16.1.255
Adding Profile for Expired / Non Payment Users
/ppp profile
add change-tcp-mss=default dns-server=10.0.0.1 local-address=10.0.0.1 name=pppoe-expired only-one=default rate-limit=128k/128k remote-address=\
Expired-Pool use-compression=default use-encryption=default use-ipv6=yes use-mpls=default use-vj-compression=default
Enabling Mikrotik Web Proxy for Expired / Non Payment Users
Now enable the web proxy, so that expired-pool users can be redirected to the local proxy, where they will be denied and redirected to the non-payment page on a local web server.
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 \
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
Redirecting Expired User Requests from the web proxy to a local web server page
Now create a rule in the web proxy to block access from the non-payment / expired IP pool and redirect it to the local web server page.
/ip proxy access
add action=deny disabled=no dst-port="" redirect-to=10.0.0.2/nonpayment/nonpayment.htm src-address=172.16.1.0/24
10.0.0.2 is the local web server where the non-payment page is uploaded.
You must create a normal HTML page (containing the non-payment message) and upload it to a web server of your choice; it can be local (preferred) or remote. If it is local you won't have to create any further rules; if it is on a remote server on the internet, you have to allow the users to access that specific site/folder and place those rules on top.
Adding NAT Rule to redirect Expired / Non Payment Users to the local web proxy
Now add a NAT rule so that only users from the expired IP pool are redirected to the local web proxy, from where they will be redirected to the local web server page.
/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=172.16.1.0/24 to-ports=8080
Restrict Access for Expired Users so they cannot use any other internet service
Now add a filter rule to restrict expired-pool users so they cannot access other internet services. Note that this rule matches TCP only (protocol=tcp); traffic of other protocols is not restricted by it.
/ip firewall filter
add action=reject chain=forward disabled=no dst-port=!80,8080 protocol=tcp reject-with=icmp-network-unreachable src-address=172.16.1.1-172.16.1.255
Now when you want to block a user for non-payment, just change his profile to the pppoe-expired profile, as shown in the image below . . .
Now the user will still be able to connect to the PPPoE server, but he will get an address from the expired IP pool and will therefore be treated according to the rules we created for these users :~) As shown in the image below . . .
Tips for HOTSPOT
Using the above method you can also implement a non-payment reminder for HOTSPOT users. I assume you already have a working HOTSPOT running in place.
Mikrotik HOTSPOT Server IP = 101.11.11.241
Mikrotik HOTSPOT DHCP Pool = 101.11.11.0/8
Mikrotik HOTSPOT Expired/Non-Payment Users Pool = 101.11.21.0/24
First, add the expired IP pool for expired/non-payment users.
/ip pool
add name=expired-pool ranges=101.11.21.1-101.11.21.255
Now add a profile for expired/non-payment users.
/ip hotspot user profile
add address-pool=expired-pool idle-timeout=none keepalive-timeout=2m name=expired-profile shared-users=1 status-autorefresh=1m transparent-proxy=no
Now enable the web proxy service so that we can redirect expired users to the web proxy, from where they will be redirected to the local web server showing the non-payment page.
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 \
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
In the proxy, add a rule to block and redirect only the expired/non-payment IP pool.
/ip proxy access
add action=deny disabled=no dst-port="" redirect-to=101.11.11.240/nonpayment/nonpayment.htm src-address=101.11.21.0/24
101.11.11.240 is the local web server IP.
Create a NAT rule to redirect expired/non-payment users to the local web proxy. Move this rule to the end of the NAT list.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network-DEFAULT RULE, ADD ONLY ALLOWED USER IPS RANGE HERE e.g" disabled=no src-address=101.11.11.1-101.11.11.255
add action=redirect chain=dstnat comment="Redirect Expired Users to Proxy" disabled=no dst-address=!101.11.11.241 dst-port=80 protocol=tcp to-ports=8080
Remember, in the HOTSPOT default masquerading rule you must add only the allowed users' IP range. Then add the second rule at the end, which will actually redirect only the expired IP pool to the local web proxy (the one highlighted in red in the image).
Create a firewall filter to restrict access for expired/non-payment users only. Move this rule to the end of the filter list.
/ip firewall filter
add action=reject chain=input disabled=no dst-port=!80,8080,53 protocol=tcp reject-with=icmp-network-unreachable src-address=101.11.21.0/24
Finally, create a user and tag him with expired-profile.
/ip hotspot user
add disabled=no name=admin password=admin profile=default
add disabled=no name=test password=test profile=expired-profile server=hotspot1
Now from the user end, try to browse any site; the hotspot login page will appear. Log in with the test ID and try to browse, and you will be redirected to your local web server page showing the non-payment reminder.
Remember: rule placement is very important in this method. If you misplace rules, you will not get the desired results.
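The PPPoE and HOTSPOT procedures above both end with "change the user's profile". An existing session keeps its old address until it reconnects, so the following RouterOS script (an added example, not from the original post) moves a user to the expired profile and then drops the active session so the expired pool takes effect immediately. It assumes the profile names from this guide and uses the placeholder user names "user01" (PPPoE secret) and "test" (hotspot user).

```routeros
# Added example (not part of the original post): suspend a user for non-payment.
# Assumes profiles "pppoe-expired" and "expired-profile" exist as configured in the guide.
# "user01" and "test" are placeholder user names.
:local pppoeUser "user01"
:local hotspotUser "test"

# --- PPPoE: change the secret's profile, then drop the active session ---
# The profile change alone only applies on the next login, so an existing
# session is removed; the dialer reconnects and receives an Expired-Pool address.
:if ([:len [/ppp secret find name=$pppoeUser]] > 0) do={
    /ppp secret set [find name=$pppoeUser] profile=pppoe-expired
    :if ([:len [/ppp active find name=$pppoeUser]] > 0) do={
        /ppp active remove [find name=$pppoeUser]
        :log info ("non-payment: PPPoE user " . $pppoeUser . " moved to pppoe-expired, session reset")
    } else={
        :log info ("non-payment: PPPoE user " . $pppoeUser . " moved to pppoe-expired (no active session)")
    }
}

# --- HOTSPOT: change the user's profile, then log the client out ---
:if ([:len [/ip hotspot user find name=$hotspotUser]] > 0) do={
    /ip hotspot user set [find name=$hotspotUser] profile=expired-profile
    :if ([:len [/ip hotspot active find user=$hotspotUser]] > 0) do={
        /ip hotspot active remove [find user=$hotspotUser]
        :log info ("non-payment: hotspot user " . $hotspotUser . " moved to expired-profile, logged out")
    }
}

# Check after the PPPoE user reconnects: the address should now be in the expired pool
:if ([:len [/ppp active find name=$pppoeUser]] > 0) do={
    :put ("PPPoE " . $pppoeUser . " address: " . [/ppp active get [find name=$pppoeUser] address])
}
```

Run it from the terminal or attach it to a scheduler entry; the last check only prints once the dialer has reconnected.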
Regards,
naveed ahmad
Comments
Thanks For Sharing
Sir, is the user automatically redirected to the expired page, or do I have to change the user profile manually?