w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

WebProxy problem

Thu Sep 29, 2011 8:55 pm

Hi


I have encountered a problem on RouterOS 5.7 (not sure if it works on earlier versions or not).

I have a client which always delays the payment until I disconnect his service, so I figured I would try this tutorial:

http://wiki.mikrotik.com/wiki/Payment_Reminders


My settings at the moment are:

/ip firewall nat add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp src-address-list=payment_reminder to-ports=8080

Web proxy is enabled on port 8080

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 \
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip proxy access
add action=allow disabled=no dst-address=10.10.2.1
add action=deny disabled=no redirect-to=www.webpage.com (I added the address as http://www.webpage.com but it appears as http://www.webpage.com)

The rules are enabled. I have tested with a simple rule to block Yahoo, and the proxy and the NAT rule are working, but I cannot redirect to my webpage. The web server is an Apache with multiple virtual hosts.

add action=deny disabled=yes dst-host=*.yahoo.com src-address=10.124.175.0/24

This is the error that I get in Firefox: The page isn't redirecting properly

Iexplorer, being a dumb application, is just displaying "diagnose the connection"...

If anyone can point me in the right direction it would be great. Thank you.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: WebProxy problem

Thu Sep 29, 2011 9:26 pm

Can the client load www.webpage.com and display the payment notification when not locked down?
 
w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: WebProxy problem

Fri Sep 30, 2011 11:19 pm

Yes, it works without a problem; also the DNS is working properly, but still, when trying those two rules from the web proxy, it does not work.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: WebProxy problem

Fri Sep 30, 2011 11:42 pm

Well, it should. Some detail isn't configured right. Post the output of "/interface print detail", "/ip route print detail", "/ip address print detail", "/ip firewall export", and "/ip proxy export". Also post the result of a router pinging the web server hosting that page by DNS name. Then post the result of a client pinging that web server by DNS name. Also add a network diagram.
 
w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: WebProxy problem

Tue Oct 04, 2011 5:10 pm

I have configured the webproxy on my home router since I cannot post any info from a client on the forum.

I have basically mirrored the needed settings on my home router with basic needed settings for internet action and this

"Internet" is the pppoe connection to the ISP. The network cable is on ether1

/interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="ether1" type="ether" mtu=1500 l2mtu=1526 max-l2mtu=1526

1 R name="ether2" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

2 name="ether3" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

3 name="ether4" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

4 R name="ether5" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

5 R name="Internet" type="pppoe-out" mtu=1480


/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=10.0.0.1 gateway-status=10.0.0.1 reachable Internet distance=1 scope=30 target-scope=10

1 ADC dst-address=10.0.0.1/32 pref-src=79.x.x.x gateway=Internet gateway-status=Internet reachable distance=0 scope=10

2 ADC dst-address=10.124.175.0/24 pref-src=10.124.175.2 gateway=ether2 gateway-status=ether2 reachable distance=0 scope=10


/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=10.124.175.2/24 network=10.124.175.0 interface=ether2 actual-interface=ether2

1 D address=79.116.67.100/32 network=10.0.0.1 interface=Internet actual-interface=Internet


/ip firewall export
# oct/04/2011 16:49:17 by RouterOS 5.7
# software id = WLVP-TRG6
#
/ip firewall address-list
add address=10.124.175.0/24 disabled=no list=SNAT
add address=10.124.175.5 disabled=no list=payment_reminder

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
udp-timeout=10s
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=no protocol=\
tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=\
tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
add action=accept chain=input comment="Allow ICMP Request limited version" disabled=no icmp-options=8:0-255 limit=3,3 protocol=icmp
add action=accept chain=input comment="Allow Winbox" disabled=no dst-port=8291 in-interface=Internet protocol=tcp
add action=accept chain=input comment="Accept PPTP" disabled=no dst-port=1723 in-interface=Internet protocol=tcp
add action=drop chain=input connection-state=new disabled=no in-interface=ether1
add action=accept chain=input comment="Accept GRE" disabled=no in-interface=Internet protocol=gre
add action=drop chain=input comment="Drop All Input" connection-state=new disabled=no in-interface=Internet
add action=accept chain=forward comment="Accept Established/Related On PPPOE" connection-state=established disabled=no in-interface=Internet
add action=accept chain=forward comment=HTTP disabled=no dst-port=80 in-interface=Internet protocol=tcp
add action=accept chain=forward connection-state=related disabled=no in-interface=Internet
add action=accept chain=forward comment="Accept RDC port 3389" disabled=no dst-port=3389 in-interface=Internet protocol=tcp
add action=accept chain=forward comment="uTorrent port 25023" disabled=no dst-port=25023 in-interface=Internet protocol=tcp
add action=drop chain=forward comment="Drop All New Connections on PPPOE" disabled=no in-interface=Internet
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=Internet
add action=dst-nat chain=dstnat disabled=no dst-port=25023 in-interface=Internet protocol=tcp to-addresses=10.124.175.5 to-ports=25023
add action=dst-nat chain=dstnat disabled=no dst-port=3389 in-interface=Internet protocol=tcp to-addresses=10.124.175.5 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-port=21 in-interface=Internet protocol=tcp to-addresses=10.124.175.5 to-ports=21
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=Internet protocol=tcp to-addresses=10.124.175.5 to-ports=80
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp src-address-list=payment_reminder to-ports=8080


/ip proxy export
# oct/04/2011 16:55:00 by RouterOS 5.7
# software id = WLVP-TRG6
#
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none max-client-connections=600 \
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip proxy access
add action=allow disabled=yes dst-address=x.x.x.x (can't display this)
add action=deny disabled=yes redirect-to=www.domain.com (here i have the real address configured on the router ofc)

ping http://www.domain.com
HOST SIZE TTL TIME STATUS
x.x.x.x 56 47 123ms
x.x.x.x 56 47 122ms
x.x.x.x 56 47 122ms
x.x.x.x 56 47 122ms
x.x.x.x 56 47 124ms
x.x.x.x 56 47 124ms
x.x.x.x 56 47 123ms
x.x.x.x 56 47 125ms
sent=8 received=8 packet-loss=0% min-rtt=122ms avg-rtt=123ms max-rtt=125ms


C:\Users\w4rh0und>ping http://www.domain.com

Pinging http://www.domain.com [x.x.x.x] with 32 bytes of data:
Reply from x.x.x.x: bytes=32 time=123ms TTL=46
Reply from x.x.x.x: bytes=32 time=124ms TTL=46
Reply from x.x.x.x: bytes=32 time=122ms TTL=46
Reply from x.x.x.x: bytes=32 time=122ms TTL=46

Ping statistics for x.x.x.x:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 122ms, Maximum = 124ms, Average = 122ms


Home pc (10.124.175.5) connected on ether2 ------------(10.124.175.2) MT Router ether1 (pppoe client) ------- ISP


I even tried disabling the firewall, but still I don't get a result.

I haven't filtered anything coming from the PC, only added the redirect rule just to make sure.
 
w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: WebProxy problem

Tue Oct 04, 2011 5:18 pm

NVM, I found out where the problem was:


/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none max-client-connections=600 \
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0


enabled=no!!!!


Thanks a lot. Seeing the entire config made me read it xxxx times and really helped :D.
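
The failure found in this thread is a switched-off link somewhere between the NAT redirect rule, the proxy service and the proxy access rules. The following check over export text is an added example, not part of the original posts and not MikroTik code; the function names, the sample export and the placeholder addresses (192.0.2.10, www.example.com) are constructed for illustration.

```python
import re

# Constructed sample modelled on the exports in this thread (placeholder host/IP).
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp \
    src-address-list=payment_reminder to-ports=8080
/ip proxy
set cache-on-disk=no enabled=no port=8080 src-address=0.0.0.0
/ip proxy access
add action=allow disabled=yes dst-address=192.0.2.10
add action=deny disabled=yes redirect-to=www.example.com
"""

def parse_export(text):
    """Return {menu: [{key: value}, ...]} from RouterOS export text."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # join backslash-continued lines
    menus, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif current and line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus[current].append({k: v.strip('"') for k, v in pairs})
    return menus

def check_reminder_chain(text, address_list="payment_reminder"):
    """List every switched-off link between the NAT redirect and the proxy."""
    menus = parse_export(text)
    problems = []
    proxy = (menus.get("/ip proxy") or [{}])[0]
    redirects = [r for r in menus.get("/ip firewall nat", [])
                 if r.get("action") == "redirect"
                 and r.get("src-address-list") == address_list]
    if not redirects:
        problems.append("no redirect rule for list " + address_list)
    for r in redirects:
        if r.get("disabled") == "yes":
            problems.append("NAT redirect rule is disabled")
        if r.get("to-ports") != proxy.get("port"):
            problems.append("redirect to-ports does not match proxy port")
    if proxy.get("enabled") != "yes":
        problems.append("web proxy has enabled=no")
    for a in menus.get("/ip proxy access", []):
        if a.get("disabled") == "yes":
            problems.append("proxy access rule disabled: action=" + a.get("action", "?"))
    return problems
```

Feed it the concatenated output of "/ip firewall export" and "/ip proxy export"; an empty list means every link in the redirect chain is switched on.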
