succeednet
just joined
Topic Author
Posts: 18
Joined: Tue Feb 01, 2011 10:07 pm

Redirecting to Payment Reminder causes loop [SOLVED]

Tue Nov 22, 2011 6:59 pm

So I have looked around for this; some posts are unanswered, others are answered with "works fine for me". Unfortunately it's not working fine for me, thus the question being posted.

Following to a tee the instructions for http://wiki.mikrotik.com/wiki/Payment_Reminders, changing the server IP and the redirect page, the customer that is being redirected gets stuck in a loop. IE just flat gets stuck; Firefox produces a loop detection and stops.

I found this one, which I tested and which works nearly perfectly, except I can't redirect to a specific page, only to a server IP. http://stfunoo.be/?p=859

Thanks up front for any help.
Last edited by succeednet on Wed Nov 23, 2011 11:11 pm, edited 1 time in total.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting to Payment Reminder causes loop

Tue Nov 22, 2011 7:06 pm

Post your actual config.

The most likely cause is quite simply that you didn't properly allow traffic to the server hosting the payment information, causing the proxy to redirect people to it, it being disallowed, causing the proxy to redirect, and so on.
 
succeednet
just joined
Topic Author
Posts: 18
Joined: Tue Feb 01, 2011 10:07 pm

Re: Redirecting to Payment Reminder causes loop

Tue Nov 22, 2011 7:11 pm

Keep in mind I am testing this on a simple router config prior to putting this on the main router. I also tried setting parent proxy as suggested in another post, but that resulted in the same loop:

[admin@MikroTik] /ip firewall> export
# jan/02/1970 00:22:45 by RouterOS 4.14
# software id = 3A57-83K4
#
/ip firewall address-list
add address=192.168.100.200 comment="" disabled=no list=payment_reminder
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="" disabled=no dst-port=53 protocol=udp src-address-list=payment_reminder
add action=accept chain=forward comment="" disabled=no dst-address-list=payment_reminder protocol=udp src-port=53
add action=drop chain=forward comment="" disabled=no src-address-list=payment_reminder
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=192.168.100.0/24
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp src-address-list=payment_reminder to-ports=8080
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] /ip firewall>

# jan/02/1970 00:25:17 by RouterOS 4.14
# software id = 3A57-83K4
#
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
parent-proxy-port=0 port=8080,8081 serialize-connections=no src-address=0.0.0.0
/ip proxy access
add action=allow comment="" disabled=no dst-address=74.116.200.5
add action=deny comment="" disabled=no redirect-to=myaccount.succeed.net
[admin@MikroTik] /ip proxy>
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting to Payment Reminder causes loop

Tue Nov 22, 2011 7:22 pm

Superficially that looks fine. Devil in the details though.

A couple more things to check:
- when you resolve myaccount.succeed.net on the client, does it resolve to 74.116.200.5?
- when you check the hits on the two proxy access rules, does the rule that permits traffic to 74.116.200.5 have any hits?
- does myaccount.succeed.net have any external dependencies it pulls in from other IPs?
- doing a quick traffic capture trying to access myaccount.succeed.net shows it at least pulls in HTTPS resources (I see TLS being negotiated in Wireshark). Those would fail as the proxy can't do HTTPS (which is why you're only redirecting tcp/80 to it in the destination NAT rule you wrote). You may have to add an address list of payment reminder server resources listing all IPs required to load that page, and then permit it in the IP firewall before you drop traffic sourced from the "payment_reminder" list.

The wiki article you followed assumes a very simple, HTTP-only, self-contained payment reminder site. The site you're redirecting to is significantly more complex. A quick test might also be to try redirecting to a simple HTTP-only page that simply says "test". Does that work with the current ruleset?
 
succeednet
just joined
Topic Author
Posts: 18
Joined: Tue Feb 01, 2011 10:07 pm

Re: Redirecting to Payment Reminder causes loop

Tue Nov 22, 2011 7:35 pm

Yes, client resolves to 200.5
Hits in proxy = 931 and counting on the deny, 0 on the allow (I am assuming this is bad)

I specified a simple html under construction page. Still does the same thing.

I actually want it to go to a specific html page anyway that I will build. Then the customer can go from there to either call or login and pay their bill.

Thanks for helping with this btw. Getting this working will help us dramatically on the part of the network for non radius clients.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting to Payment Reminder causes loop

Tue Nov 22, 2011 7:49 pm

"Hits in proxy = 931 and counting on the deny, 0 on the allow (i am assuming this is bad)"
Yup, that's the problem. Not sure what's wrong, though. It should work based on what you posted. Any chance of upgrading the router past 4.14? 4.17 is the latest in the 4.x train, otherwise 5.8 is the most recent release - could be a bug, though the change logs past 4.14 don't show anything proxy related that would qualify.

You could also try permitting the payment reminder site outside of the proxy by creating a list of allowed objects, and then permitting them in the filters and not redirecting to the proxy in NAT. Here's what your rule set would look like:
/ip firewall address-list
add list=payment_reminder_resources address=74.116.200.5
/ip firewall filter
add action=accept chain=forward dst-port=53 protocol=udp src-address-list=payment_reminder
add action=accept chain=forward dst-address-list=payment_reminder protocol=udp src-port=53
add action=accept chain=forward dst-address-list=payment_reminder_resources src-address-list=payment_reminder
add action=accept chain=forward dst-address-list=payment_reminder src-address-list=payment_reminder_resources
add action=drop chain=forward comment="" disabled=no src-address-list=payment_reminder
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.100.0/24
add action=accept chain=dstnat src-address-list=payment_reminder dst-address-list=payment_reminder_resources 
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address-list=payment_reminder to-ports=8080
Keep testing with the simple HTML page, though; myaccount.succeed.net is unlikely to work since it pulls in Twitter and stuff. The above hopefully gets a simple HTML page up and running (which could also be HTTPS etc., just add all IPs involved in serving content to the payment_reminder_resources address list).

Edit: had dst-address instead of dst-address-list in a few instances, fixed now
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting to Payment Reminder causes loop

Tue Nov 22, 2011 7:52 pm

Another thought: does the router have DNS configured? As in, does "/ping myaccount.succeed.net" or ":put [:resolve myaccount.succeed.net]" work from the router CLI? If the proxy can't resolve the host the client requested then it can't hit the first rule because it doesn't know myaccount.succeed.net is that IP address.
 
succeednet
just joined
Topic Author
Posts: 18
Joined: Tue Feb 01, 2011 10:07 pm

Re: Redirecting to Payment Reminder causes loop

Tue Nov 22, 2011 8:09 pm

Oh, you're a friggin genius. Always gotta be something simple that I overlook. Could have also tested using the IP as the redirect and found this issue as well.

Thanks for that. Guess that's why your title is forum guru.

Last thing. Will this setup work on a straight bridged tik or does the tik need to be in a router type mode?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting to Payment Reminder causes loop

Tue Nov 22, 2011 8:12 pm

Don't know. It might work in bridge mode as long as you use the IP firewall for bridging (http://wiki.mikrotik.com/wiki/Manual:In ... e_Settings) via "use-ip-firewall=yes". Have never tried that, though. All my RouterOS devices are routers.

Just out of curiosity, what fixed it? DNS, or the address list bypass?
 
succeednet
just joined
Topic Author
Posts: 18
Joined: Tue Feb 01, 2011 10:07 pm

Re: Redirecting to Payment Reminder causes loop

Tue Nov 22, 2011 8:16 pm

That would be the fact I didn't have DNS put in the device.

Alternatively I took DNS out again for testing and changed the redirect to the IP of the server and it worked as well without DNS.

On the router versus bridge, I was just more curious. We are in the process of replacing our netscreen 100 with a rb1100, just haven't got that far yet, so once that's done the unit will be in router mode.

Current tik is just an elaborate switch at the moment. I guess I will have to try it and find out.

Thanks again
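
Added example, not part of any post in this thread and not RouterOS code: a simplified Python model of why a router without DNS produced the loop, and why both fixes reported above (configuring DNS on the router, or redirecting to the server's IP) end it. The function names and the example.com entry are constructed; the matching behaviour is the assumption fewi describes, that the proxy must resolve the requested host before the dst-address rule can match.

```python
# Simplified model of the redirect loop in this thread; not RouterOS code.
ALLOW_DST = "74.116.200.5"        # /ip proxy access: action=allow dst-address=...
PUBLIC_DNS = {"myaccount.succeed.net": "74.116.200.5",
              "example.com": "203.0.113.10"}   # constructed sample entry

def is_ip(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)

def proxy_decide(host, router_dns, redirect_to):
    """Return ("allow", None) or ("redirect", target) for one HTTP request.

    Assumption from the thread: a requested hostname can only be compared
    with dst-address if the router itself can resolve it.
    """
    dst = host if is_ip(host) else router_dns.get(host)   # None: no DNS answer
    if dst == ALLOW_DST:
        return ("allow", None)
    return ("redirect", redirect_to)   # action=deny redirect-to=...

def browse(start_host, router_dns, redirect_to, max_hops=10):
    """Follow redirects like a browser. Every tcp/80 request from a
    payment_reminder client is NATed back into the proxy."""
    host, hops = start_host, 0
    while hops < max_hops:
        action, target = proxy_decide(host, router_dns, redirect_to)
        if action == "allow":
            return ("loaded", host, hops)
        host = target.split("/")[0]    # host part of the redirect target
        hops += 1
    return ("loop", host, hops)        # browser gives up: loop detected

def scenarios():
    page = "myaccount.succeed.net"
    return {
        "hostname redirect, no router DNS": browse("example.com", {}, page),
        "hostname redirect, router DNS set": browse("example.com", PUBLIC_DNS, page),
        "IP redirect, no router DNS": browse("example.com", {}, ALLOW_DST),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In the first scenario only the deny rule ever matches, which corresponds to the hit counters reported earlier in the thread (deny climbing, allow at 0).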
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Redirecting to Payment Reminder causes loop

Tue Nov 22, 2011 8:23 pm

Cool. Glad it's working now.

If you find out if it works in bridge mode maybe post back in this thread with results so others with the same question can find it.
 
succeednet
just joined
Topic Author
Posts: 18
Joined: Tue Feb 01, 2011 10:07 pm

Re: Redirecting to Payment Reminder causes loop

Wed Nov 23, 2011 12:53 am

OK, I have this now working perfectly.

This will work on bridge with IP Firewall enabled for bridge settings, and of course with router mode.

Adding the line for the resource list was a great idea. This gave us the ability to kill their internet and redirect them, while adding subnets and IPs to the resource list to allow us and our monitoring system to retain access to their radio. Also, adding our billing system IP to the list allowed them full access to pay their bill online.

Now that this is working we will be pushing towards an add-on module for whmcs to automate the IP entry and removal into the tik.

Thanks again to fewi.
 
succeednet
just joined
Topic Author
Posts: 18
Joined: Tue Feb 01, 2011 10:07 pm

Re: Redirecting to Payment Reminder causes loop [SOLVED]

Thu Dec 01, 2011 12:39 am

Alright, I had to move everything to the RB1100 since the RB493G wasn't handling the load. Since moving it over to the RB1100 OS 4.17 (also tried 5.8) it is not working.

I can ping the accessible server but cannot bring up the actual static page. I copied the rules and filters from the 493 that were working great but now they don't. Redirect address works. I can ping the server 74.116.200.5 from behind the blocked IP. I can even ping myaccount.succeed.net successfully. Just won't bring up the actual page.

I can see it actually doing the redirect, just won't let anything come up.

Help Again?

/ip firewall address-list
add address=74.116.200.2 comment=DNS disabled=no list=payment_reminder_resources
add address=10.4.2.131 comment="Dustin Theirs" disabled=no list=payment_reminder
add address=10.0.0.0/24 comment="Supercell Backhaul Network, do not remove or disable" disabled=no list=payment_reminder_resources
add address=74.116.200.15 comment="Corp access, do not remove or disable" disabled=no list=payment_reminder_resources
add address=74.116.200.5 comment="My Account access" disabled=no list=payment_reminder_resources
add address=74.116.200.3 comment=DNS disabled=no list=payment_reminder_resources
add address=8.8.8.8 comment="" disabled=no list=payment_reminder_resources
add address=10.2.1.140 comment="" disabled=no list=payment_reminder
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="" disabled=no dst-port=53 protocol=udp src-address-list=payment_reminder
add action=accept chain=forward comment="" disabled=no dst-address-list=payment_reminder protocol=udp src-port=53
add action=accept chain=forward comment="" disabled=no dst-address-list=payment_reminder_resources src-address-list=payment_reminder
add action=accept chain=forward comment="" disabled=no dst-address-list=payment_reminder src-address-list=payment_reminder_resources
add action=drop chain=forward comment="" disabled=no src-address-list=payment_reminder
/ip firewall nat
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp src-address-list=payment_reminder to-ports=8080
add action=accept chain=dstnat comment="" disabled=no dst-address-list=payment_reminder_resources src-address-list=payment_reminder

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 max-fresh-time=3d \
max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip proxy access
add action=allow comment="" disabled=no dst-address=74.116.200.5
add action=deny comment="" disabled=no redirect-to=myaccount.succeed.net/accounthold.html
Last edited by succeednet on Thu Dec 01, 2011 1:10 am, edited 1 time in total.
 
succeednet
just joined
Topic Author
Posts: 18
Joined: Tue Feb 01, 2011 10:07 pm

Re: Redirecting to Payment Reminder causes loop [SOLVED]

Thu Dec 01, 2011 12:55 am

Looks like I get a

Firefox - Connection Interrupted - The connection to the server was reset while loading. The network link was interrupted while negotiating a connection.

I get the same message no matter what part of the network I am on. In testing I used several different customers.
