Browsing the webpage for longer than - add to address-list

Dear members,

Idea:
Permit all users to browse the web. But several sites (social, news) need to be filtered and redirected to another page AFTER the user has spent more than 5 minutes there.

Problem:
At this stage I’m stuck creating a firewall filter rule that will add the IP address to the address list ONLY after the user has spent some time / exceeded the maximum connection count (during one hour).

Any ideas?

You can play a little bit with the limit option or dst-limit in /ip firewall mangle
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle#Properties

I’ve tried to play with these options (limit / dst-limit) in /ip firewall filter. Does it make any difference if I try the same in “mangle”?

It really depends on what you want to do. Mangle is generally used for marking connections and packets, which in turn can be further used in routes, queues or address lists. In firewall filter you generally put rules for dropping, allowing connections etc.
Mangle can process packets in the prerouting or postrouting chain as well. Then you have NAT for redirecting connections.

Well, I will try to explain again.
I want to prevent users from spending a large amount of time on social/news/fun websites.
For example, if a user opens http://www.euronews.com and browses it for a while (~5 minutes/per hour) - that’s ok.
But if the user is abusing it - redirect to a corporate web page.
And I want to control the “list of the websites”, to be able to add/remove other sites later on.

Maybe create different redirect pages for “news”, different for “fun”, different for “social”. But for a start - let’s take an example with the “news” list with only two hosts: “euronews.com” and “theguardian.com”.

Can anyone help with this? Maybe someone has implemented a similar solution in their infrastructure.

Maybe you could treat the LAN as a hotspot for internet access to non-exempt work related sites. Then you could use user manager or RADIUS to set limits on session time which could be 5 minutes per “ticket”. You could have an automated system which issues one new “ticket” per hour. I can visualize doing that with FreeRADIUS and an SQL database. I have not looked into MikroTik’s user manager.

You may want to do some searching in the wiki and forums for the term “time limit”. I did a Google search for “mikrotik wiki time limit” and got some likely prospects, but I have not tried to set up anything similar to this myself.

Thank you, but unfortunately I did not find any suitable rules for this type of solution. And I’m not familiar with RADIUS/Hotspot solutions. Since it’s a corporate network - I also don’t much like the idea of users needing to “register” somehow to get internet access.

Maybe there are other ways to do so? Maybe some scripting is needed there?

“Register” can be handled by MAC address authentication.

Personally, I think the users would be more aware of the need to work rather than play if they have to authenticate to play. But people say I am mean.

Doing what you want will likely require a lot of scripting. You may need to hire a consultant if the searches didn’t give you any good ideas.

@tigran
take a look at the solution worked out with the help of @rextended (you might add him some karma if it helps)
http://forum.mikrotik.com/t/address-list-jump-on-next-address-list-option-request/78325/7
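
One way to approximate the request with mangle, address lists and NAT, as the replies above suggest; this is an added example, not taken from any post in this thread or from the linked topic. It allows 5 minutes from a client's first visit in each hour rather than measuring cumulative browsing time. The list names (`news-sites`, `news-grace`, `news-seen`) and the redirect target `192.0.2.10` are constructed placeholders, and hostname entries assume a RouterOS version that resolves DNS names in address lists.

```routeros
# Added example. List names, timeouts and 192.0.2.10 are constructed values.
# If your RouterOS version does not resolve names in address lists,
# enter the sites' IP addresses instead.
/ip firewall address-list
add list=news-sites address=euronews.com
add list=news-sites address=theguardian.com

/ip firewall mangle
# First visit in the current hour: open a 5-minute grace window for the client.
add chain=prerouting dst-address-list=news-sites src-address-list=!news-seen \
    action=add-src-to-address-list address-list=news-grace \
    address-list-timeout=5m comment="news: start 5 min grace"
# Same condition: remember the client for 1 hour. While it stays in news-seen,
# neither rule matches again, so the grace window cannot be renewed early.
add chain=prerouting dst-address-list=news-sites src-address-list=!news-seen \
    action=add-src-to-address-list address-list=news-seen \
    address-list-timeout=1h comment="news: remember client for 1 h"

/ip firewall nat
# A rule takes one src-address-list, so "seen but not in grace" is expressed
# by rule order: clients still inside the grace window are accepted first.
# Note: accept here also skips any later dstnat rules for this traffic.
add chain=dstnat protocol=tcp dst-port=80 dst-address-list=news-sites \
    src-address-list=news-grace action=accept \
    comment="news: inside grace window"
# Grace expired but the hour has not: send new HTTP connections
# to the corporate page.
add chain=dstnat protocol=tcp dst-port=80 dst-address-list=news-sites \
    src-address-list=news-seen action=dst-nat to-addresses=192.0.2.10 \
    to-ports=80 comment="news: redirect to corporate page"
```

NAT rules only see the first packet of a connection, so a connection opened during the grace window keeps working until it closes. Only plain HTTP on port 80 is redirected here; HTTPS to the same sites is not covered by these rules.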