I don’t think that such a question was discussed here before and search also didn’t provide anything useful, so i decided to create a new topic.
Currently I’m moving my quite complicated router from Linux to RouterOS. Everything so far is successful with one issue.
Without telling long stories - I’d like to do such a thing: http://wiki.mikrotik.com/wiki/How_to_Block_Customer.
Unfortunately Hotspot suggestion is not that great for me, because it takes away some options I need.
Currently (on my linux router) my solution is based on prerouting customers public http requests to port 80 with dst-nat to routers 81 port, which then is forwarded to another machine (which does all the billing and stuff) using portfwd daemon.
My question is - is it possible to do something similar with RouterOS as it doesn’t obviously have the possibility of running some third-party portfwd daemon..
To make it simple to understand: I need to load a web page from an external (local of course) web server in customers browser when he tries to access his desired web page. Or maybe someone has another solution?
I do believe this can be difficult to understand at first, so feel free to ask questions, I’m willing to bring some lightness if it’s required
Well, yesterday I’ve investigated such a solution, the idea came when I found forced transparent proxy setup example in mikrotik wiki.. It also happens to be an external host for proxy server which is almost what I need. Too bad the setup requires lots of directives, packet marking and so on.
But I believe that I shall have to stick with proxy as my backup plan though
So as I understand there is no other simple way of doing it?
To make it simpler to understand here is some brief review how it should look like:
192.168.0.2 (client) request for lets say http://www.google.com → RouterOS Gateway (192.168.0.1) → Web Server (192.168.0.254:80)
For starters, I could redirect such a request to RouterOS port 81 using PREROUTING redirect-to. Then all that is left - is to make RouterOS port 81 somehow retranslate to 192.168.0.254:80 (what that tiny portfwd daemon perfectly does).. Web server machine can be configured to have RouterOS as it’s default gateway if it is required.
The project page for portfwd daemon is http://portfwd.sourceforge.net if someone is interested. Yet such functionality would be appreciated in RouterOS, I find it very useful.
Someone who knows it, could tell that it is not possible. It’d save me some time.. As for now, I’m not giving up, one way or another I’m going to reach my goal
Chupaka, I tried your suggestion. It almost works, but it visibly redirects you to specified redirect url. Such behavior is not what I am looking for, it also creates some problems with internet browsers: Opera is complaining about “Cross network request” and requires to confirm if I really want to be redirected.. Yesterday I somehow managed to achieve such thing without a proxy server
hmmm, these rules you may setup anywhere you want. it’s just mandatory that captured traffic should go through that device =) and second rule you need because you redirect the connection to the same network segment
After trying lot’s of different setups, I came up with completely different solution, and as the matter of fact, I do not use any of Chupakas’ suggested approaches, because it cannot provide me functionality I need - determine blocked clients IP address in webserver..
That masquerading way is to be done in the gateway itself, unless you set up gateways in CPEs. Sadly webserver will see that request is coming from the gateway that organizes this redirect. If you need to display one static webpage, it’s of course ok. I need some more functionality with custom information in the page that is displayed to the customers..
Well, I redirect their DNS requests (UDP port 53) to the internal RouterOS DNS server with both primary and secondary DNS servers set to 0.0.0.0 and static DNS entry with wildcard “.*” pointing to my webserver. That way when they request for an IP addr of some host, they get my webservers’ IP.
As for portfwd, I didn’t get that functionality, as the matter of fact. Running a Linux based router doesn’t stop you to start some lightweight http server (or even apache, who cares), which I actually did. Using portfwd certainly doesn’t provide such function as it simply re-translates packets.
Chupaka, I’m not sure if it did that when I tried with different subnets. But it could be even better solution. I shall try it soon. And for the moment, you could be more specific and explain how do you picture it
One more thing. I’ve managed to set up a DHCP server which gives static IP leases to known clients and gives [an IP, gateway and DNS] from different subnet to unknown ones, so when they try to access some webpage, they are congratulated with my custom page and informed about procedures how to get Internet access. This could even be automated, using RouterOS SNMP or telnet/ssh control abilities. With PHP it’s extremely easy.
for DST-NAT to work, you need the traffic from the server to the client go through your router. so they should be either on different interfaces, or in different subnets.
according to management - you may want to look at RouterOS API, there is also PHP implementation
Don’t know if I’m doing something wrong, but I can’t get it working.. I’ve placed http server in completely different subnet (its IP is now 192.168.1.2), assigned an IP (192.168.1.1) to my routerOS, and my client machine is of course 192.168.0.1, subnet masks are 24bit everywhere, so there are no connection between these subnets. The default gateway in 1.2 is of course 192.168.1.1.. Tried various different setups, and cannot get DST-NAT to do what I want
I do believe that there are some minor mistakes in my setups, so could you please give some more hints?
