Hello,
We have a policy not to allow P2P traffic, and we want to display a message to a person who has been blocked, which they would see when trying to surf the net.
I already created an IP alias for that message to show, so if we go to 10.0.0.66, we see the message "internet has been blocked because of torrent usage".
add action=dst-nat chain=dstnat comment="BLOCKED USERS REDIRECT TO MESSAGE SERVER" disabled=no dst-port=80 protocol=tcp \
    src-address-list=BLOCKED_FOR_TORRENT_USAGE to-addresses=10.0.0.66 to-ports=80
This is an exported rule from NAT to forward blocked computers to 10.0.0.66 (the unset matchers that a verbose export lists with "!" are omitted above). The redirection works, but the blocked PC is ignoring HTTP ACK packets from 10.0.0.66, because it waits for the ACK packet from the real server.
Any suggestions?
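The symptom in the post (the client discarding replies that arrive from 10.0.0.66 instead of from the server it connected to) is what happens when the message server sits on the same subnet as the blocked client: the router rewrites the destination, the server answers the client directly over the LAN, and that reply never passes back through the router to have the dst-nat reversed. The following RouterOS fragment is an added example, not the original poster's configuration, and assumes that 10.0.0.66 is a separate host on the LAN 10.0.0.0/24, that the blocked hosts are in the address list BLOCKED_FOR_TORRENT_USAGE, and that 10.0.0.66 serves the notice over plain HTTP:

```routeros
# Added example (assumed topology: clients and 10.0.0.66 share 10.0.0.0/24).

# 1. Redirect web traffic of blocked hosts to the message server (as in the post).
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    src-address-list=BLOCKED_FOR_TORRENT_USAGE to-addresses=10.0.0.66 to-ports=80 \
    comment="BLOCKED USERS REDIRECT TO MESSAGE SERVER"

# 2. Hairpin NAT: rewrite the source of the redirected connections as well, so
#    10.0.0.66 answers the router rather than the client directly. The reply then
#    crosses the router, which undoes both translations, and the client sees a
#    response from the address it originally connected to.
/ip firewall nat add chain=srcnat action=masquerade protocol=tcp dst-port=80 \
    src-address-list=BLOCKED_FOR_TORRENT_USAGE dst-address=10.0.0.66 \
    comment="HAIRPIN NAT FOR MESSAGE SERVER"

# 3. Everything else from blocked hosts (including HTTPS, which cannot be
#    redirected to the notice without certificate errors) is dropped, so the
#    only thing a blocked host can reach is the message page.
/ip firewall filter add chain=forward action=drop \
    src-address-list=BLOCKED_FOR_TORRENT_USAGE dst-address=!10.0.0.66 \
    comment="BLOCKED USERS: DROP ALL OTHER TRAFFIC"
```

Rule 2 must come before any other srcnat rule that would match the same traffic, and rule 3 should be placed above the general forward accept rules. One side effect of the masquerade is that the web server on 10.0.0.66 logs the router's LAN address instead of the blocked client's address, so any per-client logging has to be done on the router.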