We have been trying to set up a firewall chain to restrict users with a specific profile.
We have
User1 — Profile 1 Incoming Filter1 - Firewall Chain P1 - rule = allow Port 80 only
User2 — Profile 2 Incoming Filter2 - Firewall Chain P2 - rule = allow all ports
We thought the chains P1 and P2 would be dynamically jumped to as traffic is tested.
On the firewall, if we enable the “Place Hotspot Rules Here” rule, set the chain to “Forward” and jump to chain “P1”, then we see traffic passing. But this needs to happen dynamically.
Does anyone have any idea how this is meant to work please, as it's fundamental to controlling hotspot subscriptions?
Edit the Hotspot profiles and fill out the address list parameter. Users logging into that profile get dynamically added to that address list now. Make your firewall rules as you need them and decide who a user is based on the address lists.
One last question: how can I redirect to an error page when a restricted browser user gets blocked by the firewall rule? Not essential, but it would be better to tell them they have been blocked and maybe suggest they purchase an upgrade voucher.
You can’t. Think about it - how are you going to show a webpage when you’re blocking a telnet connection? You don’t have the power to magically pop open a browser on a user’s machine.
You can only redirect to a webpage within the HTTP protocol itself. So what you could do is add users to an additional address list when you’re blocking other traffic, and redirect the next web page they load. However, that gets messy quickly. Also consider that there are lots of applications nowadays that talk HTTP without being able to handle a redirect. Weather widgets on the desktop that show the current temperature, for example. They can get redirected, but cannot meaningfully display the new content to the user. I don’t think it’s worth implementing given how many problems there are to solve.
If you do want to work on it, http://wiki.mikrotik.com/wiki/Payment_Reminders shows how to do payment reminders. That concept would work for you, but you’d want to add to the initial address list via a firewall rule that adds to an address list with passthrough=yes just before you drop the actual traffic.
On a sidenote, if you’re using an external RADIUS server for all authentication you can also pop users onto address lists via the Mikrotik-Address-List attribute (id 19 within the vendor, type string).
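The address-list approach from the two answers above, written out as a RouterOS CLI example. This is an added illustration, not configuration from the thread or from the MikroTik wiki page; the profile names, list names, the web-server port and the one-minute list timeout are assumptions.

```routeros
# Added example (not from the thread). Assumed names: profile1/profile2, lists P1/P2/hs-blocked.
# 1. Hotspot user profiles: a logged-in user's address is added to the list dynamically.
/ip hotspot user profile
add name=profile1 address-list=P1 comment="restricted: HTTP only"
add name=profile2 address-list=P2 comment="unrestricted"

# 2. Forward-chain filter, matched on the address list instead of a per-user jump.
#    Order matters: accept rules before the drop rule.
/ip firewall filter
add chain=forward src-address-list=P1 protocol=tcp dst-port=80 action=accept \
    comment="P1: allow HTTP"
add chain=forward src-address-list=P2 action=accept comment="P2: allow everything"
add chain=forward src-address-list=P1 action=drop comment="P1: drop all other traffic"

# 3. Optional "you have been blocked" page (payment-reminder style).
#    Record the source address before the drop rule above fires. Mangle rules run
#    before filter, and passthrough=yes lets the packet continue to the filter chain.
#    The 1m timeout is an assumption; it expires the entry so the user is not redirected forever.
/ip firewall mangle
add chain=prerouting src-address-list=P1 protocol=tcp dst-port=!80 \
    action=add-src-to-address-list address-list=hs-blocked address-list-timeout=1m \
    passthrough=yes comment="remember P1 users who hit a blocked port"

# 4. Redirect the next HTTP request from a remembered user to a local notice page.
#    Assumes a web server on the router at port 8080 serving the notice; only plain
#    HTTP on port 80 can be redirected this way, as the answer above explains.
/ip firewall nat
add chain=dstnat src-address-list=hs-blocked protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="show blocked notice once"
```

Check the result with /ip firewall address-list print after a user logs in; the entry for that user should appear under the profile's list with the dynamic (D) flag.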