How do I block my clients who do not pay and show them a page from my web server?
Just redirect all the traffic 80 (for example) to your website/server, and this server has the page with a message to pay.
Max
http://mikrotikexpert.com
http://maxid.com.ar
Upload a web page (with a nonpayment notice) to a web server, make an address list named= nonpaid user, add the nonpaid user IP to that address list, then make a dst-nat rule with src-address= nonpaid user and dst-nat to your web server IP and port.
Thanks maybe it would be helpful to you.
So my friend, I have made the web server, but can you explain this to me: about the address list, where can I make this address list with client IP addresses? Please tell us about this.
With RespECt AlterNATIVI
1st of all, stop using AlTeRNatiVE CApS ThiNGiE. It’s really annoying. Pay some respect please.
2nd of all, have a look under Firewall → Address List (/ip firewall address-list in the console).
not work
disconnect it !
good idea
chain=dstnat action=dst-nat to-addresses=85.252.x.x to-ports=80 src-address=85.252.x.x dst-port=80 protocol=tcp comment="customer doesnt pay" disabled=no
I use this NAT rule, and it works OK to all but 1 web server. The web server it doesn't work to is the one I want it to go to, and I can't figure out why it doesn't work. If I type its IP in my browser, the page is displayed correctly. Any idea what can be wrong on the web server?
fosben wrote:
chain=dstnat action=dst-nat to-addresses=85.252.x.x to-ports=80 src-address=85.252.x.x dst-port=80 protocol=tcp comment="customer doesnt pay" disabled=no
OK, first of all, 85.252.x.x is your web server IP, right? Then what is src-address=85.252.x.x? src-address should be the IP address of the client to whom you want to show your nonpayment notice. You can use only protocol=tcp; don't use dst-port=80, because then this client can log on to Yahoo Messenger or services like that.
Thanks
Which is the correct version?
chain=dstnat action=dst-nat to-addresses=(web server ip) to-ports=80 src-address=(user IP) protocol=tcp comment="customer doesnt pay" disabled=no
if you have an address-list named something like=nonpaid user and you have your non paid user IP in that address list then you can do another thing >
chain=dstnat action=dst-nat to-addresses=(web server ip) to-ports=80 src-address=(User IP range like 192.168.1.0/24) protocol=tcp src-address-list=(nonpaid user) comment="customer doesnt pay" disabled=no
Hope you’ll understand what I want to say here.
NB: And make sure to put this rule in the 1st line of your firewall nat.
Thanks
Yes, and as I said, this works to all but the web server I want it to work to. So what I was asking is what could be wrong on the web server I natted to, since it didn't work.
DOES YOUR WEB SERVER HAVE MULTIPLE WEB PAGES HOSTED? I mean, is it your own web server with your notice page only, or does the web server host multiple domains? Because if you use a shared web server IP, then you can't put your web page address as text (DNS) in your MT; you have to put the IP address and port. Then check in your firewall whether you have put any forward rule with your nonpaid user IP address as action=drop.
Hope I make myself clear.
Thanks
x.x.x.x = IP address of your webserver that will give the "please pay us" page.
y.y.y.y = the IP address of a customer who has been suspended for nonpayment
/ ip firewall nat
add chain=dstnat action=dst-nat to-addresses=x.x.x.x to-ports=80 \
dst-port=80 protocol=tcp src-address-list=suspended_customers comment="" \
disabled=no
/ ip firewall filter
# You want to allow DNS, so they can lookup www.youtube.com (for example) and let their browser
# attempt to contact it but reject all other UDP traffic
add chain=forward action=reject reject-with=icmp-admin-prohibited dst-port=!53 \
protocol=udp src-address-list=suspended_customers comment="" disabled=no
# Once they've resolved www.youtube.com, you let their port 80 request get out (and to the NAT
# rules).
add chain=forward action=reject reject-with=icmp-admin-prohibited dst-port=!80 \
protocol=tcp src-address-list=suspended_customers comment="" disabled=no
/ ip firewall address-list
# And here is where we define the customer IPs that get their traffic filtered and redirected
add list=suspended_customers address=y.y.y.y comment="" disabled=no
Note that these specific rules will allow non-tcp/udp traffic through. If you definitely need to block those, you can modify these rules.
I prefer rejecting, rather than dropping traffic, so the customer will immediately see that their connection attempt (IMs, FTP, file sharing, etc.) has failed, rather than waiting for a timeout.
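To see what the rule set in the post above does to each kind of traffic, here is a simplified first-match model of it in Python. It is an added example, not part of the original post and not RouterOS code. The addresses are constructed documentation-range values standing in for x.x.x.x and y.y.y.y, and the model assumes the default forward policy is accept.

```python
# Added illustration: simplified model of the rules above; all addresses are constructed samples.
from dataclasses import dataclass, replace

SUSPENDED = {"198.51.100.23"}   # stands in for y.y.y.y (suspended_customers list)
NOTICE_SERVER = "192.0.2.10"    # stands in for x.x.x.x (payment-notice web server)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    dport: int = 0      # 0 for protocols without ports

def dstnat(p):
    """NAT rule: suspended source + tcp/80 is rewritten to the notice server."""
    if p.src in SUSPENDED and p.proto == "tcp" and p.dport == 80:
        return replace(p, dst=NOTICE_SERVER, dport=80)
    return p

def forward_filter(p):
    """Filter rules in order; no match falls through to the default accept."""
    if p.src in SUSPENDED:
        if p.proto == "udp" and p.dport != 53:
            return "reject"
        if p.proto == "tcp" and p.dport != 80:
            return "reject"
    return "accept"

def verdict(p):
    """dstnat runs before the forward chain, so the filter sees the rewritten packet."""
    q = dstnat(p)
    action = forward_filter(q)
    if action == "accept" and q.dst != p.dst:
        return "redirected to notice page"
    return action

SAMPLES = {
    "http": Packet("198.51.100.23", "203.0.113.80", "tcp", 80),
    "https": Packet("198.51.100.23", "203.0.113.80", "tcp", 443),
    "dns": Packet("198.51.100.23", "203.0.113.53", "udp", 53),
    "ntp": Packet("198.51.100.23", "203.0.113.123", "udp", 123),
    "icmp": Packet("198.51.100.23", "203.0.113.80", "icmp"),
    "paying": Packet("198.51.100.99", "203.0.113.80", "tcp", 443),
}

def walk():
    return {name: verdict(p) for name, p in SAMPLES.items()}
if __name__ == "__main__":
    print(walk())
```

The result shows that only plain HTTP reaches the notice page, HTTPS is rejected rather than redirected, and ICMP from a suspended address still passes, which is the non-tcp/udp gap the note above mentions.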
Hi,
Can I do this without NAT?
I have public IPs on both sides and uses just a simple route.
DST-ADDRESS PREF-SRC G GATEWAY DIS INTERFACE
0 A S 0.0.0.0/0 r 212.112.XXX.XXX 1 IP-XXXX
//Fredrik
Hi to all. I tried everything, but on my MTK it doesn't work because the web server is in the same class as my customer. I want to resolve this problem; in which way?
This setting works great, but only if the server x.x.x.x is in front of mikrotik:

But is possible to redirect y.y.y.y to x.x.x.x when it’s behind mikrotik?

Thank you in advance