If drop I want to open html file

giobulia · June 3, 2012, 1:56pm

Example if this have drop I want to open html file

I have billing system and when client do not have balance, system automatic make drop.
when client open any website I want to see my html file

thank you

boen_robot · June 3, 2012, 2:54pm

Add a dst-nat rule which NATs any address to your web server’s address. You must of course also filter by src-address to only match the clients which haen’t payed. You’ll have to enable/disable this rule when clients switch between payed/unpaid. Note also that your filter rule must keep accepting the packet for this to work.

Also, I’ve said it before, and I’ll say it again, as it’s imortant - you should add your client’s IP addresses into address lists, and make your filter and nat rules match by them. This will improve your network’s performance, and make it easier to manage too.

So…

Do

/ip firewall address-list add list="plan1" address="172.12.22.53" comment="6064"

and do that for every client. Keep the value of “list” the same across clients (in the example I use “plan1”, but this can be anything you want, as long as it’s the same for everyone). For clients that need to be off, use another value for “list”, like for example:

/ip firewall address-list add list="unpaid" address="172.12.22.59" comment="6063"

Add the following filter rules

/ip firewall filter add chain="forward" src-address-list="plan1" action="accept" comment="Allow clients to send packets"

/ip firewall filter add chain="forward" dst-address-list="plan1" action="accept" comment="Allow clients to receive packets"

/ip firewall filter add chain="forward" src-address-list="unpaid" protocol="tcp" dst-port="80" action="accept" comment="Allow unpaid clients to send packets to port 80"

/ip firewall filter add chain="forward" dst-address-list="unpaid" protocol="tcp" src-port="80" action="accept" comment="Allow unpaid clients to receive packets from port 80"

Remove all other filter rules (OK, OK… just disable them for now… but you can remove them when you verify everything is working).
To redirect unpaid clients:

/ip firewall nat add chain="dst-nat" src-address-list="unpaid" action="dst-nat" protocol="tcp" to-address="192.168.0.254" to-port="80" comment="Redirect requests from unpaid clients to a web server"

(replace 192.168.0.254 with the IP of your web server; you can also redirect to another port if needed, as long as you also adjust the last filter rule accordingly)

giobulia · June 5, 2012, 12:14pm

Hello,

It works fine.

Thank you!!

boen_robot · June 5, 2012, 12:17pm

I forgot to add

protocol="tcp"

in the NAT rule. Add that, and it should work. I’ve edited the post above.

giobulia · June 5, 2012, 12:19pm

Now it works.

Thank you! ))