Hi guys, a long time ago, before all browsers went to HTTPS, we had simple rules in IP->Firewall->NAT to redirect port 80 for our stopped customers (which are not paying tax) to some NGINX server IP:port, which shows some page with simple text like:
Your internet is stopped. You can call us on 12345676 or visit our website http://some-site.com/
This way stopped customers know that they forgot to pay, instead of calling about the internet not working, and you can also give them some options listed on that page.
Now, in 2023 (modern times), all browsers default to HTTPS, and 99% of the sites require HTTPS. So rules for port 80 DNAT do not work anymore, and the same rules for port 443 do not work either, because of the way SSL works.
I even tried to redirect customers to a PROXY, but this also does not work with HTTPS.
So the question is: what is the current modern way to show a message to customers when they forgot to pay, via a web page? I have seen some companies still do this and it works perfectly, obviously not with a simple firewall redirect.
My users, if they do not pay, receive one SMS instead of us blindly disabling the connection.
If they still do not pay, after 7 days we call the user.
If they do not answer and still do not pay, after 7 days they receive another SMS and the connection is completely blocked.
If they still do not pay, after 7 days the debt collection institution intervenes, and then the law court.
You can use a DNS server which has functionality to reply, for an IP list of such users, with the same IP for any DNS request (the IP of your web server hosting that page), like DNS spoofing. This will partially work: if some website replies with an HSTS header and the user has already visited that page, the browser will remember that and still return a warning that the connection is not secure, but if the host is visited for the first time, is not in the browser cache, or the web site is not setting an HSTS header, it will work.
You can try it by simply adding the IP of your local webserver for some host.domains in your hosts file and seeing in your browser how it works.
Edit: Also, for that you will need hairpin NAT on the router for the DNS port and IP of your DNS server.
Edit2: Maybe you do not need to find a DNS server which can respond per IP; just set up an additional DNS server which will return the same IP for any request, and you can dynamically manage hairpin NAT rules on the router for the IP addresses that are blocked. Still, the HSTS issue persists…
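The "answer every request with the same IP" DNS server from the reply above, as an added example that is not part of the thread or any poster's setup. It parses a DNS query in wire format and answers every A question with one fixed address (the notice-page web server), using a short TTL so end-user routers and PCs do not keep the redirect cached after the customer pays. `NOTICE_IP`, `serve()` and the constructed test query are assumptions for this example; the router-side hairpin NAT rule that steers blocked customers' port 53 traffic here is not shown.

```python
"""Minimal 'reply with one IP to everything' DNS responder (added example)."""
import socket
import struct

NOTICE_IP = "10.0.0.5"   # assumed address of the "your internet is stopped" web server
QTYPE_A = 1
QCLASS_IN = 1


def parse_name(data: bytes, offset: int):
    """Decode a DNS name at offset; returns (name, offset after it). Follows compression pointers."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_query(data: bytes):
    """Return (txid, qname, qtype, raw question section) for a single-question query."""
    txid, _flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    qname, off = parse_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    return txid, qname, qtype, data[12:off + 4]


def build_response(query: bytes, answer_ip: str = NOTICE_IP, ttl: int = 5) -> bytes:
    """Answer A questions with answer_ip; other types get an empty (NOERROR) answer section."""
    txid, _qname, qtype, question = parse_query(query)
    ancount = 1 if qtype == QTYPE_A else 0
    # flags 0x8580: QR=1, AA=1, RD=1, RA=1, rcode=0
    response = struct.pack("!HHHHHH", txid, 0x8580, 1, ancount, 0, 0) + question
    if ancount:
        rdata = socket.inet_aton(answer_ip)
        # 0xC00C is a pointer to the question name at offset 12
        response += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return response


def encode_query(qname: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build a plain query packet (constructed input for testing; no real resolver involved)."""
    body = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split("."))
    body += b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + body


def answer_ip_of(response: bytes):
    """Read the A record address out of a response built above, or None if it has no answer."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, off = parse_name(response, 12)
    off += 4                                  # skip qtype/qclass of the question
    _, off = parse_name(response, off)        # answer name (a pointer)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    return socket.inet_ntoa(response[off + 10:off + 10 + rdlen])


def serve(bind_ip: str = "0.0.0.0", port: int = 53):
    """Run the responder on UDP; hairpin NAT for blocked customers' DNS should point here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass                              # malformed or multi-question packet: drop it


if __name__ == "__main__":
    serve()
```

Only A queries are rewritten; AAAA and other types get an empty answer so clients fall back to IPv4 instead of failing outright. As the reply notes, this does nothing for sites the browser already knows as HSTS, and it only redirects name resolution: the HTTPS certificate mismatch on port 443 remains, so the notice is seen on plain-HTTP requests and first visits.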
Yes, we are using SMS warnings, it works very well, but still many of the companies prefer to have that kind of screen with instructions for the user: where and how they can pay and so on.
But rejecting AUTH will lead to no internet I guess; some devices like Huawei routers have an option to redirect the user to some SITE for information, though we don't know how they do it.
DNS redirect was one of the ideas we thought about. It should be pretty simple to set up a DNS server with FAKE zones inside, all leading to the same IP. Though I was worried about the DNS cache in end user routers / PCs, but now you say there is another problem like HSTS, so maybe it will not work 100%.
Most modern OSes have some functionality for "detect portal". When they connect to WiFi, they attempt to download some HTTP page (which page varies by OS) and when that does not succeed, they follow any redirects that they get. This is intended for WiFi networks that first want the user to read and accept "terms & conditions", or where the user needs to enter some password or voucher code (like in a "hotspot").
So with your old method of redirecting all port 80 traffic to a single server, and blocking all other traffic, you will still reach some customers.
Not everyone, of course.
This is likely also the method referred to above. It is not foolproof, but it is what you have available.
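The portal-detection behaviour described in the reply above, as an added example that is not code from the thread or from any poster: a small HTTP server that sits where the old port 80 DNAT rule sends a stopped customer's traffic. An OS connectivity probe that lands here gets a 302 instead of the reply it expects, so the OS offers its "sign in to network" prompt, which opens the notice page. `NOTICE_PATH`, `NOTICE_TEXT` and the handler are assumptions for this example; the probe host names listed are well-known vendor connectivity-check hosts and are only used to label log lines, since any host is redirected the same way.

```python
"""Captive-portal style notice server for stopped customers (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

NOTICE_PATH = "/stopped"                                  # assumed path of the notice page
NOTICE_TEXT = "Your internet is stopped. You can call us on 12345676 or visit our website."

# Well-known OS / browser connectivity-check hosts, used only to tag log lines.
PROBE_HOSTS = {
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "www.msftconnecttest.com",
    "detectportal.firefox.com",
}


def is_probe(host: str) -> bool:
    """True if the Host header names a known connectivity-check endpoint."""
    return host.split(":")[0].lower() in PROBE_HOSTS


def portal_response(host: str, path: str) -> tuple:
    """Decide (status, headers, body) for a request DNAT-ed to this server.

    NOTICE_PATH serves the notice itself; everything else, probes included, gets a
    302 to the notice page on the same host name (so no extra DNS lookup is needed).
    A probe expecting e.g. HTTP 204 or a fixed body therefore fails its check and the
    OS shows the portal prompt. Cache-Control: no-store keeps the redirect from being
    cached by the device after the customer has paid and the DNAT rule is removed.
    """
    host = host.split(":")[0].lower() or "localhost"
    if path == NOTICE_PATH:
        headers = {"Content-Type": "text/plain; charset=utf-8", "Cache-Control": "no-store"}
        return 200, headers, NOTICE_TEXT
    headers = {
        "Location": "http://%s%s" % (host, NOTICE_PATH),
        "Cache-Control": "no-store",
        "Content-Type": "text/plain; charset=utf-8",
    }
    return 302, headers, "Redirecting to notice page"


class NoticeHandler(BaseHTTPRequestHandler):
    """Serves the notice page; every other path is redirected to it."""

    def do_GET(self):
        status, headers, body = portal_response(self.headers.get("Host", ""), self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))

    do_HEAD = do_GET

    def log_message(self, fmt, *args):
        # Tag probe hits separately so an operator can see how many devices saw the prompt.
        tag = "probe" if is_probe(self.headers.get("Host", "")) else "page"
        print("%s %s %s" % (tag, self.client_address[0], fmt % args))


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), NoticeHandler).serve_forever()
```

This only reaches devices whose probe goes out over plain HTTP on port 80, which is exactly the "not everyone" caveat in the reply: HTTPS requests to other sites still fail with a certificate error, and a device that has already cached a successful probe result may not re-probe until it reconnects.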