Hello. I have a small problem with redirect some clients that doesnt pay for the service :-/ So far I used web-proxy to redirect them from router (NAT) to wevserver working on external ip. PHP script on my webserver used apache_resquest_headers to get true clients ip that connect "behind" the router. The problem is, when I changed dst-chan rule in firewall from redirect all ports except 53 to proxy for rule that should redirect just port 80 header - x-forwarded-for dissapeard... so now I cant reveal which client connects to my webserver 
(( Im using static routing. Let me get some schema of my network clients--192.168.1.0/24--AP---192.168.252.0/24---router (NAT)---public_ip--webserver (debian) Someone told me, that I should use VPN... Unfortunately I have no idea, how should I do it and telling the true Im not so sure if I`m heading in a good direction…