Redirect user without hotspot and authentication

Arpanet · May 10, 2014, 4:32pm

What I would like to have is redirect user to a web page (allowed by proxy) without using hotspot interface or radius authentication.
is it possible?

Arpanet · May 10, 2014, 9:48pm

a proxy with redirect-to tag could be a solution?

rextended · May 11, 2014, 2:05am

Only specific site or ALL the sites? (if are not payed the invoice??? )

On the first case

/ip proxy access
add action=deny dst-host=*.facebook.com redirect-to=www.workandnotchat.it

On the second case

/ip proxy access
add action=deny dst-host=* redirect-to=www.pay.it

Arpanet · May 11, 2014, 10:47am

yes, you hit it! it’s for defaulting customers
so I could place proxy rules in each customer cpe ?

reinerotto · May 11, 2014, 11:07am

On the second case
/ip proxy access
add action=deny dst-host=* redirect-to=www.pay.it<

Same you can do with squid, too, with so-called “ACL”, access-control-list.
Assuming, you have edited a “customer_needs_to_pay.lst” text file, containing some kinf of ID, like username, IP, or similar.

rextended · May 11, 2014, 2:11pm

It’s better use firewall for redirect to server page “you must pay” and address list.

I have not one examle ready.

Usually when customer not pay the invoice I change the RADIUS / User-Manager profile to one ad-hoc that firewall recognize automatically and redirect all tcp 80 traffic to web page on external server (on external TRUE web server…)

Arpanet · May 11, 2014, 2:27pm

it seems hard to achieve

rextended · May 11, 2014, 2:35pm

Really not, I use that methods…

lista_avvisi = address list on ip used on the profile “RITARDO” on the user-manager…

/ip firewall nat
add action=jump chain=dstnat comment="Inizio degli Avvisi Permanenti" dst-port=80 jump-target=dstnat_avvisi protocol=tcp src-address-list=lista_avvisi
add action=add-src-to-address-list address-list="@1 Ritardo" address-list-timeout=3h chain=dstnat_avvisi comment="Log RITARDO" dst-port=80 protocol=tcp src-address-list=RITARDO
add action=return chain=dstnat_avvisi comment="Rimando se gi\E0 avvisato il RITARDO" src-address-list="@1 Ritardo Avvisato"
add action=add-src-to-address-list address-list="@1 Ritardo Avvisato" address-list-timeout=1h chain=dstnat_avvisi comment="Memorizzo che ho avvisato il RITARDO" dst-port=80 protocol=tcp src-address-list=RITARDO
add action=dst-nat chain=dstnat_avvisi comment="Redirect RITARDO" dst-port=80 protocol=tcp src-address-list=RITARDO to-addresses=89.202.251.10 to-ports=81
add action=return chain=dstnat_avvisi comment="Fine degli Avvisi Permanenti"

and on firewall filter I limit the services that the user can use:

lista_ip_sicuri = list of IP used by ISP, for not block any service traffic.

/ip firewall filter
add action=jump chain=forward comment="Inizio controllo Avvisi" jump-target=forward_avvisi src-address-list=lista_avvisi
add chain=forward_avvisi protocol=icmp src-address-list=lista_avvisi
add chain=forward_avvisi dst-port=53,80-90 protocol=tcp src-address-list=lista_avvisi
add chain=forward_avvisi dst-port=53 protocol=udp src-address-list=lista_avvisi
add chain=forward_avvisi dst-port=1-1023,8291 protocol=tcp src-address-list=RITARDO
add chain=forward_avvisi dst-port=53,123,5678,20561 protocol=udp src-address-list=RITARDO
add action=drop chain=forward_avvisi dst-address-list=!lista_ip_sicuri src-address-list=lista_avvisi
add action=return chain=forward_avvisi comment="Fine controllo Avvisi"

Arpanet · May 11, 2014, 2:59pm

ok this solution in case of pppoe server

rextended · May 11, 2014, 3:07pm

Yes, actually is the best method for authentication and accounting.