Currently I’m telling my customers to pay the bill with the hotspot trick described in the wiki http://wiki.mikrotik.com/wiki/How_to_Block_Customer. Problem is that I’m also using arp=reply-only, and I still want to use it. When you enable the hotspot, it bypasses all clients, so if a client just changes his IP or MAC Address, they can still access the internet and the server.
I’ve been trying for the past few hours to redirect all traffic from a specified IP or MAC to a local web-server running on my internal network, but I’ve been without luck. Currently I’m in the state that the “forwarded” port doesn’t accept connections on the local interface.
Well, I don’t want to use authentication, as it’s not such a big network (max 200 users). Can’t I just redirect all traffic to another http server?
I’ve tried that in numerous ways, but it seems I’m missing something.
MAC authentication is implemented in the HotSpot: the client gets authorized in HotSpot as soon as its MAC address appears in the HotSpot host list.
Authentication occurs without login/password.
No,
I think will more easy when you are turning on your hotspot system, by this way make basically secure for users connect to the network as subscribe first to administrator and get know users. I support you when come back to your trick in first post. Just make discuss for unauthenti....users without built webserver local one:
1. Turn on your hotspot system.
2. Make difference subnet on the network for 'dynamic ip by manual' and 'dynamic ip by host'
3. Customize 'login.html' filename or edit it without validation username and password cases.
4. ip-binding for subscriber.
With that's method, I think is simple and easy solution and more...more...more benefit to administrator. Again, don't do this when that's method isn't simple and easy. And in the file 'login.html' just to say: 'Ooooop...!, Sorry..you are not our MEMBER' and turn off your webserver local one, of course.
Sorry but I don’t understand your English… You lost me on the subnet parts =/
Could you please explain in more detail? I’m willing to try this MAC authentication on the hotspot if you explain it to me in depth. Also, I want to specify that I have 2 public IP classes, a /26 and a /25 (and I’ll probably get the whole /24 in March or something, but my ISP has some problems with the IPs).
If you will use universal client (HotSpot one-to-one NAT), then arp must be enabled.
Information about one-to-one NAT and other HotSpot options, http://www.mikrotik.com/docs/ros/2.9/ip/hotspot
samsoft08, you may disable other authentication methods for the HotSpot user profile.
Provide us with logs (/log print), when client does not authenticate via MAC and login page is displayed.
dainen: I’m looking for a solution where I can just enable/disable one rule whenever I want to block a customer. I’m not the full-time admin of that network, the person who manages it is not that technical and I want to keep it simple… Eventually to make a script that enables/disables that rule.
Play with it; not sure if the client IP is on src-address or dst-address, so change it around. Since I changed my config to do load balance NOTHING ELSE WORKS ON MY MT and no one here seems to know or care why…
I accomplished this a different way because I don't like hotspot. I have each user defined to a certain IP pool depending on their status, i.e. paid or not. For no-pays I have firewall rules that redirect all traffic in pool nopay to xxx.
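
A sketch of the pool-based redirect described in the post above, written as an added example and not taken from any poster's configuration. It uses an address list in place of a dedicated IP pool so that blocking a customer is a single enable/disable. The addresses, the list name `nopay` and the notice server are constructed placeholders. It assumes customers cannot change their IP (for example static ARP entries with arp=reply-only, as in the first post), since the match is on source address.

```routeros
# Added example. Constructed placeholder values:
#   192.0.2.10  hypothetical local web server showing the "please pay" page
#   10.0.0.57   hypothetical address of the customer being blocked

# 1. One address list holds every blocked customer.
/ip firewall address-list
add list=nopay address=10.0.0.57 comment="customer 57 - unpaid"

# 2. Rewrite HTTP from listed customers to the notice server.
#    dst-address=! keeps requests already aimed at the server untouched.
/ip firewall nat
add chain=dstnat src-address-list=nopay protocol=tcp dst-port=80 \
    dst-address=!192.0.2.10 action=dst-nat \
    to-addresses=192.0.2.10 to-ports=80 \
    comment="nopay: redirect HTTP to notice page"

# 3. Listed customers may reach only the notice page and DNS.
#    These rules must sit above any general accept rule in the forward chain.
#    If the router itself is the DNS server, that traffic is in chain=input
#    and needs no forward rule.
/ip firewall filter
add chain=forward src-address-list=nopay dst-address=192.0.2.10 \
    protocol=tcp dst-port=80 action=accept comment="nopay: notice page"
add chain=forward src-address-list=nopay protocol=udp dst-port=53 \
    action=accept comment="nopay: DNS, so browsers can resolve names"
add chain=forward src-address-list=nopay action=drop \
    comment="nopay: drop everything else"

# 4. Day-to-day operation: the NAT and filter rules stay in place,
#    only the list entry is toggled.
/ip firewall address-list
disable [find list=nopay address=10.0.0.57]
enable [find list=nopay address=10.0.0.57]
```

If the notice server sits in the same subnet as the customers, its replies go straight back to the client and bypass the router, so the redirect also needs a matching src-nat (hairpin) rule or the server placed on a separate interface.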
We are in a similar situation, we want the accounts person who has little tech knowledge to be able to block people.
With help from autohotkey and their forums I put together a crude and nasty script that may help.
It asks for the relevant details, then telnets the Mikrotik and pastes the commands.
I have only tested it on a local network so latency may be a problem but you can edit the script to help with that. http://wwwires.com/captive.rar
You could also edit the script so certain fields are entered automatically.