Hi all, just a question I am having problems with.
We use ROS for PPPoE customers Auth back to our RADIUS server. When a user is authorised they are given an IP/bandwidth limits/etc. and are able to access the WWW.
When a user has no credit we want to give them an IP from a BLOCKED pool of IPs (this bit we can do all OK so far).
Next we want to send them to the walled garden for payment etc.
Is this possible using standard PPPoE, and if so can you please point me in the right direction?
Edit: haha just saw fewi’s post.. I started mine a while ago but didn’t get to finishing it >_<
I’ve completed something similar in the past: users who are out of quota are handed IPs from a different address pool that is restricted to only being able to access our account page.
Unfortunately this also has the side effect of not allowing PayPal payments. Going to try merging it with the link fewi included and see what I can do.
/ip firewall filter
add action=jump chain=forward comment="for restricted ppp users, jump to restricted chain" disabled=no \
    jump-target=ppp-restricted src-address=<your restricted address range .. or list>
add action=accept chain=ppp-restricted comment="Allow access to servers" disabled=no dst-address=<your payment server ip>
add action=accept chain=ppp-restricted comment="allow access to local router addresses, for DNS" disabled=no dst-address-type=local
add action=drop chain=ppp-restricted comment="drop all other traffic" disabled=no
and in the nat table:
/ip firewall nat
add action=src-nat chain=srcnat comment="src-nat restricted pppoe users" disabled=no dst-address=<payment server address> src-address=<pppoe restricted pool> to-addresses=<router WAN NAT IP>
add action=jump chain=dstnat comment="" disabled=no jump-target=ppp-restricted src-address=<pppoe restricted pool>
add action=accept chain=ppp-restricted comment="" disabled=no dst-address=<payment server address>
add action=dst-nat chain=ppp-restricted comment="" disabled=no dst-address=!<pppoe dns server> dst-port=53 protocol=udp to-addresses=<pppoe dns server>
add action=dst-nat chain=ppp-restricted comment="" disabled=no dst-address=!<pppoe dns server> dst-port=53 protocol=tcp to-addresses=<pppoe dns server>
add action=dst-nat chain=ppp-restricted comment="Force Restricted users to notification page" disabled=no dst-port=80 protocol=tcp to-addresses=<payment server address> to-ports=<pick a non standard port and add a .htaccess for all errors to go to one page>
add action=return chain=ppp-restricted comment="" disabled=no
Hope I’m comprehensible. I’ve replaced all the IPs in my wiki example with descriptions of what IPs should go in there.
Eg:
10.0.0.0/24 might be your restricted pool
1.1.1.1 might be your payment server
2.2.2.2 might be the router’s WAN address for DNS and also the NAT address you want to use.
port 81 might be the port you host the pppoe redirect on.
We use a page that notifies the user they’re out of quota, then has a redirect after 10 seconds to our payment page on the same server; however, you could use multiple servers so long as the IPs are listed.
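A small model of how the rules in the post above treat a restricted user's traffic, added here as an illustration and not omega-00's own code: it applies the dst-nat rules and then the filter rules in first-match order, which shows why an HTTPS payment site outside the allowed list is dropped. The pool, payment server, DNS address and port 81 are the example values from the post; the other destination addresses are constructed placeholders, and the one standing in for PayPal is hypothetical.

```python
import ipaddress

# Example values from the post; every other address below is a constructed placeholder.
POOL = ipaddress.ip_network("10.0.0.0/24")   # restricted PPPoE pool
PAY = "1.1.1.1"                              # payment server
DNS = "2.2.2.2"                              # router WAN address, also the DNS server
LOCAL = {DNS}                                # addresses owned by the router itself
REDIRECT_PORT = 81                           # port hosting the notification page

def restricted(src):
    return ipaddress.ip_address(src) in POOL

def dstnat(src, dst, proto, port):
    """nat table, chain ppp-restricted: the first matching rule wins."""
    if not restricted(src):
        return dst, port                     # jump rule does not match
    if dst == PAY:
        return dst, port                     # action=accept, left untouched
    if port == 53 and proto in ("udp", "tcp") and dst != DNS:
        return DNS, port                     # DNS forced to the PPPoE DNS server
    if port == 80 and proto == "tcp":
        return PAY, REDIRECT_PORT            # HTTP forced to the notification page
    return dst, port                         # action=return

def verdict(src, dst, proto, port):
    """Apply dst-nat first, then the filter rules, in the order the router does."""
    dst, port = dstnat(src, dst, proto, port)
    if dst in LOCAL:
        return ("input", dst, port)          # delivered to the router, not forwarded
    if not restricted(src):
        return ("pass", dst, port)           # ppp-restricted chain is never entered
    if dst == PAY:
        return ("accept", dst, port)         # "Allow access to servers"
    return ("drop", dst, port)               # "drop all other traffic"

if __name__ == "__main__":
    flows = [
        ("10.0.0.5", "198.51.100.7", "tcp", 80),   # plain HTTP to any site
        ("10.0.0.5", "203.0.113.53", "udp", 53),   # DNS to an outside resolver
        ("10.0.0.5", "192.0.2.10", "tcp", 443),    # HTTPS, stand-in for PayPal
    ]
    for flow in flows:
        print(flow, "->", verdict(*flow))
```
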
Hey omega-00, if you ever get to try the merged config you mentioned, I would love to know how it went. We also would like our blocked users to be able to access PayPal.com for account topups.
Cheers again from a fellow Ozzie, now living in Indonesia
Got some major roll outs happening this week before easter holidays but I might get a chance to do it then (easter break).. will keep you posted.
It’s def something I’m going to work more on in the future though.
My investigations will also involve looking into a way to do it with IPv6 dual-stacked users too.