Community discussions

 
Znuff
Member Candidate
Member Candidate
Topic Author
Posts: 139
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Tell non-paying customers to pay the bill, without hotspot

Tue Oct 03, 2006 1:47 am

Currently I'm telling my customers to pay the bill with the hotspot trick described in the wiki http://wiki.mikrotik.com/wiki/How_to_Block_Customer. Problem is that I'm also using arp=reply-only, and I still want to use it. When you enable the hotspot, it bypasses all clients, so if a client just changes his IP or MAC Address, they can still access the internet and the server.

I've been trying for the past few hours to redirect all traffic from a specified IP or MAC to a local web-server running on my internal network, but I've been without luck. Currently I'm in the state that the "forwarded" port doesn't accept connections on the local interface.

Can anyone explain me a proper way to do this?

Thanks.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Tue Oct 03, 2006 4:44 pm

and what about autentification in hotspot - no login no internet
 
Znuff
Member Candidate
Member Candidate
Topic Author
Posts: 139
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Tue Oct 03, 2006 5:08 pm

Well, I don't want to use authentification, as it's not such a big network (max 200 users). Can't I just redirect all traffic to another http server?
I've tried that in numerous ways, but it seems I'm missing something.
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Tue Oct 03, 2006 5:43 pm

MAC-authentication is implemented in the HotSpot, when client gets authorized in HotSpot as soon as MAC-address appeared in HotSpot host list.
Authentication occurs without login/password.

HotSpot is the most flexible solution.
 
User avatar
balimore
Forum Veteran
Forum Veteran
Posts: 892
Joined: Mon Apr 10, 2006 3:38 am

Tue Oct 03, 2006 6:46 pm

Well, I don't want to use authentification, as it's not such a big network (max 200 users). Can't I just redirect all traffic to another http server?
I've tried that in numerous ways, but it seems I'm missing something.
---
No,
I think will more easy when you are turning on your hotspot system, by this way make basically secure for users connect to the network as subscribe first to administrator and get know users. i support you when come back to your trick in first post. just make discuss for unauthenti....users without built webserver local one:
1. Turn on your hotspot system.
2. Make difference subnet on the network for 'dynamic ip by manual' and 'dynamic ip by host' 
3. Customize 'login.html' filename or edit it without validation username and password cases.
4. ip-binding for subscriber.
With that's methode, i think is simple and easy solution and more...more...more benefite to administrator. again, don't do this when that's methode isn't simple and easy. and in the file 'login.html' just to say: 'Ooooop...!, Sorry..you are not our MEMBER' and turn off your webserver local one, ofcourse.

regards
Hasbullah.com
---
 
Znuff
Member Candidate
Member Candidate
Topic Author
Posts: 139
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Tue Oct 03, 2006 8:36 pm

Sorry but I don't understand your english... You lost me on the subnet parts =/

Could you please explain more detailed? I'm willing to try this MAC Authentification on the hotspot if you explain me in depth :-) Also I want to specify that I have 2 public ip classes, a /26 and a /25 (and I'll probably get the whole /24 in march or something, but my isp has some problems with the ips)
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Wed Oct 04, 2006 9:01 am

To use MAC-authentication in HotSpot,
- create users list, '/ip hotspot user add name=XX:XX:XX:XX:XX:XX' (XX:XX:XX:XX:XX:XX client MAC-address, add to user table every HotSpot client).
- set for HotSpot profile to use 'mac' method,
'ip hotspot profile set profile_name login-by=mac'.
 
dainen
newbie
Posts: 38
Joined: Tue Jul 05, 2005 12:33 pm
Location: Byron Bay, Australia
Contact:

Wed Oct 04, 2006 9:27 am

We sometimes use a simple dst-nat firewall rule to redirect all connections from the customers IP address

/ip firewall nat add chain=dstnat src-address=clientsIP protocol=tcp action=dst-nat to-addresses=Webserver to-ports=80 comment="Captive Page" disabled=no


Dont know if this will help but here is it anyway.
 
Znuff
Member Candidate
Member Candidate
Topic Author
Posts: 139
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Wed Oct 04, 2006 1:08 pm

I don't want to block only TCP, that's the issue. I want to block everything. If I block only TCP they could, for instance, play games over the net =/

I'll try the mac auth. in hotspot this weekend when I get back into town. Is arp=reply-only still needed if I use hotspot?
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Wed Oct 04, 2006 2:24 pm

If you will use universal client (HotSpot one-to-one NAT), than arp must be enabled.
Information about one-to-one NAT and other HotSpot options,
http://www.mikrotik.com/docs/ros/2.9/ip/hotspot
 
User avatar
samsoft08
Long time Member
Long time Member
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Wed Oct 04, 2006 10:21 pm

MAC-authentication is implemented in the HotSpot, when client gets authorized in HotSpot as soon as MAC-address appeared in HotSpot host list.
Authentication occurs without login/password.

HotSpot is the most flexible solution.
I tried to do that , but the login page still apears !!!! no access without login !!!!!
 
dainen
newbie
Posts: 38
Joined: Tue Jul 05, 2005 12:33 pm
Location: Byron Bay, Australia
Contact:

Thu Oct 05, 2006 5:28 am

I don't want to block only TCP, that's the issue. I want to block everything. If I block only TCP they could, for instance, play games over the net =/
This should block everything but port 80 (which is being directed to your webserver) and DNS requests

/ip firewall filter add chain=forward src-address=CustomerIP protocol=tcp dst-port=!80 action=reject reject-with=icmp-admin-prohibited comment="" disabled=no


/ip firewall filter add chain=forward src-address=CustomerIP protocol=udp dst-port=!53 action=reject reject-with=icmp-admin-prohibited comment="" disabled=no
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Thu Oct 05, 2006 8:18 am

samsoft08, you may disable other authentication methods for the HotSpot user profile.
Provide us with logs (/log print), when client does not authenticate via MAC and login page is dislplayed.
 
Znuff
Member Candidate
Member Candidate
Topic Author
Posts: 139
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Thu Oct 05, 2006 5:21 pm

dainen: I'm looking for a solution that I can just enable/disable one rule whenever I want to block a customer :-) I'm not the full-time admin of that network, the person who manages is not that technical and I want to keep it simple.
 
Znuff
Member Candidate
Member Candidate
Topic Author
Posts: 139
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Thu Oct 05, 2006 5:21 pm

dainen: I'm looking for a solution that I can just enable/disable one rule whenever I want to block a customer :-) I'm not the full-time admin of that network, the person who manages is not that technical and I want to keep it simple... Eventually to make a script that enables/disables that rule :-)
 
dannyboy
Member Candidate
Member Candidate
Posts: 195
Joined: Fri Sep 16, 2005 4:21 am
Location: Nicaragua/USA
Contact:

Sat Oct 07, 2006 11:02 pm

Listen,

What I used to use was to NAT the users that didnt pay to a web server I had on the network.

do this:
add chain=dstnat src-address=192.168.10.44 protocol=tcp action=dst-nat to-addresses=10.10.5.200 to-ports=8085 comment="" disabled=yes

play with it, not sure if the client ip is on src-addresss or dst-addresss so change it around. Since I changed my config to do load balance NOTHING ELSE WORKS ON MY MT and noone here seems to know or care why...

hope this helps.
 
variable
Member Candidate
Member Candidate
Posts: 217
Joined: Wed Apr 13, 2005 4:36 am

Mon Oct 09, 2006 9:38 pm

i accomplished this a different way because i dont like hotspot. I have each user in defined to a certain ip pool depending on their status, ie payed or not. for no pays i have firewall rules that redirect all traffic in pool nopay to xxx.
 
dainen
newbie
Posts: 38
Joined: Tue Jul 05, 2005 12:33 pm
Location: Byron Bay, Australia
Contact:

Tue Oct 10, 2006 7:20 am

Hi Znuff,

We are in a similar situation, we want the accounts person who has little tech knowledge to be able to block people.
With help from autohotkey and their forums I put together a crude and nasty script that may help.
It asks for the relevant details, then telnets the Mikrotik and pastes the commands.
I have only tested it on a local network so latency may be a problem but you can edit the script to help with that.
http://wwwires.com/captive.rar

you could also edit the script so certain fields are entered automaticaly
 
User avatar
samsoft08
Long time Member
Long time Member
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

masquerade or src-nat to-addresses ??

Wed Oct 11, 2006 3:28 am

sorry

Who is online

Users browsing this forum: Google [Bot] and 96 guests