
Tell non-paying customers to pay the bill, without hotspot

Posted: Tue Oct 03, 2006 1:47 am
by Znuff
Currently I'm telling my customers to pay the bill with the hotspot trick described in the wiki (http://wiki.mikrotik.com/wiki/How_to_Block_Customer). The problem is that I'm also using arp=reply-only, and I still want to use it. When you enable the hotspot, it bypasses all clients, so if a client just changes his IP or MAC address, they can still access the internet and the server.

I've been trying for the past few hours to redirect all traffic from a specified IP or MAC to a local web server running on my internal network, but I've had no luck. Currently I'm at the point where the "forwarded" port doesn't accept connections on the local interface.

Can anyone explain to me a proper way to do this?

Thanks.

Posted: Tue Oct 03, 2006 4:44 pm
by janisk
And what about authentication in the hotspot? No login, no internet.

Posted: Tue Oct 03, 2006 5:08 pm
by Znuff
Well, I don't want to use authentication, as it's not such a big network (max 200 users). Can't I just redirect all traffic to another HTTP server?
I've tried that in numerous ways, but it seems I'm missing something.

Posted: Tue Oct 03, 2006 5:43 pm
by sergejs
MAC authentication is implemented in the HotSpot: the client gets authorized in the HotSpot as soon as its MAC address appears in the HotSpot host list.
Authentication occurs without login/password.

HotSpot is the most flexible solution.

Posted: Tue Oct 03, 2006 6:46 pm
by balimore
Well, I don't want to use authentication, as it's not such a big network (max 200 users). Can't I just redirect all traffic to another HTTP server?
I've tried that in numerous ways, but it seems I'm missing something.
---
No,
I think it will be easier when you turn on your hotspot system; that way the network is basically secure, since users have to subscribe with the administrator first and the administrator gets to know the users. I support you going back to the trick in your first post. Just handle the unauthenticated users without building a local web server:
1. Turn on your hotspot system.
2. Make a different subnet on the network for 'dynamic IP by manual' and 'dynamic IP by host'.
3. Customize the 'login.html' filename, or edit it to remove the username and password validation.
4. IP binding for subscribers.
With that method, I think it is a simple and easy solution and more... more... more beneficial to the administrator. Again, don't do this if that method isn't simple and easy. And in the file 'login.html' just say: 'Ooooops...! Sorry, you are not our MEMBER', and turn off your local web server, of course.

regards
Hasbullah.com
---

Posted: Tue Oct 03, 2006 8:36 pm
by Znuff
Sorry, but I don't understand your English... You lost me on the subnet part =/

Could you please explain it in more detail? I'm willing to try this MAC authentication on the hotspot if you explain it to me in depth :-) I also want to mention that I have 2 public IP blocks, a /26 and a /25 (and I'll probably get the whole /24 in March or so, but my ISP has some problems with the IPs).

Posted: Wed Oct 04, 2006 9:01 am
by sergejs
To use MAC authentication in HotSpot:
- create the user list: '/ip hotspot user add name=XX:XX:XX:XX:XX:XX' (XX:XX:XX:XX:XX:XX is the client's MAC address; add every HotSpot client to the user table),
- set the HotSpot profile to use the 'mac' method:
'/ip hotspot profile set profile_name login-by=mac'.

Posted: Wed Oct 04, 2006 9:27 am
by dainen
We sometimes use a simple dst-nat firewall rule to redirect all connections from the customer's IP address:

/ip firewall nat add chain=dstnat src-address=clientsIP protocol=tcp action=dst-nat to-addresses=Webserver to-ports=80 comment="Captive Page" disabled=no


Don't know if this will help, but here it is anyway.

Posted: Wed Oct 04, 2006 1:08 pm
by Znuff
I don't want to block only TCP; that's the issue. I want to block everything. If I block only TCP they could, for instance, play games over the net =/

I'll try the MAC auth in hotspot this weekend when I get back into town. Is arp=reply-only still needed if I use hotspot?

Posted: Wed Oct 04, 2006 2:24 pm
by sergejs
If you use the universal client (HotSpot one-to-one NAT), then ARP must be enabled.
Information about one-to-one NAT and other HotSpot options:
http://www.mikrotik.com/docs/ros/2.9/ip/hotspot

Posted: Wed Oct 04, 2006 10:21 pm
by samsoft08
MAC authentication is implemented in the HotSpot: the client gets authorized in the HotSpot as soon as its MAC address appears in the HotSpot host list.
Authentication occurs without login/password.

HotSpot is the most flexible solution.
I tried to do that, but the login page still appears!!!! No access without login!!!!!

Posted: Thu Oct 05, 2006 5:28 am
by dainen
I don't want to block only TCP; that's the issue. I want to block everything. If I block only TCP they could, for instance, play games over the net =/
This should block everything but port 80 (which is being redirected to your web server) and DNS requests:

/ip firewall filter add chain=forward src-address=CustomerIP protocol=tcp dst-port=!80 action=reject reject-with=icmp-admin-prohibited comment="" disabled=no


/ip firewall filter add chain=forward src-address=CustomerIP protocol=udp dst-port=!53 action=reject reject-with=icmp-admin-prohibited comment="" disabled=no

Posted: Thu Oct 05, 2006 8:18 am
by sergejs
samsoft08, you may disable the other authentication methods for the HotSpot profile.
Provide us with the logs (/log print) from when the client does not authenticate via MAC and the login page is displayed.

Posted: Thu Oct 05, 2006 5:21 pm
by Znuff
dainen: I'm looking for a solution where I can just enable/disable one rule whenever I want to block a customer :-) I'm not the full-time admin of that network, the person who manages it is not that technical, and I want to keep it simple... Eventually I'd make a script that enables/disables that rule :-)
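The filter rules posted above and the "one switch per customer" requirement can be met together with an address list, so the rules are written once and blocking or unblocking a customer is a single add/remove of a list entry. This is an added example, not configuration from anyone in the thread or from the MikroTik wiki. It assumes RouterOS 2.9-style syntax with /ip firewall address-list available, and reuses the customer IP 192.168.10.44 and captive web server 10.10.5.200 from dannyboy's post purely as placeholders. Because the list is keyed by IP, it combines with the arp=reply-only setup the original poster wants to keep: a client who swaps IPs gets no ARP reply, so there is no hotspot-style bypass.

```routeros
# Added example (not from the thread). Assumptions: RouterOS 2.9 syntax,
# customer 192.168.10.44, captive web server 10.10.5.200:80 (placeholder
# addresses taken from dannyboy's example), address-list support present.

# 1. NAT: redirect the listed customers' web traffic to the "please pay" page.
#    Rules match the list, not individual IPs, so they are written once.
/ip firewall nat add chain=dstnat src-address-list=nopay protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.10.5.200 to-ports=80 comment="nopay: captive page"

#    Hairpin case: if the web server is in the same subnet as the customer, its
#    replies go straight back to the client and bypass the router's NAT state,
#    so the TCP handshake never completes (the "forwarded port doesn't accept
#    connections on the local interface" symptom). Masquerade the redirected
#    flow so the replies come back through the router.
/ip firewall nat add chain=srcnat src-address-list=nopay dst-address=10.10.5.200 \
    protocol=tcp dst-port=80 action=masquerade comment="nopay: hairpin"

# 2. Filter: allow only the redirected web traffic and DNS, then reject
#    everything else from the list with no protocol= match, so UDP games,
#    ICMP, GRE and any other IP protocol are covered, not just TCP and UDP.
#    Order matters: the two accepts must sit above the reject, and all three
#    above the normal forward-chain accept rules.
/ip firewall filter add chain=forward src-address-list=nopay protocol=tcp \
    dst-address=10.10.5.200 dst-port=80 action=accept comment="nopay: allow captive page"
/ip firewall filter add chain=forward src-address-list=nopay protocol=udp dst-port=53 \
    action=accept comment="nopay: allow DNS so the browser can resolve names"
/ip firewall filter add chain=forward src-address-list=nopay \
    action=reject reject-with=icmp-admin-prohibited comment="nopay: block the rest"

# 3. Day-to-day operation is one command per customer; the rules never change.
#    Block a customer who has not paid:
/ip firewall address-list add list=nopay address=192.168.10.44 comment="customer 44 unpaid"
#    Unblock after payment:
/ip firewall address-list remove [find list=nopay address=192.168.10.44]
```

When adding the filter rules to an existing ruleset, insert them ahead of the general accept rules (for example with place-before=0) or the customer's traffic will be accepted before the nopay rules are reached. The DNS accept is in the forward chain on the assumption that the customers use an upstream resolver; if the router itself is the DNS server, the matching rule belongs in the input chain instead. Only plain HTTP on port 80 is redirected; everything else, including port 443, is rejected rather than shown the page.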

Posted: Sat Oct 07, 2006 11:02 pm
by dannyboy
Listen,

What I used to do was NAT the users that didn't pay to a web server I had on the network.

do this:
/ip firewall nat add chain=dstnat src-address=192.168.10.44 protocol=tcp action=dst-nat to-addresses=10.10.5.200 to-ports=8085 comment="" disabled=yes

Play with it; I'm not sure if the client IP goes in src-address or dst-address, so swap them around if needed. Since I changed my config to do load balancing NOTHING ELSE WORKS ON MY MT and no one here seems to know or care why...

hope this helps.

Posted: Mon Oct 09, 2006 9:38 pm
by variable
I accomplished this a different way because I don't like hotspot. I have each user defined into a certain IP pool depending on their status, i.e. paid or not. For non-payers I have firewall rules that redirect all traffic in pool nopay to xxx.

Posted: Tue Oct 10, 2006 7:20 am
by dainen
Hi Znuff,

We are in a similar situation: we want the accounts person, who has little tech knowledge, to be able to block people.
With help from AutoHotkey and their forums I put together a crude and nasty script that may help.
It asks for the relevant details, then telnets to the MikroTik and pastes the commands.
I have only tested it on a local network, so latency may be a problem, but you can edit the script to help with that.
http://wwwires.com/captive.rar

You could also edit the script so certain fields are entered automatically.

masquerade or src-nat to-addresses ??

Posted: Wed Oct 11, 2006 3:28 am
by samsoft08
sorry