deathstar444
just joined
Topic Author
Posts: 3
Joined: Mon May 22, 2017 4:20 pm

HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

Wed Nov 14, 2018 3:04 pm

Good Day

So currently I have this problem on a network that I am working on.

Basically I have, let's say, 5 towers, each with a separate IP range, and let's say 100 clients on each tower, and all the clients are getting internet through their PPPoE connection to the tower and authentication to RADIUS.

Then I have a separate IP range from which I am giving the clients' wireless uplinks an IP each, and pushing down a DHCP option to them to route a certain destination through the uplink for the clients' VoIP connections, which is not influenced by the PPPoE queue. Then at the end point, the certain destination from the certain source ranges is being NATed only, so the client cannot get internet coming through that range when their PPPoE goes down.

The problem I have is that when the client's connection goes down there will be an alternative default route over the uplink IP, which will not provide them internet, but when the client tries to access any site on the internet I need it to redirect to an alternative website, so basically port 80 and 443, HTTP and HTTPS sites all need to redirect to the alternative website.

I want to do this at the end point of the network where I am currently NATing the VoIP destination range; when the traffic gets there it must redirect to the alternative website.

Does someone possibly know what options I have for that, that will work for both HTTP and HTTPS?

Thanks
 
R1CH
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

Thu Nov 15, 2018 1:25 am

For HTTP sure, just DNAT them to your webserver. There is no way to do this for HTTPS though.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

Thu Nov 15, 2018 7:07 am

Just DNAT the :443 traffic to a webserver configured to match anything (simple/default Apache configuration).

The clients will get a cert warning because it is very likely that your client request will not match the request (unless they directly went to a URI that matches the Apache server name). As soon as they click through the cert warning you'll be up and running. You can then redirect them to a URI that's trusted properly with a valid SSL certificate to restore the magic green bar/lock.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

Thu Nov 15, 2018 7:26 am

That is not a "certificate warning". That is a "certificate error". And every day more and more servers use a stricter policy (HSTS etc...) which browsers interpret as unskippable. So more and more often, users simply can't skip it.
Personally, I consider it terrible practice when someone designs a service in a way that forces users to skip security errors. This literally teaches BFU to ignore security errors and skip them without thinking. In the end it leads to compromised security (because people can't know when it is fine to skip it and when it is a bad hacker and they should not skip it).

HTTPS simply needs to be considered non-redirectable. It is better to block it completely than break security by redirection.
 
deathstar444
just joined
Topic Author
Posts: 3
Joined: Mon May 22, 2017 4:20 pm

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

Thu Nov 15, 2018 8:28 am

> Just DNAT the :443 traffic to a webserver configured to match anything (simple/default Apache configuration).
>
> The clients will get a cert warning because it is very likely that your client request will not match the request (unless they directly went to a URI that matches the Apache server name). As soon as they click through the cert warning you'll be up and running. You can then redirect them to a URI that's trusted properly with a valid SSL certificate to restore the magic green bar/lock.

Thank you for the information, much appreciated. Do you possibly have a website where I can get information on setting up an Apache web server like this, and on the Apache web server will I be able to redirect this to another URL?

Thanks
 
deathstar444
just joined
Topic Author
Posts: 3
Joined: Mon May 22, 2017 4:20 pm

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

Thu Nov 15, 2018 8:29 am

> That is not a "certificate warning". That is a "certificate error". And every day more and more servers use a stricter policy (HSTS etc...) which browsers interpret as unskippable. So more and more often, users simply can't skip it.
> Personally, I consider it terrible practice when someone designs a service in a way that forces users to skip security errors. This literally teaches BFU to ignore security errors and skip them without thinking. In the end it leads to compromised security (because people can't know when it is fine to skip it and when it is a bad hacker and they should not skip it).
>
> HTTPS simply needs to be considered non-redirectable. It is better to block it completely than break security by redirection.

Thank you for the information. I will look at all viable options first and decide on the best option for the clients, but looking at your reply it seems like a risk as well. Thanks
 
R1CH
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: HTTP/HTTPS/All Traffic Redirect To Certain Website At End Point Router From Specific Ip Range

Fri Nov 16, 2018 2:11 am

> The clients will get a cert warning because it is very likely that your client request will not match the request (unless they directly went to a URI that matches the Apache server name). As soon as they click through the cert warning you'll be up and running. You can then redirect them to a URI that's trusted properly with a valid SSL certificate to restore the magic green bar/lock.

This is rather irresponsible advice; as a network operator you should not be putting users in a place where they get accustomed to clicking through SSL errors. The error you get from a hotspot CN mismatch and the error from an attacker at a coffee shop stealing bank credentials are identical. Both messages should never be clicked through by a user, and the best way to encourage that behavior is to never inject those kinds of errors into your network.
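
The approach the replies above converge on (DNAT plain HTTP to a notice server, refuse HTTPS instead of redirecting it), sketched as RouterOS rules. This is an added example, not posted by anyone in the thread; the address ranges, the list names `uplink-clients` and `uplink-allowed`, and the notice server IP are placeholders.

```routeros
# Added example with placeholder values (not from the thread):
#   10.200.0.0/16    uplink (fallback) range handed to the clients
#   198.51.100.0/24  VoIP destination range that must keep working
#   192.0.2.10       web server hosting the notice page
/ip firewall address-list
add list=uplink-clients address=10.200.0.0/16
add list=uplink-allowed address=198.51.100.0/24 comment="VoIP destinations"
add list=uplink-allowed address=192.0.2.10 comment="notice web server"

/ip firewall nat
# Plain HTTP only: rewrite the destination to the notice server.
# The server must answer for any Host header, since clients asked for other sites.
add chain=dstnat protocol=tcp dst-port=80 src-address-list=uplink-clients \
    dst-address-list=!uplink-allowed action=dst-nat \
    to-addresses=192.0.2.10 to-ports=80 \
    comment="uplink fallback: HTTP to notice page"

/ip firewall filter
# HTTPS is not redirected. A TCP reset makes the browser fail fast with a
# connection error, so no certificate error is ever shown to the user.
add chain=forward protocol=tcp dst-port=443 src-address-list=uplink-clients \
    dst-address-list=!uplink-allowed action=reject reject-with=tcp-reset \
    comment="uplink fallback: refuse HTTPS"
# Everything else from the fallback range that is not VoIP or the notice
# server is dropped (the DNATed HTTP already has 192.0.2.10 as destination here).
add chain=forward src-address-list=uplink-clients \
    dst-address-list=!uplink-allowed action=drop \
    comment="uplink fallback: drop the rest"
```

Clients in the fallback range still need a reachable DNS resolver, or the browser never gets as far as opening the port 80 connection; with the rules above that resolver has to be added to `uplink-allowed`.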
