I'm trying to make the following scheme work:
1. The MikroTik gives IPs to the LAN via its DHCP server. Let's suppose the DHCP pool is 192.168.0.0/24, so I
am creating an address-list=CLIENTS with 192.168.0.0/24,
and before giving them access to the Internet, I send CLIENTS to a web-server page where they need to log in, and then they will be sent to address-list=CLIENTS_LOGON. Here is the code which redirects them to the WEB server:
ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.0.0.10 to-ports=80 protocol=tcp dst-address=0.0.0.0/0 src-address-list=CLIENTS dst-port=80
The problem is that I don't know how to give them access when they are in address-list=CLIENTS_LOGON and the rule above is in place.
Masquerade is not appropriate, because when a user wants to log out on the 10.0.0.10 web page, the page will see the IP of the MikroTik's output interface. I will NAT 192.168.0.0/24 on the WEB server.
Could someone suggest a solution to this problem?
It would be much appreciated.
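
One way to order the rules for the scheme described above, as an added example that is not part of the original post. The WAN interface name ether1-wan, the sample client address in the comment, and DNS being served by the router itself are assumptions.

```routeros
# Added example, not from the original post.
# Assumptions: WAN interface is named ether1-wan (hypothetical name);
# clients use the router itself for DNS, so DNS does not cross the forward chain.

/ip firewall address-list
# The DHCP pool from the post.
add list=CLIENTS address=192.168.0.0/24 comment="DHCP pool"
# After a successful login the portal adds the client to CLIENTS_LOGON, e.g.
# (constructed address): add list=CLIENTS_LOGON address=192.168.0.50 timeout=8h

/ip firewall nat
# 1. Logged-in clients: action=accept in dstnat stops NAT rule processing for
#    the connection, so the redirect in rule 2 never applies to them.
add chain=dstnat action=accept src-address-list=CLIENTS_LOGON \
    comment="logged-in clients bypass the portal redirect"
# 2. Everyone else in CLIENTS: HTTP goes to the portal (the rule from the post).
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    src-address-list=CLIENTS to-addresses=10.0.0.10 to-ports=80 \
    comment="not-yet-logged-in clients are sent to the portal"
# 3. Source NAT only for logged-in clients leaving via the WAN, and never for
#    traffic to the portal, so 10.0.0.10 sees the real 192.168.0.x address
#    at login and at logout.
add chain=srcnat action=masquerade out-interface=ether1-wan \
    src-address-list=CLIENTS_LOGON dst-address=!10.0.0.10 \
    comment="masquerade Internet traffic, not portal traffic"

/ip firewall filter
# Without these, a client that has not logged in could still reach the
# Internet on any port other than 80 (HTTPS, for instance).
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept protocol=tcp dst-port=80 \
    src-address-list=CLIENTS dst-address=10.0.0.10 \
    comment="any client may reach the portal"
add chain=forward action=accept src-address-list=CLIENTS_LOGON \
    out-interface=ether1-wan comment="logged-in clients may reach the Internet"
add chain=forward action=drop src-address-list=CLIENTS \
    comment="everything else from the pool is dropped"
```

Rule order is what makes this work: `add` appends to the end of each chain, so on a router with existing rules the positions need checking with `print`. Connections that were already redirected before login keep their NAT mapping until they close.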