cdman
newbie
Topic Author
Posts: 29
Joined: Sun Jan 01, 2006 11:47 pm
Location: Bulgaria/Sofia

Modern way to stop ISP customers with WEB redirect

Mon Mar 27, 2023 10:57 pm

Hi guys, a long time ago - before all browsers went to HTTPS - we had simple rules in IP->Firewall->NAT to redirect port 80 for our stopped customers (who are not paying tax) to some NGINX server IP:port, which shows a page with simple text like:

Your internet is stopped. You can call us on 12345676 or visit our website http://some-site.com/

This way stopped customers know that they forgot to pay, instead of calling about the internet not working, and you can also give them some options listed on that page.

Now - in 2023 (modern times) - all browsers default to HTTPS, and 99% of the sites require HTTPS. So DNAT rules for port 80 do not work anymore, and the same rules for port 443 do not work either, because of the way SSL works.

I tried even to redirect customers to PROXY - but this also does not work with HTTPS.

So the question is: what is the current modern way to show a message to customers via a WEB page when they forgot to pay? I have seen some companies still do this and it works perfectly - obviously not with a simple firewall redirect.

Any ideas ?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Modern way to stop ISP customers with WEB redirect

Mon Mar 27, 2023 11:02 pm

Are you using hotspot functionality?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Modern way to stop ISP customers with WEB redirect

Mon Mar 27, 2023 11:09 pm

> Any ideas ?

My users, if they do not pay, receive one SMS instead of the connection being blindly disabled.
If they still do not pay, after 7 days we call the user.
If they do not answer and still do not pay, after 7 days they receive another SMS and the connection is completely blocked.
If they still do not pay, after 7 days the debt collection institution intervenes, and then the law court.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Modern way to stop ISP customers with WEB redirect

Mon Mar 27, 2023 11:22 pm

Sometimes redirection works when you actively reject the connections of clients who forgot to pay.

Change the drop action to a reject action using
reject-with=icmp-host-prohibited
tcp reset can help too.

You can try the different options available on the drop rule.
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Modern way to stop ISP customers with WEB redirect

Mon Mar 27, 2023 11:49 pm

The modern way is to reject their auth request via AAA/RADIUS, that's it. With DHCP of course, you need to configure additional options for security.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Modern way to stop ISP customers with WEB redirect

Tue Mar 28, 2023 12:03 am

You can use a DNS server which has the functionality, for an IP list of such users, to reply to any DNS request with the same IP (the IP of your web server hosting that page), like DNS spoofing. This will partially work: if some website replies with an HSTS header and the user has already visited that page, the browser will remember that and still return a warning that the connection is not secure, but if the host is visited for the first time, is not in the browser cache, or the website is not setting an HSTS header, it will work.
You can try it by simply adding the IP of your local webserver for some host.domains in your hosts file and seeing in your browser how it works.

Edit: Also, for that you will need hairpin NAT on the router for the DNS port and the IP of your DNS server.
Edit2: Maybe you do not need to find a DNS server which can respond per IP; just set up an additional DNS server which will return the same IP for any request, and you can dynamically manage hairpin NAT rules on the router for the IP addresses that are blocked. The HSTS issue still persists...
 
cdman
newbie
Topic Author
Posts: 29
Joined: Sun Jan 01, 2006 11:47 pm
Location: Bulgaria/Sofia

Re: Modern way to stop ISP customers with WEB redirect

Tue Mar 28, 2023 6:22 am

> Are you using hotspot functionality?

Nope, we use mainly PPPoE or DHCP for users

> > Any ideas ?
>
> My users, if they do not pay, receive one SMS instead of the connection being blindly disabled.
> If they still do not pay, after 7 days we call the user.
> If they do not answer and still do not pay, after 7 days they receive another SMS and the connection is completely blocked.
> If they still do not pay, after 7 days the debt collection institution intervenes, and then the law court.

Yes - we are using SMS warnings, it works very well, but still many of the companies prefer to have that kind of screen with instructions for the user - where and how they can pay and so on.

> The modern way is to reject their auth request via AAA/RADIUS, that's it. With DHCP of course, you need to configure additional options for security.

But rejecting AUTH will lead to no internet I guess. Some devices like Huawei routers have an option to redirect the user to some SITE for information - though we don't know how they do it :)

> You can use a DNS server which has the functionality, for an IP list of such users, to reply to any DNS request with the same IP (the IP of your web server hosting that page), like DNS spoofing. This will partially work: if some website replies with an HSTS header and the user has already visited that page, the browser will remember that and still return a warning that the connection is not secure, but if the host is visited for the first time, is not in the browser cache, or the website is not setting an HSTS header, it will work.
> You can try it by simply adding the IP of your local webserver for some host.domains in your hosts file and seeing in your browser how it works.
>
> Edit: Also, for that you will need hairpin NAT on the router for the DNS port and the IP of your DNS server.
> Edit2: Maybe you do not need to find a DNS server which can respond per IP; just set up an additional DNS server which will return the same IP for any request, and you can dynamically manage hairpin NAT rules on the router for the IP addresses that are blocked. The HSTS issue still persists...

DNS redirect was one of the ideas we thought about. It should be pretty simple to set up a DNS server with FAKE zones inside, all leading to the same IP. Though I was worried about the DNS cache in end user routers / PCs, but now you say there is another problem like HSTS, so maybe it will not work 100%
 
reinerotto
Long time Member
Posts: 519
Joined: Thu Dec 04, 2008 2:35 am

Re: Modern way to stop ISP customers with WEB redirect

Tue Mar 28, 2023 9:39 am

> Some devices like Huawei routers have an option to redirect the user to some SITE for information - though we don't know how they do it

Interesting. Did you verify that this also worked flawlessly for HSTS sites?
 
cdman
newbie
Topic Author
Posts: 29
Joined: Sun Jan 01, 2006 11:47 pm
Location: Bulgaria/Sofia

Re: Modern way to stop ISP customers with WEB redirect

Tue Mar 28, 2023 11:34 am

Most probably yes - but I have to double check this.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Modern way to stop ISP customers with WEB redirect

Tue Mar 28, 2023 12:04 pm

Most modern OSes have some functionality for "detect portal". When they connect to WiFi, they attempt to download some http page (which page varies by OS) and when that does not succeed, they follow any redirects that they get. This is intended for WiFi networks that first want the user to read and accept "terms & conditions", or where the user needs to enter some password or voucher code (like in "hotspot").
So with your old method of redirecting all port 80 traffic to a single server, and blocking all other traffic, you will still reach some customers.
Not everyone, of course.

This is likely also the method referred to above. It is not foolproof, but it is what you have available.
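
An added example, not part of the original posts: a minimal responder for the server that the port-80 redirect lands on, answering every foreign Host (an OS portal probe included) with a temporary redirect to the notice page. The host name `notice.isp.example`, port 8080 and the sample probe hosts are assumptions made for illustration.

```python
"""Notice server for blocked customers: the target of the port-80 redirect."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumptions for illustration (not from the thread): host name and port.
# The name must resolve for blocked customers; their port-80 traffic to it
# is redirected back to this server like everything else.
NOTICE_HOST = "notice.isp.example"
NOTICE_URL = f"http://{NOTICE_HOST}/"
NOTICE_HTML = (b"<html><body><h1>Your internet is stopped.</h1>"
               b"<p>Call us or visit our website to pay.</p></body></html>")
NO_CACHE = {"Cache-Control": "no-store"}


def decide(host_header):
    """Map one redirected request to (status, headers, body)."""
    host = (host_header or "").split(":")[0].strip().lower()
    if host == NOTICE_HOST:
        headers = {"Content-Type": "text/html; charset=utf-8", **NO_CACHE}
        return 200, headers, NOTICE_HTML
    # Any other Host means the client wanted a different site, or it is an
    # OS portal probe expecting a fixed answer (for example an empty 204).
    # Portal detection follows the redirect and opens the notice page.
    # Use 302, never 301: a cached permanent redirect would outlive the block.
    return 302, {"Location": NOTICE_URL, **NO_CACHE}, b""


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = decide(self.headers.get("Host"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_HEAD = do_GET


if __name__ == "__main__":
    # Constructed sample probes; which page is fetched varies by OS.
    for probe in ("connectivitycheck.gstatic.com", "captive.apple.com",
                  NOTICE_HOST):
        print(probe, "->", decide(probe)[0])
    ThreadingHTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

This only ever sees plain HTTP; connections to port 443 cannot be answered this way without a certificate warning, which is the limitation discussed throughout the thread.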
