Syed Jahanzaib Personal Blog to Share Knowledge !

November 14, 2012

Non Payment Reminder for PPPoE/HOTSPOT Clients in Mikrotik

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 10:44 AM

Another post in this series, for a User Manager based setup:

https://aacable.wordpress.com/2013/12/03/automating-non-payment-reminder-for-user-manager-expired-accounts/

 

The following is a short how-to (written at a friend's request) on redirecting non-payment / expired PPPoE users to a page informing them that their account has been suspended due to non-payment. In this guide I used a PPPoE server only, but you can apply the same approach to HOTSPOT or other services. Remember, the methods can vary, but the logic remains the same in most cases.

For example, when you want to block a user for non-payment, just change the user's profile to the expired users profile. The user will still be able to connect using his ID (PPPoE dialer), but when he tries to browse the internet he will be redirected to your local web server page, where he will be informed that his/her account has been suspended due to non-payment (as shown in the image above). This is sometimes helpful for other purposes too: for example, you can configure / schedule a payment reminder that is shown to users at specific dates/times for a few seconds / minutes, after which the user can resume surfing. But that's another story.

To keep this guide short, I assume you have a working PPPoE server in place with the following configuration.
[Change the IP scheme to match your local requirements/network.]


 

For example, you may have a PPPoE server configured with the following scheme:

Mikrotik PPPoE Server IP = 10.0.0.1
Mikrotik User DHCP Pool = 10.0.0.0/8

Mikrotik PPPoE Pool = 172.16.0.0/16

Now create an expired IP pool, so that non-payment users can be distinguished, and an expired users profile, so that when we want to block any user we simply change that user's profile to the expired profile.


 

Adding IP pool for Expired / Non Payment Users

/ip pool
add name=Expired-Pool ranges=172.16.1.1-172.16.1.255

 

Adding Profile for Expired / Non Payment Users

/ppp profile
add change-tcp-mss=default dns-server=10.0.0.1 local-address=10.0.0.1 name=pppoe-expired only-one=default rate-limit=128k/128k remote-address=\
Expired-Pool use-compression=default use-encryption=default use-ipv6=yes use-mpls=default use-vj-compression=default

 

Enabling Mikrotik Web.Proxy for Expired / Non Payment Users

Now enable the web proxy, so that expired pool users can be redirected to the local proxy, where they will be denied and redirected to the non-payment page on a local web server.

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 \
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0

 

Redirecting Expired User Requests from web.proxy to any local web server page

Now create a rule in the web proxy that blocks access from the non-payment / expired IP pool and redirects it to the local web server page.

/ip proxy access
add action=deny disabled=no dst-port="" redirect-to=10.0.0.2/nonpayment/nonpayment.htm src-address=172.16.1.0/24

10.0.0.2 is the local web server where the non-payment page is uploaded.

You must create a normal HTML page (containing the non-payment message) and upload it to a web server of your choice, either local (preferred) or remote. If it is local you won't have to create any further rules; if it is on a remote server, such as one on the internet, you have to allow users to access that particular site folder and place those rules on top.


 

Adding NAT Rule to redirect Expired / Non Payment Users to local web proxy

Now add a NAT rule so that only users from the expired IP pool are redirected to the local web proxy, which in turn redirects them to the local web server page.

/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=172.16.1.0/24 to-ports=8080

 

Restrict Access for Expired Users so they cannot use any other internet service

Now add a filter rule to restrict expired IP pool users so that they cannot access other internet services.

/ip firewall filter
add action=reject chain=forward disabled=no dst-port=!80,8080 protocol=tcp reject-with=icmp-network-unreachable src-address=172.16.1.1-172.16.1.255
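
To check which traffic from the expired pool the NAT and filter rules above actually cover, the following Python model walks constructed sample flows through them. It is an added example, not part of the original post and not RouterOS code; it assumes no other NAT or filter rules exist (default accept), and strict_rule is a hypothetical variant of the filter rule without the protocol and port matchers.

```python
# Added example: a model of the page's PPPoE rules, not RouterOS code.
# Assumes no other NAT/filter rules exist and the default action is accept.
from ipaddress import ip_address, ip_network
from typing import Callable, NamedTuple

EXPIRED_POOL = ip_network("172.16.1.0/24")  # Expired-Pool range from the page
ROUTER = ip_address("10.0.0.1")             # PPPoE server, DNS and web proxy


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # 0 when the protocol has no ports


def page_rule(f: Flow) -> bool:
    """Page's filter: protocol=tcp dst-port=!80,8080 action=reject."""
    return f.proto == "tcp" and f.dport not in (80, 8080)


def strict_rule(f: Flow) -> bool:
    """Hypothetical variant with no protocol/port matcher: reject it all."""
    return True


def verdict(f: Flow, forward_rule: Callable[[Flow], bool] = page_rule) -> str:
    """Follow one new connection through dstnat and then the filter chains."""
    if ip_address(f.src) not in EXPIRED_POOL:
        return "not-expired"          # none of the page's rules match
    # dstnat: protocol=tcp dst-port=80 action=redirect to-ports=8080
    if f.proto == "tcp" and f.dport == 80:
        return "proxy"                # proxy denies and redirects to the notice
    # Packets addressed to the router use the input chain, which the PPPoE
    # section leaves unfiltered (DNS to 10.0.0.1 keeps working this way).
    if ip_address(f.dst) == ROUTER:
        return "input"
    # Everything else is forwarded and is tested against the reject rule.
    return "rejected" if forward_rule(f) else "forwarded"


# Constructed sample flows (203.0.113.0/24 is a documentation range).
SAMPLES = [
    Flow("172.16.1.10", "203.0.113.5", "tcp", 80),
    Flow("172.16.1.10", "203.0.113.5", "tcp", 443),
    Flow("172.16.1.10", "203.0.113.5", "tcp", 8080),
    Flow("172.16.1.10", "203.0.113.5", "udp", 5000),
    Flow("172.16.1.10", "203.0.113.5", "icmp"),
    Flow("172.16.1.10", "10.0.0.1", "udp", 53),
    Flow("172.16.0.10", "203.0.113.5", "tcp", 443),
]


def still_forwarded(rule: Callable[[Flow], bool]) -> list:
    """Sample flows from the expired pool that the given rule lets through."""
    return [f for f in SAMPLES if verdict(f, rule) == "forwarded"]


if __name__ == "__main__":
    for flow in SAMPLES:
        print(flow, "->", verdict(flow), "| strict:", verdict(flow, strict_rule))
```

Because the page's rule matches TCP only, the model reports the UDP, ICMP and TCP 8080 samples as still forwarded; with the hypothetical strict_rule they are rejected, while redirected HTTP and DNS to the router are unaffected.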

Now, when you want to block any user for non-payment, just change his profile to the pppoe-expired profile.

As shown in the image below . . .

Now the user will still be able to connect to the PPPoE server, but he will get an IP from the expired pool and will therefore be treated according to the rules we created for these users :~) As shown in the image below . . .

Note: You must create a normal page and upload it to a web server of your choice, either local (preferred) or remote. If it is local you won't have to create any further rules; if it is on a remote server, such as one on the internet, you have to allow users to access that particular site folder and place those rules on top.

 


 


 

Tips for HOTSPOT

Using the above method you can also implement a non-payment reminder for HOTSPOT users. I assume you already have a working HOTSPOT in place.

Mikrotik HOTSPOT Server IP = 101.11.11.241
Mikrotik HOTSPOT DHCP Pool = 101.11.11.0/8

Mikrotik HOTSPOT Expired/NON_Payment Users Pool = 101.11.21.0/24

First, add an expired IP pool for expired/non-payment users.

/ip pool
add name=expired-pool ranges=101.11.21.1-101.11.21.255

Now add a profile for expired/non-payment users.

/ip hotspot user profile
add address-pool=expired-pool idle-timeout=none keepalive-timeout=2m name=expired-profile shared-users=1 status-autorefresh=1m transparent-proxy=no

Now enable the web proxy service so that expired users can be redirected to the web proxy, which redirects them to the local web server showing the non-payment page.

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 \
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0

In the proxy, add a rule to block and redirect only the expired/non-payment IP pool.

/ip proxy access
add action=deny disabled=no dst-port="" redirect-to=101.11.11.240/nonpayment/nonpayment.htm src-address=101.11.21.0/24

101.11.11.240 is the local web server IP.

Create a NAT rule to redirect expired/non-payment users to the local web proxy. Move this rule to the end of the NAT list.

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network-DEFAULT RULE, ADD ONLY ALLOWED USER IPS RANGE HERE e.g" disabled=no src-address=101.11.11.1-101.11.11.255
add action=redirect chain=dstnat comment="Redirect Expired Users to Proxy" disabled=no dst-address=!101.11.11.241 dst-port=80 protocol=tcp to-ports=8080

Remember: in the HOTSPOT default masquerading rule, you must add only the allowed users' IP range. So add the second rule at the end, which will actually redirect only the expired IP pool to the local web proxy (the red one).

Create a firewall filter rule to restrict access for expired/non-payment users only. Move this rule to the end of the filter list.

/ip firewall filter
add action=reject chain=input disabled=no dst-port=!80,8080,53 protocol=tcp reject-with=icmp-network-unreachable src-address=101.11.21.0/24

Finally, create a user and tag him with expired-profile.

/ip hotspot user
add disabled=no name=admin password=admin profile=default
add disabled=no name=test password=test profile=expired-profile server=hotspot1

Now, from the user end, try to browse any site: the hotspot login page will appear. Log in with the test ID and try to browse; you will be redirected to your local web server page showing the non-payment reminder.

Remember: rule placement is very important in this method. If you misplace the rules, you will not get the desired results.


 

Regards,
Syed Jahanzaib

52 Comments »

  1. Nice info sir, many thanks

    Regards.
    LM
    Sent from my BlackBerry® via Smartfren EVDO Network

    Comment by projectionistlutful@gmail.com — November 14, 2012 @ 10:49 AM

  2. Good Info Jahanzaib bhai

    Comment by Amjad Iqbal — November 14, 2012 @ 1:55 PM

  3. Hi Sayd, nice tutorial as always:)!!!
    I have one question how to configure it if we use mikrotik UserManager?..
    Thank you in advance

    Comment by Nick — November 14, 2012 @ 7:06 PM

    • This can work with UserMAN only if you are not using any time limit for user.
      If you are using a time-based voucher, like an account that will expire after one month, then you won't be able to use this feature. You can manually change the profile via user man.

      Some testing is required for this purpose. Go ahead and test.
      I haven't tested it yet.

      Comment by Syed Jahanzaib / Pinochio~:) — November 15, 2012 @ 10:10 AM

  4. Very nice job.. thanks a lot. I am sure I will be using it soon..!
    Thanks again

    George V.
    Rhodes, Greece

    Comment by George Vangopoulos — November 15, 2012 @ 4:57 AM

  5. Nice sharing Jahanzaib bhai !!

    Comment by faizan — November 15, 2012 @ 12:34 PM

  6. Zaib bhai, I have a little confusion about the IPs, please solve it. My LAN IP is 192.168.0.1 and my WAN IP is 192.168.1.2.

    Comment by Saim — November 15, 2012 @ 6:55 PM

  7. what should i do if i have placed error message on internet??

    Comment by waqar ahmad — November 15, 2012 @ 7:26 PM

    • allow the required sites/domains folder for expired users, where the page is hosted and move this rule before NAT rule which redirects the expired users to local proxy. OR in proxy allow the required sites and move them on top,

      Comment by Syed Jahanzaib / Pinochio~:) — November 18, 2012 @ 3:46 PM

  8. thanks for sharing nice article, in hotspot skype is still working

    Comment by alikhan — November 16, 2012 @ 1:16 AM

  9. Dear Sir, great jobs, this profile pictures attached please

    Comment by Matloob Hussain — November 16, 2012 @ 11:23 AM

  10. Great sir, but I have an issue with both hotspot and PPPoE server. Neither worked for me while testing.
    Hotspot and PPPoE work with normal profiles to access the internet, but when expired-profile is selected the user logs in, yet neither the local web server nor the Mikrotik server can be pinged, nor can the nonpayment page be seen or browsed.
    So is there any other ROUTE or firewall setting to be done besides this, which is not mentioned above?

    Comment by Abdur Rehman — November 17, 2012 @ 9:41 AM

  11. sir plz you talk to me
    how add webpage html past
    Sir, can you tell me whether we can make this HTML page ourselves, and after making it how can we paste it? Will this page be pasted in the files? Please give full information about this.

    Comment by mani — November 17, 2012 @ 6:15 PM

  12. Nice sharing Jahanzaib bhai

    Comment by SHAHBAZ COMMANDO — November 17, 2012 @ 10:36 PM

  13. Sir, please send the link for user main, please

    Comment by shaeelmemon — November 18, 2012 @ 11:43 PM

  14. Dear sir,

    My preferred scenario is 01 = WAN (with so many dsl routers on the same wan with different ips or different range of ips) 01 = LAN (with hotspot and PPPOE service running)

    I need:
    01. My Hotspot/PPPOE clients messenger, skype, yahoo, fring and other messenger may use one of my designated dsl router.
    02. Browsing services may also be designated by me on at least 02 alternate dsl routers.
    03. My clients may look for their downloading on again one of my choice dsl router.
    04. Expired hotspot/pppoe clients may be redirected to non-payment.
    *if above is not possible My every single PPPOE client may get the service UP/DOWN from one of dsl routers on MY MIKROTIK wan.

    hoping for a positive response. Muhammad Abrar sky2serv@gmail.com

    Comment by Muhammad Abrar — November 20, 2012 @ 3:02 PM

    • Dear sir
      I also get errors when putting the nonpayment page on the internet. Page not found. Can you please give us a tutorial on how to configure correct rules for it to work?
      I love your tutorials.

      Comment by Lascel — November 21, 2012 @ 11:47 AM

      • You have to allow the required URLs and allow them before any deny / redirect rule.

        Comment by Syed Jahanzaib / Pinochio~:) — November 21, 2012 @ 3:43 PM

      • “You have to allow the required URLs and allow them before any deny / redirect rule.”
        Sir, please can you tell me the steps to create the rule for this, like I want to redirect the user to http://example.com/nonpayment.html

        Comment by Asim — November 26, 2012 @ 2:57 AM

    • Yes, it's possible, but due to the very high customization you require, it's not possible to give you the complete step by step guide. Only paid support can fulfill your requirements.

      Comment by Syed Jahanzaib / Pinochio~:) — November 21, 2012 @ 3:57 PM

  15. Hello again sir
    I did not mean you should do my complete config, just some pointers in the right direction, but it's not necessary anymore because I've noticed that in the webproxy you must not put the IP address of your website but instead use the complete site name to redirect to.
    And voila it worked like a charm

    Comment by Lascel — November 21, 2012 @ 7:18 PM

  16. Hi sir i tried many times to post a question on your blog but I don’t know what going out I can’t see any of my post
    maybe i’m doing error some where

    Comment by Marcel Fossua — November 26, 2012 @ 1:35 AM

  17. cool seems to be ok now
    then Please I would like to have some help on this issue

    I have a vsat installation with /28 publics ip then I would like to set an RB750 on top of the installation as on the chart below
    _______________ ____________ 66.86.98.xx4/28 ___________
    Vsat———–| Cisco 2800 |—-66.86.98.x2/28—-e1—————|RB 750 |–e3—–Client A——-| FW |
    |_______________| |___________ | |___________|
    66.86.98.x1/28 e2 | 66.86.98.xx3/28
    |
    Client B

    but I need the RB 750 just for bandwidth management I have some tips how to handle the queues
    but now my main problem is the public ip without any nat
    let say Client A on ether2 and clientB on ether3 just like a switch but with bandwidth management (CIR/MIR and bursting)
    please I don’t know if my explanation of the problem is clear so please can you give me some solution?? Thanks very much

    Comment by Marcel Fossua — November 26, 2012 @ 1:54 AM

  18. Finally I will try this setup, it looks more or less like what I want: http://wiki.mikrotik.com/wiki/TransparentTrafficShaper
    thanks anyway

    Comment by Marcel Fossua — November 26, 2012 @ 4:45 AM

  19. Hello Sir ,

    Is it necessary to configure any other proxy settings on the clients pc-s ?

    Thank you !

    Comment by Gjergji — December 12, 2012 @ 12:41 AM

  20. hello i want to get a cracked version of radius manager 4 , and install it , how i can get it plz

    Comment by joe — December 31, 2012 @ 5:11 AM

  21. Sir,
    How to config squid on fedora 15 with single NIC
    I want to config Mikrotik 750 all are on public ip
    1. ether1 WAN link
    2. ether2 Cybroam usermanager
    3. ether3 Squid/lusca in fedora 15
    give my any idea

    Comment by lalit — January 20, 2013 @ 9:58 PM

    • On the Squid server, set its default gateway pointing to Mikrotik. Also create a NAT rule that NATs all traffic coming from the Squid IP to the WAN interface.

      Comment by Syed Jahanzaib / Pinochio~:) — January 21, 2013 @ 10:53 AM

  22. Salaam sir, how are you? Sir, can you tell me where the HTML page has to be pasted? I have done what you wrote for PPPoE, but no page like yours is showing up. Can you tell me what the reason is?

    Comment by noman — January 21, 2013 @ 12:09 PM

  23. Dear Sir,
    i have a problem, Some time i check the 1 Mb Shared user on my Mikrotik RB750GL, speed will not be shared as a 0.5 & 0.5 on Shared account. 1 Mb & 1 MB is using Same ID. kindly check it plz

    kindly check it plz.

    Comment by adeelhafeez786 — January 22, 2013 @ 1:13 AM

  24. aslam-alikum…
    I am a new person of Ubuntu. Now I am installing by your guidance of DMA Softlab RM, but in the installing process I have some command problems. Please send to my email the full details of the commands, please.. please

    Comment by prasad — January 27, 2013 @ 10:28 AM

  25. Great sir, at last I succeeded. I do experiments in VMware as a hobby.
    I configured it with user-manager by creating two profiles in user-manager, and it worked for both PPPoE and Hotspot. But I have to switch the profile from the user-manager web interface. Is there any way to switch these profiles from the terminal (console) in user-manager ??
    Thanks in advance

    Comment by Abdul Rehman — February 5, 2013 @ 12:38 PM

  26. Assalamualikum sir
    How to share a folder like cable networks, they have their own link of shared folder like songs, movies and many things, software in cable network .. how can I make something like this on Mikrotik PPPoE server or hotspot ?

    Comment by Ali Khan — February 18, 2013 @ 5:46 AM

  27. thanks Sir

    Comment by Ali Khan — February 19, 2013 @ 4:00 AM

  28. I have tried it on hotspot, but it is not giving hits in the web proxy.
    I pasted the redirect rule at the end in NAT,
    and I also pasted the filter (reject) rule at the end.
    The filter rule is getting hits, but the redirect one is not.
    As you said, the redirect rule has to be kept at the end and only the LAN IPs are to be masqueraded; I did exactly that, but the redirect rule is not getting hits. Can you please tell me about this?

    Comment by Taher Ahmed Ghouri — March 16, 2013 @ 3:08 AM

  29. Thanks For Sharing Jehanzaib Bhai!!!!

    Comment by Suleman Mughal — March 30, 2013 @ 12:23 PM

  30. friend.
    You’ve done a very good job.
    I ask you to do me a tutorial on how to make website with photos.
    we do not accept html web proxy with photos.

    like and how to make the notification two days before the final payment by a certain time.
    I used http://translate.google.com/

    Comment by denet — May 6, 2013 @ 2:27 AM

  31. Hello Sir
    How can i do it in “Queues – PCQ” System

    Comment by Molla S. Islam Rabby — July 29, 2013 @ 9:23 AM

  32. Salam
    As per you advised me today on fb i designed the same on my mikrotik box, but it is not working with the radius manager is it possible it also redirect the radius user to that page???

    Comment by Abidali — August 18, 2013 @ 6:08 PM

  33. Asalam o Alikum sir, is these rules are work with load balancing i m using your script of 2 wan load balancing and hotspot server can i use these scripts for reminder.

    Comment by Ip Man — October 29, 2013 @ 10:46 PM

  34. hi,
    how to reject all person not connected pppoe to access the Internet. Even if he has the address of my pppoe Network.

    Comment by Alex Monkam — December 26, 2013 @ 4:32 PM

  35. any difference between 101.11.11.241 and 101.11.11.240 ??? i am confused… Help

    Comment by Asad Ali — January 27, 2014 @ 3:10 PM

  36. Please give a picture or video tutorial for hotspot non payment reminder or recommend me any other post… I did the above steps but was unsuccessful…

    Comment by Asad Ali — January 27, 2014 @ 3:31 PM

  37. Which addresses are these, and which one is the web server where the PPPoE non-payment page is to be loaded?

    Mikrotik PPPoE Server IP = 10.0.0.1
    Mikrotik User DHCP Pool = 10.0.0.0/8
    Mikrotik PPPoE Pool = 172.16.0.0/16

    Comment by Naseer Ahmad — June 8, 2014 @ 11:08 PM

  38. Skype is still working

    Comment by Hassan zia — August 22, 2015 @ 12:27 PM

