Note: this method works with HTTP only.
another series for user manager base setup
The following is a short how-to (written at the request of a friend) on redirecting non-payment / expired PPPoE users to a page that informs them that their account has been suspended due to non-payment. This guide uses a PPPoE server only, but the same approach can be applied to HOTSPOT or other services. The methods can vary, but the logic remains the same in most cases.
For example, when you want to block a user due to non-payment, just change the user's profile to the expired-users profile. The user will still be able to connect with his ID (PPPoE dialer), but when he tries to browse the internet he will be redirected to a page on your local web server informing him that his account has been suspended due to non-payment. The same technique is useful for other purposes too: for example, you can schedule a payment reminder that is shown to users at specific dates/times for a few seconds or minutes, after which the user can resume surfing. But that’s another story.
To shorten this guide, I assume you have a working pppoe server in place with following config.
[Change the ip scheme as per your local requirement/network]
For example you may have pppoe server configured for following scheme,
Mikrotik PPPoE Server IP = 10.0.0.1
Mikrotik User DHCP Pool = 10.0.0.0/8
Mikrotik PPPoE Pool = 172.16.0.0/16
Now create an expired IP pool so that non-payment / expired users can be distinguished from regular users. To block a user, we simply change that user's profile to the expired profile.
Adding IP pool for Expired / Non Payment Users
/ip pool add name=Expired-Pool ranges=172.16.1.1-172.16.1.255
Adding Profile for Expired / Non Payment Users
/ppp profile add change-tcp-mss=default dns-server=10.0.0.1 local-address=10.0.0.1 name=pppoe-expired only-one=default rate-limit=128k/128k remote-address=Expired-Pool use-compression=default use-encryption=default use-ipv6=yes use-mpls=default use-vj-compression=default
Enabling Mikrotik Web.Proxy for Expired / Non Payment Users
Now enable the web proxy, so that expired-pool users can be redirected to the local proxy, where they will be denied and redirected to the non-payment page on a local web server.
/ip proxy set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
Redirecting Expired User Requests from web.proxy to any local web server page
Now create a rule in web.proxy to block access from the non-payment / expired IP pool and redirect it to the local web server page.
/ip proxy access add action=deny disabled=no dst-port="" redirect-to=10.0.0.2/nonpayment/nonpayment.htm src-address=172.16.1.0/24
10.0.0.2 is a local web server where the non-payment page is uploaded.
Create a normal HTML page (containing the non-payment message) and upload it to a web server of your choice, either local (preferred) or remote. If it is local, you won’t have to create any further rules; if it is on a remote server on the internet, you have to allow users to access that specific site folder and place those allow rules on top.
Adding NAT Rule to redirect Expired / Non Payment Users to local web proxy
Now add a NAT rule so that only users from the expired IP pool are redirected to the local web proxy, which in turn redirects them to the local web server page.
/ip firewall nat add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=172.16.1.0/24 to-ports=8080
Restrict Access for Expired Users so they cannot use any other internet service
Now add a filter rule to restrict expired IP pool users so that they cannot access other internet services.
/ip firewall filter add action=reject chain=forward disabled=no dst-port=!80,8080 protocol=tcp reject-with=icmp-network-unreachable src-address=172.16.1.1-172.16.1.255
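The filter rule above, evaluated against a few constructed flows, as an added Python example that is not part of the original guide and is not RouterOS code. It models only that rule's matchers (source range, protocol, negated dst-port list) and the accept-when-nothing-matches behaviour of the filter; the `TIGHTER` rule list is a hypothetical variant added for comparison.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Expired pool range from the page: 172.16.1.1-172.16.1.255
EXPIRED_FIRST = ipaddress.ip_address("172.16.1.1")
EXPIRED_LAST = ipaddress.ip_address("172.16.1.255")


@dataclass(frozen=True)
class Rule:
    """One forward-chain filter rule scoped to the expired pool."""
    action: str                       # "accept", "reject" or "drop"
    protocol: Optional[str] = None    # None means any protocol
    dst_ports: frozenset = frozenset()
    negate_ports: bool = False        # True models dst-port=!80,8080

    def matches(self, src, proto, dport):
        if not EXPIRED_FIRST <= ipaddress.ip_address(src) <= EXPIRED_LAST:
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        # A port list matches when membership differs from the negate flag.
        if self.dst_ports and (dport in self.dst_ports) == self.negate_ports:
            return False
        return True


def verdict(rules, src, proto, dport=None):
    """First matching rule wins; an unmatched packet is accepted."""
    for rule in rules:
        if rule.matches(src, proto, dport):
            return rule.action
    return "accept"


# The page's rule: reject TCP from the expired pool unless dst-port is 80/8080.
PAGE_RULES = [Rule("reject", "tcp", frozenset({80, 8080}), negate_ports=True)]

# Hypothetical tighter variant (not from the page): keep the web ports open,
# drop every other forwarded packet from the pool regardless of protocol.
# DNS to the router itself (dns-server=10.0.0.1) is input-chain traffic and
# is not touched by forward rules.
TIGHTER = [Rule("accept", "tcp", frozenset({80, 8080})), Rule("drop")]

# Constructed sample flows: (source, protocol, destination port).
FLOWS = [
    ("172.16.1.20", "tcp", 443),
    ("172.16.1.20", "tcp", 80),
    ("172.16.1.20", "udp", 53),
    ("172.16.1.20", "udp", 3478),
    ("172.16.1.20", "icmp", None),
    ("172.16.0.20", "tcp", 443),   # address outside the expired pool
]


def audit(rules):
    """Map each sample flow to the verdict the rule list gives it."""
    return {flow: verdict(rules, *flow) for flow in FLOWS}


if __name__ == "__main__":
    for name, rules in (("page rule", PAGE_RULES), ("tighter", TIGHTER)):
        print(name)
        for (src, proto, dport), result in audit(rules).items():
            print(f"  {src:<12} {proto:<4} {str(dport):<5} -> {result}")
```

Because the page's rule carries protocol=tcp, only TCP flows from the pool are ever rejected by it; UDP and ICMP from expired users fall through to whatever rules follow.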
Now when you want to block a user for non-payment, just change his profile to the pppoe-expired profile.
The user will still be able to connect to the PPPoE server, but he will get an address from the expired IP pool and will therefore be treated according to the rules we created for these users :~)
Tips for HOTSPOT
Using the above method you can also implement a non-payment reminder for HOTSPOT users. I assume you already have a working HOTSPOT in place.
Mikrotik HOTSPOT Server IP = 101.11.11.241
Mikrotik HOTSPOT DHCP Pool = 101.11.11.0/8
Mikrotik HOTSPOT Expired/NON_Payment Users Pool = 101.11.21.0/24
First add expired ip pool for expired/non payment users.
/ip pool add name=expired-pool ranges=101.11.21.1-101.11.21.255
Now add profile for expired/non payment users.
/ip hotspot user profile add address-pool=expired-pool idle-timeout=none keepalive-timeout=2m name=expired-profile shared-users=1 status-autorefresh=1m transparent-proxy=no
Now enable the web proxy service so that expired users can be redirected to the web proxy, which redirects them to the local web server showing the non-payment page.
/ip proxy set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
In proxy, add rule to block and redirect only expired/non payment ip pool.
/ip proxy access add action=deny disabled=no dst-port="" redirect-to=101.11.11.240/nonpayment/nonpayment.htm src-address=101.11.21.0/24
101.11.11.240 is the local web server ip.
Create a NAT rule to redirect expired/non-payment users to the local web proxy. Move this rule to the end of the NAT list.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network-DEFAULT RULE, ADD ONLY ALLOWED USER IPS RANGE HERE e.g" disabled=no src-address=101.11.11.1-101.11.11.255
add action=redirect chain=dstnat comment="Redirect Expired Users to Proxy" disabled=no dst-address=!101.11.11.241 dst-port=80 protocol=tcp to-ports=8080
Remember, in the HOTSPOT default masquerading rule you must add only the allowed users' IP range. Then add the redirect rule last, which will actually redirect only the expired IP pool to the local web proxy.
Create a firewall filter rule to restrict access for expired/non-payment users only. Move this rule to the end of the filter list.
/ip firewall filter add action=reject chain=input disabled=no dst-port=!80,8080,53 protocol=tcp reject-with=icmp-network-unreachable src-address=101.11.21.0/24
Finally, create a user and tag him with expired-profile.
/ip hotspot user
add disabled=no name=admin password=admin profile=default
add disabled=no name=test password=test profile=expired-profile server=hotspot1
Now, from the user end, try to browse any site: the hotspot login page will appear. Log in with the test ID and try to browse; you will be redirected to your local web server page showing the non-payment reminder.
Remember: rule placement is very important in this method. If you misplace the rules, you will not get the desired results.
Regards,
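A consistency check for the two addressing schemes used in this guide, as an added Python example that is not part of the original post. It assumes the regular pool really hands out addresses from the whole range listed in each scheme (the guide does not show that pool's `/ip pool` command); the third scheme is constructed to show a clean result.

```python
import ipaddress


def pool_networks(first, last):
    """Expand a RouterOS-style first-last pool range into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_scheme(name, regular_cidr, expired_range, rule_src):
    """Return findings for one scheme; an empty list means it is consistent."""
    findings = []
    regular = ipaddress.ip_network(regular_cidr, strict=False)
    if str(regular) != regular_cidr:
        findings.append(
            f"{name}: {regular_cidr} has host bits set, parses as {regular}")
    expired = pool_networks(*expired_range.split("-"))
    rule = ipaddress.ip_network(rule_src)
    # A paying user must never be handed an address the expired rules match.
    if any(net.overlaps(regular) for net in expired):
        findings.append(
            f"{name}: expired pool {expired_range} lies inside regular range {regular}")
    # Every expired address must be matched by the NAT/proxy/filter rules.
    uncovered = [str(net) for net in expired if not net.subnet_of(rule)]
    if uncovered:
        findings.append(
            f"{name}: rule src-address {rule_src} misses {', '.join(uncovered)}")
    return findings


# (name, regular range, expired pool range, src-address used in the rules)
SCHEMES = [
    ("pppoe", "172.16.0.0/16", "172.16.1.1-172.16.1.255", "172.16.1.0/24"),
    ("hotspot", "101.11.11.0/8", "101.11.21.1-101.11.21.255", "101.11.21.0/24"),
    # Constructed: regular users confined to a range outside the expired pool.
    ("separated", "172.16.0.0/24", "172.16.1.1-172.16.1.255", "172.16.1.0/24"),
]


def run():
    """Check every scheme and return {name: findings}."""
    return {scheme[0]: check_scheme(*scheme) for scheme in SCHEMES}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, "- OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

If the regular pool is configured with a range that excludes the expired addresses, as in the constructed third scheme, the overlap finding goes away.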
Syed Jahanzaib
Nice info sir, many thanks
Regards.
LM
Comment by projectionistlutful@gmail.com — November 14, 2012 @ 10:49 AM
Good Info Jahanzaib bhai
Comment by Amjad Iqbal — November 14, 2012 @ 1:55 PM
Hi Sayd, nice tutorial as always :)!!!
I have one question how to configure it if we use mikrotik UserManager?..
Thank you in advance
Comment by Nick — November 14, 2012 @ 7:06 PM
This can work with UserMAN only if you are not using any time limit for user.
If you are using a time-based voucher, like an account that will expire after one month, then you won't be able to use this feature. You can manually change the profile via user man.
Some testing is required for this purpose. Go ahead and test.
I haven't tested it yet.
Comment by Syed Jahanzaib / Pinochio~:) — November 15, 2012 @ 10:10 AM
Very nice job.. thanks a lot. I am sure I will be using it soon..!
Thanks again
George V.
Rhodes, Greece
Comment by George Vangopoulos — November 15, 2012 @ 4:57 AM
Nice sharing Jahanzaib bhai !!
Comment by faizan — November 15, 2012 @ 12:34 PM
Zaib bhai, I have a little confusion about the IPs, please solve it. My LAN IP is 192.168.0.1 and my WAN IP is 192.168.1.2.
Comment by Saim — November 15, 2012 @ 6:55 PM
what should i do if i have placed error message on internet??
Comment by waqar ahmad — November 15, 2012 @ 7:26 PM
allow the required sites/domains folder for expired users, where the page is hosted and move this rule before NAT rule which redirects the expired users to local proxy. OR in proxy allow the required sites and move them on top,
Comment by Syed Jahanzaib / Pinochio~:) — November 18, 2012 @ 3:46 PM
thanks for sharing nice article, in hotspot skype is still working
Comment by alikhan — November 16, 2012 @ 1:16 AM
Dear Sir, great job. This profile pictures attached please
Comment by Matloob Hussain — November 16, 2012 @ 11:23 AM
great sir, but i have issue with both, hotspot and PPPOE server. neither worked for me while testing.
hotspot and PPPOE work with normal profiles to access internet. but when expired-profile is selected user login but neither local web server, mikrotik server can be PING nor the nonpayment page can be seen or browsed.
So is there any other ROUTE or firewall setting to be done besides this that is not mentioned above?
Comment by Abdur Rehman — November 17, 2012 @ 9:41 AM
sir plz you talk to me
how add webpage html past
Sir, could you tell me whether we can make this HTML page ourselves, and after making it how we can paste it? Will this page be pasted in a file? Please give full information about this.
Comment by mani — November 17, 2012 @ 6:15 PM
You can create web page using any html editor like FRONTPAGE or any other.
Comment by Syed Jahanzaib / Pinochio~:) — November 18, 2012 @ 3:42 PM
Nice sharing Jahanzaib bhai
Comment by SHAHBAZ COMMANDO — November 17, 2012 @ 10:36 PM
Sir, please send the user main link, please.
Comment by shaeelmemon — November 18, 2012 @ 11:43 PM
Dear sir,
My preferred scenario is 01 = WAN (with so many dsl routers on the same wan with different ips or different range of ips) 01 = LAN (with hotspot and PPPOE service running)
I need 01. My Hotspot/PPPOE clients messenger, skype, yahoo, fring and other messenger may use one of my designated dsl router. 02. Browsing services may also be designated by me on atleast 02 alternate dsl routers. 03. My clients may look for their downloading on again one of my choice dsl router. 04. Expired hotspot/pppoe clients may be redirected to non-payment. *if above is not possible My every single PPPOE client may get the service UP/DOWN from one of dsl routers on MY MIKROTIK wan.
hoping for a positive response. Muhammad Abrar sky2serv@gmail.com
Comment by Muhammad Abrar — November 20, 2012 @ 3:02 PM
Dear sir
I also get errors when putting the nonpayment page on internet. Page not found. Can you please give us a tutorial on how to configure correct rules for it to work?
I love your tutorials.
Comment by Lascel — November 21, 2012 @ 11:47 AM
You have to allow the required url’s and allow them before any deny / redirect rule.
Comment by Syed Jahanzaib / Pinochio~:) — November 21, 2012 @ 3:43 PM
“You have to allow the required url’s and allow them before any deny / redirect rule.”
sir please can u tell me these steps to create the rule for this, like i want to redirect user to http://example.com/nonpayment.html
Comment by Asim — November 26, 2012 @ 2:57 AM
Yes its possible, but due to the very high customization you require, its not possible to give you the complete step by step guide. Only paid support can fulfill your requirements.
Comment by Syed Jahanzaib / Pinochio~:) — November 21, 2012 @ 3:57 PM
Hello again sir
I did not mean you should do my complete config, just some pointers in the right direction, but not necessary anymore cause I’ve noticed that in the webproxy you must not put the ip address of your website but instead use the complete site name to redirect to.
And voila it worked like a charm
Comment by Lascel — November 21, 2012 @ 7:18 PM
Hi sir i tried many times to post a question on your blog but I don’t know what going out I can’t see any of my post
maybe i’m doing error some where
Comment by Marcel Fossua — November 26, 2012 @ 1:35 AM
the post requires admin approval.
Comment by Syed Jahanzaib / Pinochio~:) — November 26, 2012 @ 8:16 AM
cool seems to be ok now
then Please I would like to have some help on this issue
I have a vsat installation with /28 publics ip then I would like to set an RB750 on top of the installation as on the chart below
_______________ ____________ 66.86.98.xx4/28 ___________
Vsat———–| Cisco 2800 |—-66.86.98.x2/28—-e1—————|RB 750 |–e3—–Client A——-| FW |
|_______________| |___________ | |___________|
66.86.98.x1/28 e2 | 66.86.98.xx3/28
|
Client B
but I need the RB 750 just for bandwidth management I have some tips how to handle the queues
but now my main problem is the public ip without any nat
let say Client A on ether2 and clientB on ether3 just like a switch but with bandwidth management (CIR/MIR and bursting)
please I don’t know if my explanation of the problem is clear so please can you give me some solution?? Thanks very much
Comment by Marcel Fossua — November 26, 2012 @ 1:54 AM
Finally I will try this setup, looks more or less what I want http://wiki.mikrotik.com/wiki/TransparentTrafficShaper
thanks anyway
Comment by Marcel Fossua — November 26, 2012 @ 4:45 AM
Hello Sir ,
Is it necessary to configure any other proxy settings on the clients pc-s ?
Thank you !
Comment by Gjergji — December 12, 2012 @ 12:41 AM
No need to configure proxy setting on user end.
Comment by Syed Jahanzaib / Pinochio~:) — December 12, 2012 @ 8:51 AM
hello i want to get a cracked version of radius manager 4 , and install it , how i can get it plz
Comment by joe — December 31, 2012 @ 5:11 AM
No support for cracked versions. Sorry.
Comment by Syed Jahanzaib / Pinochio~:) — December 31, 2012 @ 9:26 AM
Sir,
How to config squid on fedora 15 with single NIC
I want to config Mikrotik 750 all are on public ip
1. ether1 WAN link
2. ether2 Cybroam usermanager
3. ether3 Squid/lusca in fedora 15
give my any idea
Comment by lalit — January 20, 2013 @ 9:58 PM
On the Squid server, set its default gateway pointing to mikrotik. Also create a NAT rule that NATs all traffic coming from the squid ip to the WAN interface.
Comment by Syed Jahanzaib / Pinochio~:) — January 21, 2013 @ 10:53 AM
Salaam sir, how are you? Sir, can you tell me where the HTML page has to be pasted? I have done what you wrote for PPPoE, but no page like yours is showing up. Can you tell me what the reason is?
Comment by noman — January 21, 2013 @ 12:09 PM
You have to place the non payment html page to any of your local server which is running web server.
Comment by Syed Jahanzaib / Pinochio~:) — January 23, 2013 @ 11:15 AM
Dear Sir,
i have a problem, Some time i check the 1 Mb Shared user on my Mikrotik RB750GL, speed will not be shared as a 0.5 & 0.5 on Shared account. 1 Mb & 1 MB is using Same ID. kindly check it plz
kindly check it plz.
Comment by adeelhafeez786 — January 22, 2013 @ 1:13 AM
aslam-alikum…
i am new person of ubuntu .now iam installing your guideness of dma softlab rm.but installing process i have some command problems please send my email me full details of commands please..please
Comment by prasad — January 27, 2013 @ 10:28 AM
Great sir, at last I succeeded. I do experiments in VMware as a hobby.
I configured it with user-manager by creating two profiles in user-manager, and it worked for both PPPoE and Hotspot. But I have to switch the profile from the user-manager web interface. Is there any way to switch these profiles from the terminal (console) in user-manager??
Thanks in advance
Comment by Abdul Rehman — February 5, 2013 @ 12:38 PM
Assalamualikum sir
how to share folder like cable network they have own link of share folder like songs, movies and many things, software in cable network .. how can i made like this on mikrotik pppoe server or hotspot ?
Comment by Ali Khan — February 18, 2013 @ 5:46 AM
If you want to do it in a simple way , Use HFS servers, its simple and do the job nicely.
For more info, visit following link . . .
Youtube video for HFS installation
(http://www.youtube.com/watch?v=HkTlz7qWNqQ)
Comment by Syed Jahanzaib / Pinochio~:) — February 18, 2013 @ 12:38 PM
thanks Sir
Comment by Ali Khan — February 19, 2013 @ 4:00 AM
I have tried it on hotspot, but it is not giving hits in the web proxy.
I pasted the redirect rule at the end in NAT,
and I also pasted the filter rule, the reject one, at the end.
The filter rule is getting hits, but the redirect one is not.
As you said, the redirect rule has to be kept at the end and only the LAN IPs masqueraded; I did exactly that, but the redirect rule is not getting hits. Can you please tell me about this?
Comment by Taher Ahmed Ghouri — March 16, 2013 @ 3:08 AM
Thanks For Sharing Jehanzaib Bhai!!!!
Comment by Suleman Mughal — March 30, 2013 @ 12:23 PM
friend.
You’ve done a very good job.
I ask you to do me a tutorial on how to make website with photos.
we do not accept html web proxy with photos.
like and how to make the notification two days before the final payment by a certain time.
I used http://translate.google.com/
Comment by denet — May 6, 2013 @ 2:27 AM
Hello Sir
How can i do it in “Queues – PCQ” System
Comment by Molla S. Islam Rabby — July 29, 2013 @ 9:23 AM
Salam
As per you advised me today on fb i designed the same on my mikrotik box, but it is not working with the radius manager is it possible it also redirect the radius user to that page???
Comment by Abidali — August 18, 2013 @ 6:08 PM
Asalam o Alikum sir, is these rules are work with load balancing i m using your script of 2 wan load balancing and hotspot server can i use these scripts for reminder.
Comment by Ip Man — October 29, 2013 @ 10:46 PM
[…] https://aacable.wordpress.com/2012/11/14/non-payment-reminder-for-pppoe-clients-in-mikrotik/ […]
Pingback by Automating Non Payment Reminder for User Manager Expired Accounts | Syed Jahanzaib Personnel Blog to Share Knowledge ! — December 3, 2013 @ 3:34 PM
hi,
how to reject all person not connected pppoe to access the Internet. Even if he has the address of my pppoe Network.
Comment by Alex Monkam — December 26, 2013 @ 4:32 PM
any difference between 101.11.11.241 and 101.11.11.240 ??? i am confused… Help
Comment by Asad Ali — January 27, 2014 @ 3:10 PM
Please give a picture or video tutorial for hotspot non payment reminder or recommend me any other post… I did the above steps but was unsuccessful…
Comment by Asad Ali — January 27, 2014 @ 3:31 PM
Which addresses are these, and which one is the web server where the PPPoE non-payment page is to be loaded?
Mikrotik PPPoE Server IP = 10.0.0.1
Mikrotik User DHCP Pool = 10.0.0.0/8
Mikrotik PPPoE Pool = 172.16.0.0/16
Comment by Naseer Ahmad — June 8, 2014 @ 11:08 PM
Skype is still working
Comment by Hassan zia — August 22, 2015 @ 12:27 PM
Asalam o Alikum sir, I have the new MikroTik 6.38 and it is not working on it. Please tell me, give some help. Thanks.
Comment by Zohaib Bin Khalid — March 13, 2017 @ 9:46 AM
Is there a way to implement a similar page so that it can work with the Hotspot Users? the pppoe method works with the assumption that once the user is authenticated and is on a expired profile the account is given a specific IP address so that the message can be displayed. (worked like a charm! Thanks) But with the hotspot user already getting an ip address before authenticating that is a problem with this method. Any ideas?
Comment by foti — March 18, 2017 @ 11:18 AM
Asalam o Alikum sir non payment not working v6.38 please help me any solution thanks
Comment by Zohaib Bin Khalid — April 13, 2017 @ 2:31 PM
there is no difference in rules for any version, this is just a generic method irrespective of versions.
Comment by Syed Jahanzaib / Pinochio~:) — April 17, 2017 @ 11:13 AM
how to to this for https URL
Comment by Amit Upadhyay — June 20, 2017 @ 10:22 PM
you cannot redirect HTTPS requests. not supported
Comment by Syed Jahanzaib / Pinochio~:) — June 23, 2017 @ 10:21 AM
Is it working for http and https protocol?
Comment by aalokit — January 14, 2019 @ 4:58 PM