Syed Jahanzaib Personal Blog to Share Knowledge !

December 3, 2013

Automating Non Payment Reminder for User Manager Expired Accounts

Filed under: Mikrotik Related — Tags: , — Syed Jahanzaib / Pinochio~:) @ 2:22 PM


A friend of mine asked me on howto display non payment reminder to users, once there account have been expired on USER MANAGER. By default when any account expired, he gets user id password error, or if hotspot setup, then it shows profile not found. But rather then showing these UN friendly messages, we can display more meaningful message giving confirmation to user that his account is expired and he should pay in order to continue with the service.

To achieve this we have to follow this.

1. In user manager, we have to create another profile name ‘expired-users-profile’ and and either give it a limited uptime like 7 days, or 1 month or for ever. It depends on your policies. Also you have to define an IP POOL name ‘expired-users-pool’

2. In Mikrotik, First create IP pool name ‘expired-users-pool‘ and then create a NAT rule that redirects port 80 request to local proxy or squid proxy server. If using SQUID proxy, then you dont need to enable mikrotik web proxy, simply redirect the expired pool to squid proxy, and in squid proxy, create an ACL for this range and deny it, and in deny_info redirect it to local web page. as i showed on ‘howto block ads in squid’ article.

If you dont have SQUID proxy, then You can enable Mikrotik web proxy and redirect request to it. Then create another firewall rule that blocks all traffic coming from this ‘expired-users-pool’ traffic except port 80. OR in default NAT rule, in src-address add only valid series.

3. In Web Proxy, create a rule that deny all traffic coming from the ‘expired-users-pool‘ and in redirect, point it to any web page showing your non payment advertisement page.

Ok here we go . . .

I assume you have a Mikrotik PPPoE server with User Manager already configured  and working.


PPPoE Pool = –
PPPoE Expired Pool =
WEB Server =


Login to User Manager,
Goto Profiles / Limitations
Add new Limitation and name it “expired-users-profile
As showed in the image below . . .


Now add user and add any profile , for example 512k , and save.
As showed int he image below . . .

2- add user and add single profile

Open that User Properties again, and in ‘All profiles’ select ‘expired-users-profile” and click on + sign to add it. and click on SAVE.
As showed int he image below . . .

3-add-second profile

User Manager Section done. Now moving to Mikrotik section.


Connect to Mikrotik via Winbox,
Goto IP / Pools and add new pool and name it ‘expired-pool‘ (or same as you defined in User manager expired profiles section)

As showed in the image below . . .


Now enable Web-proxy [Or you can redirect these requests to another proxy server like squid proxy and block the expired-pool series there)
As showed in the image below . . .


Now click on ACCESS button and add a new rule (by clicking on + sign)

> in Src. Address, enter ip range of expired-pool (that you defined in mikrotik earlier, so that request coming from ONLY this ip series should be denied)
> in Dst. Address , click on invert sign, and enter your web server (this is to make sure that request going to your web server where non payment reminder is placed dont get blocked.
> in Action, select DENY
> in Redirect to, Enter your web server full path where the non payment advertisement pag eis located. It can be your local web server like IIS/Apache or it can be remote server too (but for remote Internet server, you ahve to allow the URLs before this deny rule)
As showed in the images below . . .


Now create a NAT rule that will redirect port 80 request to local web proxy, which will already have the rule to deny all requests for expired-users pool.


OR CLI version . ..

/ip firewall nat
add action=redirect chain=dstnat comment="Redirect Expired Pool Users to local Web Proxy for redirecting them to Non Payment Page." disabled=no dst-port=80 protocol=tcp src-address=\ to-ports=8080

add action=masquerade chain=srcnat comment="Allow Internet (Masquerade rule for PPPoE Allowed seires only)" disabled=no src-address=

All Done !


Once the main profile(for example 512k)  expire after 30 days , next profile (expired-users-profile) will automatically get active and user will get IP from the EXPIRED pool and mikrotik will redirect it to local web proxy and it will will deny all the request and redirect it to your defined non payment page.
As showed in the image below . . .

7- expired profile

and at client you will be seeing this,



When you want to activate this account again, simply take user properties, and remove its profiles by pressing minus sign on each profile, and add 512k or required profile again.

another guide for manual controlling ↓

Syed Jahanzaib


  1. same applied for hotspot userman????

    Comment by Asim — December 3, 2013 @ 4:01 PM

  2. I have a query on Mikrotik regarding the BGP Configuration.

    Thanks & Best Regards


    Vice President – Internet Operations

    +91 8886609828

    Comment by RAJ@RVR — December 3, 2013 @ 5:47 PM

  3. salam janzaib bahi user man me expire pool banaty howy ap nay jo web server adress dia ha ye kia ha or me kon sa don ga zara mujy asan lafzu me batho or expire pool ki baqi profile ki tara pore profile banho ga

    Comment by Naseer Ahmad — December 3, 2013 @ 11:16 PM

  4. This solution works like a clock and not “kill” the Mikrotik CPU and is scheduled for a “notice of unpaid bills.” Similar can be done for any commercial or redirection. It also can handle the “warning” and “advertising.”
    We just need to set redirection in different TCP port of the web proxy.

    /ip proxy
    set always-from-cache=no cache-administrator=”freenet” cache-hit-dscp=4 \
    cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=\
    2000 max-fresh-time=2m max-server-connections=2000 parent-proxy= \
    parent-proxy-port=0 port=5555 serialize-connections=\
    no src-address=212.200.12.x
    /ip proxy access
    add action=deny comment=”Non Payment reminder” disabled=no local-port=5555 \
    2. In firewall you make ip adress list for warning users (When you want advertise, you put all class)
    /ip firewall address-list
    add address= list=for_warning disabled=no
    add address= list=for_warning disabled=no

    2. Mangle NEW WEB “not warned users” in “stage1”, as “stage1 not warned user” in “stage2”
    /ip firewall mangle
    add action=mark-connection chain=prerouting comment=WARNING connection-state=new disabled=no dst-port=80 new-connection-mark=warning_st1 \
    passthrough=yes protocol=tcp src-address-list=for_warning
    add action=mark-connection chain=prerouting connection-mark=warning_st1 disabled=no new-connection-mark=warning_st2 passthrough=no \

    3. Nat “stage2″ user in web-proxy
    /ip firewall nat
    add action=redirect chain=dstnat comment=”WARNING redirect to proxy” connection-mark=warning_st2 disabled=no dst-port=80 protocol=tcp src-address-list=\
    !not_warning to-ports=5555

    4. In INPUT chain determine “interval time” in which the user will be redirected to the notice (mine is every 59 minutes)
    /ip firewall input
    add action=add-src-to-address-list address-list=warned address-list-timeout=59m chain=input comment=WARNED connection-mark=warning_st2 \

    The site redirection to make a simple javascript that will do back in the browser (the user will be “informed” say 5-6 seconds, and then will return to the site where it was before the redirection “).
    This is important because many people bothering to click on the notification.

    window.onload = function(){
    window.setTimeout(“history.back();”, 8000); <——- this sets the length of notice.

    Comment by sloba — December 4, 2013 @ 12:14 PM

    • Great TIP. Thank you

      Comment by Syed Jahanzaib / Pinochio~:) — December 4, 2013 @ 2:03 PM

      • you can use this in your blog
        %SCRIPT Language=JavaScript@
        window.onload = function(){
        window.setTimeout(“history.back();”, 8000);
        add where @

        Comment by sloba — December 4, 2013 @ 5:58 PM

  5. window.onload = function(){
    window.setTimeout(“history.back();”, 8000); <——- this sets the length of notice.

    Comment by sloba — December 4, 2013 @ 12:15 PM

  6. “”
    window.onload = function(){
    window.setTimeout(“history.back();”, 8000); <——- this sets the length of notice.

    Comment by sloba — December 4, 2013 @ 12:16 PM

  7.  Thanx It workd

    smile always

    Comment by adejumokojo — December 4, 2013 @ 2:25 PM

  8. how can this method work with squid server ??

    Comment by skiesblueheartstrueyousef mohamed — December 8, 2013 @ 3:47 AM

  9. Wow……. It’s Working
    Syed Jahanzaib Brother Thank You
    And Mr.Sloba Very Nice Tips Share (Y)

    Comment by deallink — December 9, 2013 @ 7:13 AM

  10. it seems that this is not working anymore on RouterOS 6.7.

    Comment by mr — December 23, 2013 @ 4:11 AM

    • I have not tried it with 6.x, lot of things have been changed in 6.x

      Comment by Syed Jahanzaib / Pinochio~:) — December 23, 2013 @ 8:14 AM

      • I got it work.
        before your access rule in web-proxy i must allow simple access from the “expired” ip address pool to the ip with the warning page. after this your rule with the redirect comes.
        while testing everything out i configured a simple profile with only 1 mbyte transfer. i noticed, if the pppoe session is open i can download much more. for example open office with 155mbyte.
        if i disconnect the pppoe user and reconnect, i hit against the “limit reached” wall.

        no i am hunting behind a solution to grab the traffic limit while a session is active and switch from the example 1mbyte profile to the “expired” profile.
        any hints, suggestions?

        thanx man!

        Comment by mr — December 25, 2013 @ 7:15 PM

  11. which version of ROS you have tried. Currently, I am using ROS v5.18. For the second profile it says paused, not waiting.

    Comment by Arjun Neupane — February 13, 2014 @ 9:35 AM

  12. Do work on ROW ver6.x?

    Comment by ehsannasiri1366 — August 23, 2015 @ 10:39 AM

  13. How to block Skype as well, because this method only block port 80?

    Comment by heratweb — July 13, 2016 @ 5:09 PM

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at

%d bloggers like this: