A friend of mine asked me how to display a non-payment reminder to users once their accounts have expired in USER MANAGER. By default, when an account expires, the user gets a user ID/password error, or, in a hotspot setup, a 'profile not found' message. Rather than showing these unfriendly messages, we can display a more meaningful message confirming to the user that the account has expired and that they should pay in order to continue with the service.
To achieve this, follow these steps.
1. In User Manager, create another profile named ‘expired-users-profile’ and give it either a limited uptime, such as 7 days or 1 month, or an unlimited one. It depends on your policies. You also have to define an IP pool named ‘expired-users-pool’.
2. In Mikrotik, first create an IP pool named ‘expired-users-pool’ and then create a NAT rule that redirects port 80 requests to the local web proxy or to a Squid proxy server. If you are using a Squid proxy, you don't need to enable the Mikrotik web proxy: simply redirect the expired pool to the Squid proxy, create an ACL for this range in Squid and deny it, and use deny_info to redirect it to a local web page, as I showed in the ‘howto block ads in squid’ article.
If you don't have a Squid proxy, you can enable the Mikrotik web proxy and redirect requests to it. Then create another firewall rule that blocks all traffic coming from this ‘expired-users-pool’ except port 80. Alternatively, in the default NAT rule, set src-address to only the valid series.
3. In the web proxy, create a rule that denies all traffic coming from the ‘expired-users-pool’ and, in the redirect field, point it to a web page showing your non-payment notice.
Ok here we go . . .
I assume you have a Mikrotik PPPoE server with User Manager already configured and working.
Example:
LAN = 10.0.0.0/8
WAN = 192.168.1.0/24
PPPoE Pool = 172.16.0.1 – 172.16.0.255
PPPoE Expired Pool = 172.16.1.1-172.16.1.255
WEB Server = 101.11.11.240
↓
↓
USER MANAGER SECTION
Log in to User Manager.
Go to Profiles / Limitations.
Add a new Limitation and name it “expired-users-profile”.
As shown in the image below . . .
Now add a user and assign any profile, for example 512k, and save.
As shown in the image below . . .
Open that user's properties again, select ‘expired-users-profile’ in ‘All profiles’, click on the + sign to add it, and click on SAVE.
As shown in the image below . . .
The User Manager section is done. Now moving on to the Mikrotik section.
↓
↓
MIKROTIK SECTION
Connect to Mikrotik via Winbox.
Go to IP / Pools, add a new pool and name it ‘expired-pool’ (or the same name as you defined in the User Manager expired profile section).
As shown in the image below . . .
↓
↓
Now enable the web proxy (or you can redirect these requests to another proxy server, such as a Squid proxy, and block the expired-pool series there).
As shown in the image below . . .
↓
↓
Now click on the ACCESS button and add a new rule (by clicking on the + sign).
> In Src. Address, enter the IP range of the expired-pool (that you defined in Mikrotik earlier, so that requests coming ONLY from this IP series are denied).
> In Dst. Address, click on the invert sign and enter your web server (this makes sure that requests going to your web server, where the non-payment reminder is placed, don't get blocked).
> In Action, select DENY.
> In Redirect to, enter the full path on your web server where the non-payment notice page is located. It can be your local web server, like IIS/Apache, or it can be a remote server too (but for a remote Internet server, you have to allow the URLs before this deny rule).
As shown in the images below . . .
↓
Now create a NAT rule that redirects port 80 requests to the local web proxy, which already has the rule to deny all requests from the expired-users pool.
Or, the CLI version:
/ip firewall nat
# Redirect rule: src-address is the expired pool range from the example above
add action=redirect chain=dstnat comment="Redirect Expired Pool Users to local Web Proxy for redirecting them to Non Payment Page." disabled=no dst-port=80 protocol=tcp src-address=172.16.1.1-172.16.1.255 to-ports=8080
# Masquerade rule: only the valid PPPoE pool gets Internet access
add action=masquerade chain=srcnat comment="Allow Internet (Masquerade rule for PPPoE Allowed series only)" disabled=no src-address=172.16.0.1-172.16.0.255
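The Winbox steps above (pool, web proxy, access rules) together with the firewall rule from step 2 that blocks everything except the notice, written as one CLI script. This is an added example, not the author's own configuration; it assumes the expired pool from the example (covered by 172.16.1.0/24), proxy port 8080 as in the NAT rule, and a hypothetical notice path /nonpayment.html on the web server.

```routeros
# Added example, not from the original post. Assumptions: expired pool
# 172.16.1.1-172.16.1.255 (inside 172.16.1.0/24), web server 101.11.11.240,
# web proxy on port 8080, hypothetical notice page /nonpayment.html.

# Pool handed out by the expired profile; the name must match the one
# configured in User Manager.
/ip pool
add name=expired-pool ranges=172.16.1.1-172.16.1.255

/ip proxy
set enabled=yes port=8080

# Proxy access rules are evaluated top to bottom.
/ip proxy access
# 1) Let expired users reach the server that hosts the notice page.
add action=allow src-address=172.16.1.0/24 dst-address=101.11.11.240 comment="expired: allow notice server"
# 2) Deny every other request from the expired pool and redirect it.
add action=deny src-address=172.16.1.0/24 redirect-to="http://101.11.11.240/nonpayment.html" comment="expired: redirect to notice"
# 3) Nobody else may use the proxy, so it cannot act as an open proxy.
add action=deny comment="deny all other proxy clients"

# Place these above any general accept rules in the filter table.
/ip firewall filter
# Redirected port 80 traffic arrives on the router itself (input chain),
# so keep the proxy port closed to every source except the expired pool.
add chain=input protocol=tcp dst-port=8080 src-address=!172.16.1.0/24 action=drop comment="proxy port: expired pool only"
# Routed traffic from the expired pool: notice server and DNS only.
add chain=forward src-address=172.16.1.0/24 dst-address=101.11.11.240 action=accept comment="expired: notice server"
add chain=forward src-address=172.16.1.0/24 protocol=udp dst-port=53 action=accept comment="expired: DNS lookups"
add chain=forward src-address=172.16.1.0/24 action=drop comment="expired: drop everything else"
```

The final forward rule drops all non-HTTP traffic from the expired pool, which the port 80 redirect alone does not touch.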
All Done !
☺
TESTING . . .
Once the main profile (for example 512k) expires after 30 days, the next profile (expired-users-profile) will automatically become active, the user will get an IP from the EXPIRED pool, and Mikrotik will redirect the user to the local web proxy, which will deny all requests and redirect them to your defined non-payment page.
As shown in the image below . . .
At the client, you will see this.
When you want to activate this account again, simply open the user's properties, remove its profiles by pressing the minus sign on each profile, and add 512k or the required profile again.
Another guide for manual controlling ↓
https://aacable.wordpress.com/2012/11/14/non-payment-reminder-for-pppoe-clients-in-mikrotik/
Regards
Syed Jahanzaib
same applied for hotspot userman????
Comment by Asim — December 3, 2013 @ 4:01 PM
I have a query on Mikrotik regarding the BGP Configuration.
Thanks & Best Regards
RAJA SEKHAR B
Vice President – Internet Operations
+91 8886609828
Comment by RAJ@RVR — December 3, 2013 @ 5:47 PM
Sorry bro, I have not much experience in routing side.
Comment by Syed Jahanzaib / Pinochio~:) — December 4, 2013 @ 2:03 PM
Salam Jahanzaib bhai, when creating the expired pool in User Manager, what is the web server address you gave, and which one should I give? Please explain it to me in simple words. And should I create the expired pool profile as a full profile, like the rest of the profiles?
Comment by Naseer Ahmad — December 3, 2013 @ 11:16 PM
This solution works like a clock, does not “kill” the Mikrotik CPU, and is scheduled for a “notice of unpaid bills.” Something similar can be done for any commercial or redirection. It can also handle “warning” and “advertising.”
We just need to set the redirection to a different TCP port of the web proxy.
/ip proxy
set always-from-cache=no cache-administrator="freenet" cache-hit-dscp=4 \
cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=\
2000 max-fresh-time=2m max-server-connections=2000 parent-proxy=0.0.0.0 \
parent-proxy-port=0 port=5555 serialize-connections=\
no src-address=212.200.12.x
/ip proxy access
add action=deny comment="Non Payment reminder" disabled=no local-port=5555 \
redirect-to=http://infostranafreenet.blogspot.com
2. In the firewall, you make an IP address list for the users to warn (when you want to advertise, you put in the whole class)
/ip firewall address-list
add address=172.29.98.2 list=for_warning disabled=no
add address=172.29.102.182 list=for_warning disabled=no
…
2. Mangle NEW WEB “not warned users” in “stage1”, as “stage1 not warned user” in “stage2”
/ip firewall mangle
add action=mark-connection chain=prerouting comment=WARNING connection-state=new disabled=no dst-port=80 new-connection-mark=warning_st1 \
passthrough=yes protocol=tcp src-address-list=for_warning
add action=mark-connection chain=prerouting connection-mark=warning_st1 disabled=no new-connection-mark=warning_st2 passthrough=no \
src-address-list=!warned
3. Nat “stage2” user in web-proxy
/ip firewall nat
add action=redirect chain=dstnat comment="WARNING redirect to proxy" connection-mark=warning_st2 disabled=no dst-port=80 protocol=tcp src-address-list=\
!not_warning to-ports=5555
4. In the INPUT chain, determine the “interval time” in which the user will be redirected to the notice (mine is every 59 minutes)
/ip firewall filter
add action=add-src-to-address-list address-list=warned address-list-timeout=59m chain=input comment=WARNED connection-mark=warning_st2 \
disabled=no
Tweak:
On the redirection site, make a simple JavaScript that will go back in the browser (the user will be “informed” for, say, 5-6 seconds, and then will return to the site where they were before the redirection).
This is important because many people are bothered by having to click on the notification.
Javascript:
window.onload = function () {
  // this sets the length of notice (milliseconds)
  window.setTimeout(function () { history.back(); }, 8000);
};
Comment by sloba — December 4, 2013 @ 12:14 PM
Great TIP. Thank you
Comment by Syed Jahanzaib / Pinochio~:) — December 4, 2013 @ 2:03 PM
you can use this in your blog
%SCRIPT Language=JavaScript@
window.onload = function(){
window.setTimeout(function () { history.back(); }, 8000);
};
%/SCRIPT@
add where @
Comment by sloba — December 4, 2013 @ 5:58 PM
Thanks, it worked
smile always
Comment by adejumokojo — December 4, 2013 @ 2:25 PM
how can this method work with squid server ??
Comment by skiesblueheartstrueyousef mohamed — December 8, 2013 @ 3:47 AM
just create an ACL in squid and deny requests for expired ip pool, and redirect it to local server or whatever you like.
ACL example is here.
and look for heading
Howto block User IP or series in SQUID ACL
Comment by Syed Jahanzaib / Pinochio~:) — December 9, 2013 @ 10:57 AM
Wow……. It’s Working
Syed Jahanzaib Brother Thank You
And Mr.Sloba Very Nice Tips Share (Y)
Comment by deallink — December 9, 2013 @ 7:13 AM
it seems that this is not working anymore on RouterOS 6.7.
Comment by mr — December 23, 2013 @ 4:11 AM
I have not tried it with 6.x, lot of things have been changed in 6.x
Comment by Syed Jahanzaib / Pinochio~:) — December 23, 2013 @ 8:14 AM
I got it to work.
Before your access rule in the web proxy, I must allow simple access from the “expired” IP address pool to the IP with the warning page. After this, your rule with the redirect comes.
While testing everything out, I configured a simple profile with only 1 MByte of transfer. I noticed that if the PPPoE session is open, I can download much more, for example OpenOffice with 155 MByte.
If I disconnect the PPPoE user and reconnect, I hit the “limit reached” wall.
Now I am hunting for a solution to catch the traffic limit while a session is active and switch from the example 1 MByte profile to the “expired” profile.
Any hints, suggestions?
Thanks, man!
Comment by mr — December 25, 2013 @ 7:15 PM
which version of ROS you have tried. Currently, I am using ROS v5.18. For the second profile it says paused, not waiting.
Comment by Arjun Neupane — February 13, 2014 @ 9:35 AM
Don’t remember exact version, probably 5.20 or 6.5
Comment by Syed Jahanzaib / Pinochio~:) — February 13, 2014 @ 9:56 AM
Does it work on ROS ver 6.x?
Comment by ehsannasiri1366 — August 23, 2015 @ 10:39 AM
How to block Skype as well, because this method only block port 80?
Comment by heratweb — July 13, 2016 @ 5:09 PM
in default NAT rule, you should allow only valid (pppoe) customers ip pool only.
Comment by Syed Jahanzaib / Pinochio~:) — July 18, 2016 @ 4:32 PM
How do I redirect to a site which I created and placed in the router files?
Comment by Ebenezer Amaah — May 23, 2019 @ 3:19 PM
Comment by Syed Jahanzaib / Pinochio~:) — May 25, 2019 @ 2:20 PM