Syed Jahanzaib Personal Blog to Share Knowledge !

June 4, 2014

Non Payment Reminder for Expired Users in RADIUS MANAGER 4.x.x

Filed under: Radius Manager — Tags: , — Syed Jahanzaib / Pinochio~:) @ 12:31 PM

8-user-seeing-non-payment-page

As per requested by many friends, Following is an short guide on howto configure payment reminder for Expired users in DMASOFTLAB RADIUS MANAGER 4.x.x. I wrote this guide because its better to explain in details with snapshots here, rather then explaining to every individual.

This guide will demonstrate that if the user account is expired, he still can login to your Mikrotik / NAS, but when he will try to browse, he will be redirected to Non Payment page showing why his access is blocked. Please note that only HTTP request will be redirected, HTTPS is not supported. Example if some one tries to open HTTPS://WWW.GOOGLE.COM, he will see default browser error, but if some try to open HTTP://WWW.BBC.COM he will be properly redirected.






Scenario #1 :

[Simple one]

Mikrotik is used as NAS/pppoe server, all clients are connected to it via pppoe dialer/wifi routers.

  • LAN IP + Default DHCP Pool for customers = 192.168.1.0/24
  • Local Web Server IP which is hosting our web site + reminder page = 192.168.1.10
  • PPPoE IP Pool = 172.16.0.0/24
  • EXPIRED IP Pool to be created at Mikrotik = 172.16.100.0/24
  • WAN IP = 1.1.1.1 [irrelevant]

 


1# RADIUS MANAGER CONFIGURATION

In short, perform following steps …

  • Create a new / normal service according to your requirements, like1mb / 1 month limitation

  • in  Next expired service option, Select EXPIRED as Next Master Service, So when primary service expires, user service will be switched to this one.

[Note: EXPIRED service is already available in RM by default, but if you are unable to find it, then you can create it manually, just add new service with EXPIRED name and set ip pool accordingly, no expiration no speed limit, simple)

As showed in the image below …

 

11


Now Create a user in users section and assign it with the new service you just created in  above example  >  1mb / 1 month limitation


2# MIKROTIK CONFIGURATION

 

  • Add IP POOL for Expired Users

Add new IP Pool for EXPIRED pppoe users, when the user will expire, he will be assigned EXPIRED service, which will use this pool for these users

/ip pool
add name=expired ranges=172.16.100.1-172.16.100.255

 

As showed in the image below …

pool

  • Enable WEB PROXY and add rules

Now enable WEB PROXY and add deny/redirect rule so that we can redirect the EXPIRED users pool to any web server showing the non payment reminder page. You can also use EXTERNAL proxy to do the redirection like squid proxy. but in this guide i am showing only the mikrotik level things.


# First Enable Mikrotik Web-Proxy (You can use external proxy server also like SQUID)
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0

# Add rule to allow access to web server, otherwise user wont be able to access the reminder page. this rule must be on top.
/ip proxy access
add action=allow comment="Allow acess to web server so expired users can view the payment reminder page. it can be locally hosted or external (on internet) as well." disabled=no dst-address=192.168.0.10 \
dst-port=""

# Now add rule to redirect expired ip pool users too local or external web server payment reminder page.
/ip proxy
add action=deny disabled=no dst-port="" redirect-to=192.168.0.10/nonpayment/nonpayment.htm

As showed in the image below …

access

 

 

Add FIREWALL REDIRECT rule in NAT SECTION

Now add REDIRECT rule in FIREWALL/NAT section, and add only pppoe users pool in default NAT rule.
This is to make sure that users with expired users are redirected to web proxy which will be deny there request and redirect to web server reminder page.
and also add pppoe valid users pool in default NAT rule src-address, so that only valid pppoe users can browse the internet.

As showed in the image below …

3


RESULT

Now when the client primary profile expires, it will switch to NEXT MASTER SERVICE which we configured to EXPIRED, thus he will get ip from EXPIRED pool, and then mikrotik will redirect to proxy which will deny its request and redirect to local payment reminder page.

As showed in the image below …

result


Additional Tip for those who uses Squid Proxy as well.

SQUID PROXY RULE TO BLOCK EXPIRED POOL RANGE

in squid.conf add these on before other ACL. (or on top)

acl expired-clients src 172.16.100.0/24
http_access deny expired-clients
deny_info http://web_server_ip/nonpayment/nonpayment.htm expired-clients

Note: Ideally web server should be on same subnet. Also make sure you allow access to web server it self otherwise page will not be display.

Another Example of code: web server ip address is 192.168.10.2 , and expired pool is 10.0.0.0/24

#first allow access to web server

acl allowed_sites dst 192.168.10.2
http_access allow allowed_sites

# then block further access for expired users  and redirect them to expired clients
acl expired-clients src 10.0.0.0/24
http_access deny expired-clients
deny_info http://192.168.10.2/nonpayment.htm expired-clients

 

Regard’s
Syed Jahanzaib

Advertisements

20 Comments »

  1. thanx for evry thing K but if you can help me about how to configure that in proxy squid

    Like

    Comment by Mohamed Shamallakh — June 4, 2014 @ 1:34 PM

    • simply redirect the expired pool to squid proxy, and in squid proxy, create an ACL for this range and deny it, and in deny_info redirect it to local web page.
      BTW, article updated for squid reference too.

      SQUID PROXY RULE TO BLOCK EXPIRED POOL RANGE

      in squid.conf add these on before other ACL. (or on top)

      
      acl expired-clients src 172.16.100.0/24
      http_access deny expired-clients
      deny_info http://web_server_ip/nonpayment/nonpayment.htm expired-clients
      
      

      Note: Ideally web server should be on same subne

      Like

      Comment by Syed Jahanzaib / Pinochio~:) — June 4, 2014 @ 2:31 PM

  2. thanx : can i write arabic language in web

    Like

    Comment by Mohamed Shamallakh — June 5, 2014 @ 4:43 PM

  3. http_access deny unpaid
    deny_info http://10.10.20.6/priv/ unpaid

    10.10.20.6 is ip web server but dose not work

    page in clinet appear like 10.10.20.6/priv/ in url explore

    please can u help me

    Like

    Comment by Mohamed Shamallakh — June 5, 2014 @ 5:20 PM

  4. Hi,
    I have been following your blog for a long time now!
    I have been waiting for this solution with Radius Manager.
    Unfortunately I could not pull it off with the above example. It seems strange that the NEW SERVICE should have ip pool “expired”!
    Isn’t the idea to get into EXPIRED pool only after the service actually expires and changes to Expired (where you have the expired pool fixed already!)?
    Is it a mistake or am I way off the logic followed?
    Don’t we need few firewall rules as well?

    Your comment will be appreciated!

    Like

    Comment by Vasko Neyov — June 28, 2014 @ 6:01 PM

    • I agree with you , the first service need to have a non-expired ip pool , also i don’t have a “Next Expired Service” in my panel , i have ” Next Maser Service” instead of it , so when i choose it and after the first service expired , the user still expired and didn’t changed to the new “expire” service ! ?

      Like

      Comment by OM — August 5, 2014 @ 11:39 PM

      • salam alaykum Syed Jahanzaib. I’m also trying to redirect expired users to a expired service page. the problem is that my expired clients don’t get an ip from expired pool, which I have created in mikrotik and declared in radius manager. the mikrotik logs shows ‘authentication failed’ for expired clients. I have dma radius manager v4.0.4. can you help me about this please?

        Like

        Comment by sober81 — February 5, 2015 @ 4:25 PM

      • better to upgrade with ver 4.1.6 to avoid un expected errors
        however I have tested long time ago, the redirection do work properly in that version too. maybe you are skipping any step.
        first create an ip pool in the mikrotik with exact NAME which is defined in the RM service section.

        Like

        Comment by Syed Jahanzaib / Pinochio~:) — February 9, 2015 @ 3:35 PM

  5. Anyone working this method with V 6.15 ? this is not working even for PPPoE or Hotspot? DNS look up creates the problem, i think the DNS must be accepted in FW, It would be nice if some one shares the working method

    Like

    Comment by anupam das — September 29, 2014 @ 5:42 PM

    • by default, dns access is allowed in general cases. and for nat, we have allowed only local pppoe / hotspot series. if you are having trouble it making work, we can help.

      Like

      Comment by Syed Jahanzaib / Pinochio~:) — September 30, 2014 @ 10:10 AM

      • this method has a bug, it works only with http, sites without SSL is redirected to proxy and hence reminder page, but if a user after Login with expired ip pool, he can browse internet if the site is https . it kills data , any solution?

        Like

        Comment by Anupam das — April 28, 2015 @ 4:56 PM

      • No proper solution for it yet EXCEPT to buy PAID SSL certificate from good repo company. So usually its not feasible for smaller networks.

        Like

        Comment by Syed Jahanzaib / Pinochio~:) — May 8, 2015 @ 4:44 PM

  6. please help, have tried this mehtod too ..http://wiki.mikrotik.com/wiki/Payment_Reminders

    Like

    Comment by anupam das — September 30, 2014 @ 12:53 PM

  7. dear syed jee, waiting for your kind help and knowledge ..

    Like

    Comment by anupam das — October 1, 2014 @ 6:24 PM

  8. yes…. this method is not working. tried for pppoe first , shows error, the second way for hotspot is the same … we are using the latest release of MT V 6.19 ,, the author may have the clues , we would be grateful to him if he can show us the correct working method. thanks

    Like

    Comment by htal ukkady — October 2, 2014 @ 6:29 PM

  9. i am ready , please tell me how to proceed? team viewer ?

    Like

    Comment by anupam das — October 3, 2014 @ 9:32 AM

  10. Thanks for your help, the expired IPs given to non payment customers should comes from the same IP pool where the hotspot gateway resides , used starting few ips for the non payment expired pool within the allowed ips, this only makes the method working perfectly, for the starting IPs a address list can be created in /ip firewall add list for easy NAT and forwarding, Thanks Syed

    Like

    Comment by anupam das — October 3, 2014 @ 1:42 PM

  11. Dear Bro..
    whats change we can do in this for DHCP SERVER Radius Login By Mac Auth

    Like

    Comment by Deep Patel — February 25, 2015 @ 4:23 PM

  12. hi the above method works, however the redirect doesn’t work for https:// website. How do i go about the same thanks?

    Like

    Comment by Ians — October 10, 2015 @ 7:27 PM


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: