Redirecting Users for Non Pay (or any other reason)…

One common question I see on forums and other places is how you can use Mikrotik to redirect non-paying users to a “pay me now” page.  This tutorial will cover one of the methods that you can use to accomplish this seemingly confusing function.

The easiest method to accomplish this function is using the web proxy (in transparent mode).  We will use an address list to keep a list of users who will be redirected.  If you are using PPPoE, you can just as easily create a profile for disconnected users that pulls IP addresses from a pool of addresses that will be redirected.  This approach is much easier for PPPoE users for whom you currently provide dynamic IP addresses.

So first, let’s look at creating the address list.  This is very easily done via command line as follows:
/ip firewall address-list
add disabled=no list=disconnected address= comment="disconnected user 1"
add disabled=no list=disconnected address= comment="disconnected user 2"

It’s as easy as that.  As you can see, there are 2 addresses being added to the list we will later use to redirect to the proxy server.  If you are running PPPoE server and wish to create a pool of addresses to redirect, you first need to create the pool as follows:
/ip pool
add name=disconnected-pool ranges=
Then, you create the profile as follows:
/ppp profile
add name=disconnected local-address= remote-address=disconnected-pool
Once this profile is created, you simply change the user you wish to disconnect to use the profile called “disconnected”.  How you accomplish that is dependant upon whether you use the local database of users (/ppp secrets) or radius.  It is beyond the scope of this tutorial to discuss how to do this in a radius server, as there are a number of server platforms and each will have it’s own unique methods.

At this point, you should build the web page that you want users to see.  It is very important that you pay careful attention to securing the proxy.  I recommend securing the proxy both by web proxy configuration AND ensuring nothing gets past by using IP Firewall Filters (not covered in this tutorial).  Here is the configuration for web-proxy:

/ip proxy set enabled=yes port=8080
/ip proxy access
add action=allow disabled=no dst-port=80
add action=deny disabled=no dst-port=80 \
add action=deny disabled=no

This configuration configures the proxy to operate on port TCP/8080.  Additionally, any user redirected to this proxy will have their port tcp/80 traffic redirected to the page  The like that allows access to is there in order to permit the loading of images from that server by the proxy clients.  The final configuration denys ALL other access to the proxy.  As stated earlier, you will want to add the firewall filters to further secure the proxy, but this is the only configuration that is necessary.  Also, you will need to alter the above configuration to point to the page you created and wish users to see.

Finally, the only remaining configuration is to actually redirect users to the proxy and corral their traffic.  We do this in the firewall under filters to corral the traffic and under nat to redirect.  Let’s look at the filter first:
/ip firewall fitler
add chain=disconnected protocol=udp dst-port=53 action=accept comment="Users need DNS to work"
add chain=disconnected protocol=tcp dst-port=80 action=accept comment="We need port 80 to work"
add chain=disconnected action=drop comment="NOTHING ELSE for disconnected users"
add chain=forward src-address-list=disconnected action=jump jump-target=disconnected \
  comment="Redirect disconnected users to the disconnected chain"

If you are redirecting users from the PPPoE pool INSTEAD of disconnected address list, then replace “src-address-list=disconnected” with “src-address=” (assuming you are using the same pool I described above) in that last command.  These commands will permit ONLY port 80, the default http port, to function for these users.  Additionally, we permit their DNS to work, as this is necessary for them to access any web pages.  If you look under IP->Firewall->Filter (in winbox), you should be able to drag that last rule to the top of the list.  Be certain you don’t alter the order of the other rules in the disconnected chain.

Finally, all that’s left is to actually perform the redirect.  As I stated earlier, this is done in NAT.  Specifically, it is dst-nat.  The rule looks like this:
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address-list=disconnected action=redirect to-ports=8080

Again, replace the src-address-list argument with the src-address as in the forward chain if you need to.  This rule will send all http (tcp port 80) traffic from users in the disconnected address list to the proxy.  The proxy is configured to “deny all activity from users by redirecting them to your nonpayers.html page”.  The end result is users will see your nonpay page no matter WHAT they try to view in their browser.  It should be noted that if the user has an SSL page (https) as their home page, they will get an error in their browser, since we are dropping all traffic except tcp port 80.

I hope this short article has helped to clarify this question for you.  You may drop me an email at or call me at 702-537-0979 and I’ll be happy to help you customize these confgurations (there may be a consulting charge for this work).  Feel free to ask questions if something doesn’t make sense and as always, post your comments and post the article to digg if it is useful to you.  THANKS for reading!

One Response to “Redirecting Users for Non Pay (or any other reason)…”

  1. andrewo Says:

    I was able to get this to work, and this will be good addition to our network. Thanks Butch your posts are very helpful.

Leave a Reply

You must be logged in to post a comment.