

Following is a small howto (written at the request of a friend) on how you can redirect non-payment / expired PPPoE users to a page informing them that their account has been suspended due to non-payment. In this guide I used a PPPoE server only, but you can apply the same idea to HOTSPOT or other services as well. Remember, the methods can vary, but the logic remains the same in most cases.
For example, when you want to block a user for non-payment, just change the user's profile to the expired-users profile. The user will still be able to connect with his ID (PPPoE dialer), but when he tries to surf the internet he will be redirected to a page on your local web server informing him that the account has been suspended due to non-payment (as shown in the image above). This is sometimes helpful for other purposes too; for example you can also configure / schedule a payment reminder that is shown to users at specific dates/times for a few seconds or minutes, after which the user can resume surfing. But that's another story.
To shorten this guide, I assume you have a working PPPoE server in place with the following config.
[Change the IP scheme as per your local requirement/network]
For example you may have the PPPoE server configured for the following scheme:
Mikrotik PPPoE Server IP = 10.0.0.1
Mikrotik User DHCP Pool = 10.0.0.0/8
Mikrotik PPPoE Pool = 172.16.0.0/16
Now you have to create an expired IP pool and an expired-users profile, so that non-payment users can be told apart from paying users. When we want to block a user, we will simply change his profile to the expired profile.
/ip pool
add name=Expired-Pool ranges=172.16.1.1-172.16.1.255
/ppp profile
add change-tcp-mss=default dns-server=10.0.0.1 local-address=10.0.0.1 name=pppoe-expired only-one=default rate-limit=128k/128k remote-address=\
Expired-Pool use-compression=default use-encryption=default use-ipv6=yes use-mpls=default use-vj-compression=default
Now enable the web proxy, so that expired-pool users can be redirected to the local proxy, where they will be denied and redirected to the non-payment page on any local web server.
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 \
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
Now create a rule in the web proxy that blocks access from the non-payment / expired IP pool and redirects it to the local web server page.
/ip proxy access
add action=deny disabled=no dst-port="" redirect-to=10.0.0.2/nonpayment/nonpayment.htm src-address=172.16.1.0/24
10.0.0.2 is the local web server where the non-payment page is uploaded.
You must create a normal HTML page (carrying the non-payment message) and upload it to any web server of your choice. It can be local (preferred) or remote. If it is local you won't have to create any further rules; if it is on a remote server on the internet, you have to allow the users to reach that specific site/folder, and place those rules on top.
Now add a NAT rule so that only users from the expired IP pool are redirected to the local web proxy, which in turn sends them to the local web server page.
/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=172.16.1.0/24 to-ports=8080
Now add filter rule to restrict expired ip pool users so they cannot access other internet services.
/ip firewall filter
add action=reject chain=forward disabled=no dst-port=!80,8080 protocol=tcp reject-with=icmp-network-unreachable src-address=172.16.1.1-172.16.1.255
Now, when you want to block any user for non-payment, just change his profile to the pppoe-expired profile.
As shown in the image below . . .
Now the user will still be able to connect to the PPPoE server, but he will get an address from the expired IP pool and will therefore be treated according to the rules we created for these users :~) As shown in the image below . . .
Using the above method you can also implement a non-payment reminder for HOTSPOT users. I assume you already have a working HOTSPOT running in place.
Mikrotik HOTSPOT Server IP = 101.11.11.241
Mikrotik HOTSPOT DHCP Pool = 101.11.11.0/8
Mikrotik HOTSPOT Expired/NON_Payment Users Pool = 101.11.21.0/24
First add expired ip pool for expired/non payment users.
/ip pool
add name=expired-pool ranges=101.11.21.1-101.11.21.255
Now add profile for expired/non payment users.
/ip hotspot user profile
add address-pool=expired-pool idle-timeout=none keepalive-timeout=2m name=expired-profile shared-users=1 status-autorefresh=1m transparent-proxy=no
Now enable the web proxy service so that we can redirect expired users to the web proxy, which will redirect them to the local web server showing the non-payment page.
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=600 \
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
In the proxy, add a rule to block and redirect only the expired/non-payment IP pool.
/ip proxy access
add action=deny disabled=no dst-port="" redirect-to=101.11.11.240/nonpayment/nonpayment.htm src-address=101.11.21.0/24
101.11.11.240 is the local web server IP.
Create a NAT rule to redirect expired/non-payment users to the local web proxy. Move this rule to the end of the NAT list.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network-DEFAULT RULE, ADD ONLY ALLOWED USER IPS RANGE HERE e.g" disabled=no src-address=101.11.11.1-101.11.11.255
add action=redirect chain=dstnat comment="Redirect Expired Users to Proxy" disabled=no dst-address=!101.11.11.241 dst-port=80 protocol=tcp to-ports=8080
Remember, in the HOTSPOT default masquerading rule you must add only the allowed users' IP range. Then add the second rule at the end, which actually redirects only the expired IP pool to the local web proxy (the red one).
Create a firewall filter to restrict access for expired/non-payment users only. Move this rule to the end of the filter list.
/ip firewall filter
add action=reject chain=input disabled=no dst-port=!80,8080,53 protocol=tcp reject-with=icmp-network-unreachable src-address=101.11.21.0/24
Finally create user and tag him with expired-profile.
/ip hotspot user
add disabled=no name=admin password=admin profile=default
add disabled=no name=test password=test profile=expired-profile server=hotspot1
Now from the user end, try to browse any site; the hotspot login page will appear. Log in with the test ID and try to browse: you will be redirected to your local web server page showing the non-payment reminder.
Remember: rule placement is very important in this method. If you misplace the rules, you will not get the desired results.
Regards
Syed Jahanzaib
For Personal Reference
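To make the rule-placement point concrete for both the PPPoE section and this hotspot section, here is an added Python model (my example, not RouterOS code and not from the original post) of a first-match chain. It transcribes the page's dstnat redirect and forward-chain reject rules for the 172.16.1.0/24 expired pool, adds an assumed blanket accept rule for the whole PPPoE pool (`ALLOW_PPPOE`, hypothetical, as many routers already have), and follows sample packets through the filter in both orders.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Packet:
    src: str            # client address from the PPPoE/hotspot pool
    dst_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                              # "accept", "reject" or "redirect"
    src: Optional[str] = None                # CIDR or "first-last" range, as written on the page
    proto: Optional[str] = None
    dst_ports: FrozenSet[int] = frozenset()  # empty = any port
    negate_ports: bool = False               # models dst-port=!80,8080
    to_port: Optional[int] = None            # redirect target (to-ports=)


def src_matches(spec: str, ip: str) -> bool:
    """Match RouterOS src-address syntax: either a CIDR block or a first-last range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src is not None and not src_matches(rule.src, pkt.src):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_ports:
        hit = pkt.dst_port in rule.dst_ports
        if hit == rule.negate_ports:   # a "!ports" rule matches only when the port is NOT listed
            return False
    return True


def run_chain(chain, pkt: Packet) -> Rule:
    """First matching rule wins, as in RouterOS; no match means the default accept."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule
    return Rule(action="accept")


def disposition(dstnat_chain, forward_chain, pkt: Packet) -> str:
    """Follow one packet through dstnat and then through the forward filter."""
    nat = run_chain(dstnat_chain, pkt)
    if nat.action == "redirect":
        # redirect hands the packet to the router's own proxy (input chain),
        # so the forward filter never sees it
        return "proxy:%d" % nat.to_port
    return "rejected" if run_chain(forward_chain, pkt).action == "reject" else "forwarded"


# Rules transcribed from the PPPoE section of the page (expired pool 172.16.1.0/24)
PPPOE_DSTNAT = [
    Rule("redirect", src="172.16.1.0/24", proto="tcp", dst_ports=frozenset({80}), to_port=8080),
]
EXPIRED_REJECT = Rule("reject", src="172.16.1.1-172.16.1.255", proto="tcp",
                      dst_ports=frozenset({80, 8080}), negate_ports=True)
# Assumed (hypothetical) blanket accept for the whole PPPoE pool, not part of the page
ALLOW_PPPOE = Rule("accept", src="172.16.0.0/16")

GOOD_FILTER = [EXPIRED_REJECT, ALLOW_PPPOE]   # expired-pool rule placed first
BAD_FILTER = [ALLOW_PPPOE, EXPIRED_REJECT]    # same rules, wrong order


if __name__ == "__main__":
    for pkt in (Packet("172.16.1.7", 80), Packet("172.16.1.7", 443),
                Packet("172.16.1.7", 53, "udp"), Packet("172.16.2.7", 443)):
        print(pkt, "good order:", disposition(PPPOE_DSTNAT, GOOD_FILTER, pkt),
              "| bad order:", disposition(PPPOE_DSTNAT, BAD_FILTER, pkt))
```

With the reject rule first, an expired user's TCP/80 goes to the proxy, his TCP/443 is rejected and a paying user (172.16.2.7) is forwarded; with the blanket accept first, the expired user's TCP/443 is forwarded, which is exactly the misplacement warned about above. Note also that the page's PPPoE filter rule, like this model, matches TCP only, so UDP traffic such as DNS on port 53 still passes through; the expired profile's dns-server=10.0.0.1 setting is what keeps those lookups on the router.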
Recently I received an email from a friend who was annoyed by the RB date/time resetting upon every reboot. He had USERMAN with above 500 users, so it was a big problem from the accounting perspective. He thought the RB also has a battery to save the time/date, and he asked me how he could replace the battery :p
Routerboards do not have an internal battery-backed clock to keep time between reboots. You have to configure the NTP client to obtain the time from a time server. Following are the commands to set up the NTP client and set the time zone to +5 (for Karachi/Pakistan). Make sure the router has internet access before configuring NTP. After configuring NTP, you won't have to set the clock manually. Correct time is crucial for Mikrotik, especially for LOG purposes and if you are doing user accounting with a RADIUS server like USERMAN on it. For example, if the RB reboots and the date/time resets to an old date, it can create a lot of problems for user accounting. The NTP client ensures that you always get the proper date/time after every reboot and in routine operation. Use the following commands to set up the NTP client.
/system clock set time-zone-name=manual
/system clock manual set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+05:00
/system ntp client set enabled=yes mode=unicast primary-ntp=82.165.36.179 secondary-ntp=0.0.0.0
It is recommended that you reboot the router after the time change. After 7-8 seconds you will get the correct date/time …
For other countries, change the time zone according to their local time.
First install the NTP service on Ubuntu using the command below:
apt-get install ntp
Now edit the ntp.conf file to add the NTP server.
nano /etc/ntp.conf
Add this parameter anywhere in this file.
server 82.165.36.179
Save & exit.
Now copy the PK time zone to /etc
cp /usr/share/zoneinfo/Asia/Karachi /etc/localtime
Use the below command to update the time.
ntpdate -u 82.165.36.179
Now run the date command to verify the time.
Regards
Syed Jahanzaib
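As an added illustration of what the NTP client configured above is doing on the wire (my Python example, not from the post and not RouterOS code), the following builds a minimal SNTP request, checks a reply the way a client should before trusting it, and converts the server's timestamp from the NTP epoch (1900) into Unix time and then into the +05:00 zone used above. The reply it parses is a constructed packet so the demo runs offline; `query()` performs the real UDP exchange against a server you name.

```python
import socket
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 (client); all other fields zero."""
    return bytes([0x1B]) + bytes(47)


def is_valid_reply(pkt: bytes) -> bool:
    """Sanity checks a client should apply before accepting a reply."""
    if len(pkt) < 48:
        return False
    mode = pkt[0] & 0x07
    stratum = pkt[1]
    # mode 4 = server reply; stratum 0 is a kiss-o'-death/unsynchronised answer, >15 is invalid
    return mode == 4 and 1 <= stratum <= 15


def parse_reply(pkt: bytes) -> float:
    """Return the server's transmit timestamp (bytes 40-47) as Unix seconds."""
    if not is_valid_reply(pkt):
        raise ValueError("not a usable NTP server reply")
    secs, frac = struct.unpack("!II", pkt[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def to_local(unix_ts: float, tz_hours: int) -> str:
    """Render a Unix timestamp in a fixed UTC offset, e.g. +5 for Karachi as in the post."""
    zone = timezone(timedelta(hours=tz_hours))
    return datetime.fromtimestamp(unix_ts, zone).strftime("%Y-%m-%d %H:%M:%S %z")


def query(server: str, port: int = 123, timeout: float = 3.0) -> float:
    """Live SNTP exchange over UDP/123; not exercised by the offline demo below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (server, port))
        reply, _ = sock.recvfrom(512)
    return parse_reply(reply)


# Constructed reply: LI=0 VN=3 Mode=4, stratum 2, poll 6, precision -20, zero
# root/reference fields, transmit timestamp = 2012-11-05 00:00:00.5 UTC
CONSTRUCTED_REPLY = (
    bytes([0x1C, 2, 6, 0xEC]) + bytes(36)
    + struct.pack("!II", 1_352_073_600 + NTP_EPOCH_OFFSET, 0x8000_0000)
)

if __name__ == "__main__":
    ts = parse_reply(CONSTRUCTED_REPLY)
    print("unix:", ts, "local (+05:00):", to_local(ts, 5))
```

The stratum and mode checks matter in practice: a server that has lost its own upstream answers with stratum 0, and a client that applied such a reply would drift the router's clock, and with it the accounting records, exactly the problem the post is trying to avoid.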
This guide is divided into three parts:
1) Adding the script
2) Adding the email server
3) Adding a scheduler to run the script daily
The script below does the following:
1) Backs up the complete Mikrotik configuration
2) Backs up the User Manager database
3) Exports the complete Mikrotik configuration
After creating the 3 files, it emails them using the PTCL SMTP server (you can change this in the script if you are using some other ISP's SMTP server), and then deletes the files after sending the email to save space on the RB (as we all know, an RB has very limited storage, so if you don't delete the files created daily it will soon fill up).
Goto System > Scripts
Click on + icon to add script.
Name it backup-script
In the Source box, paste the below script.
:log info "Backup JOB Started . . . "
:global backupfile configbackup
:global umbackup um_backup
:global mikrotikexport mtexport_backup
# Remove leftovers from a previous run. [find name=...] returns nothing when the file is
# missing, so the script carries on instead of stopping on an error. The save commands add
# their own extensions (.backup, .umb, .rsc), so the full file names are used here.
:log info "Deleting old Backup File If available otherwise ignore & process further . . . "
/file remove [find name=($backupfile . ".backup")]
/file remove [find name=($umbackup . ".umb")]
/file remove [find name=($mikrotikexport . ".rsc")]
/system backup save name=$backupfile
/tool user-manager database save name=$umbackup
/export file=$mikrotikexport
:log info "Backup process pausing for 20s so it completes creating the backup files"
:delay 20s
:log info "Start Sending Backup File via Email using PTCL SMTP . . ."
/tool e-mail send to="aacable@hotmail.com" subject=([/system clock get date] . " Mikrotik Config Backup") from=mikrotikuser@ptcl.com.pk file=($backupfile . ".backup") server=119.159.253.205
/tool e-mail send to="aacable@hotmail.com" subject=([/system clock get date] . " Mikrotik UM Backup") from=mikrotikuser@ptcl.com.pk file=($umbackup . ".umb") server=119.159.253.205
:delay 50s
/tool e-mail send to="aacable@hotmail.com" subject=([/system clock get date] . " Mikrotik Export Backup") from=mikrotikuser@ptcl.com.pk file=($mikrotikexport . ".rsc") server=119.159.253.205
:delay 40s
:log info "Backup Finished"
# Clean up so the three files do not accumulate on the RB's limited storage
:log info "Deleting Backup File. All Done. Allah Hafiz"
/file remove [find name=($backupfile . ".backup")]
/file remove [find name=($umbackup . ".umb")]
/file remove [find name=($mikrotikexport . ".rsc")]
Click on OK to save the script.
The following parameters should be changed as per your local requirements.
to="aacable@hotmail.com"
Replace it with your email address.
server=119.159.253.205
Replace it with your ISP's SMTP server IP.
from=mikrotikuser@ptcl.com.pk
Replace it with your ISP's email domain. The user name can be anything, but the domain must match the connected ISP.
Open the terminal and paste the following config (the server IP will work only if you are connected through the PTCL link):
/tool e-mail set address=119.159.253.205 from=mikrotikuser@ptcl.com.pk password="" port=25 starttls=no user=""
Now test the script using the following commands at the terminal (also open the log window so you can see the script results or any error).
First we will enable script logging, so we can see its results / errors etc.
/system logging
add action=echo disabled=no prefix="" topics=script
Now execute the script.
/sys script run backup-script
You should see the following screens if everything is set up correctly. Also open the LOG window.
(Screenshot Posting Pending)
Open the terminal and paste the following command:
/system scheduler add comment="Execute Backup Script Daily at 1am" disabled=no interval=1d name=BackupnMail on-event=backup-script policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive start-date=nov/05/2012 start-time=01:00:00
Regards
Syed Jahanzaib
Scenario # 1 = 1 Mbps speed limit, fixed monthly quota-based service with a daily 300 MB download quota. If the user crosses the daily quota limit, his service shifts to a lower-speed profile (256k) for the current day; after the date changes, the user profile reverts to 1 Mb.
Details:
Bandwidth Allowed = 1 Mb
User Expiry = 1 Month
(after one month, the user account will expire)
User Monthly Traffic Quota = 1 GB
(after consuming 1 GB in total, the account will expire)
User Daily Traffic Quota = 300 MB
(after downloading 300 MB in a day, the user's service is changed to the NEXT DAILY SERVICE of lower speed, i.e. the 256k daily service, for the rest of the day; after the date changes, the user's service returns to normal, i.e. 1 Mb)
Ok here we go . . .
First Create New Service in RM using the following screenshots.
===========================================================================
Now create another new service using following screenshots.
That’s it. Now When the user will be registered using the user.php, he will first see the below account details.
After the user refills his account and purchase credit via user panel, his ID will be ACTIVE with the following info.
After the user exceeds 300 MB in a single day, his service is switched to the NEXT DAILY SERVICE, zaib-256k-daily.
NOTE: The service change is not applied on the fly. The user's hotspot/PPPoE session is disconnected by Mikrotik on a RADIUS request, and when the user reconnects he is on the 256k service profile.
Regards
Syed Jahanzaib
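The quota logic described in this scenario, written out as an added Python model (my example, not Radius Manager's code and not from the post) so the daily downgrade, the midnight reset, the 1 GB total quota and the one-month expiry can be traced through sample days. `zaib-1mb` is a hypothetical name for the normal service; `zaib-256k-daily` is the name used above; the megabyte unit and the 30-day validity are assumptions, since the page does not state RM's internal units.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MB = 1024 * 1024   # assumed binary megabytes; RM's accounting unit is not stated on the page


@dataclass
class Account:
    """One user on the two-service plan: normal speed until the daily quota, then 256k."""
    start: str                                   # ISO date the plan was bought, e.g. "2012-11-05"
    normal_service: str = "zaib-1mb"             # hypothetical name for the 1 Mb service
    next_daily_service: str = "zaib-256k-daily"  # NEXT DAILY SERVICE name from the page
    daily_quota: int = 300 * MB                  # "User Daily Traffic Quota = 300 MB"
    total_quota: int = 1024 * MB                 # "after consuming 1 GB total, account will expire"
    validity_days: int = 30                      # "User Expiry = 1 Month" (assumed 30 days)
    used_today: int = 0
    used_total: int = 0
    current: str = ""                            # service the live session is using

    def __post_init__(self):
        self._start = date.fromisoformat(self.start)
        self._today = self._start
        self.current = self.normal_service

    def wanted_service(self, day: date) -> str:
        """Service the user is entitled to on `day` given the counters so far."""
        if day >= self._start + timedelta(days=self.validity_days):
            return "expired"
        if self.used_total >= self.total_quota:
            return "expired"
        if day == self._today and self.used_today >= self.daily_quota:
            return self.next_daily_service
        return self.normal_service

    def record(self, day_iso: str, nbytes: int):
        """Account `nbytes` of traffic on `day_iso`; returns (service, reconnect_needed)."""
        day = date.fromisoformat(day_iso)
        if day != self._today:          # date change: the daily counter starts again
            self._today, self.used_today = day, 0
        self.used_today += nbytes
        self.used_total += nbytes
        wanted = self.wanted_service(day)
        # RM does not change a live session: it disconnects it and the new
        # service applies when the user reconnects (the NOTE above)
        reconnect = wanted != self.current
        self.current = wanted
        return wanted, reconnect


if __name__ == "__main__":
    acct = Account(start="2012-11-05")
    for day, used in (("2012-11-05", 200 * MB), ("2012-11-05", 150 * MB),
                      ("2012-11-06", 10 * MB), ("2012-11-06", 700 * MB)):
        print(day, used // MB, "MB ->", acct.record(day, used))
```

Running the demo shows the four transitions the scenario describes: 200 MB on the first day stays on the normal service, the next 150 MB crosses 300 MB and forces a reconnect onto zaib-256k-daily, the first traffic of the next day brings the user back to the normal service, and crossing 1 GB in total expires the account.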
You can configure various notifications for the administrator and the users: new account info, account renewal, account expiry warnings, mass email to all users from the RM admin panel, etc.
You need to edit the following files:
/etc/radiusmanager.cfg
/var/www/radiusmanager/config/system_cfg.php
Now when a user creates his ID using the self-register option via user.php, both the administrator and the user will get an email notification.
As showed in the image below . . .
Upon renewal, the user will receive the following email.
Note: Please check the JUNK email folder, because sometimes the email lands in JUNK if the domain/IP is identified as spam. Mark it as safe so future mails come into the INBOX directly.
Regards
Syed Jahanzaib
We have created a 512k service for the users. Late at night our bandwidth is usually not used much, because only a limited number of users are online at those hours. Therefore we want to increase users' bandwidth from 512k to 1 Mb automatically from 12:00am until 12:00pm.
We will divide this article into three sections:
1) Mikrotik section (adding the API)
2) Radius Manager section (adding the API)
3) Adding the service & plan in Radius Manager
We have to first configure the API both in Mikrotik and in the DMASOFTLAB RM panel.
Go to IP > Services and enable the API service.
As showed in the image below . . .
Now create an API user so that RM can use it to connect to MT.
Go to SYSTEM > USERS and add a new user by clicking on the + icon.
User name = api
Password = api (or anything else)
As shown in the image below . . .
Open the Radius Manager admin panel,
Go to NAS > LIST NAS
Select your Mikrotik NAS
Click on ENABLE MIKROTIK API
Enter the API user name & password that we added in the Mikrotik section.
As shown in the image below . . .
First create a normal service profile (512k) using the Radius Manager admin panel.
As shown in the image below . . .
Now click on the EDIT button in the Special Bandwidth Periods section at the bottom of the page . . .
As shown in the image below . . .
Now click on NEW PERIOD
As shown in the image below . . .
Enter the timings in which you want to allow extra/reduced bandwidth (in this example I used night 12 till day 12). When done, click on ADD PERIOD.
As shown in the image below . . .
Once you see the new Special Bandwidth Period, close this popup window.
As shown in the image below . . .
Click on UPDATE SERVICE in the main service window.
Now create any user and test it by adjusting the timings (for a quick result).
As shown in the image below . . .
If you have different networks on a single Mikrotik box and you want every network to have its own login page instead of one universal login page, you can create a separate login page for each network.
For example, clients on the wire could get a fancy, heavy login page, while wireless clients or another dealer's clients get a lighter login page.
Example:
LAN = 10.0.0.1/8
LAN2-wifi = 192.168.50.1/24
WAN = 192.168.30.1/24
Now you have to create two hotspot servers, one for each interface, i.e. LAN and LAN2-wifi.
As shown in the image below . . .
OK, the Hotspot 1 setup is complete. You should now be able to see the default login page from the LAN network.
Moving on to configure Hotspot 2:
Run the Hotspot Setup again, but this time select the LAN2-wifi interface.
As shown in the image below . . . (Only the major steps are posted)
Now copy the HOTSPOT folder from the Mikrotik FILES onto your desktop and rename it to 'HOTSPOT2'.
Edit the login.html page and add your logo and other info.
Now upload it to the root folder of the FILES section.
As shown in the image below . . .
Now go to IP > HOTSPOT > SERVER PROFILES
Select the second profile 'hsprof2'
In the HTML Directory field, select the hotspot2 folder (or whatever folder name you created for the second hotspot page)
Click OK.
As shown in the image below . . .
Now go to IP > HOTSPOT > SERVERS
Select the second server hs-LAN2-wifi
In Profile, select hs-LAN2-wifi
Now it's time to test the setup.
LAN CLIENT
From a LAN client, try to open any page and you will be redirected to the HOTSPOT 1 page.
As shown in the image below . . .
LAN2-wifi CLIENT
From a LAN2-wifi client, try to open any page and you will be redirected to the HOTSPOT 2 page.
As shown in the image below . . .
More to come . . .
Regards
Syed Jahanzaib
The other day someone asked me how to block adult websites in Mikrotik. There is no built-in way to do it, as it involves URL filtering, and it is not the job of a ROUTER to do such a task. A dedicated proxy server can do it effectively, since proxies are built for purposes like caching, URL filtering and redirecting.
We are using Microsoft TMG in our organization, which filters URLs by category, so it is easy for us to just select the categories we want to block, for example Porn / Gambling / Spyware. But Microsoft charges for this service annually (I believe about $12 per user per year). It does the job perfectly and very efficiently, but it is not a cost-effective solution, especially if you don't have much budget to pay Microsoft.
However, the following is a free, neat and clean method to block about 80-90% of porn web sites, using the OpenDNS servers as the primary DNS server in your router/proxy or even on a desktop PC.
Use the DNS servers below as the primary DNS server in Mikrotik / ISA server / router or even a desktop. If you are using Mikrotik or another server, make sure the clients are using your server's IP as their DNS server, because OpenDNS only works if the client / router is using OpenDNS's servers. You can also force users to use your DNS server by adding a redirect rule so that every DNS request is redirected to your local server.
208.67.222.123
208.67.220.123
If you are using a Mikrotik server, it would look something like the image below . . .
Now if you try to open any adult web site, it won't open: you will either get the browser's default 'Could not open' error, or the request will be redirected to the OpenDNS block page informing you that your request was blocked by OpenDNS.
As shown in the image below . . .
You can also show your own page explaining that adult web sites are blocked, along with your advertisement. For this purpose, you have to enable the web proxy and redirect user traffic to the local proxy; then, in proxy access, block www.blocked-website.com and redirect it to your local web server page.
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=\
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
0.0.0.0
/ip proxy access
add action=deny disabled=no dst-host=www.blocked-website.com dst-port="" \
redirect-to=101.11.11.240/nonpayment/nonpayment.htm
Replace 101.11.11.240 and the full path with your local web server.
Now enable a NAT rule to redirect user traffic to the local proxy.
/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp \
to-ports=8080
Make sure you move this rule in the NAT section above the default masquerading rule, so that it captures the HTTP traffic and redirects it before it is masqueraded to the outside world.
As shown in the image below . . .
If you don't want to use the proxy for all requests but only for www.blocked-website.com, then use the rule below, which redirects only blocked-website.com traffic to the local web proxy; all other traffic goes out directly.
/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-address=208.69.33.135 \
dst-port=80 protocol=tcp to-ports=8080
Now when a user tries to open any adult web site, he is redirected to the local proxy, and the proxy (using the access rules we defined above) redirects the request to our local web server page showing our info page.
As shown in the image below . . .
Regards
Syed Jahanzaib
Following is a small guide on how you can enable your Mikrotik to send SMS using a GSM modem. It also demonstrates how you can enable Mikrotik to receive SMS via the GSM modem and execute a script based on the command in the SMS.
This is very useful in many situations. For example you can configure multiple scripts to do various tasks: create/disable users, change queues, reset the router admin/user password, send an SMS that replies with the current network or internet connectivity information, alert you if any link goes down, and so much more you can imagine; or reboot the router remotely by sending an SMS message to Mikrotik, which then executes the specified script and reboots right away. I have used this SMS function for a number of tasks and it performed very well.
Hardware used for this guide
1) Mikrotik 5.20 x86 version installed on PC
2) Teltonika GSM Modem Device. (Picture attached below, you can also use any mobile to do the task)
After plugging the device into the Mikrotik box, reboot Mikrotik once so it can initialize the modem device.
Open the terminal and issue the following command to view the USB port details.
/port print
and you will see a result similar to the image below . . .
If you can see the USB port listed, it means your device has been detected.
Now go to TOOLS > SMS
Click on 'Receive Enabled' (only if you want to enable receiving for various functions)
In Port, select USB3 (or whatever your USB port name is)
Set the Channel ???
In Secret, type any password, e.g. 12345 [the secret is like your password; it is used if you want Mikrotik to execute any script/command when it receives the appropriate SMS]
Click APPLY
As shown in the image below . . .
Now it's time to send a test SMS to any number using Mikrotik.
Click on Send SMS
In Port, select USB3 (or whatever name your USB port was detected with)
In Phone number, type your destination mobile number
In Message, type your desired message,
and click on SEND SMS
As shown in the image below . . .
If you have selected 'Receive Enabled', then you can receive messages on Mikrotik in the INBOX section of SMS. It can also execute any script of your choice.
For example, if you want to reboot your router by sending an SMS, use the following method.
First create an appropriate script that restarts the router.
/system script add name=reboot policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="/system reboot"
Now from your own mobile, send the following SMS to the number of the GSM device connected to Mikrotik.
:cmd 12345 script reboot
Explanation of the above command:
:cmd = tells Mikrotik that this is a command it needs to execute
12345 = the secret/password that we set in the SMS settings
script = tells Mikrotik that it has to execute the script function
reboot = the name of the script we want Mikrotik to run, which we created in the step above.
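The checks a router should apply to an incoming command SMS, written out as an added Python model (my example, not RouterOS code and not from the post) so that they can be read and tested: only a listed sender is accepted, the secret is compared in constant time, and only a known script name is run. The sender number and the inbox messages are constructed sample values; the script names are the ones used on this page.

```python
import hmac
import re
from typing import List, Tuple

# Constructed policy (assumed values, not from the post): who may send commands and which
# scripts they may run. The secret is the page's example; use a long random one in practice.
ALLOWED_SENDERS = {"+923001234567"}            # hypothetical sender number
KNOWN_SCRIPTS = {"reboot", "enable-sms-rec"}   # script names that appear on the page
SECRET = "12345"

# ":cmd <secret> script <name>", the message format described above
CMD_RE = re.compile(r"^:cmd\s+(\S+)\s+script\s+([A-Za-z0-9_-]+)\s*$")


def validate_command(sender: str, text: str, secret: str = SECRET) -> Tuple[bool, str]:
    """Return (accepted, script_or_reason) for one incoming SMS."""
    if sender not in ALLOWED_SENDERS:
        return False, "sender not allowed"
    m = CMD_RE.match(text)
    if not m:
        return False, "malformed command"
    given, script = m.groups()
    # constant-time comparison so a wrong secret cannot be told apart by timing
    if not hmac.compare_digest(given.encode(), secret.encode()):
        return False, "bad secret"
    if script not in KNOWN_SCRIPTS:
        return False, "unknown script"
    return True, script


def process_inbox(messages: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run each (sender, text) pair through the checks; returns an audit trail worth logging."""
    trail = []
    for sender, text in messages:
        ok, detail = validate_command(sender, text)
        trail.append((sender, ("RUN " if ok else "DROP ") + detail))
    return trail


# Constructed sample inbox: one valid command and four that must be dropped
SAMPLE_INBOX = [
    ("+923001234567", ":cmd 12345 script reboot"),
    ("+923001234567", ":cmd 99999 script reboot"),
    ("+923009999999", ":cmd 12345 script reboot"),
    ("+923001234567", ":cmd 12345 script unknown-script"),
    ("+923001234567", "hello"),
]

if __name__ == "__main__":
    for sender, outcome in process_inbox(SAMPLE_INBOX):
        print(sender, outcome)
```

Keeping an audit line for every dropped message, not only the accepted ones, is what lets you notice someone guessing the secret. RouterOS itself offers an allowed-number setting under /tool sms that plays the role of ALLOWED_SENDERS here, which is worth setting alongside the secret.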
You can do so much interesting stuff using this feature. I used this option in the past to control my whole company network, including Mikrotik/Linux/Microsoft domain environments. It was used to power OFF / power ON / reboot and many other functions.
I will write about them later . . .
Receive Enabled turns off automatically when the router reboots, so you can schedule a script that runs on every reboot and then at 15-minute intervals.
First, below is a simple command to enable receiving manually via the terminal.
/tool sms set receive-enabled=yes
Now we will create the script and add a scheduler. We will use the terminal to do the task quickly.
/system script add name=enable-sms-rec policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/tool sms set receive-enabled=yes;"
Now add a scheduler so this script runs every 15 minutes, and on startup as well.
/system scheduler
add comment="execute enable-sms-rec script" disabled=no interval=15m name=\
"execute enable-sms-rec script" on-event=enable-sms-rec policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
start-time=startup
Regards
Syed Jahanzaib