As requested by many friends, the following is a short guide on how to configure a payment reminder for expired users in DMASOFTLAB RADIUS MANAGER 4.x.x.
[I wrote this guide because it is better to explain it in detail with screenshots here than to explain it to every individual.]
This guide demonstrates that when a user account has expired, the user can still log in to your Mikrotik / NAS, but when he tries to browse he is redirected to a non-payment page explaining why his access is blocked. Useful in many scenarios.
Scenario 1 [simple one]: Mikrotik as PPPoE server
LAN IP + DHCP POOL = 192.168.1.0/24
Local Web Server IP = 192.168.1.10
PPPoE IP Pool = 172.16.0.0/24
EXPIRED IP Pool = 172.16.100.0/24
WAN IP = 1.1.1.1
RADIUS MANAGER CONFIGURATION
- Create a new service according to your requirements, e.g. 1mb / 1 month limitation
- In "IP pool name", type expired
- In the "Next expired service" option, select EXPIRED as the next master service, so that when the primary service expires the user's service is switched to this one. [Note: the EXPIRED service is available in RM by default, but if you cannot find it you can create it manually: add a new service named EXPIRED and set its IP pool accordingly.]
As shown in the image below:
Now create a user in the Users section and bind it to the new service you just created above (1mb / 1 month limitation).
MIKROTIK CONFIGURATION
Add IP POOL for Expired Users
Add a new IP pool for EXPIRED PPPoE users:
/ip pool add name=expired ranges=172.16.100.1-172.16.100.255
As shown in the image below:
Enable WEB PROXY and add rules
Now enable the WEB PROXY and add a deny/redirect rule so that we can redirect the EXPIRED users pool to any web server that shows the non-payment reminder page. You can also use an EXTERNAL proxy such as Squid to do the redirection, but in this guide I am showing only the Mikrotik-level configuration.
# First enable the Mikrotik web proxy (you can use an external proxy server such as SQUID instead)
/ip proxy set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=yes max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
# Add a rule to allow access to the web server, otherwise users will not be able to reach the reminder page. This rule must be on top.
# (The web server address is 192.168.1.10 as defined in the scenario above; it can be hosted locally or externally on the internet.)
/ip proxy access add action=allow comment="Allow access to web server so expired users can view the payment reminder page. It can be locally hosted or external (on the internet) as well." disabled=no dst-address=192.168.1.10 dst-port=""
# Now add a rule under /ip proxy access (not /ip proxy) that denies everything else and redirects expired pool users to the local or external payment reminder page.
/ip proxy access add action=deny disabled=no dst-port="" redirect-to=192.168.1.10/nonpayment/nonpayment.htm
As shown in the image below:
Add FIREWALL REDIRECT rule in NAT SECTION
Now add a REDIRECT rule in the Firewall / NAT section, and put only the valid PPPoE users pool in the default NAT rule.
The redirect rule makes sure that users from the expired pool are sent to the web proxy, which denies their requests and redirects them to the web server reminder page.
Putting only the valid PPPoE users pool in the src-address of the default NAT rule ensures that only valid PPPoE users can browse the internet.
As shown in the image below:
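The NAT rules described in this section, written out as an added example (this is not from the original post). It uses the scenario addresses above (valid PPPoE pool 172.16.0.0/24, expired pool 172.16.100.0/24, web proxy on TCP 8080, reminder web server 192.168.1.10) and assumes the WAN interface is named ether1, which is an assumption. The DNS and filter lines at the end are additional hardening the post does not show: the proxy is enabled with src-address=0.0.0.0, so it listens on every interface, and an expired client still has to resolve hostnames before any HTTP request can be redirected.

```routeros
# Added example, not from the original post. Assumes the WAN interface is "ether1".
# Scenario addresses: valid PPPoE pool 172.16.0.0/24, expired pool 172.16.100.0/24,
# Mikrotik web proxy on TCP 8080, reminder web server 192.168.1.10.

/ip firewall nat
# 1. Expired pool: transparently redirect plain HTTP (port 80) to the local web proxy,
#    where the /ip proxy access deny rule sends the client to the non-payment page.
add chain=dstnat src-address=172.16.100.0/24 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="Expired users -> web proxy"
# 2. Default NAT rule limited to the valid PPPoE pool, so expired users
#    cannot masquerade out to the internet.
add chain=srcnat src-address=172.16.0.0/24 out-interface=ether1 \
    action=masquerade comment="Internet access for valid PPPoE users only"

# 3. Expired clients are excluded from masquerade, so they need a DNS server they can
#    still reach; let the router answer DNS for them (hand out the router's address as
#    DNS in the PPPoE profile).
/ip dns set allow-remote-requests=yes

/ip firewall filter
# 4. Hardening: the proxy listens on all interfaces (src-address=0.0.0.0) and DNS now
#    answers remote requests, so drop both services on the WAN interface. Otherwise the
#    router becomes an open proxy / open resolver reachable from the internet.
add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop \
    comment="Block web proxy access from the internet"
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="Block DNS access from the internet"
```

Two caveats to keep in mind when checking the result: only plain HTTP on port 80 is redirected this way, so HTTPS connections from an expired user will simply fail instead of showing the reminder page, and the dstnat redirect rule must come before any other dstnat rules that could match the expired pool.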
RESULT
Now when the client's primary profile expires, it is switched to the NEXT MASTER SERVICE which we configured as EXPIRED, so the client gets an IP from the EXPIRED pool, and Mikrotik then redirects him to the proxy, which denies his request and redirects him to the local payment reminder page.
As shown in the image below:
SQUID PROXY RULE TO BLOCK EXPIRED POOL RANGE
In squid.conf add these lines before the other ACLs (or at the top):
acl expired-clients src 172.16.100.0/24
http_access deny expired-clients
deny_info http://web_server_ip/nonpayment/nonpayment.htm expired-clients
Note: ideally the web server should be on the same subnet.
Regards,
Syed Jahanzaib
Filed under: Radius Manager
