{"id":1379,"date":"2016-09-15T22:37:54","date_gmt":"2016-09-15T22:37:54","guid":{"rendered":"http:\/\/www.mtin.net\/blog\/?p=1379"},"modified":"2016-09-15T22:37:54","modified_gmt":"2016-09-15T22:37:54","slug":"simple-shut-off-scripting","status":"publish","type":"post","link":"http:\/\/www.mtin.net\/blog\/simple-shut-off-scripting\/","title":{"rendered":"Simple shut-off scripting"},"content":{"rendered":"<p>I had a client today who is doing some manual things as they are using Quickbooks for billing and such. \u00a0One thing they kind of struggle with is turning off people for non-payment and such. \u00a0Their current method is adding a queue and throttling someone to a low speed to make them call. \u00a0Their network is a routed network utilizing DHCP to the CPE at the customer. \u00a0Everything is in router mode and they control the addressing of the units via DHCP reservations. \u00a0So how do we make this better without adding RADIUS and all kinds of stuff into the network?<\/p>\n<p>First we set up a web proxy.<\/p>\n<pre class=\"p1\">\/ip proxy\r\nset enabled=yes port=8089\r\n\r\n\/ip proxy access\r\nadd dst-host=mtin.net dst-port=80\r\nadd dst-host=*.mtin.net dst-port=80\r\nadd dst-port=53\r\nadd action=deny redirect-to=www.mtin.net<\/pre>\n<p class=\"p1\">The above configuration says that anyone coming into the proxy is only allowed to go to mtin.net (we used our domain as an example) and to use port 53 (DNS); anything else gets redirected to www.mtin.net. 
We allowed port 53 because they are in the process of cleaning up some of the radios and other devices that are using 8.8.8.8 and other DNS servers.<\/p>\n<p class=\"p1\">Next we set up a NAT rule.<\/p>\n<pre class=\"p1\">\/ip firewall nat\r\nadd action=redirect chain=dstnat dst-port=80 protocol=tcp src-address-list=\\\r\nSHUTOFF to-ports=8089<\/pre>\n<p class=\"p1\">This NAT rule says that any port 80 request coming from our SHUTOFF address list gets redirected to port 8089 (the proxy port set up earlier).<\/p>\n<p class=\"p1\">Our third step is to set up our address list. This is very straightforward. \u00a0Just add users to this list when they are to be turned off, and remove them when they are to be turned back on.<\/p>\n<pre class=\"p1\">\/ip firewall address-list\r\nadd address=10.20.0.192 list=SHUTOFF<\/pre>\n<p class=\"p1\">Lastly, we add a filter rule which denies the SHUTOFF folks from using anything except port 53 and port 80. \u00a0We do this because we can&#8217;t proxy port 443 and other SSL traffic. If folks go to an HTTPS site it simply fails. \u00a0This is a drawback of using a web proxy.<\/p>\n<pre class=\"p1\">\/ip firewall filter\r\nadd action=drop chain=forward dst-port=!53,80 protocol=tcp src-address-list=\\\r\nSHUTOFF<\/pre>\n<p class=\"p1\">If you have an SSL payment gateway you can modify your filter rules to allow traffic to it. This is just one quick and dirty way of letting customers know they have been turned off.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I had a client today who is doing some manual things as they are using Quickbooks for billing and such. \u00a0One thing they kind of struggle with is turning off people for non-payment and such. \u00a0Their current method is adding a queue and throttling someone to a low speed to make them call. 
\u00a0Their network is [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[24,156,2],"tags":[367,364,25,366,296,365],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VLMf-mf","jetpack-related-posts":[{"id":2250,"url":"http:\/\/www.mtin.net\/blog\/mikrotik-destination-nat\/","url_meta":{"origin":1379,"position":0},"title":"Mikrotik Destination Nat","author":"j2sw","date":"May 1, 2018","format":false,"excerpt":"Scenario You have a customer with a Mikrotik router that needs a port forwarded to an internal IP address. In our case, a customer has a camera that communicates on port 80 with a static IP add of 192.168.21.49 on their internal LAN. Solution add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.21.49\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2277,"url":"http:\/\/www.mtin.net\/blog\/winbox-brute-force\/","url_meta":{"origin":1379,"position":1},"title":"Winbox brute Force","author":"j2sw","date":"June 1, 2018","format":false,"excerpt":"You really should not have your winbox port open to anything but a management network, but if you need a script to help with brute force on the Mikrotik. 
add action=drop chain=input comment=\"drop winbox brute forcers\" dst-port=8291 \\ protocol=tcp src-address-list=winbox_blacklist add action=add-src-to-address-list address-list=winbox_blacklist \\ address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 \\ protocol=tcp\u2026","rel":"","context":"Similar post","block_context":{"text":"Similar post","link":""},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2755,"url":"http:\/\/www.mtin.net\/blog\/basic-ipv6-mikrotik-firewall\/","url_meta":{"origin":1379,"position":2},"title":"Basic IPV6 Mikrotik Firewall","author":"j2sw","date":"January 24, 2019","format":false,"excerpt":"Below is a basic IPV6 firewall filter for your Mikrotik CPE devices.\u00a0 This is a good start for customer-facing CPE. \u00a0 \/ipv6 firewall filter add chain=forward comment=\"allow forwarding established, related\" connection state=established,related add chain=forward comment=\"allow forward lan->wan\" in-interface=lan out-interface=wan add chain=forward comment=\"allow ICMPv6 forwarding\" in-interface=wan protocol=icmpv6 add action=reject chain=forward comment=\"reject\u2026","rel":"","context":"In &quot;IPV6&quot;","block_context":{"text":"IPV6","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/ipv6\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":297,"url":"http:\/\/www.mtin.net\/blog\/protecting-your-mikrotik-from-dns-amplification\/","url_meta":{"origin":1379,"position":3},"title":"Protecting your Mikrotik from DNS Amplification","author":"j2sw","date":"May 8, 2015","format":false,"excerpt":"There are several reasons and benefits to using your Mikrotik as a DNS caching server. \u00a0Queries to the client are just a tad faster, which makes the overall user experience seem snappier. 
\u00a0It also allows you to quickly change upstream DNS servers in the event of an outage, attack, etc.\u2026","rel":"","context":"In \"amplification\"","block_context":{"text":"amplification","link":"http:\/\/www.mtin.net\/blog\/tag\/amplification\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":47,"url":"http:\/\/www.mtin.net\/blog\/mikrotik-chains-explained\/","url_meta":{"origin":1379,"position":4},"title":"Mikrotik Chains Explained","author":"j2sw","date":"March 31, 2014","format":false,"excerpt":"What the wiki says: input\u00a0- used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain (DST address of the router) forward\u00a0-\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2165,"url":"http:\/\/www.mtin.net\/blog\/ipv6-firewall-rules-for-mikrotik\/","url_meta":{"origin":1379,"position":5},"title":"IPV6 Firewall rules for Mikrotik","author":"j2sw","date":"March 23, 2018","format":false,"excerpt":"Some basic IPV6 Firewall Rules for Mikrotik. Replace in-interface=\"\" with your appropriate interface. 
\/ipv6 firewall filter add chain=input protocol=icmpv6 add chain=input connection-state=established,related add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547 add action=drop chain=input connection-state=invalid add action=drop chain=input connection-state=new in-interface=ether1-wan add chain=forward protocol=icmpv6 add chain=forward connection-state=established,related add chain=forward connection-state=new in-interface=!ether1-wan add action=drop chain=forward\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/1379"}],"collection":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/comments?post=1379"}],"version-history":[{"count":2,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/1379\/revisions"}],"predecessor-version":[{"id":1381,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/1379\/revisions\/1381"}],"wp:attachment":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media?parent=1379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/categories?post=1379"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/tags?post=1379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}