I had a client today who is doing some manual things as they are using Quickbooks for billing and such. One thing they kind of struggle with is turning off people for non-payment and such. Their current method is adding a que and throttling someone to a low-speed to make them call. Their network is a routed network utilizing DHCP to the CPE at the customer. Everything is in router mode and they control the addressing of the units via DHCP reservations. So how do we make this better without adding radius and all kinds of stuff into the network?
First we set up a web-proxy
/ip proxy set enabled=yes port=8089 /ip proxy access add dst-host=mtin.net dst-port=80 add dst-host=*.mtin.net dst-port=80 add dst-port=53 add action=deny redirect-to=www.mtin.net
What the above code does is says anyone coming into the proxy is only allowed to go to mtin.net (used our domain as an example), use port 53 (DNS), and anything else gets redirected to www.mtin.net. We chose port 53 because they are in the process of cleaning up some of the radios and such which are using 188.8.131.52 and other DNS servers.
Next we set up a nat rule
/ip firewall nat add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address-list=\ SHUTOFF to-ports=8089
This nat rule says anyone making a port 80 request coming from our SHUTOFF address-list gets redirected to port 8089 (our proxy port setup earlier).
Our third step is to setup our address list. this is very straightforward. Just modify and add users to this list when they are to be turned off.
/ip firewall address-list add address=10.20.0.192 list=SHUTOFF
Lastly, we add a filter rule which denies the SHUTOFF folks from using anything except port 53 and port 80. We do this because we can’t proxy port 443 and other SSL traffic. If folks go to a HTTPS site it simply fails. This is a drawback of using a web-proxy.
/ip firewall filter add action=drop chain=forward dst-port=!53,80 protocol=tcp src-address-list=\ SHUTOFF
If you have an SSL payment gateway you can modify your filter rules to allow traffic to it. This is just one quick and dirty way of letting customers know they have been turned off.