...

What can be done for effective blocking?

Provide access to the customer portal for blocked clients.

  • If technical support sends debtors to the portal whenever they call, over time customers get used to opening the portal when they have a network problem. This also serves as an additional tool for quick network diagnostics and, in the long run, may reduce the number of calls to technical support.
  • A customer who has learned that he is blocked for non-payment can, after paying, track on his own when the money arrives on the account.

All HTTP traffic of blocked customers should be redirected to the customer portal or a stub page.

  • When a blocked customer tries to open any web page over HTTP, he sees the portal or a stub page that explains what the problem might be (no money, wrong password, etc.).
  • Most modern operating systems have a mechanism for detecting the state of Internet access (a captive-portal check). The OS probes network access when it connects; if it detects a stub page instead of the expected response, it notifies the user, for example by opening the stub page in a separate window/frame or by showing a message in the notification panel.

For example, Ubuntu (screenshot of the notification).

DNS

When the DNS service does not work, the customer's computer spends about 10 seconds on each DNS request before it concludes that the Internet is not working:

time host wikipedia.org
;; connection timed out; no servers could be reached
real 0m10,031s

Some software keeps retrying the connection, and while it waits the program's interface often freezes.

A good solution is to run your own caching DNS server and not limit the traffic to it for blocked users. This is generally a good way to increase web responsiveness for all customers at minimal cost.

If you use external DNS servers, you can rate-limit the traffic to them. Allowing a burst at the beginning is useful during system boot, when many queries are sent at once.

For all other traffic, we reply that the network is blocked by sending an ICMP packet of type 3, code 9: "3/9 Communication with Destination Network is Administratively Prohibited".

This removes all the other delays as well: the program that sent the request is refused immediately, instead of waiting for an answer for a while and then retrying.
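To see what such a reject looks like on the wire, and to verify from a capture that blocked customers really receive it rather than a silent drop, here is an added Python example (not code from the original page or from Splynx/MikroTik). It builds a constructed exchange, a TCP SYN from a made-up customer address 10.20.30.40 to the documentation address 203.0.113.10, wraps it in the ICMP type 3 message a router would send back, and decodes that message: checksum, code, and the addresses and ports of the refused flow. It goes slightly beyond the page by also recognising the RFC 1812 codes 10 and 13 as "administratively prohibited", alongside the code 9 the page uses.

```python
import struct
import ipaddress

ICMP_DEST_UNREACH = 3
# RFC 1812 "administratively prohibited" codes for type 3; the page's rule uses code 9.
ADMIN_PROHIBITED_CODES = {
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_unreachable(code: int, original_datagram: bytes) -> bytes:
    """What the router sends back: type 3, the given code, 4 unused bytes, then the
    original IP header plus the first 8 bytes of its payload (RFC 792)."""
    ihl = (original_datagram[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original_datagram[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Decode a Destination Unreachable message: verify its checksum, then recover
    the addresses, protocol and ports of the flow the router refused."""
    if len(icmp) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, checksum = struct.unpack("!BBH", icmp[:4])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError(f"not a Destination Unreachable message (type {icmp_type})")
    checksum_ok = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) == checksum
    inner = icmp[8:]                       # quoted original datagram
    if len(inner) < 20:
        raise ValueError("quoted IP header truncated")
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport = dport = None
    l4 = inner[ihl:ihl + 8]
    if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with src/dst port
        sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "type": icmp_type, "code": code, "checksum_ok": checksum_ok,
        "admin_prohibited": code in ADMIN_PROHIBITED_CODES,
        "reason": ADMIN_PROHIBITED_CODES.get(code, "other unreachable code"),
        "src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
    }


def demo() -> dict:
    """Constructed exchange: a blocked customer at 10.20.30.40 (made-up address) sends a
    TCP SYN to port 80 of 203.0.113.10 (documentation range); the router answers 3/9."""
    tcp_first8 = struct.pack("!HHI", 51234, 80, 1)          # src port, dst port, seq no
    syn = make_ipv4_header("10.20.30.40", "203.0.113.10", 6, 20) + tcp_first8 + b"\x00" * 12
    reply = build_icmp_unreachable(9, syn)
    return parse_icmp_unreachable(reply)


if __name__ == "__main__":
    r = demo()
    print(f"ICMP {r['type']}/{r['code']} ({r['reason']}), checksum ok: {r['checksum_ok']}")
    print(f"refused flow: {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} proto {r['proto']}")
```

The quoted inner header is what lets a host map the reject back to the socket that sent the request, which is why the application fails instantly instead of waiting for a timeout; a decoder like this can be pointed at ICMP payloads from a capture to confirm the router is rejecting, not dropping.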

Below are two screenshots of an attempt to open a website; they show the time after which the browser reported that the website was unavailable: 7ms with the ICMP 3/9 reject versus 91645ms with a drop rule.

Screenshots: DROP; ICMP 3/9.

Practice

An example of setting up all of the above on MikroTik.

This is a universal example that covers all types of blocking; if you are sure you do not need some of them, you can skip the corresponding rules.

WebProxy settings

192.168.208.239 is the IP of my Splynx server. Don't forget to change it to your IP.

/ip proxy set enabled=yes port=8080,8101,8102,8103,8104
/ip proxy access add dst-address=192.168.208.239 dst-port=80 action=allow
/ip proxy access add src-address=!192.168.208.239 dst-port=80 local-port=8080 action=deny redirect-to="192.168.208.239/portal"
/ip proxy access add src-address=!192.168.208.239 dst-port=80 local-port=8101 action=deny redirect-to="192.168.208.239:8101"
/ip proxy access add src-address=!192.168.208.239 dst-port=80 local-port=8102 action=deny redirect-to="192.168.208.239:8102"
/ip proxy access add src-address=!192.168.208.239 dst-port=80 local-port=8103 action=deny redirect-to="192.168.208.239:8103"
/ip proxy access add src-address=!192.168.208.239 dst-port=80 local-port=8104 action=deny redirect-to="192.168.208.239:8104"
/ip proxy access add dst-port="" action=deny

Winbox WebProxy

Winbox WebProxy Access

Firewall settings

NAT

All these rules redirect HTTP traffic to the appropriate stub pages. If in some cases you want to send the customer to the customer portal instead, use to-ports=8080 in those rules.

# For mikrotik API
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=80 to-ports=8102 src-address-list=SpLBL_blocked comment="Blocked -> 8102"
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=80 to-ports=8101 src-address-list=SpLBL_new comment="new -> 8101"
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=80 to-ports=8102 src-address-list=SpLBL_active comment="FUP or CAP -> 8102"
# If you're using radius
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=80 to-ports=8101 src-address-list=Reject_0 comment="user not found"
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=80 to-ports=8101 src-address-list=Reject_1 comment="blocked, not active or not in system"
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=80 to-ports=8102 src-address-list=Reject_2 comment="negative balance or FUP/CAP"
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=80 to-ports=8104 src-address-list=Reject_3 comment="wrong MAC"
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=80 to-ports=8103 src-address-list=Reject_4 comment="wrong password"

Filter rules

If there are resources that should stay reachable for blocked customers, add them to an address list named "white-resource".

/ip firewall filter add chain=forward action=jump jump-target=Blocked dst-address-list=!white-resource src-address-list=SpLBL_blocked
/ip firewall filter add chain=forward action=jump jump-target=Blocked dst-address-list=!white-resource src-address-list=SpLBL_new
/ip firewall filter add chain=forward action=jump jump-target=Blocked dst-address-list=!white-resource src-address-list=SpLBL_active
/ip firewall filter add chain=forward action=jump jump-target=Blocked dst-address-list=!white-resource src-address-list=Reject_0
/ip firewall filter add chain=forward action=jump jump-target=Blocked dst-address-list=!white-resource src-address-list=Reject_1
/ip firewall filter add chain=forward action=jump jump-target=Blocked dst-address-list=!white-resource src-address-list=Reject_2
/ip firewall filter add chain=forward action=jump jump-target=Blocked dst-address-list=!white-resource src-address-list=Reject_3
/ip firewall filter add chain=forward action=jump jump-target=Blocked dst-address-list=!white-resource src-address-list=Reject_4
/ip firewall filter add chain=Blocked action=accept protocol=udp dst-port=53 dst-limit=2,0,src-address/1m40s
/ip firewall filter add chain=Blocked action=accept protocol=tcp dst-address=192.168.208.239 dst-port=80,8101,8102,8103,8104
/ip firewall filter add chain=Blocked action=reject reject-with=icmp-admin-prohibited dst-limit=10,0,src-address/1m40s
/ip firewall filter add chain=Blocked action=drop
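The proxy listeners, the NAT to-ports and the accept rule in the Blocked chain all have to name the same set of stub ports, and with this many hand-typed rules it is easy to add a new address list in one place and forget the others. The following added Python example (not code from the original page, Splynx or MikroTik) keeps the mapping in one table, generates the NAT and filter rules shown above from it, and checks that table against port lists copied from a running router. The Reject_* lists assume the RADIUS setup the page describes; the port sets passed to check_consistency in the usage are hypothetical values an operator would copy from /ip proxy print and from the accept rule.

```python
"""Build the MikroTik NAT and filter rules for blocked-customer stub pages from one
table, and check that NAT targets, proxy listeners and filter accepts agree."""

SPLYNX_HOST = "192.168.208.239"   # the page's Splynx address; replace it with yours
PORTAL_PORT = 8080                # proxy listener that sends customers to the portal

# Address list -> (local proxy port its HTTP traffic is redirected to, rule comment).
# Mirrors the page's rules; this table is the single place to edit.
STUB_PORT_BY_LIST = {
    "SpLBL_blocked": (8102, "Blocked -> 8102"),
    "SpLBL_new":     (8101, "new -> 8101"),
    "SpLBL_active":  (8102, "FUP or CAP -> 8102"),
    "Reject_0":      (8101, "user not found"),
    "Reject_1":      (8101, "blocked, not active or not in system"),
    "Reject_2":      (8102, "negative balance or FUP/CAP"),
    "Reject_3":      (8104, "wrong MAC"),
    "Reject_4":      (8103, "wrong password"),
}


def stub_ports(table=STUB_PORT_BY_LIST):
    return sorted({port for port, _ in table.values()})


def proxy_listen_ports(table=STUB_PORT_BY_LIST, portal_port=PORTAL_PORT):
    """Ports the web proxy must listen on: the portal redirector plus every stub."""
    return sorted({portal_port} | set(stub_ports(table)))


def nat_rules(table=STUB_PORT_BY_LIST):
    return [
        "/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=80 "
        f'to-ports={port} src-address-list={lst} comment="{comment}"'
        for lst, (port, comment) in table.items()
    ]


def filter_rules(table=STUB_PORT_BY_LIST, splynx_host=SPLYNX_HOST):
    rules = [
        "/ip firewall filter add chain=forward action=jump jump-target=Blocked "
        f"dst-address-list=!white-resource src-address-list={lst}"
        for lst in table
    ]
    # Port 80 carries the portal URL the 8080 listener redirects to; the stub ports carry
    # the redirect-to targets, so the browser's follow-up request must be let through.
    reachable = ",".join(str(p) for p in sorted({80} | set(stub_ports(table))))
    rules += [
        "/ip firewall filter add chain=Blocked action=accept protocol=udp dst-port=53 "
        "dst-limit=2,0,src-address/1m40s",
        "/ip firewall filter add chain=Blocked action=accept protocol=tcp "
        f"dst-address={splynx_host} dst-port={reachable}",
        "/ip firewall filter add chain=Blocked action=reject reject-with=icmp-admin-prohibited "
        "dst-limit=10,0,src-address/1m40s",
        "/ip firewall filter add chain=Blocked action=drop",
    ]
    return rules


def check_consistency(proxy_ports, accepted_ports, table=STUB_PORT_BY_LIST):
    """Compare the table against port sets copied from a running router (/ip proxy print
    and the Blocked-chain accept rule). Returns a list of mismatches; empty = consistent."""
    problems = []
    for lst, (port, _) in table.items():
        if port not in proxy_ports:
            problems.append(f"{lst}: NAT redirects to {port}, but the proxy does not listen on it")
        if port not in accepted_ports:
            problems.append(f"{lst}: chain Blocked does not accept tcp/{port} to {SPLYNX_HOST}")
    return problems


if __name__ == "__main__":
    print("/ip proxy set enabled=yes port=" + ",".join(map(str, proxy_listen_ports())))
    print("\n".join(nat_rules() + filter_rules()))
    # Hypothetical router state: an operator forgot to add 8104 to the proxy listeners.
    for problem in check_consistency({8080, 8101, 8102, 8103}, {80, 8101, 8102, 8103, 8104}):
        print("MISMATCH:", problem)
```

Generating the rules from the table keeps the order the page relies on (jumps first, then DNS accept, Splynx accept, rate-limited reject, final drop); the check is worth running after any change on the router, since a stub port that the proxy does not listen on turns a helpful redirect into a connection that simply hangs.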



MikroTik API blocking of non-payers

...