Boa noite a todos. Sei que não sou o único que enfrentou essa mesma dúvida; acredito que, pela peculiaridade de cada rede, não consegui fazer funcionar o redirecionamento de cliente bloqueado para a página de aviso. Já olhei dezenas de tópicos do fórum e estou tentando fazer funcionar há dias, criando e refazendo regras, sem sucesso.

Como tenho balanceamento de carga na mesma RB que se comunica com o MK-auth, tenho a suspeita de que possa haver algo relacionado às regras do firewall. Caso alguém possa apontar alguma possível falha, ficarei feliz em agradecer.

Obrigado a todos!

Configuração:

/interface bridge
# bridge1 has no ports assigned anywhere in this export (see /interface bridge port) - appears unused
add name=bridge1
# wireless-01 is the client-facing bridge (PPPoE servers, hotspot/LAN ports, MK-AUTH and PGCORTE
# addresses all hang off it); protocol-mode=none turns off (R)STP loop protection on this bridge
add name=wireless-01 protocol-mode=none
/interface ethernet
# ether1/ether2 are the two uplinks (NET1/NET2); ether5 is the tower link (TORRE)
set [ find default-name=ether1 ] name=NET1
# NOTE(review): ether2-ether5 carry manually set MAC addresses; the reason is not visible in this
# export (presumably upstream MAC bindings) - confirm before reusing this config on other hardware
set [ find default-name=ether2 ] mac-address=D4:CA:6D:AA:80:E4 name=NET2
set [ find default-name=ether5 ] mac-address=D4:CA:6D:AA:80:E7 name=TORRE
set [ find default-name=ether3 ] mac-address=D4:CA:6D:AA:80:E5
set [ find default-name=ether4 ] mac-address=D4:CA:6D:AA:80:E6
/interface ethernet switch port
# vlan-mode=fallback on switch ports 0-3 and 5; port 4 is not listed here
set 0 vlan-mode=fallback
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 5 vlan-mode=fallback
/ip hotspot profile
# Default profile (NOT the one hotspot1 uses - that is hsprof1 below) allows login by MAC.
# The mac-auth-password is the MAC of hotspot user "josue" (see /ip hotspot user), so the
# whole credential is a value any device on the segment can observe and spoof; treat MAC login
# as a convenience, not as authentication.
set [ find default=yes ] html-directory=flash/hotspot login-by=\
mac,cookie,http-chap mac-auth-password=64-1C-67-31-72-61
# hsprof1: profile bound to hotspot1; no login-by is set here, so the defaults apply
add dns-name=google1 hotspot-address=192.168.129.1 html-directory=flash/hotspot \
name=hsprof1
/ip ipsec proposal
# AES-128-CBC only; no IPsec peers or policies appear elsewhere in this export
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
# wireless-01: PPPoE client pool (NAT'ed by the "NAT PPPoE" srcnat rule)
add name=wireless-01 ranges=10.0.0.2-10.0.0.254
add name=hs-pool-3 ranges=192.168.129.20-192.168.129.253
add name=dhcp_pool2 ranges=192.168.87.2-192.168.87.254
# LOCAL-1 / REMOTO-1: address pairs for the PPPOE-MK profile
add name=LOCAL-1 ranges=10.2.0.1-10.2.5.254
add name=REMOTO-1 ranges=10.3.0.1-10.3.5.254
# PGCORTE / pgcorte: two pools with an identical range for blocked clients. The matching
# address is 10.4.0.1/22 (see /ip address), whose broadcast is 10.4.3.255 - the range end
# includes that broadcast address; the filter/nat rules below already stop at 10.4.3.254.
add name=PGCORTE ranges=10.4.0.2-10.4.3.255
add name=pgcorte ranges=10.4.0.2-10.4.3.255
/ip dhcp-server
# DHCP server can not run on slave interface!
# (ether4 is a port of bridge wireless-01 - see /interface bridge port - which is what the
# exporter's warning above refers to; the server would have to sit on wireless-01 itself)
add add-arp=yes address-pool=dhcp_pool2 always-broadcast=yes bootp-support=\
dynamic disabled=no interface=ether4 lease-time=1d10m name=dhcp2
/ip hotspot
# NOTE(review): hotspot1 is bound to ether3, which is also a port of wireless-01 - likely the
# same slave-interface problem as dhcp2 above; confirm the hotspot is actually running
add address-pool=hs-pool-3 disabled=no interface=ether3 name=hotspot1 profile=\
hsprof1
/ppp profile
# PPPOE-CLIENTE-IP is the default profile of the "wireless-01" PPPoE service; the *mega
# profiles are the per-plan rate limits. Only PPPOE-MK requests link encryption.
add dns-server=201.17.0.92,201.17.0.64 idle-timeout=10h local-address=10.0.0.1 \
name=PPPOE-CLIENTE-IP remote-address=wireless-01
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=10.0.0.1 name=\
5mega rate-limit=900k/5450k remote-address=wireless-01
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=10.0.0.1 name=\
1mega rate-limit=300k/1300k remote-address=wireless-01
add change-tcp-mss=yes local-address=10.0.0.1 name=2mega rate-limit=500k/2450k \
remote-address=wireless-01
add change-tcp-mss=yes local-address=10.0.0.1 name=3mega rate-limit=650k/3450k \
remote-address=wireless-01
add change-tcp-mss=yes local-address=10.0.0.1 name=10mega rate-limit=\
1800k/10600k remote-address=wireless-01
add dns-server=201.17.0.92,201.17.0.64 local-address=LOCAL-1 name=PPPOE-MK \
remote-address=REMOTO-1 use-encryption=yes
/snmp community
# default community kept (its name is not shown in the export) but restricted to the
# MK-AUTH/RADIUS host 172.31.255.2 only - good; SNMP itself is enabled further down
set [ find default=yes ] addresses=172.31.255.2/32
/system logging action
set 1 disk-file-name=log
/interface bridge port
# TORRE, ether4 ("rede casa") and ether3 (hotspot) are all ports of wireless-01, so PPPoE
# clients, the home LAN and the hotspot share one broadcast domain
add bridge=wireless-01 interface=TORRE
add bridge=wireless-01 comment="rede casa" interface=ether4
add bridge=wireless-01 interface=ether3
/interface bridge settings
# frames bridged between wireless-01 ports also traverse /ip firewall (filter, mangle, nat),
# so the cut-page rules below apply to bridged LAN/hotspot clients as well as routed ones
set use-ip-firewall=yes
/interface pppoe-server server
# Two PPPoE services on the same bridge. Both accept PAP, which carries the password in
# clear over the shared segment - prefer chap only if the RADIUS backend allows it.
# NOTE(review): keepalive-timeout=600000 on the first service looks like a typo next to
# 5000 on the second - confirm.
add authentication=pap,chap default-profile=PPPOE-CLIENTE-IP interface=\
wireless-01 keepalive-timeout=600000 max-mru=1492 max-mtu=1492 mrru=1600 \
one-session-per-host=yes service-name=wireless-01
add authentication=pap,chap default-profile=PPPOE-MK disabled=no interface=\
wireless-01 keepalive-timeout=5000 max-mru=1492 max-mtu=1492 mrru=1600 \
one-session-per-host=yes service-name=SERVIDOR-POE-MK
/interface pptp-server server
# PPTP enabled and accepting PAP and MS-CHAPv1/v2, all of which are cryptographically weak.
# No secret or profile in this export is PPTP-specific - if the service is not needed,
# disable it; otherwise restrict to mschap2 with encryption required.
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
# NET1/NET2: the two uplinks (upstream gateways 192.168.1.1 / 192.168.0.1 per /ip route)
add address=192.168.0.2/24 interface=NET2 network=192.168.0.0
add address=192.168.1.2/24 interface=NET1 network=192.168.1.0
# ether4 is a port of bridge wireless-01 (see /interface bridge port); addresses on a slave
# port are normally not effective - same caveat as the dhcp2 server
add address=192.168.87.1/24 interface=ether4 network=192.168.87.0
add address=192.168.86.1/24 interface=ether4 network=192.168.86.0
# 172.31.255.0/24: link to the MK-AUTH host 172.31.255.2 (see address-list mkauth, /radius)
# 10.4.0.0/22: PGCORTE range used by the blocked-client filter and nat rules
add address=172.31.255.1/24 comment=MK-AUTH interface=wireless-01 network=\
172.31.255.0
add address=10.4.0.1/22 comment=PGCORTE interface=wireless-01 network=10.4.0.0
/ip cloud
set update-time=no
/ip dhcp-client
# NOTE(review): no interface= in this entry - probably an incomplete paste. A lease here would
# install a default route at distance 0, ahead of the distance 1/2 defaults in /ip route.
add default-route-distance=0 dhcp-options=hostname,clientid
/ip dhcp-server network
add address=192.168.87.0/24 dns-server=201.17.0.92,201.17.0.64 gateway=\
192.168.87.1
/ip dns
# router's resolver forwards first to the MK-AUTH host; allow-remote-requests is not shown,
# so it is presumably at its default (off) and the router is not acting as an open resolver
set cache-max-ttl=4w2d cache-size=20480KiB query-server-timeout=3s servers=\
172.31.255.2,201.17.0.92,201.17.0.64,208.67.222.220,8.8.8.8
/ip firewall address-list
# mkauth is not referenced by any filter/nat/mangle rule in this export
add address=172.31.255.2 list=mkauth
# pgcorte is the list MK-AUTH fills (via SSH) with blocked clients; note that the address-list
# LINK1 matched in /ip firewall mangle is not defined anywhere in this export
add address=10.4.0.20 comment=ssh_corte_josue.123 list=pgcorte
/ip firewall filter
# Cut-page restrictions for the PGCORTE pool. Rules are evaluated top to bottom; the forward
# chain has no other rules, so anything not dropped here is accepted.
add action=drop chain=forward dst-port=!53 protocol=udp src-address=\
10.4.0.2-10.4.3.254
# BUG: the next two rules together drop EVERY TCP packet from the pool - a packet to port 85 is
# dropped by "!80", a packet to port 80 by "!85". dstnat (below) rewrites port 80 to 85 before
# forward is evaluated, so the redirected cut-page request itself is dropped here. Use one rule
# with a port list instead, e.g. dst-port=!80,85,443,445 (as the reply below does).
# Also: only src-address is matched, so a client that is present only in the pgcorte
# address-list (outside 10.4.0.0/22) is not restricted by this chain at all.
add action=drop chain=forward dst-port=!80 protocol=tcp src-address=\
10.4.0.2-10.4.3.254
add action=drop chain=forward dst-port=!85 protocol=tcp src-address=\
10.4.0.2-10.4.3.254
# the two accept rules below are unreachable for TCP: the drops above already consumed all
# TCP from the pool (and forward's default is accept anyway)
add chain=forward comment="PERMISSAO DE ACESSO A PAGINA DE CORTE (Radius Pool)" \
dst-port=85 protocol=tcp src-address=10.4.0.2-10.4.3.254
add chain=forward comment=\
"PERMISSAO DE ACESSO A PAGINA DE CORTE (Radius LIST/SSH)" dst-port=85 \
protocol=tcp src-address-list=pgcorte
/ip firewall mangle
# Load-balancing marks for client traffic entering on wireless-01.
# Mangle prerouting is evaluated BEFORE dst-nat, so every dst-address test in this chain
# sees the original destination, not the one the cut-page redirect substitutes.
# jump target "politica de roteamento" has no rules anywhere in this export - the jump is a
# no-op unless that chain exists outside the pasted config
add action=jump chain=prerouting comment="====================" \
connection-mark=no-mark in-interface=wireless-01 jump-target=\
"politica de roteamento"
# address-list LINK1 is not defined in this export, and the Sites1 mark is not consumed by any
# mark-routing rule here
add action=mark-connection chain=prerouting connection-state=new \
dst-address-list=LINK1 in-interface=wireless-01 new-connection-mark=Sites1
# Exclusions: the no-action rules below accept in mangle, which ends mangle processing for the
# packet, so FTP, the listed ports and the two uplink /24s stay unmarked (main routing table).
# NOTE(review): 172.31.255.0/24 (MK-AUTH) and 10.4.0.0/22 (PGCORTE) are NOT excluded. As
# dst-address-type=!local is tested against the pre-NAT destination, packets of a connection that
# dstnat redirected to 172.31.255.2:85 can still receive NET1_conn/NET2_conn and a to_NETx routing
# mark - and those tables hold only default routes, i.e. the redirected cut-page traffic would be
# sent towards the WAN. The masquerade rule for dst 172.31.255.2 out NET1 further down suggests
# this has already been observed. Adding a no-action rule like
# "dst-address=172.31.255.0/24 in-interface=wireless-01" next to the "ACEITA REDE" rules is the
# usual fix; verify with /tool torch.
add action=add-dst-to-address-list address-list=ftp_con address-list-timeout=6h \
chain=prerouting comment="FTP FORA DO BALANCE" dst-port=21 in-interface=\
wireless-01 protocol=tcp
add chain=prerouting dst-address-list=ftp_con in-interface=wireless-01
add chain=prerouting comment="OUTRAS PORTAS FORA DO LOADBALACED" dst-port=\
21,2285,83,445,443,5000-6999,8080 in-interface=wireless-01 protocol=tcp
add chain=prerouting dst-port=21,2285,83,445,443,5000-6999,8080 in-interface=\
wireless-01 protocol=udp
add chain=prerouting comment="ACEITA REDE" dst-address=192.168.1.0/24 \
in-interface=wireless-01
add chain=prerouting dst-address=192.168.0.0/24 in-interface=wireless-01
# inbound connections from each uplink are marked so router-originated replies (chain=output
# below) leave on the link they arrived on
add action=mark-connection chain=prerouting comment=\
"MARCA CONEXAO ENTRADA PARA VOLTAR PELO MESMO LINK" connection-state=new \
in-interface=NET1 new-connection-mark=NET1_conn
add action=mark-connection chain=prerouting connection-state=new in-interface=\
NET2 new-connection-mark=NET2_conn
add action=mark-routing chain=output connection-mark=NET1_conn \
new-routing-mark=to_NET1
add action=mark-routing chain=output connection-mark=NET2_conn \
new-routing-mark=to_NET2
# PCC: 7 buckets, bucket 0 -> NET2_conn, buckets 1-6 -> NET1_conn (about 14% / 86%).
# NOTE(review): marking on connection-state=established (not new) leaves the first packet of
# each connection unmarked; whether that is intended is not clear from here - the common form
# is connection-state=new together with connection-mark=no-mark.
add action=mark-connection chain=prerouting comment="BALANCEANDO CONEXAO" \
connection-state=established dst-address-type=!local in-interface=\
wireless-01 new-connection-mark=NET2_conn per-connection-classifier=\
both-addresses-and-ports:7/0
add action=mark-connection chain=prerouting connection-state=established \
dst-address-type=!local in-interface=wireless-01 new-connection-mark=\
NET1_conn per-connection-classifier=both-addresses-and-ports:7/1
add action=mark-connection chain=prerouting connection-state=established \
dst-address-type=!local in-interface=wireless-01 new-connection-mark=\
NET1_conn per-connection-classifier=both-addresses-and-ports:7/2
add action=mark-connection chain=prerouting connection-state=established \
dst-address-type=!local in-interface=wireless-01 new-connection-mark=\
NET1_conn per-connection-classifier=both-addresses-and-ports:7/3
add action=mark-connection chain=prerouting connection-state=established \
dst-address-type=!local in-interface=wireless-01 new-connection-mark=\
NET1_conn per-connection-classifier=both-addresses-and-ports:7/4
add action=mark-connection chain=prerouting connection-state=established \
dst-address-type=!local in-interface=wireless-01 new-connection-mark=\
NET1_conn per-connection-classifier=both-addresses-and-ports:7/5
add action=mark-connection chain=prerouting connection-state=established \
dst-address-type=!local in-interface=wireless-01 new-connection-mark=\
NET1_conn per-connection-classifier=both-addresses-and-ports:7/6
# routing marks derived from the connection marks; see /ip route for where to_NET1/to_NET2 lead
add action=mark-routing chain=prerouting comment=\
"DIRECIONA MARCACAO PARA ROTEAMENTO" connection-mark=NET1_conn \
in-interface=wireless-01 new-routing-mark=to_NET1
add action=mark-routing chain=prerouting connection-mark=NET2_conn \
in-interface=wireless-01 new-routing-mark=to_NET2
/ip firewall nat
# PPPoE clients (pool wireless-01) are masqueraded regardless of uplink
add action=masquerade chain=srcnat comment="NAT PPPoE" src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="### MASQUERADE ###" out-interface=\
NET1
add action=masquerade chain=srcnat out-interface=NET2
# in/out-interface matcher not possible when interface (ether4) is slave - use master instead (wireless-01)
# (the exporter's warning above refers to the rule below: ether4 is a port of wireless-01, so
# this masquerade is unlikely ever to match)
add action=masquerade chain=srcnat out-interface=ether4
# Cut-page redirects. dstnat order matters: these must come before any other dstnat rule
# (including dynamic hotspot ones, if present) - the reply below makes the same point.
# BUG: this rule sets to-ports=85 but no to-addresses, so port-80 traffic from blocked clients
# is sent to the ORIGINAL destination on port 85, not to the MK-AUTH cut page. As far as I know
# the first matching dst-nat rule decides, so the rule after it never sees port-80 traffic.
# Fix: add to-addresses=172.31.255.2 here.
add action=dst-nat chain=dstnat dst-address=!172.31.255.2 dst-port=80 protocol=\
tcp src-address=10.4.0.2-10.4.3.254 to-ports=85
# with no dst-port, this redirects every remaining TCP port (incl. 443) to 172.31.255.2:85 -
# HTTPS clients get a protocol/certificate error rather than the page; the reply below uses a
# separate 443 -> 445 rule and leaves other ports to the filter drops
add action=dst-nat chain=dstnat dst-address=!172.31.255.2 protocol=tcp \
src-address=10.4.0.2-10.4.3.254 to-addresses=172.31.255.2 to-ports=85
# 172.31.255.2 is on wireless-01 (see /ip address), so traffic to it should not leave via NET1
# and this rule should never match; if it does, the mangle routing marks are sending redirected
# cut-page traffic to the WAN (see the note in /ip firewall mangle)
add action=masquerade chain=srcnat dst-address=172.31.255.2 out-interface=NET1 \
protocol=tcp src-address=10.4.0.2-10.4.3.254
/ip hotspot ip-binding
# hotspot address 192.168.129.1 (hsprof1) appears to be mapped one-to-one to 192.168.1.253
# on the NET1 side
add address=192.168.129.1 to-address=192.168.1.253 type=bypassed
# MAC-based bypass entries skip hotspot authentication entirely on a spoofable identifier -
# keep this list short and review it periodically
add comment="Smart CCE Josu\E9" mac-address=64:1C:67:31:72:61 server=hotspot1 \
type=bypassed
add comment=julio mac-address=CC:C3:EA:70:86:2B type=bypassed
add comment="Nathy iphone" mac-address=44:4C:0C:E7:D4:6C type=bypassed
add comment="Thiago dantas" mac-address=10:3B:59:B9:13:92 type=bypassed
add comment="Moto x play" mac-address=84:10:0D:D6:41:B3 server=hotspot1 type=\
bypassed
/ip hotspot user
# user josue logs in by MAC; the default profile's mac-auth-password equals this MAC, so the
# device's MAC is effectively the whole credential. Since the same MAC is already bypassed
# above, this user entry may never be exercised.
add mac-address=64:1C:67:31:72:61 name=josue
/ip route
# Marked tables. 192.168.57.1 and 192.168.56.1 are on no connected network here; they are
# resolved recursively through the /32 host routes further down:
#   192.168.57.1 -> 8.8.4.4 / 208.67.222.222 -> 192.168.1.1 (NET1 side)
#   192.168.56.1 -> 200.160.2.3 / 208.67.220.220 -> 192.168.0.1 (NET2 side)
# NOTE(review): to_NET2 prefers 192.168.57.1 (distance 1) - the NET1 side - exactly like
# to_NET1, so with both links up every marked connection leaves via NET1 and the PCC split in
# mangle has no effect; if balancing is intended, the two to_NET2 distances look swapped.
add distance=1 gateway=192.168.57.1 routing-mark=to_NET1
add distance=2 gateway=192.168.56.1 routing-mark=to_NET1
add distance=1 gateway=192.168.57.1 routing-mark=to_NET2
add distance=2 gateway=192.168.56.1 routing-mark=to_NET2
# Rota0 / Rota1 are not assigned by any mangle rule in this export
add distance=1 gateway=192.168.56.1 routing-mark=Rota0
add distance=2 gateway=192.168.57.1 routing-mark=Rota0
add distance=1 gateway=192.168.57.1 routing-mark=Rota1
add distance=2 gateway=192.168.56.1 routing-mark=Rota1
# unmarked (main table) defaults: NET1 side preferred, NET2 side as fallback
add distance=1 gateway=192.168.57.1
add distance=2 gateway=192.168.56.1
# Probe targets are pinned to one uplink each; the distance-20 blackholes are intended to keep a
# probe from falling back to the other link when its own next hop disappears (which would make
# the check-gateway tests pass for the wrong link).
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10
add distance=20 dst-address=8.8.4.4/32 type=blackhole
add check-gateway=ping distance=1 dst-address=192.168.56.1/32 gateway=\
200.160.2.3 scope=10
add check-gateway=ping distance=1 dst-address=192.168.56.1/32 gateway=\
208.67.220.220 scope=10
add check-gateway=ping distance=1 dst-address=192.168.57.1/32 gateway=8.8.4.4 \
scope=10
add check-gateway=ping distance=1 dst-address=192.168.57.1/32 gateway=\
208.67.222.222 scope=10
# 192.168.87.1 is this router's own address on ether4 - this route looks redundant with the
# connected route
add distance=1 dst-address=192.168.87.0/24 gateway=192.168.87.1
# interface route via TORRE, which is a port of bridge wireless-01 (a slave) - confirm it is active
add distance=1 dst-address=192.168.88.0/24 gateway=TORRE
add distance=1 dst-address=200.160.2.3/32 gateway=192.168.0.1 scope=10
add distance=20 dst-address=200.160.2.3/32 type=blackhole
add distance=1 dst-address=208.67.220.220/32 gateway=192.168.0.1 scope=10
add distance=20 dst-address=208.67.220.220/32 type=blackhole
add distance=1 dst-address=208.67.222.222/32 gateway=192.168.1.1 scope=10
add distance=20 dst-address=208.67.222.222/32 type=blackhole
/ip service
# Management services: telnet off (good); plain-HTTP www moved to 8080 and www-ssl enabled.
# No address= restriction is visible on any service in this export - consider limiting
# www/www-ssl/ssh/winbox/api to the management network; the certificate used by www-ssl is
# not shown either.
set telnet disabled=yes
set www port=8080
set www-ssl disabled=no
/ppp aaa
# PPP authentication/accounting via RADIUS (the MK-AUTH host below), accounting every 3 min
set interim-update=3m use-radius=yes
/ppp secret
# local test account with a trivial password; remove it when no longer needed - RADIUS handles
# the real clients
add name=harpia.teste password=123 profile=5mega
/radius
# RADIUS server = MK-AUTH host. The shared secret is 6 digits; it is what protects the PAP
# passwords inside Access-Requests on the 172.31.255.0/24 link - use a long random secret
# (it must match the MK-AUTH side). service=ppp only: see /user aaa below.
add address=172.31.255.2 secret=123456 service=ppp timeout=7s
/radius incoming
# accept CoA/disconnect requests from the RADIUS server (how MK-AUTH kicks sessions); these are
# presumably validated with the same shared secret - another reason to make it strong
set accept=yes
/snmp
# SNMP enabled; community access is restricted to 172.31.255.2 in /snmp community above
set contact=josuef1889@gmail.com enabled=yes location=Brasil
/system clock
set time-zone-autodetect=no
/system identity
set name=Concentrador
/system routerboard settings
set cpu-frequency=850MHz protected-routerboot=disabled
/system upgrade upgrade-package-source
# bare "add" entries (here and under /tool romon port) are export artefacts with all-default values
add
/tool netwatch
# Toggles the scripts ether1-on/off and ether2-on/off on reachability of 8.8.8.8; the scripts
# themselves are not part of this export (/system script).
# NOTE(review): both watchers probe the SAME host 8.8.8.8, which is not pinned to either uplink
# in /ip route (only 8.8.4.4 is), so both follow the main default route and neither tests its
# link independently - consider one pinned probe target per uplink.
add comment="Route net1" down-script=ether1-off host=8.8.8.8 interval=30s \
up-script=ether1-on
add comment="Route NET2" down-script=ether2-off host=8.8.8.8 interval=30s \
up-script=ether2-on
/tool romon port
add
/user aaa
# router logins via RADIUS, but the only /radius entry above is service=ppp - with no
# service=login server, local users are presumably what remains; confirm this is intended
set use-radius=yes


Respostas

  • Exibir página de corte usando Radius LIST ou SSH:

    /ip firewall filter
    # one UDP rule (DNS only) and ONE TCP rule with a port list - this avoids the "!80" + "!85"
    # two-rule combination in the original config, which drops all TCP from blocked clients
    add action=drop chain=forward comment=CORTE dst-port=!53 protocol=udp src-address-list=pgcorte
    add action=drop chain=forward comment=CORTE dst-port=!80,85,443,445 protocol=tcp src-address-list=pgcorte

    /ip firewall nat
    # both redirects must be the first rules of the dstnat chain (see the note on rule order below).
    # The 443 -> 445 redirect still ends in a certificate error on the client unless the cut page on
    # 445 presents a certificate the client trusts - it is a redirect target, not a transparent intercept.
    add action=dst-nat chain=dstnat comment=CORTE_HTTPS dst-address=!172.31.255.2 dst-port=443 protocol=tcp src-address-list=pgcorte to-addresses=172.31.255.2 to-ports=445
    add action=dst-nat chain=dstnat comment=CORTE_HTTP dst-address=!172.31.255.2 dst-port=80 protocol=tcp src-address-list=pgcorte to-addresses=172.31.255.2 to-ports=85

    Exibir página de corte usando Radius Pool:

    /ip pool
    # generic example: 10.3.0.0/22 collides with the poster's REMOTO-1 pool (10.3.0.1-10.3.5.254);
    # adapt the range to the existing 10.4.0.0/22 PGCORTE block before applying
    add name=pgcorte ranges=10.3.0.2-10.3.3.254

    /ip address
    # interface=porte looks like a placeholder - replace with the client-facing bridge
    # (wireless-01 in the poster's config)
    add address=10.3.0.1/22 broadcast=10.3.3.255 network=10.3.0.0 comment=CORTE interface=porte

    /ip firewall filter
    # single TCP drop rule with a port list; 80/85 for the HTTP redirect, 443/445 for the HTTPS one
    add action=drop chain=forward comment=CORTE dst-port=!53 protocol=udp src-address=10.3.0.2-10.3.3.254
    add action=drop chain=forward comment=CORTE dst-port=!80,85,443,445 protocol=tcp src-address=10.3.0.2-10.3.3.254

    /ip firewall nat
    # both redirects carry to-addresses (unlike the poster's port-80 rule) and must be placed
    # before all other dstnat rules
    add action=dst-nat chain=dstnat comment=CORTE_HTTPS dst-address=!172.31.255.2 dst-port=443 protocol=tcp src-address=10.3.0.2-10.3.3.254 to-addresses=172.31.255.2 to-ports=445
    add action=dst-nat chain=dstnat comment=CORTE_HTTP dst-address=!172.31.255.2 dst-port=80 protocol=tcp src-address=10.3.0.2-10.3.3.254 to-addresses=172.31.255.2 to-ports=85

    PROBLEMAS E SOLUÇÕES:

    se vc usa a página de corte por radius, uma forma de vc saber se seu cliente realmente está bloqueado no radius é clicar no link "informações" que tem abaixo do nome do cliente e, na janela que abre, na parte de radius, ver se tem os parâmetros Mikrotik-Address-List / Framed-Pool como na imagem abaixo; se tem, então o erro com certeza é no MikroTik — por isso, depois do login, veja se o ip do cliente bloqueado entra no address-list/pool do MikroTik:

    bloq_radius.gif

    se vc usa a página de corte por ssh, uma forma de vc saber se seu cliente realmente está bloqueado é ver se na address-list o ip do cliente aparece; se não aparece, veja se não é falha na comunicação ssh. Para testar a comunicação ssh, agora o sistema envia uma regra desabilitada para o filter do MikroTik; se gravar a regra é pq está ok...

    errossh.jpg

    nas duas formas de bloqueio é preciso colocar a regra de redirecionamento para a página de corte acima de todas as outras no nat do MikroTik, e nas configurações de profile de hotspot do MikroTik é preciso deixar a opção transparent proxy desativada.

    hotspot.jpg

    TOPICOS QUE PODEM AJUDAR:

    Clientes bloqueados não acessam hotspot - MK-AUTH

    A regra de Corte mudou na 4.90, mas quem muda o ip do cliente com i...

    Bloqueio automatico - pppoe - MK-AUTH

    Bloqueando Clientes Via Radius Mangle PPPoe Ips válidos sem Nat - M...

    Problemas com a pagina de bloqueio! - MK-AUTH

    Liberar site pra cliente bloqueados - MK-AUTH

    Regra de corte via mangle 03 interfaces hotspot - MK-AUTH

    REGRA PGCORTE COM THUNDERCACHE 7 - MK-AUTH
