Redirect delinquent users using MikroTik
by iam8up on May.04, 2010, under mikrotik
UPDATE: Christopher Tyler of Total Wireless Communications pointed out DNS can’t be done. Whoopsy daisy!
You will find three rules that have WEBSERVERIP. This must be the IP (not the DNS name) of the webserver. This means the default vhost or the only directory of your Apache server must be the redirect page.
The firewall filter rules allow traffic from the customer’s /32 to the web server on 80/tcp and 443/tcp and vice versa, and allow DNS. They then drop all other TCP and UDP traffic from the nonpayment address list.
/ip firewall filter
add action=accept chain=forward comment="allow nonpayment http to bmu" \
    disabled=no dst-address=WEBSERVERIP port=80 protocol=tcp \
    src-address-list=nonpayment
add action=accept chain=forward comment="allow nonpayment https to bmu" \
    disabled=no dst-address=WEBSERVERIP port=443 protocol=tcp \
    src-address-list=nonpayment
#thankschris
add action=accept chain=forward comment="allow dns" disabled=no protocol=udp \
    port=53
add action=accept chain=forward comment="allow dns" disabled=no protocol=tcp \
    port=53
#end thankschris
add action=drop chain=forward comment="drop nonpayment tcp traffic" \
    disabled=no protocol=tcp src-address-list=nonpayment
add action=drop chain=forward comment="drop nonpayment udp traffic" \
    disabled=no protocol=udp src-address-list=nonpayment
The NAT rule does the redirecting work. It takes HTTP traffic from the nonpayment address list and points it at the web server.
/ip firewall nat
add action=dst-nat chain=dstnat comment="redirect nonpayment http" \
    disabled=no port=80 protocol=tcp src-address-list=nonpayment \
    to-addresses=WEBSERVERIP to-ports=80
Then just add the late people to address list “nonpayment”.
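As an added illustration (not part of the original post), this Python sketch models the dst-nat and filter rules above with first-match semantics, to show what a listed customer can still reach. The WEBSERVERIP value and customer addresses are constructed documentation-range placeholders, and connection tracking is not modelled.

```python
WEB = "203.0.113.10"         # assumed stand-in for WEBSERVERIP
NONPAYMENT = {"192.0.2.50"}  # constructed contents of the nonpayment list

# The page's forward-chain rules in order ("list" = src-address-list=nonpayment).
FILTER = [
    {"action": "accept", "proto": "tcp", "port": 80, "dst": WEB, "list": True},
    {"action": "accept", "proto": "tcp", "port": 443, "dst": WEB, "list": True},
    {"action": "accept", "proto": "udp", "port": 53},
    {"action": "accept", "proto": "tcp", "port": 53},
    {"action": "drop", "proto": "tcp", "list": True},
    {"action": "drop", "proto": "udp", "list": True},
]

def dstnat(pkt):
    """The page's dst-nat rule; dstnat is applied before the forward chain."""
    if (pkt["proto"] == "tcp" and pkt["src"] in NONPAYMENT
            and 80 in (pkt["sport"], pkt["dport"])):
        return {**pkt, "dst": WEB, "dport": 80}
    return pkt

def matches(rule, pkt):
    """True if pkt satisfies every matcher present on the rule."""
    if rule["proto"] != pkt["proto"]:
        return False
    if "port" in rule and rule["port"] not in (pkt["sport"], pkt["dport"]):
        return False  # RouterOS port= matches the source OR destination port
    if "dst" in rule and rule["dst"] != pkt["dst"]:
        return False
    return not rule.get("list") or pkt["src"] in NONPAYMENT

def verdict(src, dst, proto, dport, sport=40000):
    """Return (action, final destination) for one new connection."""
    pkt = dstnat({"src": src, "dst": dst, "proto": proto,
                  "sport": sport, "dport": dport})
    for rule in FILTER:
        if matches(rule, pkt):
            return rule["action"], pkt["dst"]
    return "accept", pkt["dst"]  # no rule matched: the chain's default is accept

if __name__ == "__main__":
    late = "192.0.2.50"
    print("http  ", verdict(late, "198.51.100.7", "tcp", 80))
    print("https ", verdict(late, "198.51.100.7", "tcp", 443))
    print("dns   ", verdict(late, "198.51.100.53", "udp", 53))
    print("icmp  ", verdict(late, "198.51.100.7", "icmp", None))
```

In this model ICMP from a listed customer falls through to the default accept, because the drop rules match only TCP and UDP, and HTTPS to other sites is dropped rather than redirected.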
