Redirect Blocked Customer

I have used all the instructions you explain in the documentation to block and redirect users, but when I apply the following rules:
/ip firewall nat add action=dst-nat chain=dstnat protocol=tcp src-address-list=Reject_1 to-addresses=10.0.1.158 to-ports=8101
/ip firewall nat add action=redirect chain=dstnat protocol=!tcp src-address-list=Reject_1

When a customer opens the browser and types anything, they are redirected immediately, except for Facebook. How can I fix this issue?

So, Facebook still works? And Google, for example?

Hi Alex

Google and YouTube are working, and Facebook not yet.

There is another set of rules that can be used for blocking customers:
IP 10.0.1.16 is the router’s WAN IP address.

/ip proxy
set enabled=yes

/ip proxy access
add action=allow disabled=no dst-host=10.0.1.6 dst-port=80
add action=deny disabled=no dst-port=80 redirect-to=10.0.1.16/portal/
add action=deny

/ip firewall filter
add action=drop chain=forward comment="Block All" disabled=yes log-prefix="" src-address-list=Reject_1
add action=accept chain=block comment="Users need DNS to work" dst-port=53 protocol=udp
add action=accept chain=block comment="Make port 80 to work" dst-port=80 protocol=tcp
add action=drop chain=block comment="Block everything else for blocked users"
add action=jump chain=forward comment="Redirect blocked users to the block chain" jump-target=block src-address-list=Reject_1

One important thing about all this blocking stuff: it blocks all traffic and redirects HTTP traffic to the page 10.0.1.16/portal/ !!! BUT !!! it will block and NOT redirect HTTPS traffic.

So if a customer types google.com, facebook.com, twitter.com or even splynx.com, he will see that the page cannot be opened.
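
The behaviour described above (DNS and port 80 pass, HTTPS is dropped instead of redirected) follows directly from the filter rules. This is an added example, not part of the thread and not Splynx or MikroTik code: it walks a constructed copy of those rules first-match for a source on Reject_1. The jump target `block` is an assumption taken from the jump rule's comment, and only the three matchers the rules use are modelled.

```python
import shlex

# Constructed copy of the thread's filter rules. Assumption: the jump targets
# the "block" chain, as the jump rule's own comment describes.
RULES = '''
add action=drop chain=forward comment="Block All" disabled=yes src-address-list=Reject_1
add action=accept chain=block comment="Users need DNS to work" dst-port=53 protocol=udp
add action=accept chain=block comment="Make port 80 to work" dst-port=80 protocol=tcp
add action=drop chain=block comment="Block everything else for blocked users"
add action=jump chain=forward jump-target=block src-address-list=Reject_1
'''
MATCHERS = ("src-address-list", "protocol", "dst-port")

def parse(text):
    """Turn 'add key=value ...' lines into a list of dicts, keeping rule order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)[1:]            # drop the leading "add"
        rules.append(dict(t.split("=", 1) for t in tokens))
    return rules

def matches(rule, pkt):
    """Enabled rule whose every present matcher equals the packet's value."""
    return rule.get("disabled") != "yes" and all(
        rule.get(k, pkt[k]) == pkt[k] for k in MATCHERS)

def verdict(rules, pkt, chain="forward"):
    """First-match walk of one chain; returns 'accept', 'drop' or None."""
    for rule in (r for r in rules if r["chain"] == chain):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            result = verdict(rules, pkt, rule["jump-target"])
            if result:
                return result
            continue                              # target chain ended: return to caller
        return rule["action"]
    return None

def blocked_client(protocol, dst_port):
    """Verdict for a packet forwarded from a source that is on Reject_1."""
    pkt = {"src-address-list": "Reject_1", "protocol": protocol,
           "dst-port": str(dst_port)}
    return verdict(parse(RULES), pkt) or "accept"  # built-in chains default to accept

if __name__ == "__main__":
    for proto, port in [("udp", 53), ("tcp", 80), ("tcp", 443)]:
        print(proto, port, blocked_client(proto, port))
```

The `drop` verdict for tcp/443 is why a blocked customer sees a connection failure rather than the portal page on HTTPS sites.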

@Rhansseel friend, look at these rules; they should work and not cause problems with the cache of blocked pages.

OK, thanks.

Are these rules for blocking when working with RADIUS?

Hi, the important part is “src-address-list=Reject_1”. That says the rules apply to IPs in the Reject_1 address list.

When you use the API to block customers, Splynx names the address list differently: “SpLBL_blocked”

So you have to apply the rules to this address list, for example:

/ip firewall nat add action=dst-nat chain=dstnat protocol=tcp src-address-list=SpLBL_blocked to-addresses=10.0.1.158 to-ports=8101
/ip firewall nat add action=redirect chain=dstnat protocol=!tcp src-address-list=SpLBL_blocked