
jakkwb

join:2009-04-27
USA

subscriber shutoffs and web payments

Hello, the time has come in my little WISP to try to get shutoff for non-payments and online payments up and going.

I am playing with Mikrotik and its user manager, but have a lot of research/learning still to do.

Has anyone out there used this package successfully?

If I (or the software) shut an account off for non-payment, I want them to only be able to access the payment processor's web page until they make the payment (preferably by PayPal).

If there is a nice tutorial or how-to (complete, that works) I would love to look at it.

Really, though, I would entertain any package that works...

jcremin

join:2009-12-22
Siren, WI
kudos:2

I think that is very wise of you. I run a very tight policy for non-payments. Invoices are due by the 1st of each month. I give a 7 day grace period. On the 7th (or the following business day, if the 7th falls on a Friday, weekend, or holiday) I suspend every account that is overdue, with the exception of a couple business accounts that I know have goofy payment cycles and always pay, but about 10 days late. Other than those few accounts, the only other option to keep service on is to call before the 7th and make arrangements with us. If the customer fails to pay by the agreed upon date, they get shut off. If they make and break too many agreements, we refuse to give them extra time in the future until they have done a good job paying on time for a while.

Anyway, I use Mikrotik, PPPoE, and userman for my network, so it can work just the way you want it to. This is what I do: The "pool" and "IP address" in their userman profile is typically blank. The only time they get an IP address in their profile is if I have assigned them a specific static IP. When the pool is empty, the PPPoE server is set up to pick a random IP out of a pool of private 172.20.x.x addresses, and the 172.20.0.0/16 block has a NAT rule in the firewall.

I have a second pool of 10.0.0.x addresses which I specifically use for suspending accounts. The IP pool name is "sus", so when I type "sus" into the "pool" field in userman and disconnect them from the active connections, they will connect back with one of the IP addresses from the suspend pool.

My firewall has another NAT rule that continues to perform NAT for port 53 for the 10.0.0.0/24 range, so the suspended customers can still resolve DNS. My web server has a "your account has been suspended" page that runs on a specific IP address (we'll just say it is 123.123.123.123 for example), so I have another firewall dstnat rule with an action of "redirect" to port 8080, for all port 80 traffic other than with a dst address of 123.123.123.123.

So what is the point of port 8080? Well, I have the "web proxy" running on port 8080 with an access rule that says for all traffic other than that destined for 123.123.123.123, deny it, and redirect it to 123.123.123.123. It basically redirects all traffic that isn't trying to access the suspended page TO the suspended page.

So they've been given an IP address in the "naughty" list, port 80 traffic has been redirected to the web proxy, and the web proxy has redirected all of that traffic to the suspended page other than that which was already headed there. But now the problem is that there aren't any firewall rules that actually allow the traffic to get to that page. That's where the next set of firewall rules come into play.

srcnat firewall rule: all traffic with a dst address of 123.123.123.123, masquerade. This allows them to view the suspend overdue page, but not actually pay their bill. So I have another identical rule for each IP address that I want to allow them to access, I just change the dst address to match. I use Freshbooks for my billing system, and my suspended page has an explanation of why they might have been suspended with a link to the Freshbooks login page, so I added 2 more rules that allow them to access the IP addresses of Freshbooks.

They now have access to the suspended page, and Freshbooks, and unless they are trying to access one of those two sites, their traffic will be forced back to the suspended page. The only downside is that if they log in and pay their bill, they remain suspended until I actually see the payment in Freshbooks, or until they call and let us know that their account is current. It is a manual process to take the "sus" out of their userman profile, and bump them out of the PPPoE server so they can get a "good" IP address again. But the system works very well, and people don't have to wonder why their internet isn't working, as long as they open a web browser and try to go to a web page.

The only issue I can see you running into is figuring out how to NAT all of the possible PayPal IP addresses. PayPal is one of the payment options for my customers too, so right now they can only use the credit card or debit card options from within Freshbooks. If anyone knows a good way, I'm sure my customers would appreciate the option of paying via PayPal when their account is suspended.

Hope that helps!


WHT

join:2010-03-26
kudos:3

Rhass posted this two years ago for Mikrotik PayPal walled-garden bypass:

[admin@MikroTik] /ip hotspot walled-garden>
add dst-host=":^www\\.paypal\\.com\$" dst-port=443 action=allow
add dst-host=":^content\\.paypalobjects\\.com\$" dst-port=443 action=allow
add dst-host=*paypal* server=hotspot1 action=allow
add dst-host=*.akadns.net server=hotspot1 action=allow
add dst-host=*.akamaiedge.net server=hotspot1 action=allow
add dst-host=*.edgekey.net server=hotspot1 action=allow
add dst-host=paypal.*.net server=hotspot1 action=allow


DRIVE71

join:2005-06-08

reply to jcremin
Great write-up. I do the same thing. Only I don't use Usermanager. So far still using PPPoE and secrets on each tower router/PPPoE server. I use QuickBooks for billing and so far there appears to be no way to integrate it together.

If they are late, I just manually move them over to the non payment profile, kick the PPPoE session and they come back up with a private IP that redirects to the late page. I'd love a way for them to be able to pay with PayPal or whatever and be turned back on again automatically. I know a lot of people feel embarrassed having to call in and give a cc over the phone. There's always a different story every time.


jcremin

join:2009-12-22
Siren, WI
kudos:2

said by DRIVE71:

I'd love a way for them to be able to pay with PayPal or whatever and be turned back on again automatically.

I mentioned in another thread that I am in the process of developing my own CRM for my system. I debate back and forth whether or not I want to try to automate the process too much. Doing it manually ensures that any mistakes are human error. I've seen too many billing systems try to be smarter than their own good, and end up causing more problems than the functionality was worth. I see good and bad things about it. Still can't decide which I prefer. I'm sure if I had twice as many customers, I would appreciate the automation even more.

gunther_01
Premium
join:2004-03-29
Saybrook, IL

reply to jakkwb
Not to hijack. But for Drive71..

I used that route for many years with QB. I finally just bit the bullet and went to Azotel. There are ways you can automate your QB database, and people who can do it for you. I just didn't want to pay for it I suppose since it would still be a bit of a kludge probably.

You could also run and export a report that a smarter person than I could have parsed to change MT values for you. Run it twice a day or something during business hours.

As far as billing in general. Do something automated sooner than later. I just got to a point I was losing money by not turning off some of the deadbeats. And there really isn't a good way to recover it after the fact. Some people get mad, but really.. Who else is going to let you float for months at a time??
--
»www.wirelessdatanet.net


jakkwb

join:2009-04-27
USA

reply to jakkwb
Any of these methods will certainly work better than what I'm doing right now....but, budget is very tight....

I am considering just using the Mikrotik for the time being, since it's there already.

Can I just put the user's IP in an access-list and then have them redirected to my payment page? From what I've read, it sounds like it can be done fairly easily. I know it's editing of a list each month, but there are no calls to make, etc....And, I get my money!

I have looked at DNS-redirector a few times also. Anybody used it?


joosebuck

join:2010-01-23
Farmington, MO

said by jakkwb:

Any of these methods will certainly work better than what I'm doing right now....but, budget is very tight....

I am considering just using the Mikrotik for the time being, since it's there already.

Can I just put the user's IP in an access-list and then have them redirected to my payment page? From what I've read, it sounds like it can be done fairly easily. I know it's editing of a list each month, but there are no calls to make, etc....And, I get my money!

jcremin's solution is fairly simple and should do exactly what you want (cheap and within MT) - though I don't know how your customer AAA and IP pools are handled.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
Ireland
kudos:1

reply to jakkwb
If you're not using PPPoE, then you can use (in Cisco terminology) a route-map (policy routing) to effectively say:

if a packet is coming from a suspended user (i.e. matched against an ACL) then by policy set the next hop of their packet to a server running your suspended page.

On that server you just need to run the appropriate bits of software to intercept all incoming web browsing attempts (destination port 80) and proxy it into a web server which only serves up one page regardless.

Various vendors refer to this kind of thing in different ways. Cisco is policy routing, Juniper I believe is source routing, others might use firewall rules.


pkats

join:2003-02-13

reply to jakkwb

I'm not sure if this is the best way but it works for me. I think it's close to what jcremin was describing but no changing of IP address pool. At the core router I have one rule under firewall, nat, that takes any traffic from IPs on a list and sends them to a web server with a page that tells them they are unpaid. All I do is add their IP and name to the list after they are delinquent and as soon as they pay I disable them or remove them from the list.

/ip firewall nat
add action=dst-nat chain=dstnat comment="redirect for unpaid customers" disabled=no protocol=tcp src-address-list=Unpaid to-addresses=192.168.xx.xxx

/ip firewall address-list
add address=96.3x.xxx.xxx comment="customer name" disabled=no list=Unpaid

jakkwb

join:2009-04-27
USA

reply to jakkwb
OK, the bottom method is working great for me so far....basically just have to enter each customer into the address-list and make them active for non-paying.

I have a question about the redirect. Is there a way to redirect them to a web site name instead of an IP using this method:

/ip firewall nat
add action=dst-nat chain=dstnat comment="redirect for unpaid customers" disabled=no protocol=tcp src-address-list=Unpaid to-addresses=192.168.xx.xxx

/ip firewall address-list
add address=96.3x.xxx.xxx comment="customer name" disabled=no list=Unpaid

If not, I need to know how to set up Apache to use a different IP for the payment page. Right now, the redirect is bringing up my web site page.

Making progress.....


joosebuck

join:2010-01-23
Farmington, MO

said by jakkwb:

OK, the bottom method is working great for me so far....basically just have to enter each customer into the address-list and make them active for non-paying.

I have a question about the redirect. Is there a way to redirect them to a web site name instead of an IP using this method:

/ip firewall nat
add action=dst-nat chain=dstnat comment="redirect for unpaid customers" disabled=no protocol=tcp src-address-list=Unpaid to-addresses=192.168.xx.xxx

/ip firewall address-list
add address=96.3x.xxx.xxx comment="customer name" disabled=no list=Unpaid

If not, I need to know how to set up Apache to use a different IP for the payment page. Right now, the redirect is bringing up my web site page.

Making progress.....

If you have different servers to handle each portion of the payment you will need NAT rules for each part of the handoff.

ctech99

join:2010-02-16
Reviews:
·Netwurx Inc

reply to jakkwb
Do any of the bigger WISP billing systems do these types of things? Automatic account suspension and unsuspension after payment is made? Like Platypus Billing System or VISP, etc.

We only take payment by credit card, which is entered into the system upon sign up. That card is auto billed each month, less non-payments to worry about. (Just have to keep the card information up to date on file)


soportec
Premium
join:2006-01-06

reply to jakkwb
Maybe this is the wrong place to ask this and I should be asking in a web page forum, but what do you guys do to keep the customer's PC from caching the cutoff page? I have added no-cache lines to my cutoff page but every once in a while I have a customer that even after I turn them back on they see the cutoff page until clearing their PC's cache.

I have a demo of a program that integrates Mikrotik and it sends bills out to customers, has a place to enter payments and when a payment is entered goes into mk and reactivates customer. You can add customers with it also and it adds the secret in the mk. Works with more than one PPPoE server. »www.mikrosys.com.ar/. Only problem is that it is in Spanish. It looks pretty cool but will have to buy it and try it out.

cheers
mike
--
HONDURAS WISP NANO2 Clusters With 5.8 MT-Ubnt Backhauls to 11 towns


gunther_01
Premium
join:2004-03-29
Saybrook, IL

I had the same problem with the MT redirect rule I had in place. About the only thing I could do is tell the customer how to remove the cache from their computer and set it to check the page every time.

For the most part, the reoccurring offenders for non-pay never had that issue again LOL.

To the other poster above. Azotel handles all of this automatically, and can use a URL for the redirect. It's pretty slick actually, but yes, it costs a bunch. For me I just don't have to worry about the issue any more. They pay or we get our equipment and move on. I've done this long enough to want to stop worrying about billing, and worry about my business and network needs so we can grow. I did QB and manual disconnects for about 6 years. It was time to automate that for us for sure. Automation also takes your personal feelings away for friends and such on your network. (who else gives you months of free service in this world?) Run your WISP as a business always IMO. But it's possible I got burned by just way too many people over the years, and I was tired of that. Now at least we can only be out one month's service fees. Instead of 3 or 4 when a customer comes up missing. It also frees up our CPE to use somewhere else saving a few more dollars in the near term. Instead of waiting months to find out the customer isn't going to pay, or has moved, etc.
--
»www.wirelessdatanet.net
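
An added example, not part of the thread: a dst-nat'ed request still carries the Host header of the site the customer asked for, which bears on both jakkwb's "redirect is bringing up my web site page" and the cached cutoff page. This sketch of a catch-all notice server ignores that Host header, answers everything with a temporary redirect to one notice URL, and sends no-cache directives as HTTP response headers; the hostname, port and function names are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values for this sketch; neither appears in the thread.
NOTICE_HOST = "suspended.example.net"
NOTICE_URL = "http://" + NOTICE_HOST + "/"
LISTEN = ("0.0.0.0", 8080)

# Sent as HTTP response headers on every reply, redirects included.
NO_CACHE = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}
NOTICE_BODY = (b"<html><body><h1>Account suspended</h1>"
               b"<p>Please contact us or pay your invoice.</p></body></html>")


def decide(host_header, path):
    """Return (status, headers, body) for a request the router dst-nat'ed here."""
    host = (host_header or "").split(":")[0].strip().lower()
    if host == NOTICE_HOST and path == "/":
        headers = dict(NO_CACHE, **{"Content-Type": "text/html; charset=utf-8"})
        return 200, headers, NOTICE_BODY
    # The request names some other site (or another path). Answering 200 here
    # would present the notice as that site's own page, so send a temporary
    # redirect instead. 302, not 301: browsers cache permanent redirects.
    return 302, dict(NO_CACHE, Location=NOTICE_URL), b""


class SuspendedHandler(BaseHTTPRequestHandler):
    def _reply(self):
        status, headers, body = decide(self.headers.get("Host"), self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_HEAD = do_POST = _reply


if __name__ == "__main__":
    HTTPServer(LISTEN, SuspendedHandler).serve_forever()
```

The assumed notice hostname has to resolve for suspended customers and be reachable through the router's rules for them.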


treichhart

join:2006-12-12

reply to jakkwb
Jakkwb, maybe once you get more customers go look at Powercode; it's much cheaper than what Azotel is.


WHT

join:2010-03-26
kudos:3

said by treichhart:

Jakkwb, maybe once you get more customers go look at Powercode; it's much cheaper than what Azotel is.

What I'm reading is Azotel is $99 for 200 users and PowerCode would be $280.

treichhart

join:2006-12-12
Reviews:
·AT&T Wireless Br..

reply to jakkwb
No no, Azotel is way way higher than what Powercode is, because with Azotel you have to pay for the training which is 1500 dollars and then you have to buy the kit, which is another 1500 dollars; now you're 3k in the hole.

»www.doubleradius.com/Products/Azotel

Powercode starts at 100 customers, which comes out to 140 dollars a month because you're paying 1.40 per customer.

»powercode.com/pricing.php


gunther_01
Premium
join:2004-03-29
Saybrook, IL

reply to jakkwb
Azotel is $1.33 per customer, sold in blocks of 100. Yes, there is training, and installation/importation of customer databases etc. If you catch it at the right time, they waive the training or something, but of course I missed that LOL. We also purchased an ImageStream router and had to pay extra for the software in installation on our router. But it cost less than the Azotel router that was fast enough for our needs.

Both systems have their pros and cons. We settled on Azotel, where others may prefer Powercode. I don't think it's as easy as a cost number if you are serious about a "system" to run your business and network.
--
»www.wirelessdatanet.net


gunther_01
Premium
join:2004-03-29
Saybrook, IL

reply to jakkwb
Also there is training, installation, AND hardware. It's a big chunk of change. I am also unsure if their rate per customer is based on who you purchase it from. I am pretty sure we are at $1.33, but DoubleRadius has it listed as 1.60 per by the looks of their site.

We used Scott at solutions4ebiz.com I think is the web site.
--
»www.wirelessdatanet.net


Monday, 04-Jun 13:42:58
over 12.5 years online © 1999-2012 dslreports.com.