Here is what I have:
add action=jump chain=forward comment="DC/Non Pay Users" disabled=no jump-target=DC_USERS src-address=10.201.0.0/16
All of my disconnected/non pay users get an IP address out of the 10.201.0.0/16 range. The above rule forces all of their traffic into the DC_USERS chain.
add action=accept chain=DC_USERS comment="" disabled=no dst-address=66.211.40.15 dst-port=80 protocol=tcp
add action=accept chain=DC_USERS comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=DC_USERS comment="" disabled=no
We allow traffic to 66.211.40.15, which is my web server where the 'contact billing' page exists.
We also allow DNS traffic.
Lastly we drop all other traffic.
add action=dst-nat chain=dstnat comment="DC/NonPay Users" disabled=no dst-port=80 protocol=tcp src-address=10.201.0.0/16 to-addresses=66.211.40.15 to-ports=80
add action=dst-nat chain=dstnat comment="DC/NonPay Users" disabled=no src-address=10.201.0.0/16 dst-port=53 protocol=udp to-addresses=74.91.66.2 to-ports=53
On the NAT page we dst-nat port 80 traffic from 10.201.0.0/16 to our web server IP.
We also redirect DNS to our DNS server at 74.91.66.2.
For the web server, the trick is that you have to use an IP-based site (name aliasing won't work). You also need to set up the 404 page to be the index page of the site as well.
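The following Python model is an added example, not part of the original post. It replays the posted rules in the order RouterOS applies them to forwarded traffic (dstnat first, then the forward filter chain) so the walled-garden behaviour can be checked offline. The sample client and destination addresses are constructed, and traffic addressed to the router itself (input chain) is not modelled.

```python
import ipaddress

DC_NET = ipaddress.ip_network("10.201.0.0/16")
WEB, DNS = "66.211.40.15", "74.91.66.2"

# (protocol, dst-port, to-address, to-port), taken from the post's dstnat rules
DSTNAT = [("tcp", 80, WEB, 80), ("udp", 53, DNS, 53)]
# (protocol, dst-port, dst-address or None for any), from the DC_USERS accepts
ACCEPT = [("tcp", 80, WEB), ("udp", 53, None)]

def evaluate(src, dst, proto, dport):
    """Return (verdict, final_dst, final_port) for one new forwarded flow."""
    if ipaddress.ip_address(src) not in DC_NET:
        return ("not-in-scope", dst, dport)  # the jump rule does not match
    # 1. dstnat runs before the forward chain, so the filter rules below
    #    see the rewritten destination, not the one the client asked for.
    for p, port, to_addr, to_port in DSTNAT:
        if (proto, dport) == (p, port):
            dst, dport = to_addr, to_port
            break
    # 2. forward -> DC_USERS: first match wins, the last rule drops the rest.
    for p, port, addr in ACCEPT:
        if (proto, dport) == (p, port) and addr in (None, dst):
            return ("accept", dst, dport)
    return ("drop", dst, dport)

# Constructed sample flows: (src, dst, protocol, dst-port)
SAMPLES = [
    ("10.201.4.20", "93.184.216.34", "tcp", 80),   # any HTTP site
    ("10.201.4.20", "8.8.8.8", "udp", 53),         # client-chosen resolver
    ("10.201.4.20", "93.184.216.34", "tcp", 443),  # HTTPS
    ("10.201.4.20", "8.8.8.8", "tcp", 53),         # DNS over TCP
    ("10.200.1.5", "93.184.216.34", "tcp", 443),   # paying customer
]

if __name__ == "__main__":
    for flow in SAMPLES:
        print(flow, "->", evaluate(*flow))
```

The model shows two things worth confirming on a live router: HTTPS requests are dropped rather than redirected, and the UDP 53 accept rule has no dst-address but only ever passes traffic to 74.91.66.2 because the dstnat rule has already rewritten it.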