Hi everyone, I need to block non-paying customers how can I prevent them from registering? I currently block them by disabling ethernet.
I prefer to access them off to a VLAN that doesnt go to anything. I made a template in cnmaestro so that my NOC workers can apply it and we can track when the change was made with cnmaestro.
2 Likes
Thanks @eric ozrelic, I had already tried this method but every time I enter a mac address and apply the change, all the customers go off hook and then reconnect. This is not good for me
I don't want to leave this client on the AP especially those with poor signal and quality.
@Tommaso wrote:I don't want to leave this client on the AP especially those with poor signal and quality.
Then the only way you're going to do this is to block their MAC from registering at the AP. Just block him late at night when a quick session drop won't disrupt people.
1 Like
@jsinkovich wrote:I prefer to access them off to a VLAN that doesnt go to anything. I made a template in cnmaestro so that my NOC workers can apply it and we can track when the change was made with cnmaestro.
This is interesting - I'd be interested in understanding what you did here. On our older (non-Cambium) gear, we use the Firewall to Redirect/Forward all access to a webserver that displays a "Please call the Billing Department" webpage. Our thought process is that we want to make sure that everyone in the household understand the internet isn't simply broken (and doens't suck) but rather it's because of a billing issue.
With ePMP gear, we don't understand how to accomplish the same thing - but we would like to duplicate this functionality - namely that a disconnected SM get's redirected to a particular website or IP address.
@ninedd wrote:
@jsinkovich wrote:I prefer to access them off to a VLAN that doesnt go to anything. I made a template in cnmaestro so that my NOC workers can apply it and we can track when the change was made with cnmaestro.
This is interesting - I'd be interested in understanding what you did here. On our older (non-Cambium) gear, we use the Firewall to Redirect/Forward all access to a webserver that displays a "Please call the Billing Department" webpage. Our thought process is that we want to make sure that everyone in the household understand the internet isn't simply broken (and doens't suck) but rather it's because of a billing issue.
With ePMP gear, we don't understand how to accomplish the same thing - but we would like to duplicate this functionality - namely that a disconnected SM get's redirected to a particular website or IP address.
You can do this with Mikrotik, or SandVine, or any other intellegent traffic shaping or routing device. If they don't pay or go on vacation, we just setup a rule for their IP that directs any traffic to a web server that shows them an online payment page, or you're on vaction page let us know if you're back! This setup is completly radio agnostic... we use it with our Baicells, Ubiquiti, and Cambium radios.
1 Like
@Eric Ozrelic wrote:
You can do this with Mikrotik, or SandVine, or any other intellegent traffic shaping or routing device. If they don't pay or go on vacation, we just setup a rule for their IP that directs any traffic to a web server that shows them an online payment page...
OK, that's what we do now with a 'redirect/forwarding' rule in our StarOS routers - he seemed to be saying he was doing it directly in the AP and I was curios how he was accomplishing that exactly.
@ninedd wrote:OK, that's what we do now with a 'redirect/forwarding' rule in ourStarOSS routers - he seemed to be saying he was doing it directly in the AP and I was curios how he was accomplishing that exactly.
He is doing it at the SM. He is just adding a non-existing VLAN in "Data VLAN ID" so the customer gets no internet. We do the exact same thing since turning off data to the ethernet port in the GUI is a crap shoot (at least for us it is).
Disable internet / traffic only I would think
(1) Disable ethernet port (this seems foolproof but someone else said it's a "crap shoot" so does this not work sometimes?)
(2) Firewall rule on the customer radio blocking all data to/from ethernet port
(3) Firewall rule blocking all data to/from wireless interface (would need to be after a rule allowing access via management IP or something so you could remote in and turn it off to turn them back on)
Really firewall options seem overly complex vs just turning off the ethernet port unless of course, as suggested, turning off that port isn't reliable for some reason.
(4) Firewall rule on the AP blocking traffic from the MAC address of the radio ? Haven't tried this one but looks possible. Does adding/changing firewall rules on the AP drop everyone / require a reboot ?
(4) We use PPPoE and Radius with our accounting software , it's all automated.
Keep a problem radio from registering to the AP. Only two options I know of.
(1) Use the Mac Auth. We use to do this with ubiquiti and it worked really well for blocking problem radios or re-allowing them when fixed. However as you pointed out, on ePMP for some reason it kicks all current connections any time you make a change.
(2) Log into their radio and change the SSID on the preferred AP's list so their radio can no longer connect. I have done this with a few radios, I just a 1 to the end of the SSID on the list this way if I ever really really want to bring the radio back online without a truck roll I can go in very late / early hours and change the SSID on the AP (add a 1 to it) long enough for their radio to connect so I can log into it and remove the 1 . Everyone still gets booted like doing mac auth but only in the very rare instance were you want to bring the radio back on remotely, you kick them off all day long without interrupting service.
1 Like
@brubble1 wrote:Disable internet / traffic only I would think
(1) Disable ethernet port (this seems foolproof but someone else said it's a "crap shoot" so does this not work sometimes?)
Yes. If we disable 10 customers using "ethernet port disable" in the GUI, around 4 of those customers would still pass internet/data like the port was set to enable. This was happening all the way up to 3.5.6. This is why we started to put VLANs that did not exist into the SM's to kill data flow on the ethernet side. Of course this does not keep the radio from registering to the AP, but it definitely kills internet traffic.
I hope Cambium will change the mac address application as soon as possible so that customers don't lose connection after saving. At the moment I will use either Ethernet blocking of the radio or disabling mac address at night.
@Tommaso wrote:
I hope Cambium will change the mac address application as soon as possible so that customers don't lose connection after saving. At the moment I will use either Ethernet blocking of the radio or disabling mac address at night.
I can confirm it is work in progress and it will get into 4.6 release.
Thanks,
Dmitry
2 Likes