The built in web proxy can be used to redirect customers identified by some means to a payment reminder page on a web server. All other traffic from the customers can be dropped.
The customers must somehow be identified from paying customers that should have full Internet access. One option for PPPoE customers that log in via RADIUS is to use the Mikrotik-Address-List attribute (usual vendor, id 19, type string) that dynamically puts the customer in the named address list on login and removed them on logout. If you're assigning static IPs to the router local customer accounts, you can manually add the IPs to an address list.
Assuming that you have an address-list named "payment_reminder" that contains all clients that need to be shown redirects, redirect those client's HTTP connections to the web proxy:
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080 src-address-list=payment_reminder
At this point the packet will go to the router (proxy) instead of being routed through it, so the input chain will see the packet. Traffic going through the forward chain from the customer can be dropped to deny them Internet access, but DNS traffic must be permitted for the customer to be able to resolve the initial URL they are requested that is going to be redirected, as well as the URL of the server that hosts the payment reminder. It is not necessary to allow HTTP traffic as all port 80 traffic from the customer will be redirected to the proxy just like the initial redirect, and the payment reminder page will load through the proxy:
/ip firewall filter add chain=forward src-address-list=payment_reminder protocol=udp dst-port=53 action=accept add chain=forward dst-address-list=payment_reminder protocol=udp src-port=53 action=accept add chain=forward src-address-list=payment_reminder action=drop
Just for completion's sake, the web proxy configuration would look like this:
/ip proxy set enabled=yes /ip proxy access add action=allow disabled=no dst-address=[IP of server that hosts reminder] add action=deny disabled=no redirect-to="http://my.server.com/payment-reminder.html"
If you're already using the web proxy for normal proxying (for example on port 8080), add a port for the proxy to listen on for the payment reminder redirect, add a filter for that port in the proxy access rules and of course adjust the NAT rule::
/ip proxy set port=8080,8081 /ip proxy access add action=allow local-port=8081 disabled=no dst-address=[IP of server that hosts reminder] add action=deny local-port=8081 disabled=no redirect-to="http://my.server.com/payment-reminder.html" /ip firewall nat add chain=dstnat connection-mark=payment_reminder protocol=tcp action=redirect to-ports=8081
If you want to just periodically show payment reminders (say, every 4 hours) but otherwise let the customer pass traffic as usual, use the below instead:
/ip firewall mangle add chain=prerouting connection-state=new src-address-list=payment_reminder protocol=tcp dst-port=80 \ action=mark-connection new-connection-mark=potential_payment_reminder passthrough=yes add chain=prerouting connection-mark=potential_payment_reminder src-address-list=!has_seen_reminder \ action=mark-connection new-connection-mark=payment_reminder /ip firewall nat add chain=dstnat connection-mark=payment_reminder protocol=tcp action=redirect to-ports=8080 /ip firewall filter add chain=input connection-mark=payment_reminder action=add-src-to-address-list \ address-list=has_seen_reminder address-list-timeout=04:00:00 passthrough=yes
Adjust the timeout parameter in the last rule as desired for the interval at which to show customers the reminder. The same caveats as above apply if you're already using the web proxy for normal proxy work.
Thanks for Chupaka for corrections.