MikroTik

I use this in both the up and down actions of a netwatch entry that pings my next hop gateway:

Code: Select all

/ip firewall connection remove [find];
:log info ("Cleared-Connecitons");

Hello to all the community!

I was wondering if there's a sort of possibility to automatize the removal of specific nat sessions in firewall connection when an event is triggered.
More specific, I have 2 Wan on a Mikrotik with a failover made with routes and distance: when the pppoe goes down on all traffic go on the LTE backup on a different ether interface. What happens is that all sip connections and traffic won't work unless manually I go on the firewall connections and remove all the 5060 sip connections forcing all the phone to register again.
Is there a way by a script or maybe by a control (maybe netwatch, if is possible in this way my apologies if I posted here) to automatize and do a remove firewall connection every time the default route ( the default wan) changes?
Thanks in advance for your future answers

kindly regards

DO NOT WORK as expected

read this:
viewtopic.php?f=9&t=154606&p=853803&hil ... ve#p853800

DO NOT WORK as expected

read this:
viewtopic.php?f=9&t=154606&p=853803&hil ... ve#p853800

haha I knew as I wrote that there was something I’d forgotten about this.

Thanks, I’d read your post before; I’d even updated my script with it but for some reason it was missing on the router I copied it from.

Grazie mille!

Hello to all the community!

I was wondering if there's a sort of possibility to automatize the removal of specific nat sessions in firewall connection when an event is triggered.
More specific, I have 2 Wan on a Mikrotik with a failover made with routes and distance: when the pppoe goes down on all traffic go on the LTE backup on a different ether interface. What happens is that all sip connections and traffic won't work unless manually I go on the firewall connections and remove all the 5060 sip connections forcing all the phone to register again.
Is there a way by a script or maybe by a control (maybe netwatch, if is possible in this way my apologies if I posted here) to automatize and do a remove firewall connection every time the default route ( the default wan) changes?
Thanks in advance for your future answers

kindly regards

use the second script here, just put on global variables the previous pppoe public IP

viewtopic.php?f=9&t=154606&p=853803&hil ... ve#p853803

Chiudi tutte le connessioni NATtate con un indirizzo IP diverso da quello attivo!

Code: Select all

:global actualIP 6.7.8.9

/ip fire conn
:foreach idc in=[find where timeout>60 and (!(reply-dst-address~$actualIP))] do={
 remove [find where .id=$idc]
}

I's complicated if more than one connection are used, search for dual wan failover for the implementation.
If DHCP are used on LTE side, the script can be put on dhcp-client script, if LTE have fixed IP on LAN,
netwach one public IP forced by routing to be reachable only on LTE

hi adminadmin,

Maybe you can play around with recursive routes to check for connectivity. Basically you set that X IP is reachable through gateway1, and Y IP is reachable through gateway2. Then you create your 0.0.0.0/0 using X and Y as gateways, will be your "testers" and with distance you establish wich one will be primary. In your case it would be something like this:

Code: Select all

/ip rou
add check-gateway=ping distance=1 gateway=4.2.2.2 scope=10 target-scope=25
add check-gateway=ping distance=2 gateway=4.2.2.3 scope=10 target-scope=25
add distance=1 dst-address=4.2.2.2/32 gateway=your-pppoe-int scope=25
add distance=1 dst-address=4.2.2.3/32 gateway=your-lte-gw-ip scope=25

In the event that 4.2.2.2 stops responding, by check-gateway it will be declared as unreachable and 4.2.2.3 will take over, rolling back to 4.2.2.2 if it becomes reachable again.

As to delete tracking connections, maybe you can try disabling/enabling interfaces 🤔🤔 . Never been there, but I'm almost sure that all tracked connections belonging to an interface gets cleared when you disable it.

Regards,

I am driving and writing at the same time

I am driving and writing at the same time

...NO COMMENT...

...NO COMMENT...

Like you have never done that... ^^'

Oh... how long, last time you were writing and driving at the same time... Did you just get out of the hospital?

/ip route
add distance=10 gateway=10.254.251.254
add distance=22 gateway=192.168.129.254

/ip fire conn
:foreach idc in=[find where (timeout > 60) and (reply-dst-address ~ "10.254.251.254")] do={
 remove [find where .id=$idc]
}

I do not write the things without reason.
If just one connection on connection tracking is already closed for timeout (or other reasons) during the execution of the clean,
the script stop with error because when try the connection is already closed, and do not finish his works.

create a netwatch for that IP and put on both on-down and on-up this:

Code: Select all

/ip fire conn
:foreach idc in=[find where (timeout > 60) and (reply-dst-address ~ "10.254.251.254")] do={
 remove [find where .id=$idc]
}

please do not alter the timeout

viewtopic.php?f=13&t=176956#p870959

I do not write the things without reason.
If just one connection on connection tracking is already closed for timeout (or other reasons) during the execution of the clean,
the script stop with error because when try the connection is already closed, and do not finish his works.

create a netwatch for that IP and put on both on-down and on-up this:

Code: Select all

/ip fire conn
:foreach idc in=[find where (timeout > 60) and (reply-dst-address ~ "10.254.251.254")] do={
 remove [find where .id=$idc]
}

please do not alter the timeout

viewtopic.php?f=13&t=176956#p870959

I do not write the things without reason.
If just one connection on connection tracking is already closed for timeout (or other reasons) during the execution of the clean,
the script stop with error because when try the connection is already closed, and do not finish his works.

create a netwatch for that IP and put on both on-down and on-up this:

Code: Select all

/ip fire conn
:foreach idc in=[find where (timeout > 60) and (reply-dst-address ~ "10.254.251.254")] do={
 remove [find where .id=$idc]
}

please do not alter the timeout

viewtopic.php?f=13&t=176956#p870959

Ciao Rextended,
Unfortunatly (probably for my mistakes or fault) this is not working for me. By the way I've found a workaround to make it successfull.
With your high knowledge on Mikrotik scripts, I wanna ask you if is possible to create a script (that I'll implement with /system scheduler) that check if the default gateway have changed, and if yes launch a command /ip firewall connection remove blablabla that I already know is working cause I've tested it, but at this very moment I run it manually.
If I am not been clear let me know
Thank you in advance

RouterOS 6.46.8 code

:global previousgw
:if ([:typeof $previousgw] != "id") do={ :set $previousgw *0 }
:global defaultgw ([/ip route get [find where dst-address=0.0.0.0/0 and active=yes and !routing-mark]]->".id")
:if ($previousgw != $defaultgw) do={
    :log warning "Previous GW ID $previousgw different to current GW ID $defaultgw"
    :set $previousgw $defaultgw
} else={
    :log info "The Gateway ID $defaultgw still the same"
}

RouterOS 6.46.8 code

:global previousgw
:if ([:typeof $previousgw] != "id") do={ :set $previousgw *0 }
:global defaultgw ([/ip route get [find where dst-address=0.0.0.0/0 and active=yes and !routing-mark]]->".id")
:if ($previousgw != $defaultgw) do={
    /ip fire conn
    :foreach idc in=[find where (timeout > 60)] do={
        remove [find where .id=$idc]
    }
    :set $previousgw $defaultgw
}