There are cases when I need to remove connections from the connection table that are active in the connection table, but no longer functionally active because routing has changed.
This function has worked well, with only a few hiccups, back into the 2.9 versions of the code.
In response to my 3rd time (3.15, 3.16, 3.17) asking Mikrotik support about it in early December, they told me:
Hello,
Currently connection removing is broken on big-endian platforms such as RB400
series and RB333.RB600 and RB1000.
This fix will be available in next RouterOS release.
Regards,
Maris
From mine point of view this fix is so minor that it doesn’t really matters. If my conntrack is getting too full i just reduce timeout values for problematic entries.
And I still don’t understand why it is necessary to delete one single connection.
While you still have space for new entries it doesn’t matter how much entries are there.
And in case connection tracking is full - everything can be solved by timeout reduction, but it is very rare situation
BTW - by deleting connection entries in conntrack you will not stop packet flow.
Only thing that will happen instead of connection-state=established connection tracking will recognize furder TCP packets as connection-state=invalid
For all other IP protocols next packet will recreate deleted entree back.
SO again this feature is pointless. MT should get rid of that command/button at all.
What I need is for certain long-term connections to end-immediately, so that they can be re-routed.
I have two internet connections, different ISPs, and when one fails or becomes unresponsive, I need the connection-oriented traffic that is passing over the now-dead one to be routed over the backup network.
Regardless of whether you think I need it or not, it is a functionality that is built into the OS that does not work… The commands are there, the winbox buttons are there, and it is clearly broken, and needs to be fixed.
I will try it again with 3.19 this weekend when I am back in town, and hopefully it’s been fixed…
Yes, exactly the same scenario - I use netwatch and script that disables and enables (in simple terms - restarts) connection tracking as soon as gateway goes down (or up).
ok, and i have (probably similar) scripts that watch the interface, the next-hop gateway, and the dhcp-rewnewal state to make the decision when to fail over or nto.
But for me, I cannot restart all of connection tracking, because not all connections traversomg the router are going thru the now “down” interface — I have connections that go across the router internally from one VLAN or network to another, and I have connections that go thru the router to the other outside interface (the one that I would be failing over to). If I stop/start connection tracking, then that connection-tracking data would be lost, and any established connections thru the non-failed interface would now fail. They are “held in place” by the “allow established connection” rules, but if all data in the connection tracking table was lost due to cycling the connection-tracker, then all those packets would then be ‘new connections’ and would not necessarily have the pre-requesites to be rebuilt.
The simplest example would be a TCP connection that is marked as ‘established’ – those consist of only the ACk bit being set, obviously. If I clear the connection and a packet comes in with only the ACK bit being set, and its not already “established” then its considered a malformed packet, because it is a connection that is “new” that doesn’t have SYN (and not also ACK) set.
Simply, the ‘/ip firewall connection remove’ needs to be working…
I agree, the remove needs to be fixed. There are times when a connection has to be removed because its going out the wrong gateway with the wrong ip… I’ve witnessed this enough times myself when swapping gateways.
You need to email support at mikrotik for this one, no one here can fix it : ) It is nice to have this thread so we know when it is fixed however.
It seems to me that MikroTik can solve all problems for us by improving on load balancing and failover support in RouterOS. From what I’ve seen last 5+ years, I am starting to think that MikroTik Latvia need to hire more people because there is too much work to be done.
It is ECMP route - it is per address-pair load balancing (not connection based load balancing). So if you connect from address1 to address2 and it goes via GW1 all other communications from address1 to address2 will use the same gateway.
nth can be used to acheive per packet load balancing, not per connection.
MikroTik, please, DELETE those wiki examples - they are uselessss
your example won’t work for the cases when there are two different ISPs with two different address spaces, and adaptations of the wiki samples will work.
With two different ISPs, you can’t route packets with source addresses of one ISPs interface over the other ISPs network (and vice-versa), so you would need to be more specific in the routing for outbound packets. You would also need to account for packets that come in on one interface (ISP) and then be routed back out that same interface for the return packets; the example you provided doesn’t provide for that case either.
While each of the various Mikrotik examples may not cover all specific cases, they do give users ideas of what might be adapted to their network to solve their individual problem(s).
