Once a virtual gateway is down due to loss of internet connectivity, the second gateway is immediately available, but all old TCP connections (as seen in /ip firewall connection) are still up and your device session is stuck trying the old gateway.
A manual flush of connections immediately brings back connectivity on the new active gateway (or wait for old connections to die).
How can I get this to happen automatically when failover takes place?
I have these after the “est-rel accept” rule in my “established-related” chain, which is one of the first ones invoked.
Rather than notifying the client, wouldn’t it be more effective to cut out dead connections?
Not necessarily: if the client assumes the connection is still good, it will send packets using that state. BUT the router will use the other ISP with a different external IP, which the target server won’t have knowledge of and will reject.
I can see this happen in my browser when I switch from a VPN to a non-VPN scenario. Causes confusion LOL.
So Sebastia, this seems to be a safe and useful rule to have in place in general (like part of a default). Is there any danger or potential security risk to this rule?
Specifically, if you are using srcnat for outgoing traffic, only use srcnat=masquerade. When you use masquerade, the router will automatically clear the connections for you during a recursive routing failover. Do not use srcnat=src-nat. Hope this helps. Kind regards
The extra rule that rejects local packets only is there to inform the local client of the different network configuration. The src-address criterion is based on packet data, and that can be spoofed. A safer option would be to filter on the incoming interface (or in-interface-list), but if RP-filter is enabled (https://wiki.mikrotik.com/wiki/Manual:IP/Settings) that’s already verified.
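As an added illustration (not posted by anyone in this thread), here is a RouterOS configuration sketch that puts the static src-nat setting next to the masquerade setting recommended above, adds the RP-filter check, and shows the manual connection flush as a fallback. Interface names WAN1/WAN2, the interface list name WAN, the LAN range and the addresses are assumptions.

```routeros
# Added example, not from the thread. Assumed: WAN1 and WAN2 are the two
# uplinks, "WAN" is an interface list holding both, 203.0.113.10 is WAN1's
# public address and 203.0.113.1 its gateway (documentation ranges).

# --- Weak: a fixed src-nat address tied to WAN1 ---
# After failover to WAN2 the tracked connections still carry WAN1's address,
# packets leave via WAN2 with a source the remote server rejects, and the
# router does not flush the entries for you (the symptom in the first post).
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=src-nat to-addresses=203.0.113.10 \
    comment="weak: static src-nat, stale conntrack entries survive failover"

# --- Preferred: masquerade on the WAN interface list ---
# The source address follows the interface actually used, and, as the reply
# above states, the router clears the affected connections on recursive
# routing failover.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade \
    comment="preferred: masquerade, connections cleared on failover"

/interface list add name=WAN
/interface list member add list=WAN interface=WAN1
/interface list member add list=WAN interface=WAN2

# Filter: accept established/related early (the "est-rel accept" rule),
# then drop invalid packets so dead state dies instead of looping.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="est-rel accept"
add chain=forward connection-state=invalid action=drop

# Source validation: with rp-filter the router checks that a packet arrived
# on the interface it would route the source address through, so an
# in-interface or src-address match in later rules cannot be spoofed as
# easily. Use loose instead of strict if policy routing makes return paths
# asymmetric between the two uplinks.
/ip settings set rp-filter=strict

# Fallback when static src-nat cannot be avoided: flush tracked connections
# when the gateway check fails. This is the manual flush from the first post,
# run automatically; narrow the find expression if dropping everything is
# too disruptive.
/tool netwatch
add host=203.0.113.1 interval=10s \
    down-script="/ip firewall connection remove [find]" \
    comment="manual equivalent of what masquerade does by itself"
```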