Script to Clean Firewall->Connections after public IP Changes

Hello,

I’ve found a “problem”: when the default route changes, the SIP connections stay active with the old IP address and SIP can’t register over the new route.

I’m searching for a solution but can’t find one, so I tried to write this script, but it’s not working…

Can someone help me?

# cIP must be global so the last seen address survives between script runs
# (a :local declared inside { } is not visible outside that block)
:global cIP

# fetch the current public IP into a file and read it back as a string
/tool fetch url="http://myip.dnsomatic.com/" mode=http dst-path=mypublicip.txt
:local newIP [/file get mypublicip.txt contents]
:put $newIP

:if ($newIP != $cIP) do={
    :put "ip address $cIP changed to $newIP";
    :set cIP $newIP;
    /ip firewall connection remove [find];
}

In the script from http://www.farlock.org/mikrotik/mikrotik-load-balancer-and-failover-and-traffic-prioritization/ you’ll find some rules to clear connections. Maybe you can use it.

Hello.
I also have this problem and would like to create a script to clear UDP connections. Unfortunately, the guide you linked does not work. Do you have a new working link?
Thank you

(sorry for my English)

“/ip firewall connection remove [find]”

This command does not work the way many people think…

If some connections are closed (removed) between the start and the end of the command, it errors out and stops, leaving some connections open.

It works like: “collect all connection IDs, and after that close them one by one”.

But if, for some reason, a connection ID has already been closed in the meantime (e.g. it expired), the procedure stops.

I’m writing a function to do that without errors (I hope); give me a few minutes and I’ll post it here.

To close ALL connections open at the moment you launch the command:
(this ignores any connection made or closed after the first [find] inside the script)

/ip fire conn
:foreach idc in=[find where timeout>60] do={
 remove [find where .id=$idc]
}

The “timeout>60” and the second “find” prevent errors from connections already closed while the script is running :wink:

To remove ONLY NATted connections with the previous invalid IP:
(DO NOT REMOVE THE QUOTES; PASS THE PARAMETER AS A STRING, NOT AN IP!!!)

:global previousIP "18.11.23.33"

/ip fire conn
:foreach idc in=[find where timeout>60 and reply-dst-address~$previousIP] do={
 remove [find where .id=$idc]
}

On a pppoe-client connection this can be used as the on-up script of the pppoe-client’s profile:

:global newIP [:tostr $"local-address"]

/ip fire conn
:foreach idc in=[find where timeout>60 and (!(reply-dst-address~$newIP))] do={
 remove [find where .id=$idc]
}