I am trying to write a script that will read IP addresses from an address list and then go to /ip firewall connections and clear out those IP addresses' active connections.
The reason for this is that we have a couple of firewall rules that monitor the number of active sessions of an end user. If they violate this limit they are blocked and all HTTP traffic is redirected to a web page letting them know that they are blocked for a specific time. This works fine, but there are times when I notice that they either continue to pass traffic because of the established connections, or, when the time expires, they are blocked again because their open TCP connections are still “open” in the router.
I was hoping someone could give me some pointers on the best way to do this.
The first problem that I am having is that it seems I am unable to delete connections based on the IP of the end user. This is the string I am trying to use for that.
This works fine if I search for a connection mark or other things, but apparently not the IP address.
The second issue I am having is putting the address list into an array and reading out the IP addresses from that array to be used in clearing out the connections.
Any help in getting this script going would be greatly appreciated. Thanks.
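One way to do both things asked for above (walk an address list and drop each listed host's tracked connections), as an added example that is not from the original post. It assumes an address list named "blocked" holding single host addresses, and that the connection table stores src-address as address:port, which is why an exact "=" match on the bare IP finds nothing and a regex anchored on the trailing colon is used instead.

```routeros
# Added example, not from the thread. Assumes:
#  - an address list named "blocked" (hypothetical name) with host entries
#  - /ip firewall connection entries store src-address as "A.B.C.D:port"
:local listName "blocked"

# Each address-list entry is visited by id, then its address is read out;
# this replaces building a separate array of addresses.
:foreach entryId in=[/ip firewall address-list find list=$listName] do={
    :local addr [/ip firewall address-list get $entryId address]

    # Anchor on "^addr:" so 10.0.0.1 does not also match 10.0.0.10:port.
    # The dots in $addr are unescaped regex wildcards; with the trailing ":"
    # anchor they cannot match another valid IPv4 address.
    :local pattern ("^" . $addr . ":")

    # Connections are looked up and removed one id at a time, so a
    # connection that already expired simply drops out of the find result
    # rather than causing a stale-index removal of the wrong entry.
    :foreach connId in=[/ip firewall connection find src-address~$pattern] do={
        /ip firewall connection remove $connId
        :log info ("cleared connection from " . $addr)
    }
}
```

Subnet entries in the list are skipped by the anchored pattern; a separate expansion step would be needed for those.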
Thank you for reporting it, we will look into the problem.
Try using quotation marks and connection marks to match the right connections.
Thanks for looking into it. I also just upgraded to 4.10 on my test box from 4.5 and it still has the same problem. I can’t use connection marks since we are using PCC for the hotspot; I would have to clear out everyone’s connections from the table just to clear out one user’s connections, and that’s not really a good solution. These connections that I am trying to clear out are also already established, so I don’t believe that I can change their mark in order to clear them out. I’ve also tried with and without quotes and as many variations as I could think of.
No errors when the command is run. It accepts it, just nothing happens.
Running the command returns a number of 0. I’m looking at Winbox and there are a few open sessions for my test machine, so I’m assuming it should return some number.
Since you’re matching exactly and not a regex, you could also try using “=” when finding the connections instead of “~”. That should be cheaper on resources. Of course that might not matter depending on how many entries you’re parsing, what hardware you’re running and how busy that hardware is.
We are running 493 and 450 boards. A lot of them are only serviced by a couple of bonded T-1s. Most of them see between 50 and 125 unique users a day. The only times when I see the CPU spike are sometimes with the API, when Torch gets stuck, or when the box receives a ton of garbage traffic from somewhere. The first two are easy enough to get the CPU back down; the last one is a pain.
This will save resources. The conntrack table is moving fast, so looping through them might be slow enough that sometimes a connection doesn’t exist anymore, or an index number is reused and you have now removed the wrong one.