Suggestion: Add a button to flush connections

As we know, connection management is a little limited (it shows at most 2048 connections).
There are times when you want to flush/clear all connections and it is hard to do it, even with scripts.

It would be great if there was a button/command to flush all connections at once.

For example, after a backup line change NAT can become invalid and being able to flush connections from a script would help.

I’d add one more plea: please add a single robust command that will flush all connections.

This will be useful for debugging, for use in scripts, etc.

Yes, I can go to the connections tab and disable connection tracking, then re-enable it again, but sometimes it is not enough. And when you deal with WAN balancing you definitely need something very robust to solve it!

What issues are you having with scripting this?

Where can I find a script that works?

All my attempts end in random errors about non-existing connections.

Also, how many iterations do I have to try?
Remember I can only remove 2048 connections at once, and between iterations new connections can be created and destroyed.

Any scripted approach would be, not only in practice but also by definition, clumsy.

I’ve not come across the 2048 limit but I deal with a low number of connections usually.

Quickest way:
/ip firewall connection tracking set enabled=no
/ip firewall connection tracking set enabled=yes

I have tried that and IIRC it didn’t work as expected.

Can you imagine what will happen when you disable connection tracking when you rely on marking for routing? You can easily lose the connection to the device without the possibility to establish it again. But maybe it is not your case.

This may have been answered in another board, however, I find the following script seems to flush all the existing connections. The WinBox seems to immediately reconnect without dropping on screen but your mileage may vary!

Script: /ip firewall connection remove [/ip firewall connection find];

It seems this works as a wildcard: it finds all connections and removes them in one line. Periodically you may get a statement that something is no longer present, but I believe this is because the connection was dropped between the find and remove command execution time slots.

If anyone is aware that this does not drop all existing connections please advise.

With too many items in the conntrack table it might be necessary to repeat the command several times. Maybe this is no longer the case with recent versions, I have not tried it for a very long time…
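The repeat-until-empty approach and the "no longer present" errors from the posts above, written out as a RouterOS script. This is an added example, not a script from the thread; the pass cap of 20 is an assumption, and the `:do ... on-error` wrapper only absorbs the race where an entry disappears between find and remove.

```routeros
# Added example (not from the thread): flush the connection table in passes.
# Each pass removes whatever "find" currently returns (at most 2048 entries),
# so loop until the table is empty or the pass cap is reached.
:local pass 0
:local maxPasses 20
:while ([:len [/ip firewall connection find]] > 0 && $pass < $maxPasses) do={
    :set pass ($pass + 1)
    :do {
        /ip firewall connection remove [/ip firewall connection find]
    } on-error={
        # An entry vanished between find and remove; just continue with the next pass.
        :log info ("flush pass " . $pass . ": some entries vanished before removal")
    }
}
:log info ("connection flush finished after " . $pass . " pass(es); remaining: " . [:len [/ip firewall connection find]])
```

Because active tracking refills the table as new connections arrive, "remaining" may be non-zero after the last pass; check the log line rather than assuming the table is empty.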