Usual failover without scripting:
https://wiki.mikrotik.com/wiki/Advanced ... _Scripting

Once a virtual gateway is down due to loss of internet connectivity, the second gateway is immediately available but all old tcp connections (as seen in /ip firewall connection) are still up and your device session is stuck in trying the old gateway.

A manual flush of connections causes immediately to bring back connectivity on the new active gateway (or wait for old connections to die).

How can I get this to happen automatically when failover takes place ?

The client needs to be notified that the connection is dead so it doesn't have to wait for timeout. I've something like this:

Actually, it seems to have not a great effect....
In which position should I place it among forward chain rules ?

Rather than notify client, shouldn't be more effective to cut out dead connections ?

I have these after "est-rel accept" rule in my "established-related" chain, which is one of the first one invoked.

Rather than notify client, shouldn't be more effective to cut out dead connections ?

Not necessaries: if client assumes connection is still good, it will send packets using that's state. BUT router will use other ISP with different external ip, which the target server won't have knowledge off and will reject.

I can see this happen on my browser when I switch from vpn to non-vpn scenario. Causes confusion LOL.
So Sebastia, this seems to be a safe and useful rule to have in place in general (like part of a default). Is there any danger or potential security risk to this rule??

Take a look at this topic, perhaps it will help:

viewtopic.php?f=2&t=139750&hilit=connection

Specifically. if you are using srcnat for outgoing traffic, only use srcnat=masquerade. When you use masquerade, the router will automatically clear the connections for you during a recursive routing failover. Do not use srcnat=scr-nat. Hope this helps, Kind regards

Hey @anav

The rule

/ip firewall filter add action=drop chain=forward comment="Drop: invalid" connection-state=invalid

is part of the default configuration already.

The extra line with rejects local packets only is to inform local client of different network configuration. The src-address criterium is based on packet data, and that can be spoofed. A safer option would be to filter on incoming interface (or in-interface-list), but if RP-filter is enabled (https://wiki.mikrotik.com/wiki/Manual:IP/Settings) that's already verified.

So if RP-fitler=strict is set, it should be fine.

I think I have RP filter loose, because my router has no morals LOL. Seriously its set to loose for some reason but heck i cant remember LOL.