OKNET
Member
Topic Author
Posts: 350
Joined: Mon Jun 22, 2015 9:22 am

Multiple WAN failover connections reset

Thu Jun 17, 2021 9:53 am

I always used recursive (virtual) gateway check against multiple internet hosts per route to determine its fail.
This works fine except connections currently using that route hang when route is inactive.
Another method is to use netwatch script to both disable route and flush connections, but it works only against a single internet host to be "pinged".
It would be easy to use netwatch to ping-check the "virtual" gateway pointing to a pair of recursive hosts; unfortunately the virtual gateway doesn't answer to ping despite being "up".

Is there a way to automatically flush connections currently using a route when it becomes inactive (i.e. a script to check route status) ?

Second question:
I'm using connection mark from mangle/PCC for load balancing so I could flush connections marked for the failing route, i.e.
/ip firewall connection remove [find connection-mark="wan3_conn"]
HTTPS connections are not processed by PCC, thus not marked, thus not choosable for removal, thus no way to know which connection is actually using the failing route....
Is a simple /ip firewall connection remove [find] useful to flush all connections anyway?
 
OKNET
Member
Topic Author
Posts: 350
Joined: Mon Jun 22, 2015 9:22 am

Re: Multiple WAN failover connections reset

Thu Jun 17, 2021 11:07 am

Well, about the second question, I've realized also "Reply dst. address" (which returns router IP address:port) can be used as a parameter to skim connections using a particular route (marked or not).
What syntax must I use to remove those connections indistinctly, specifying only the IP address without port?
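The two questions in this thread (detecting that a route has gone inactive from a script, and removing the tracked connections that use it by the router's own address without the port) can be handled in one RouterOS script. The following is an added example written for this thread, not code from OKNET, MikroTik or any forum member. It assumes the WAN route carries the comment "wan3" and that the WAN interface is "ether3"; both are placeholders to adjust. It relies on the route's read-only "active" flag, which recursive (check-gateway) routes clear once every check target fails, and on "reply-dst-address" being the masqueraded WAN ip:port of the flow, which is what the second post describes. It is meant to run from /system scheduler every few seconds or from a netwatch down script; it does not touch flows that leave through the other WANs.

```routeros
# Added example (not from the thread): flush tracked connections that egress
# via a WAN whose route has become inactive.
# Placeholders (assumptions): route comment "wan3", WAN interface "ether3".
:local routeComment "wan3"
:local wanIface "ether3"

# Pick the first route carrying the comment; "get" on an array of several
# ids fails with "invalid internal item number", so index explicitly.
:local routeIds [/ip route find where comment=$routeComment]
:if ([:len $routeIds] = 0) do={ :error "no route with comment $routeComment" }
:local routeId ($routeIds->0)

# "active" is false while the recursive gateway check has failed
:local isActive [/ip route get $routeId active]

:if ($isActive = false) do={
    # WAN address as reported by /ip address, e.g. "203.0.113.5/30" -> "203.0.113.5"
    :local addrCidr [/ip address get [find where interface=$wanIface] address]
    :local wanIp [:pick $addrCidr 0 [:find $addrCidr "/"]]

    :local removed 0
    :foreach c in=[/ip firewall connection find] do={
        # reply-dst-address is "ip:port" for TCP/UDP; strip the port so the
        # match is on the address only and works for marked and unmarked flows
        :local rd [/ip firewall connection get $c reply-dst-address]
        :local rdIp $rd
        :local colon [:find $rd ":"]
        :if ([:typeof $colon] != "nil") do={ :set rdIp [:pick $rd 0 $colon] }
        :if ($rdIp = $wanIp) do={
            /ip firewall connection remove $c
            :set removed ($removed + 1)
        }
    }
    :log info "route $routeComment inactive: flushed $removed connections via $wanIp"
}
```

Matching on the reply address rather than on a connection mark is what lets this catch the HTTPS flows that PCC never marked. Compared with a bare "/ip firewall connection remove [find]", the scoped removal leaves the state of flows on the healthy WANs intact, so stateful filter rules keep seeing those as established instead of briefly treating every packet as a new connection.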
 
icttech
newbie
Posts: 29
Joined: Mon Dec 04, 2017 3:05 am
Location: Canada

Re: Multiple WAN failover connections reset

Sun Oct 17, 2021 11:15 pm

Hi, have you found a solution?

I'm facing a similar experience using the same recursive DNS, Mangle, etc. and Netwatch with a basic script on downed WAN1, but all connections do not fully reset. If CLI remove connections are used, connections clear properly and instantly.

Netwatch
1 - Host: 8.8.8.8
    Interval: 3
    Timeout: 400
    UP Script
      /ip route enable [find dst-address=0.0.0.0/0 gateway=8.8.8.8]
    Down Script
      /ip route disable [find dst-address=0.0.0.0/0 gateway=8.8.8.8]
      /ip firewall connection remove [find]
    Comment: Main ISP
2 - Host: 1.1.1.1
    Interval: 3
    Timeout: 400
    UP Script
      /ip route enable [find dst-address=0.0.0.0/0 gateway=1.1.1.1]
    Down Script
      /ip route disable [find dst-address=0.0.0.0/0 gateway=1.1.1.1]
      /ip firewall connection remove [find]
    Comment: LTE6 Backup

I've tried adding remove several times in the down script but still same results. Failover does work but connected TCP/UDP active connections involving video/audio do not reset immediately and video/audio streaming hangs for about 10 to 30 seconds in our tests.
 
fragtion
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Re: Multiple WAN failover connections reset

Wed Nov 17, 2021 9:19 pm

I'm seeing a similar issue. I have a hAP ac lite as my main gateway, and then run a bunch of wireguard tunnels on a CHR on the same LAN which use the hAP as the gateway...
All wan/pppoe connections are marked respectively...
When I experience a wan failover event, I change default gateway, and then remove all firewall connections matching the "failed" wan.. It mostly works fine...

However, one of the wireguard tunnels, which has roughly 1.5Mb of concurrent traffic flowing through it at all times, does not want to switch over unless I manually block/reject with a filter rule? Why is this? For some reason this tunnel won't switch back to the primary gateway when it returns and I wipe the failover connections:
[admin@hAP] > put [/ip/firewall/connection/find where connection-mark=pppoe2_lans]
*5d5e3
[admin@hAP] > /ip/firewall/connection/remove [find where connection-mark=pppoe2_lans]
[admin@hAP] > put [/ip/firewall/connection/find where connection-mark=pppoe2_lans]
*5d5e3
[admin@hAP] > /ip/firewall/connection/remove [find where connection-mark=pppoe2_lans
[admin@hAP] > put [/ip/firewall/connection/find where connection-mark=pppoe2_lans]
*5d5e3
[admin@hAP] >
One strange thing I did notice is the following:
[admin@hAP] > put [/ip/firewall/connection/get [find where connection-mark="pppoe2_lans"]]
invalid internal item number
[admin@hAP] > put [/ip/firewall/connection/get [find where connection-mark="pppoe2_lans"]]
invalid internal item number
no such item (4)
[admin@hAP] > put [/ip/firewall/connection/get [find where connection-mark="pppoe2_lans"]]
.id=*5d5e3;assured=true;confirmed=true;connection-mark=pppoe2_lans;dst-address=xxx.36.7.80:11210;dstnat=true;dying=false;expected=false;fasttrack=false;hw-offl
oad=false;orig-bytes=78208360;orig-fasttrack-bytes=0;orig-fasttrack-packets=0;orig-packets=199860;orig-rate=1487424;protocol=udp;repl-bytes=964380;repl-fasttra
ck-bytes=0;repl-fasttrack-packets=0;repl-packets=6125;repl-rate=20832;reply-dst-address=xxx.183.102.251:11220;reply-src-address=192.168.100.1:11210;seen-reply=
true;src-address=xxx.183.102.251:11220;srcnat=false;timeout=00:03:00

This sort of intermittency and unreliability can be really frustrating .. It would be great if every connection is removed as commanded ..

Running RouterOS v7.1rc6, not sure if this happens with other versions.

Edit: Ok so it turns out the persistent pppoe2_lans connection was caused by an incoming connection from the remote host being marked. However I'm still having problems closing some other connections and the script terminates
