AdminAdmin123
just joined
Topic Author
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Remove Nat Sessions on a specific event

Thu May 20, 2021 5:03 pm

Hello to all the community!

I was wondering if there is some way to automate the removal of specific NAT sessions in the firewall connection tracking when an event is triggered.
More specifically, I have 2 WANs on a MikroTik with a failover made with routes and distance: when the PPPoE goes down, all traffic goes over the LTE backup on a different ether interface. What happens is that all SIP connections and traffic won't work unless I manually go into the firewall connections and remove all the 5060 SIP connections, forcing all the phones to register again.
Is there a way, by a script or maybe by a check (maybe netwatch; if it is possible that way, my apologies for posting here), to automate a firewall connection removal every time the default route (the default WAN) changes?
Thanks in advance for your future answers.

Kind regards
 
excession
Frequent Visitor
Posts: 95
Joined: Mon May 11, 2015 8:16 pm

Re: Remove Nat Sessions on a specific event

Sat May 22, 2021 7:14 pm

I use this in both the up and down actions of a netwatch entry that pings my next hop gateway:
/ip firewall connection remove [find];
:log info ("Cleared-Connections");
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Remove Nat Sessions on a specific event

Sat May 22, 2021 8:16 pm

> I use this in both the up and down actions of a netwatch entry that pings my next hop gateway:
> /ip firewall connection remove [find];
> :log info ("Cleared-Connections");

DOES NOT WORK as expected

read this:
viewtopic.php?f=9&t=154606&p=853803&hil ... ve#p853800
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Remove Nat Sessions on a specific event

Sat May 22, 2021 8:19 pm

> Hello to all the community!
>
> I was wondering if there is some way to automate the removal of specific NAT sessions in the firewall connection tracking when an event is triggered.
> More specifically, I have 2 WANs on a MikroTik with a failover made with routes and distance: when the PPPoE goes down, all traffic goes over the LTE backup on a different ether interface. What happens is that all SIP connections and traffic won't work unless I manually go into the firewall connections and remove all the 5060 SIP connections, forcing all the phones to register again.
> Is there a way, by a script or maybe by a check (maybe netwatch; if it is possible that way, my apologies for posting here), to automate a firewall connection removal every time the default route (the default WAN) changes?
> Thanks in advance for your future answers.
>
> Kind regards

use the second script here, just put the previous PPPoE public IP in the global variables

viewtopic.php?f=9&t=154606&p=853803&hil ... ve#p853803
 
excession
Frequent Visitor
Posts: 95
Joined: Mon May 11, 2015 8:16 pm

Re: Remove Nat Sessions on a specific event

Sat May 22, 2021 9:07 pm


> DOES NOT WORK as expected
>
> read this:
> viewtopic.php?f=9&t=154606&p=853803&hil ... ve#p853800
haha I knew as I wrote that there was something I’d forgotten about this.

Thanks, I’d read your post before; I’d even updated my script with it but for some reason it was missing on the router I copied it from.

Thanks a lot!
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Remove Nat Sessions on a specific event

Sat May 22, 2021 10:01 pm


> > DOES NOT WORK as expected
> >
> > read this:
> > viewtopic.php?f=9&t=154606&p=853803&hil ... ve#p853800
> haha I knew as I wrote that there was something I’d forgotten about this.
>
> Thanks, I’d read your post before; I’d even updated my script with it but for some reason it was missing on the router I copied it from.
>
> Thanks a lot!

Thank you too!
 
AdminAdmin123
just joined
Topic Author
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Re: Remove Nat Sessions on a specific event

Tue May 25, 2021 6:42 pm

> Hello to all the community!
>
> I was wondering if there is some way to automate the removal of specific NAT sessions in the firewall connection tracking when an event is triggered.
> More specifically, I have 2 WANs on a MikroTik with a failover made with routes and distance: when the PPPoE goes down, all traffic goes over the LTE backup on a different ether interface. What happens is that all SIP connections and traffic won't work unless I manually go into the firewall connections and remove all the 5060 SIP connections, forcing all the phones to register again.
> Is there a way, by a script or maybe by a check (maybe netwatch; if it is possible that way, my apologies for posting here), to automate a firewall connection removal every time the default route (the default WAN) changes?
> Thanks in advance for your future answers.
>
> Kind regards
>
> use the second script here, just put the previous PPPoE public IP in the global variables
>
> viewtopic.php?f=9&t=154606&p=853803&hil ... ve#p853803

Hi Rextended, and thanks for the reply :)
I'll try your script soon on my MikroTik test unit, but I still have a doubt about the second part, about the dst address: in your function, it seems to me that you are deleting all NATted sessions matching the $previousIP rule. If this is the case, when I substitute the IP with my ISP's public (static) IP, no connections will be matched, because the dst address is not the one of my WAN IP.
Maybe your gateway is a modem, or NATted with an IP not given by your ISP? Does your MikroTik do the PPPoE, or do you maybe get your IP by DHCP from your ISP?
Thanks in advance for your future answer :)
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Remove Nat Sessions on a specific event

Tue May 25, 2021 7:19 pm

Close all NATted connections with an IP address different from the active one!
# the pattern on the right of ~ is a regex string, so keep the IP quoted
:global actualIP "6.7.8.9"

/ip fire conn
:foreach idc in=[find where timeout>60 and (!(reply-dst-address~$actualIP))] do={
 remove [find where .id=$idc]
}
 
AdminAdmin123
just joined
Topic Author
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Re: Remove Nat Sessions on a specific event

Mon May 31, 2021 1:09 pm

> Close all NATted connections with an IP address different from the active one!
> # the pattern on the right of ~ is a regex string, so keep the IP quoted
> :global actualIP "6.7.8.9"
>
> /ip fire conn
> :foreach idc in=[find where timeout>60 and (!(reply-dst-address~$actualIP))] do={
>  remove [find where .id=$idc]
> }

Thanks for the reply :)
Can you advise me on a correct way to implement this and automate it? I have 2 WANs: one with PPPoE and a static IP from the ISP, and the other one is a static route to an LTE router without a public IP (LTE SIM). Do you think I have to use the netwatch tool? If yes, I was thinking of inserting the script you posted in the "on down" section, but I don't know how to trigger it (and which host to choose) and how to automate it when the primary WAN comes back again.
Thanks again, bye
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Remove Nat Sessions on a specific event

Mon May 31, 2021 2:03 pm

It's complicated if more than one connection is used; search for dual WAN failover for the implementation.
If DHCP is used on the LTE side, the script can be put in the dhcp-client script; if the LTE has a fixed IP on the LAN,
netwatch one public IP forced by routing to be reachable only over LTE.
 
AdminAdmin123
just joined
Topic Author
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Re: Remove Nat Sessions on a specific event

Tue Jun 01, 2021 12:27 pm

> It's complicated if more than one connection is used; search for dual WAN failover for the implementation.
> If DHCP is used on the LTE side, the script can be put in the dhcp-client script; if the LTE has a fixed IP on the LAN,
> netwatch one public IP forced by routing to be reachable only over LTE.

The dual WAN failover is already implemented; I suppose I have to do a netwatch rule on down to trigger the script, then I have to figure out something else for the rollback, I suppose..
 
AdminAdmin123
just joined
Topic Author
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Re: Remove Nat Sessions on a specific event

Tue Jun 01, 2021 8:15 pm

By the way, it doesn't work even if I launch it normally as a simple script, tbh.
 
mbaute
newbie
Posts: 30
Joined: Fri May 22, 2015 3:54 pm

Re: Remove Nat Sessions on a specific event

Tue Jun 01, 2021 11:05 pm

hi adminadmin,

Maybe you can play around with recursive routes to check for connectivity. Basically you set that IP X is reachable through gateway1, and IP Y is reachable through gateway2. Then you create your 0.0.0.0/0 using X and Y as gateways; they will be your "testers", and with distance you establish which one will be primary. In your case it would be something like this:

/ip rou
add check-gateway=ping distance=1 gateway=4.2.2.2 scope=10 target-scope=25
add check-gateway=ping distance=2 gateway=4.2.2.3 scope=10 target-scope=25
add distance=1 dst-address=4.2.2.2/32 gateway=your-pppoe-int scope=25
add distance=1 dst-address=4.2.2.3/32 gateway=your-lte-gw-ip scope=25

In the event that 4.2.2.2 stops responding, by check-gateway it will be declared unreachable and 4.2.2.3 will take over, rolling back to 4.2.2.2 if it becomes reachable again.

As to deleting tracked connections, maybe you can try disabling/enabling interfaces 🤔🤔. Never been there, but I'm almost sure that all tracked connections belonging to an interface get cleared when you disable it.

Regards,
 
AdminAdmin123
just joined
Topic Author
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Re: Remove Nat Sessions on a specific event

Wed Jun 16, 2021 10:45 am

> hi adminadmin,
>
> Maybe you can play around with recursive routes to check for connectivity. Basically you set that IP X is reachable through gateway1, and IP Y is reachable through gateway2. Then you create your 0.0.0.0/0 using X and Y as gateways; they will be your "testers", and with distance you establish which one will be primary. In your case it would be something like this:
>
> /ip rou
> add check-gateway=ping distance=1 gateway=4.2.2.2 scope=10 target-scope=25
> add check-gateway=ping distance=2 gateway=4.2.2.3 scope=10 target-scope=25
> add distance=1 dst-address=4.2.2.2/32 gateway=your-pppoe-int scope=25
> add distance=1 dst-address=4.2.2.3/32 gateway=your-lte-gw-ip scope=25
>
> In the event that 4.2.2.2 stops responding, by check-gateway it will be declared unreachable and 4.2.2.3 will take over, rolling back to 4.2.2.2 if it becomes reachable again.
>
> As to deleting tracked connections, maybe you can try disabling/enabling interfaces 🤔🤔. Never been there, but I'm almost sure that all tracked connections belonging to an interface get cleared when you disable it.
>
> Regards,

Hi mbaute,
Thank you for your answer. Failover is not a problem here; connectivity switches over fine when the main WAN goes down. My problem is that when connections go back and forth, old NAT sessions remain and I need to close the old ones (above all for SIP purposes) every time the WAN changes.
(Hope I've explained the problem, I am driving and writing at the same time ^^')
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Remove Nat Sessions on a specific event

Wed Jun 16, 2021 10:54 am

> I am driving and writing at the same time
...NO COMMENT...
 
AdminAdmin123
just joined
Topic Author
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Re: Remove Nat Sessions on a specific event

Tue Sep 21, 2021 6:20 pm

> > I am driving and writing at the same time
> ...NO COMMENT...

Like you have never done that... ^^' :D
Anyway, I've found how to kill all the sessions that I need in particular, but I still have some trouble doing that just once every time my default changes (failover with different distance).
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Remove Nat Sessions on a specific event

Tue Sep 21, 2021 7:15 pm



> > ...NO COMMENT...
> Like you have never done that... ^^' :D

Oh... how long since the last time you were writing and driving at the same time... Did you just get out of the hospital? :lol: :lol: :lol:
 
AdminAdmin123
just joined
Topic Author
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Re: Remove Nat Sessions on a specific event

Mon Oct 11, 2021 11:15 am


> Oh... how long since the last time you were writing and driving at the same time... Did you just get out of the hospital? :lol: :lol: :lol:

Sure, fresh out and still driving while texting :P
Returning to the topic. I figured out what can work to solve the problem, but I can't implement it with my low knowledge of MikroTik scripts. I need a script that works in a netwatch up/down, that has to kill all sessions with destination xxx.xxx.xxx.xxx every time the main connection goes down.
my routes atm
/ip route
add distance=10 gateway=10.254.251.254
add distance=22 gateway=192.168.129.254
when 10.254.251.254 is unreachable, the script has to run /ip firewall connection remove [/ip firewall connection find dst-address~"xxx.xxx.xxx.xxx:5060"], and do it just once.
when 10.254.251.254 comes back reachable, the script has to do it once again, just one time

Thanks in advance for all the future answers.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Remove Nat Sessions on a specific event

Mon Oct 11, 2021 2:22 pm

create a netwatch for that IP and put on both on-down and on-up this:
/ip fire conn
:foreach idc in=[find where (timeout > 60) and (reply-dst-address ~ "10.254.251.254")] do={
 remove [find where .id=$idc]
}

please do not alter the timeout

viewtopic.php?f=13&t=176956#p870959
I do not write things without reason.
If just one connection in connection tracking is already closed for timeout (or other reasons) during the execution of the clean-up,
the script stops with an error, because when it tries, the connection is already closed, and it does not finish its work.
 
stevenyobrauly
just joined
Posts: 3
Joined: Fri Dec 13, 2019 10:52 pm

Re: Remove Nat Sessions on a specific event

Thu Oct 21, 2021 10:54 am

Hi Rextended, how would it be if the connections I need to remove are being NATted by a pool, for example a /30 or /29?

How do I indicate that in your script?

> create a netwatch for that IP and put on both on-down and on-up this:
> /ip fire conn
> :foreach idc in=[find where (timeout > 60) and (reply-dst-address ~ "10.254.251.254")] do={
>  remove [find where .id=$idc]
> }
>
> please do not alter the timeout
>
> viewtopic.php?f=13&t=176956#p870959
> I do not write things without reason.
> If just one connection in connection tracking is already closed for timeout (or other reasons) during the execution of the clean-up,
> the script stops with an error, because when it tries, the connection is already closed, and it does not finish its work.
 
AdminAdmin123
just joined
Topic Author
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Re: Remove Nat Sessions on a specific event

Wed Jan 19, 2022 10:58 am

> create a netwatch for that IP and put on both on-down and on-up this:
> /ip fire conn
> :foreach idc in=[find where (timeout > 60) and (reply-dst-address ~ "10.254.251.254")] do={
>  remove [find where .id=$idc]
> }
>
> please do not alter the timeout
>
> viewtopic.php?f=13&t=176956#p870959
> I do not write things without reason.
> If just one connection in connection tracking is already closed for timeout (or other reasons) during the execution of the clean-up,
> the script stops with an error, because when it tries, the connection is already closed, and it does not finish its work.

Hi Rextended,
Unfortunately (probably due to my mistakes or fault) this is not working for me. By the way, I've found a workaround to make it successful.
With your high knowledge of MikroTik scripts, I want to ask you if it is possible to create a script (that I'll implement with /system scheduler) that checks if the default gateway has changed, and if yes launches a command /ip firewall connection remove blablabla that I already know is working because I've tested it, but at this very moment I run it manually.
If I have not been clear, let me know.
Thank you in advance
 
AdminAdmin123
just joined
Topic Author
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Re: Remove Nat Sessions on a specific event

Mon Feb 14, 2022 4:14 pm

> > create a netwatch for that IP and put on both on-down and on-up this:
> > /ip fire conn
> > :foreach idc in=[find where (timeout > 60) and (reply-dst-address ~ "10.254.251.254")] do={
> >  remove [find where .id=$idc]
> > }
> >
> > please do not alter the timeout
> >
> > viewtopic.php?f=13&t=176956#p870959
>
> Hi Rextended,
> Unfortunately (probably due to my mistakes or fault) this is not working for me. By the way, I've found a workaround to make it successful.
> With your high knowledge of MikroTik scripts, I want to ask you if it is possible to create a script (that I'll implement with /system scheduler) that checks if the default gateway has changed, and if yes launches a command /ip firewall connection remove blablabla that I already know is working because I've tested it, but at this very moment I run it manually.
> If I have not been clear, let me know.
> Thank you in advance
Sorry for the bump, does anyone know or have any suggestion how to implement that?
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Remove Nat Sessions on a specific event

Tue Feb 15, 2022 10:19 am

How to obtain the actual gateway ID, compare it with the previous ID value stored in memory, and if it is different, remove all old NAT sessions

For debugging

RouterOS 6.46.8 code

:global previousgw
:if ([:typeof $previousgw] != "id") do={ :set $previousgw *0 }
:global defaultgw ([/ip route get [find where dst-address=0.0.0.0/0 and active=yes and !routing-mark]]->".id")
:if ($previousgw != $defaultgw) do={
    :log warning "Previous GW ID $previousgw different to current GW ID $defaultgw"
    :set $previousgw $defaultgw
} else={
    :log info "The Gateway ID $defaultgw is still the same"
}


Working example without debug frills

RouterOS 6.46.8 code

:global previousgw
:if ([:typeof $previousgw] != "id") do={ :set $previousgw *0 }
:global defaultgw ([/ip route get [find where dst-address=0.0.0.0/0 and active=yes and !routing-mark]]->".id")
:if ($previousgw != $defaultgw) do={
    /ip fire conn
    :foreach idc in=[find where (timeout > 60)] do={
        remove [find where .id=$idc]
    }
    :set $previousgw $defaultgw
}
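A combined, scheduler-driven version of the two approaches in this thread, added here as an example and not code from rextended or from the thread: the gateway-ID comparison from this post decides when to purge, and the timeout / re-find pattern from the netwatch post earlier does the purge, narrowed to the port 5060 SIP sessions the OP asked about. The script name nat-purge-on-gw-change, the PBX address 192.0.2.10 and the 30 s scheduler interval are assumptions; replace them with your own values.

```routeros
# Added example, not code from the thread. Assumed values: script name
# "nat-purge-on-gw-change", PBX address 192.0.2.10, 30 s scheduler interval.
# --- body of /system script "nat-purge-on-gw-change" ---
:global previousgw
:if ([:typeof $previousgw] != "id") do={ :set $previousgw *0 }

:local sipServer "192.0.2.10"

# Active default routes outside any routing mark; with distance-based
# failover exactly one of them is active at a time.
:local gws [/ip route find where dst-address=0.0.0.0/0 and active=yes and !routing-mark]
:if ([:len $gws] = 0) do={
    :log warning "no active default route, NAT purge skipped"
} else={
    :local defaultgw [:pick $gws 0]
    :if ($previousgw != $defaultgw) do={
        :log warning "default GW changed $previousgw -> $defaultgw, purging SIP sessions"
        :local purged 0
        # timeout > 60 skips entries that are about to expire anyway; the regex
        # matches "<pbx>:5060" (unescaped dots match any character, acceptable here)
        :foreach idc in=[/ip firewall connection find where (timeout > 60) and (dst-address ~ "^$sipServer:5060\$")] do={
            # re-find by id: an entry that expired mid-loop is skipped instead of
            # aborting the whole loop with an error
            :local hit [/ip firewall connection find where .id=$idc]
            :if ([:len $hit] > 0) do={
                /ip firewall connection remove $hit
                :set purged ($purged + 1)
            }
        }
        :log info "purged $purged SIP sessions"
        :set $previousgw $defaultgw
    }
}

# --- trigger: poll from the scheduler (run this once in the console) ---
/system scheduler add name=nat-purge-check interval=30s start-time=startup on-event="/system script run nat-purge-on-gw-change"
# The same script can also sit in the netwatch up-script/down-script from the
# earlier post, but check-gateway needs two missed pings (about 20 s) before it
# deactivates the route, so the route may still flip after netwatch fires;
# keep the scheduler as the safety net.
```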
