millenium7
Long time Member
Topic Author
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

flushing firewall connections on a specific interface?

Mon May 23, 2022 4:18 am

Having some difficulty with scripting this properly.
I'm about to implement a failover script that uses netwatch and tests for reachability of a public IP address. If a route is unreachable it'll purge the firewall connection table.
The problem is this is not selective; it will purge the entire connection table. Ergo if, say, a backup 4G route is running this script and is a bit unreliable, it's going to keep killing VoIP sessions and all other traffic on the primary as well.

I can't find an easy, reliable method to match firewall connections for a specific interface, since it doesn't record the interface, only IP addresses.
I can't statically write the IP address into the script because they can change over time. And this is a dynamic script I need to deploy to hundreds of routers.

Any help?
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: flushing firewall connections on a specific interface?

Mon May 23, 2022 8:06 am

Have you tried:
/ip firewall connection remove [find where dst-address~"your_public_ip_on_interface_xxx"]
Here you can specify which outside IP you'd like the connections to be cleared for.
 
millenium7
Long time Member
Topic Author
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: flushing firewall connections on a specific interface?

Mon May 23, 2022 8:18 am

Yes, but there are no parameters that correspond to a specific interface, nor to a route.
Only IP addresses are listed, meaning additional steps are required to extrapolate the required information.

I managed to figure it out; bit of a pain in the ass, as I need to extract the information from the 'gateway-status' field in /ip route. Static/dynamic IP routes appear different from PPPoE routes, so it adds an extra step.
Then match that against an interface:
:local RouteMark "Route_1"
:local t [:tostr [/ip route get [find where routing-mark=$RouteMark dst-address=0.0.0.0/0 active] gateway-status]]
# Extract interface name: first word of gateway-status (":find" is the string search; "find" without the colon is the menu command)
:local tf [:pick $t 0 [:find $t " "]]
# If snippet is an IP address, grab the last part instead; offset 6 skips " via " plus the extra space v6 prints before the interface name
# ":set" updates the local $tf; ":global tf" would create a separate global variable and leave the local untouched
:if ([:typeof [:toip $tf]] = "ip") do={:set tf [:pick $t ([:find $t " via "]+6) [:len $t]]}
# "get" expects a single item, so this assumes exactly one address is bound to the interface
:local y [/ip address get [find where interface=$tf] address] ; :set y [:pick $y 0 [:find $y "/"]]
/ip firewall connection remove [find where reply-dst-address~"$y.*"]
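The same technique as the script above, written up as an added example (my own code, not millenium7's or MikroTik's) in the shape I would deploy from a netwatch down-script: the route lookup, the interface extraction from gateway-status and the connection flush are wrapped in one function, and the cases the short script trips over are handled (no route with that mark, a gateway-status without "via", more than one address on the interface, an empty match). The routing-mark "Route_1" is the thread's; the function name flushConnsForRoute, the log messages and the assumption that gateway-status has the v6 form "ether1 reachable" or "10.0.0.1 reachable via  ether1" are mine. In RouterOS v7 the route attribute is routing-table rather than routing-mark, so the find clause needs adjusting there.

```routeros
# Added example, not from the thread. Flush conntrack entries whose reply
# destination is an address on the interface behind a marked default route.
# Assumed names: flushConnsForRoute (function), "Route_1" (routing-mark from the thread).
:global flushConnsForRoute do={
    # $1 = routing-mark of the default route whose upstream interface should be flushed
    :local mark $1
    # "active" is deliberately not required: on a dead path the route may already be inactive
    :local routes [/ip route find where routing-mark=$mark dst-address=0.0.0.0/0]
    :if ([:len $routes] = 0) do={
        :log warning "flushConnsForRoute: no default route with routing-mark $mark"
        :return false
    }
    # "get" needs a single id, so take the first match explicitly
    :local gs [:tostr [/ip route get [:pick $routes 0] gateway-status]]
    # interface gateway (incl. PPPoE): "pppoe-out1 reachable" -> first word is the interface
    :local ifname $gs
    :if ([:typeof [:find $gs " "]] = "num") do={ :set ifname [:pick $gs 0 [:find $gs " "]] }
    # IP gateway: "10.0.0.1 reachable via  ether1" -> interface follows " via " and any spaces
    :if ([:typeof [:toip $ifname]] = "ip") do={
        :local pos [:find $gs " via "]
        :if ([:typeof $pos] != "num") do={
            :log warning "flushConnsForRoute: cannot tell interface from gateway-status '$gs'"
            :return false
        }
        :set ifname [:pick $gs ($pos + 5) [:len $gs]]
        :while ([:pick $ifname 0 1] = " ") do={ :set ifname [:pick $ifname 1 [:len $ifname]] }
    }
    # every address bound to that interface, not only the first one
    :local addrs [/ip address find where interface=$ifname]
    :if ([:len $addrs] = 0) do={
        :log warning "flushConnsForRoute: no address on $ifname"
        :return false
    }
    :local removed 0
    :foreach aid in=$addrs do={
        :local a [/ip address get $aid address]
        :set a [:pick $a 0 [:find $a "/"]]
        # "~" is a regex match and "." matches any character, so this is a prefix match:
        # 10.0.0.1 also matches 10.0.0.10; "^" at least anchors it to the start of the field
        :local conns [/ip firewall connection find where reply-dst-address~"^$a"]
        :if ([:len $conns] > 0) do={
            :set removed ($removed + [:len $conns])
            /ip firewall connection remove $conns
        }
    }
    :log info "flushConnsForRoute: removed $removed connections via $ifname ($mark)"
    :return true
}

# Usage, e.g. as the body of a netwatch down-script after declaring the global
$flushConnsForRoute "Route_1"
```

Because the function is a global variable, it only exists after the script that defines it has run; on the routers in the thread that means running the definition from a scheduler at startup and then calling `$flushConnsForRoute "Route_1"` from the netwatch down-script. The log lines give an audit trail of what was flushed and why, which is worth having when a flapping backup link is suspected of killing sessions.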
