Mikrotik scripts

clear_conntrack.script

:foreach i in=[/ip firewall connection find src-address="192.168.50.25"] do={/ip firewall connection remove $i}

 /ip firewall connection remove [/ip firewall connection find src-address~"192.168.50.25:"]

failover.script

# ------------------- header -------------------
# Script by Tomas Kirnak, version 1.0.7
# If you use this script, or edit and
# re-use it, please keep the header intact.
#
# For more information and details about
# this script please visit the wiki page at
# http://wiki.mikrotik.com/wiki/Failover_Scripting
# ------------------- header -------------------



# ------------- start editing here -------------
# Edit the variables below to suit your needs

# Please fill the WAN interface names
:local InterfaceISP1 ether2
:local InterfaceISP2 ether1

:local srcISP1 185.181.230.153
:local srcISP2 188.244.28.162

# Please fill the gateway IPs (or interface names in case of PPP)
:local GatewayISP1 185.181.230.1
:local GatewayISP2 188.244.28.1

# Please fill the ping check host - currently: resolver1.opendns.com
:local PingTarget 4.2.2.1

# Please fill how many ping failures are allowed before fail-over happends
:local FailTreshold 3

# Define the distance increase of a route when it fails
:local DistanceIncrease 30

# Editing the script after this point may break it
# -------------- stop editing here --------------



# Declare the global variables
:global PingFailCountISP1
:global PingFailCountISP2

# This inicializes the PingFailCount variables, in case this is the 1st time the script has ran
:if ([:typeof $PingFailCountISP1] = "nothing") do={:set PingFailCountISP1 0}
:if ([:typeof $PingFailCountISP2] = "nothing") do={:set PingFailCountISP2 0}

# This variable will be used to keep results of individual ping attempts
:local PingResult



# Check ISP1
:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP1 src-address=$srcISP1]
:put $PingResult

:if ($PingResult = 0) do={
	:if ($PingFailCountISP1 < ($FailTreshold+2)) do={
		:set PingFailCountISP1 ($PingFailCountISP1 + 1)
		
		:if ($PingFailCountISP1 = $FailTreshold) do={
			:log warning "ISP1 has a problem en route to $PingTarget - increasing distance of routes."
			:foreach i in=[/ip route find gateway=$GatewayISP1 && static] do=\
				{/ip route set $i distance=([/ip route get $i distance] + $DistanceIncrease)}
			:log warning "Route distance increase finished."
		}
	}
}
:if ($PingResult = 1) do={
	:if ($PingFailCountISP1 > 0) do={
		:set PingFailCountISP1 ($PingFailCountISP1 - 1)
		
		:if ($PingFailCountISP1 = ($FailTreshold -1)) do={
			:log warning "ISP1 can reach $PingTarget again - bringing back original distance of routes."
			:foreach i in=[/ip route find gateway=$GatewayISP1 && static] do=\
				{/ip route set $i distance=([/ip route get $i distance] - $DistanceIncrease)}
			:log warning "Route distance decrease finished."
		}
	}
}



# Check ISP2
:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP2 src-address=$srcISP2]
:put $PingResult

:if ($PingResult = 0) do={
	:if ($PingFailCountISP2 < ($FailTreshold+2)) do={
		:set PingFailCountISP2 ($PingFailCountISP2 + 1)
		
		:if ($PingFailCountISP2 = $FailTreshold) do={
			:log warning "ISP2 has a problem en route to $PingTarget - increasing distance of routes."
			:foreach i in=[/ip route find gateway=$GatewayISP2 && static] do=\
				{/ip route set $i distance=([/ip route get $i distance] + $DistanceIncrease)}
			:log warning "Route distance increase finished."
		}
	}
}
:if ($PingResult = 1) do={
	:if ($PingFailCountISP2 > 0) do={
		:set PingFailCountISP2 ($PingFailCountISP2 - 1)
		
		:if ($PingFailCountISP2 = ($FailTreshold -1)) do={
			:log warning "ISP2 can reach $PingTarget again - bringing back original distance of routes."
			:foreach i in=[/ip route find gateway=$GatewayISP2 && static] do=\
				{/ip route set $i distance=([/ip route get $i distance] - $DistanceIncrease)}
			:log warning "Route distance decrease finished."
		}
	}
}

Filter BPDU packets on bridge

/interface bridge filter
add action=drop chain=output comment="DROP RSTP BPDU" dst-mac-address=\
    01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=ether1
add action=drop chain=output comment="DROP RSTP BPDU" dst-mac-address=\
    01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=ether10
# no interface
add action=drop chain=output comment="DROP RSTP BPDU" dst-mac-address=\
    01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface=*45

gistfile1.txt

#default mikrotik firewall

/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
 filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
 filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
 filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
 filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
 filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
 filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
 filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
 filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
 filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
 filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}