In the meanwhile I've found the following solutions:
1. writing to /proc/net/expire_early
Active TCP and UDP connections get dropped from the kernel NAT table by a timeout mechanism (the standard timeouts can be modified via the web gui, section Advanced / Conntrack/Netfilter).
The timeout for all connections in the kernel NAT table can be reduced to a user defined value by writing it to /proc/net/expire_early.
So the command echo 15 >/proc/net/expire_early sets the timeout to 15 seconds for all connections in the table (the button Drop Idle on the Conntrack/Netfilter screen of the gui performs exactly this command)
This mechanism seems to be a good solution for most cases, but unfortunately it's not possible so set a timeout-value less than 10 seconds - so if a packet belonging to any already known connection gets transmitted to the router within 10 seonds, the connection doesn't get dropped.
2. the solution I prefer
I've found out all known connections get dropped immediately out of the kernel NAT table if a ethernet device gets shut down. So anytime I change a route (= changing the WAN-device to a backup one if my internet connection fails), I shut down the WAN device and re-enable it.
In that case the only problem is, that routing table loose their default route entries (if the default route points to the ethernet device shut down) - but the routing tables can be built again