Could this be a solution "to feed the wolf and keep the goat complete"?On one hand, I fully agree with you that netwatch should be permitted to do anything you wish; on the other hand, I do understand that as it could be misused to bypass users' policy restrictions, Mikrotik had to do something about it. But my approach would be to assign policies to netwatch items the same way they are associated with scheduler jobs and scripts, and to allow the user to assign to the netwatch item he creates only policies with which his own account is configured (which I believe is the case with scheduler jobs and scripts).
It's not working on 6.42.3I have Netwatch watch 8.8.8.8 and when its up, trigger the below script.. Called UP..
The permissions are read write test on all the below. They worked before 6.42. They work if manually triggered.
Up
_____________________________________________________________________
:log warning "Connection up";
/system script run IPSMTP;
:tool e-mail send to="xxxx@xxx" from="xxxxxx" subject="xxx router is online" body="xxx router is online";
/system script run DYNForce;
_____________________________________________________________________
The above then triggers other scripts..
This one makes sure the mail server is looked up correctly
IPSMTP
______________________________________________________________
:local ipsmtp
:set ipsmtp [:resolve xxxxx]
if ($ipsmtp != [/tool e-mail get address]) do={ /tool e-mail set address=$ipsmtp}
_______________________________________________________________
This then forces DynDNS to the current IP
DYNForce
________________________________________________________________
# Set needed variables
:local username "xxxxxxx"
:local password "xxxxxxx"
:local hostname "xxxxxx"
:global dyndnsForce
:global previousIP
# print some debug info
:log info ("UpdateDynDNS: username = $username")
:log info ("UpdateDynDNS: password = $password")
:log info ("UpdateDynDNS: hostname = $hostname")
:log info ("UpdateDynDNS: previousIP = $previousIP")
# get the current IP address from the internet (in case of double-nat)
/tool fetch mode=http address="checkip.dyndns.org" src-path="/" dst-path="/dyndns.checkip.html"
:delay 1
:local result [/file get dyndns.checkip.html contents]
# parse the current IP result
:local resultLen [:len $result]
:local startLoc [:find $result ": " -1]
:set startLoc ($startLoc + 2)
:local endLoc [:find $result "</body>" -1]
:local currentIP [:pick $result $startLoc $endLoc]
:log info "UpdateDynDNS: currentIP = $currentIP"
# Remove the # on next line to force an update every single time - useful for debugging,
# but you could end up getting blacklisted by DynDNS!
:set dyndnsForce true
# Determine if dyndns update is needed
# more dyndns updater request details http://www.dyndns.com/developers/specs/syntax.html
:if (($currentIP != $previousIP) || ($dyndnsForce = true)) do={
:set dyndnsForce false
:set previousIP $currentIP
:log info "$currentIP or $previousIP"
/tool fetch user=$username password=$password mode=http address="members.dyndns.org" \
src-path="nic/update?system=dyndns&hostname=$hostname&myip=$currentIP&wildcard=no" \
dst-path="/dyndns.txt"
:delay 1
:local result [/file get dyndns.txt contents]
:log critical ("UpdateDynDNS: Dyndns update needed")
:log critical ("UpdateDynDNS: Dyndns Update Result: ".$result)
:put ("Dyndns Update Result: ".$result)
} else={
:log info ("UpdateDynDNS: No dyndns update needed")
}
The underlying issue is that you are trying to make Netwatch execute a script, that requires permissions it does not have.
Is this not a reasonable requirement? A read only user can't create FULL permission accounts. Is that not reasonable?
So, there is no solution?
How are we supposed to use Dyn DNS?
Unfortunately it does not work on 6.42.3 (RB435G)...So, there is no solution?
How are we supposed to use Dyn DNS?
Currently I use scheduler and just run it every 15 mins. Its not a ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
I dont have any single line scripts. Im not sure a single line should be used in a script as I think Netwatch could execute a single line on its own ?Can anyone provide an example of Netwatch with single line script that is not working but you think that Netwatch should be able to execute it. Please provide single command example. At the moment, we have not seen any actual case (besides misconfiguration due to policies) where this would be a problem.
/tool netwatch add host=x.x.x.x up-script="/system script run test"
/system script add name=test policy=read,write,test,reboot source="/xxxxx"
Send in such example to support@mikrotik.com and we will see what can be improved.
Hmmm... I can check more later once I am offsite. I am using RC19 currently and this works from Winbox. Make sure to set permissions. Read/write/test.. Make sure you have the DynDNS account info correct. In Winbox does it show it ran it ? IE count is increased ?Unfortunately it does not work on 6.42.3 (RB435G)...So, there is no solution?
How are we supposed to use Dyn DNS?
Currently I use scheduler and just run it every 15 mins. Its not a ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
Not even if just executed from /system scripts...
First of all, thank you for your time.Hmmm... I can check more later once I am offsite. I am using RC19 currently and this works from Winbox. Make sure to set permissions. Read/write/test.. Make sure you have the DynDNS account info correct. In Winbox does it show it ran it ? IE count is increased ?Unfortunately it does not work on 6.42.3 (RB435G)...So, there is no solution?
How are we supposed to use Dyn DNS?
Currently I use scheduler and just run it every 15 mins. Its not a ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
Not even if just executed from /system scripts...
I am avoiding 6.42.x because i had bad experiences with it. Im using 6.41.4 on my production gear because its my last KNOWN stable. *HOWEVER* IT HAS KNOWN SECURITY ISSUES.. Also I recommend a NAND format and then a netinstall to be SURE your system is clean IF you can do that.
I think tho that its something simple tho for you, maybe just script permissions ?
Netwatch problem persistCan anyone provide an example of Netwatch with single line script that is not working but you think that Netwatch should be able to execute it. Please provide single command example. At the moment, we have not seen any actual case (besides misconfiguration due to policies) where this would be a problem.
/tool netwatch add host=x.x.x.x up-script="/system script run test"
/system script add name=test policy=read,write,test,reboot source="/xxxxx"
Send in such example to support@mikrotik.com and we will see what can be improved.
I have fully tested the DynDNS script executing it from winbox on RouterOS 6.43RC21 on a CCR1009-8G-1S-1S+ and it works. It updates DynDNS.. I scrambled my MAC which causes a cable modem to provide a new IP I then ran the script and reloaded DynDNS and watched it update in near real time. I did this 3 times to be sure. So on this version of OS on this hardware I can confirm it does work.First of all, thank you for your time.Hmmm... I can check more later once I am offsite. I am using RC19 currently and this works from Winbox. Make sure to set permissions. Read/write/test.. Make sure you have the DynDNS account info correct. In Winbox does it show it ran it ? IE count is increased ?Unfortunately it does not work on 6.42.3 (RB435G)...So, there is no solution?
How are we supposed to use Dyn DNS?
Currently I use scheduler and just run it every 15 mins. Its not a ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
Not even if just executed from /system scripts...
I am avoiding 6.42.x because i had bad experiences with it. Im using 6.41.4 on my production gear because its my last KNOWN stable. *HOWEVER* IT HAS KNOWN SECURITY ISSUES.. Also I recommend a NAND format and then a netinstall to be SURE your system is clean IF you can do that.
I think tho that its something simple tho for you, maybe just script permissions ?
The system is clean, netinstall performed approximately a month ago and afterwards all settings were reconfigured manually.
The script runs, but it hangs. I can see the logs saying that the IP has renewed but in fact it hasn't. The credentials are fine because I use them for manual login at no-ip.com Web site successfully.
I had to stop using dyndns and reverted to /ip cloud implementation in order to workaround the lack of services.
Nevertheless, I do care to revert to no-ip.org ddns services soon.
# Set needed variables
:local username "your username"
:local password "your password"
:local hostname "your host name"
:global dyndnsForce
:global previousIP
# get the current IP address from the internet (in case of double-nat)
/tool fetch mode=http address="checkip.dyndns.org" src-path="/" dst-path="/dyndns.checkip.html"
:delay 1
:local result [/file get dyndns.checkip.html contents]
# parse the current IP result
:local resultLen [:len $result]
:local startLoc [:find $result ": " -1]
:set startLoc ($startLoc + 2)
:local endLoc [:find $result "</body>" -1]
:local currentIP [:pick $result $startLoc $endLoc]
:log info "UpdateDynDNS: currentIP = $currentIP"
# Remove the # on next line to force an update every single time - useful for debugging,
# but you could end up getting blacklisted by DynDNS!
#:set dyndnsForce true
# Determine if dyndns update is needed
# more dyndns updater request details http://www.dyndns.com/developers/specs/syntax.html
:if (($currentIP != $previousIP) || ($dyndnsForce = true)) do={
:set dyndnsForce false
:set previousIP $currentIP
:log info "$currentIP or $previousIP"
/tool fetch user=$username password=$password mode=http address="members.dyndns.org" \
src-path="nic/update?system=dyndns&hostname=$hostname&myip=$currentIP&wildcard=no" \
dst-path="/dyndns.txt"
:delay 1
:local result [/file get dyndns.txt contents]
:log critical ("UpdateDynDNS: Dyndns update needed")
:log critical ("UpdateDynDNS: Dyndns Update Result: ".$result)
:put ("Dyndns Update Result: ".$result)
}
Thank you again. Currently away from router, so I will try it later and report back.I have fully tested the DynDNS script executing it from winbox on RouterOS 6.43RC21 on a CCR1009-8G-1S-1S+ and it works. It updates DynDNS.. I scrambled my MAC which causes a cable modem to provide a new IP I then ran the script and reloaded DynDNS and watched it update in near real time. I did this 3 times to be sure. So on this version of OS on this hardware I can confirm it does work.First of all, thank you for your time.Hmmm... I can check more later once I am offsite. I am using RC19 currently and this works from Winbox. Make sure to set permissions. Read/write/test.. Make sure you have the DynDNS account info correct. In Winbox does it show it ran it ? IE count is increased ?Unfortunately it does not work on 6.42.3 (RB435G)...
Currently I use scheduler and just run it every 15 mins. Its not a ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
Not even if just executed from /system scripts...
I am avoiding 6.42.x because i had bad experiences with it. Im using 6.41.4 on my production gear because its my last KNOWN stable. *HOWEVER* IT HAS KNOWN SECURITY ISSUES.. Also I recommend a NAND format and then a netinstall to be SURE your system is clean IF you can do that.
I think tho that its something simple tho for you, maybe just script permissions ?
The system is clean, netinstall performed approximately a month ago and afterwards all settings were reconfigured manually.
The script runs, but it hangs. I can see the logs saying that the IP has renewed but in fact it hasn't. The credentials are fine because I use them for manual login at no-ip.com Web site successfully.
I had to stop using dyndns and reverted to /ip cloud implementation in order to workaround the lack of services.
Nevertheless, I do care to revert to no-ip.org ddns services soon.
I had all the permissions checked.
This script is slightly different as it does less logging.
Go delete any related files before running it. Run it twice to make sure.
DynDNS.gifCode: Select all# Set needed variables :local username "your username" :local password "your password" :local hostname "your host name" :global dyndnsForce :global previousIP # get the current IP address from the internet (in case of double-nat) /tool fetch mode=http address="checkip.dyndns.org" src-path="/" dst-path="/dyndns.checkip.html" :delay 1 :local result [/file get dyndns.checkip.html contents] # parse the current IP result :local resultLen [:len $result] :local startLoc [:find $result ": " -1] :set startLoc ($startLoc + 2) :local endLoc [:find $result "</body>" -1] :local currentIP [:pick $result $startLoc $endLoc] :log info "UpdateDynDNS: currentIP = $currentIP" # Remove the # on next line to force an update every single time - useful for debugging, # but you could end up getting blacklisted by DynDNS! #:set dyndnsForce true # Determine if dyndns update is needed # more dyndns updater request details http://www.dyndns.com/developers/specs/syntax.html :if (($currentIP != $previousIP) || ($dyndnsForce = true)) do={ :set dyndnsForce false :set previousIP $currentIP :log info "$currentIP or $previousIP" /tool fetch user=$username password=$password mode=http address="members.dyndns.org" \ src-path="nic/update?system=dyndns&hostname=$hostname&myip=$currentIP&wildcard=no" \ dst-path="/dyndns.txt" :delay 1 :local result [/file get dyndns.txt contents] :log critical ("UpdateDynDNS: Dyndns update needed") :log critical ("UpdateDynDNS: Dyndns Update Result: ".$result) :put ("Dyndns Update Result: ".$result) }
OooOo.. OK Let me try that. Its very late here and im in bed, but, I will check this now anyway because that is exciting news.If your script does not work, then it is because to one or multiple lines that can not be executed. You can debug your script and find out which line was the first that did not allow for the script to run properly. This is the command that we are looking for.
FYI - we did already recieve complaints with examples from this same topic. And as suspected problem was script requires, for example, romon policy, but Netwatch does not have persmission to use romon. Key is to disable romon policy within script (that is not actually used) and everything is working again.
:tool e-mail send to="xxxxx" from="xxxxx" subject="MT test of netwatch scripts" body="This is a test";
thx for your replyIf your script does not work, then it is because to one or multiple lines that can not be executed. You can debug your script and find out which line was the first that did not allow for the script to run properly. This is the command that we are looking for.
FYI - we did already recieve complaints with examples from this same topic. And as suspected problem was script requires, for example, romon policy, but Netwatch does not have persmission to use romon. Key is to disable romon policy within script (that is not actually used) and everything is working again.
Oopsie... ( very embarrassed ).....Guys, please read our posts more carefully:
viewtopic.php?f=2&t=134538#p665449
"FYI - we did already recieve complaints with examples from this same topic. And as suspected problem was script requires, for example, romon policy, but Netwatch does not have persmission to use romon. Key is to disable romon policy within script (that is not actually used) and everything is working again."
Your script requires - ftp,read,policy,password,sensitive,reboot,write,test,sniff
Netwatch can do - write,read,test,reboot
Unselect - ftp,policy,password,sensitive,sniff
-> Script will work just fine
this is the scriptPost your script too, then
:log error message="inicio del script"
:local uptime [/system resource get uptime];
:local uno 00:01:00
:if ($uptime > $uno) do={
/tool e-mail send to="diegoms77@hotmail.com" subject="Do $[/system clock get time] $[/system identity get name] Caida Red Electrica" body="$[/system health get voltage]V, El $[/system clock get date] a las $[/system clock get time] entro en MODO BATERIAS el equipo de $[/system identity get name]
Temperatura RB: $[/system health get temperature] C
Temperatura CPU: $[/system health get cpu-temperature] C
Uptime: $[/system resource get uptime]";
:log error message="$[/system health get voltage]V, Mensaje Caida Red Electrica en $[/system identity get name] enviado";
}
thxschechito - Is this a content of "System/Scripts" entry? If yes, then what are the policies assigned to this script? Please provide an example like this: viewtopic.php?f=2&t=134538&p=665470#p665457
Tested on 6.43 RC21 and 6.42.1 works okthxschechito - Is this a content of "System/Scripts" entry? If yes, then what are the policies assigned to this script? Please provide an example like this: viewtopic.php?f=2&t=134538&p=665470#p665457
yes is a system script entry
unchecked this on script policy settings:
Ftp, policy, password, sensitive, sniff, romon, dude
Now script runs fine when called by netwatch event
thank you for your help
I confirm it works.Guys, please read our posts more carefully:
viewtopic.php?f=2&t=134538#p665449
"FYI - we did already recieve complaints with examples from this same topic. And as suspected problem was script requires, for example, romon policy, but Netwatch does not have persmission to use romon. Key is to disable romon policy within script (that is not actually used) and everything is working again."
Your script requires - ftp,read,policy,password,sensitive,reboot,write,test,sniff
Netwatch can do - write,read,test,reboot
Unselect - ftp,policy,password,sensitive,sniff
-> Script will work just fine
use only for reading or use also for writing?There is a problem though with scripts that use global variables.
Too bad.Unfortunately at the moment you will not be able to access global variables from netwatch executed scripts.
Bothuse only for reading or use also for writing?There is a problem though with scripts that use global variables.
# Init script, launched once at system start
# specify local site
:global nwlocal "central";
# specify checked host;
:global nwhost "undef";
# define "site" -> "actual_state" (0 - down, 1 - up)
:global nwlist {
site1=0;
site2=0;
site3=0;
site4=0;
site5=0;
}
# define netwatch sites "site" -> "ip"
:global peerip {
site1="192.168.1.254";
site2="192.168.2.254";
site3="192.168.3.254";
site4="192.168.4.254";
site5="192.168.5.254";
}
# On Tunnel up/down run (pass the host to check in nwhost global variable):
#:global nwhost "site1";
#/system script run CheckNetwatchAlert:
# specify e-mail as alert destination
:local email "alert@domain.net";
:global nwhost;
:global nwlist;
:global nwlocal;
:global peerip;
:if ([/ping ($peerip->$nwhost) interval=3s count=10] =0) do={
/tool e-mail send to=$email subject="[Alert] IPsec tunnel $nwhost <-> $nwlocal down" body="Tunnel from $nwhost to $nwlocal down!";
:set ($nwlist->$nwhost) 0;
} else={
:if (($nwlist->$nwhost) =0) do={
/tool e-mail send to=$email subject="[Alert] IPsec tunnel $nwhost <-> $nwlocal up" body="Tunnel from $nwhost to $nwlocal up!";
:set ($nwlist->$nwhost) 1;
}
}
"at the moment" this mean that mikrotik will fix this problem? Or better with mikrotikUnfortunately at the moment you will not be able to access global variables from netwatch executed scripts.
So something like this should work to fix your netwatch scripts.What's new in 6.43 (2018-Sep-06 12:44):
*) console - added "dont-require-permissions" parameter for scripts;
*) console - added error log message when netwatch tries to execute script with insufficient permissions;
*) console - added error log message when scheduler tries to execute script with insufficient permissions;
/system script
set [find name="Netwatch up script"] dont-require-permissions=yes
Just read my post above yours, I gave a solution and the source.I'm a bit confused about some of the messages that got posted here... So is Netwatch not using any of the permission specified in the script itself, it use it own permissions list, and it only read the don't require permission flag to ignore all the permissions all together ?
I just checked dont-require-permissions=yes but that does not work here. I see the script run counter increases, when netwatch launches my script, but the global variable is still not changed.This issue seem to have been addressed in RouterOS version 6.43, so it is much easier to fix these issues now.
viewtopic.php?f=21&t=138995What's new in 6.43 (2018-Sep-06 12:44):Code: Select all/system script set [find name="Netwatch up script"] dont-require-permissions=yes
0 name="ispup" owner="admin" policy=reboot,read,write,test dont-require-permissions=yes last-started=jan/02/1970 03:29:55 run-count=19 source=:global ISPisUp 1;
0 name="ispup" owner="admin" policy=reboot,read,write,test dont-require-permissions=yes last-started=jan/02/1970 03:29:45 run-count=9 source=:global ISPisUp 0;
Accessing global parameters require "policy" permission, which your script does not appear to have.I just checked dont-require-permissions=yes but that does not work here. I see the script run counter increases, when netwatch launches my script, but the global variable is still not changed.
I have version 6.44.5 (long-term) running here.
Here are the code:
Code: Select all0 name="ispup" owner="admin" policy=reboot,read,write,test dont-require-permissions=yes last-started=jan/02/1970 03:29:55 run-count=19 source=:global ISPisUp 1; 0 name="ispup" owner="admin" policy=reboot,read,write,test dont-require-permissions=yes last-started=jan/02/1970 03:29:45 run-count=9 source=:global ISPisUp 0;
That wont work for me because netwatch scripts don't have names assigned?? Now that you know my level of script acumen (very little)/system script
set [find name="Netwatch up script"] dont-require-permissions=yes
Yes that is what I meant.Hi DeantwoThat wont work for me because netwatch scripts don't have names assigned?? Now that you know my level of script acumen (very little)/system script
set [find name="Netwatch up script"] dont-require-permissions=yes
Do you mean if you create a script that is called by netwatch, then the called script needs the additional CLI magic rule you posted above?
Change that toI tried this and it didnt work!
down-script="{/system script run TelelgramFetch}"
down-script="TelelgramFetch"
I'd think the issue here is the same like we've discussed yesterday - there are spaces before and after $sub1. As /tool fetch doesn't substitute space symbols in the URL sent to the server automatically, the Telegram server returns an error.Seems to work fine for simple netwatch scripts but doesnt work well for System Fetch scripts.
Haven't you stated in another thread that multiple family members yell at you if "internet breaks" for a few seconds?Problem2 -*stuck*- if the router goes down or power to route r& Modem I have no way of knowing this, no emails, no telegrams!!
If you are still looking for it, I can host your script...Sounds $$
I should post in the MT Charity Forum.
Anybody would like to donate a few lines of script on their Virtual MT machine for the purposes of running a Script to let me know when my Internet is hard down LOL.