DHCP-Client script not working

diamuxin · Sat Sep 02, 2023 2:10 pm

Hi, I am trying this script to report each lease of my DHCP server (RB4011) but there is some problem in the "ether4" part as I don't get the AP information.

:if ($leaseBound = 1) do={
	:do {
        /ip dhcp-server lease 
        :local Comment [get value-name=comment number=[find address=$leaseActIP]]
        
        /interface/bridge/host
        :local interFace [get [find mac-address=$leaseActMAC] on-interface]
        :if ($interFace~"ether2") do={:set interFace "NAS"}
        :if ($interFace~"^5G")        do={:set interFace "5G Home"}
        :if ($interFace~"^2G")        do={:set interFace "2G Home"}
        :if ($interFace~"^ether4")    do={
            :local iFaceAP ([/system ssh-exec 192.168.88.2 ":put [/interface/wifiwave2/registration-table get [find mac-address=$leaseActMAC] interface]" as-value]->"output")
            :set interFace ("AP Salon"." ".$iFaceAP)
        }
    
        :log warning "DHCP Info: $"lease-hostname" $leaseActMAC $leaseActIP $interFace"
	} on-error={:log error "Notification failure"}
}

If I try just this line in CLI, it does work.

:put ([/system ssh-exec 192.168.88.2 ":put [/interface/wifiwave2/registration-table get [find mac-address=54:13:79:0E:2F:22] interface]" as-value]->"output")

Do you see any failure?

Thanks.

rextended · Sat Sep 02, 2023 6:28 pm

avoid <TAB> on script...

Apparently nothing wrong...
Probably dhcp script have less right than "normal script"...

revised untested code

:if ($leaseBound = 1) do={
    :local interFace ""
    /interface bridge host
    :set interFace [get [find where mac-address=$leaseActMAC] on-interface]
    :if ($interFace~"ether2") do={:set interFace "NAS"}
    :if ($interFace~"^5G")    do={:set interFace "5G Home"}
    :if ($interFace~"^2G")    do={:set interFace "2G Home"}
    :if ($interFace~"ether4") do={
        :local iFaceAP ([/system ssh-exec 192.168.88.2 ":put [/interface/wifiwave2/registration-table get [find where mac-address=$leaseActMAC] interface]" as-value]->"output")
        :set interFace "AP Salon $iFaceAP"
    }
    :log info "DHCP Info: $"lease-hostname" $leaseActMAC $leaseActIP $interFace"
}

diamuxin · Sun Sep 03, 2023 11:55 am

Apparently nothing wrong...
Probably dhcp script have less right than "normal script"...

Maybe you are right Rex, that it is a problem of execution permissions when it involves executing a command on another mikrotik (via SSH with RSA keys).

Thanks.

diamuxin · Wed Sep 06, 2023 7:54 pm

Hi,

I have found a solution to the problem of using the ssh-exec command from the lease script tab of the dhcp-server since it seems that from this part it does not use the RSA keys assigned to the administrator user (possible bug?).

1. Create a Scheduler task with the following content:
(runs with all permissions assigned to admin every 2 seconds, but is configured to be disabled).

/system scheduler
add disabled=yes interval=2s name=dhcplease on-event="/system script run dhcplease" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-09-06 start-time=17:00:00 \
    owner=admin

2. Define a script to be executed from the Scheduler task with the rights of the admin user.

:global leaseCom 
:global leaseIP
:global leaseMAC
:global leaseName
:local  interFace ""
:local  iFaceAP   ""

/system scheduler set disabled=yes dhcplease

/interface bridge host
:set interFace [get [find where mac-address=$leaseMAC] on-interface]
:if ($interFace~"ether2") do={:set interFace "NAS"}
:if ($interFace~"^5G")    do={:set interFace "5G Home"}
:if ($interFace~"^2G")    do={:set interFace "2G Home"}
:if ($interFace~"ether4") do={
    :local iFaceAP ([/system ssh-exec 192.168.88.2 ":put [/interface/wifiwave2/registration-table get [find where mac-address=$leaseMAC] interface]" as-value]->"output")
    :set interFace "AP Salon $iFaceAP"
}
:log info "DHCP Info: $leaseName $leaseMAC $leaseIP $interFace"

3. Contents of the Lease script (DHCP-Server)
Converts internal variables to global variables for use in external script

:if ($leaseBound = 1) do={
    /ip dhcp-server lease
    :global leaseCom  [get value-name=comment number=[find where address=$leaseActIP]]
    :global leaseName $"lease-hostname"
    :global leaseIP   $leaseActIP
    :global leaseMAC  $leaseActMAC
    /system scheduler set disabled=no dhcplease
}

I haven't seen any other way to do it but it works

Mikrotik support should take into account that you can use the RSA keys of "admin" from Lease script.

rextended · Thu Sep 07, 2023 2:27 pm

Under DHCP Server scripts is used the user *sys, not the user admin
Is the same user and rigths that ppp profile scripts have:

CLI code

[RexTended@MATRIX] /system script job> pri detail 
 0 owner="*sys" policy=*0,local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp,
       *13,*14,*15,*16,*17,*18,*19,*1A,*1B,*1C,*1D,*1E,*1F 
   started=sep/07/2023 13:26:07 type=command

Is the same user that NetWatch use, but netwatch have limited rights:

CLI code

[RexTended@MATRIX] /system script job> pri detail 
 0 owner="*sys" policy=reboot,read,write,test  started=sep/07/2023 13:34:29 type=command

Oh............

Just for that:
viewtopic.php?t=199378

diamuxin · Thu Sep 07, 2023 6:27 pm

Thanks Rex, for your escalation of this issue.

BR.

diamuxin · Thu Sep 07, 2023 11:57 pm

Rex, In the tests you have performed and from what you have opened the other thread in the General forum, how did you create the user *sys ? it would be like the linux "root" user, right ?

You tell me that the DHCP-Server script uses this *sys user, so if you have the highest rights, why don't you connect to another Mikrotik (on the same LAN) and run a remote command with /system-exec, you shouldn't have any problems.

As you say, ideally they should implement the option to choose the user type to run the dhcp-server script. Any user with the group=full should be able to run any script anywhere on RouterOS.

PS. I would like to know also with the opinion of Mikrotik staff.

(sorry for my bad English, I use translator)

rextended · Fri Sep 08, 2023 12:40 am

how did you create the user *sys ? it would be like the linux "root" user, right ?

Is a predefined user in RouterOS, I do not create the user.

so if you have the highest rights, why don't you connect to another Mikrotik (on the same LAN) and run a remote command with /system-exec, you shouldn't have any problems.

The system ssh keys generated at the RouterOS install are different, and I do not test to export from one and apply the same on the other.

As you say, ideally they should implement the option to choose the user type to run the dhcp-server script. Any user with the group=full should be able to run any script anywhere on RouterOS.

Exactly.

PS. I would like to know also with the opinion of Mikrotik staff.

I hope someone official reply

(sorry for my bad English, I use translator)

Really...