Netwatch up/down scripts: Error "user's policy does not allow to edit this script"

Hi,

I want Netwatch to disable/enable a scheduler for up and down events. However, this doesn’t work. The execution fails with the following error:

script, error executing script from netwatch failed, please check it manually
script, error,debug (netwatch:type: simple, host: 10.30.0.50) failure: user’s policy does not allow to edit this script

My netwatch configuration:

add disabled=no down-script="/system scheduler set toggle-wg-peer disabled=no" host=10.30.0.50 src-address=192.168.40.1 test-script="" type=simple up-script="/system scheduler set toggle-wg-peer disabled=yes"

Does anyone have any idea why this is happening?

The answer is in the error message.

Check policies of the script.
Or, in this case, device mode, since the scheduler could be disabled there.

BUT … why do you use a scheduler to toggle the WG peer? It can be done directly.

down-script
/interface wireguard peers disable 0
/tool e-mail send to="" subject="Mikrotik WG DOWN" body="WG tunnel DOWN"
:delay 300
/interface wireguard peers enable 0

Up-script
/tool e-mail send to="" subject="Mikrotik WG UP again" body="WG tunnel UP"

But the error is coming from Netwatch, and Netwatch is only supposed to enable/disable the scheduler. That has nothing to do with the script, right?

The scheduler itself works, and it can also execute the script.

I’m using a scheduler to disable/enable the peer at intervals (every few minutes) until it’s working again.

Scheduler is enabled in device-mode:

/system/device-mode/print 
                 mode: advanced     
     allowed-versions: 7.13+,6.49.8+
              flagged: no           
     flagging-enabled: yes          
            scheduler: yes          
                socks: yes          
                fetch: yes          
                 pptp: yes          
                 l2tp: yes          
       bandwidth-test: yes          
          traffic-gen: no           
              sniffer: yes          
                ipsec: yes          
                romon: yes          
                proxy: yes          
              hotspot: yes          
                  smb: yes          
                email: yes          
             zerotier: yes          
            container: no           
  install-any-version: no           
           partitions: no           
          routerboard: no           
        attempt-count: 0

Just checking info here...

From Netwatch Help page:

Netwatch is limited to read,write,test,reboot script policies. If the owner of the script does not have enough permissions to execute a certain command in the script, then the script will not be executed. If the script has greater policies than read,write,test,reboot - then the script will not be executed as well, make sure your scripts do not exceed the mentioned policies.

So it seems, from this info, your user has either not enough or too many rights.

Can you put those up/down scripts in real scripts and make sure the correct policy is granted on those scripts?
What happens then?
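
The suggestion in the last reply, written out as an added example that is not part of the thread: the two inline Netwatch commands are moved into named scripts whose policies are exactly the set quoted from the Netwatch help page. The script names wg-peer-down and wg-peer-up are hypothetical; the host, scheduler name and commands are the ones from the original post.

```routeros
# Added example, not from the thread.
# wg-peer-down / wg-peer-up are hypothetical script names.
# policy= is restricted to the set the Netwatch help page lists
# (read,write,test,reboot), so the scripts do not exceed Netwatch's limit.
/system script
add name=wg-peer-down policy=read,write,test,reboot \
    source="/system scheduler set toggle-wg-peer disabled=no"
add name=wg-peer-up policy=read,write,test,reboot \
    source="/system scheduler set toggle-wg-peer disabled=yes"

# Point the existing Netwatch entry at the named scripts
# instead of the inline commands.
/tool netwatch
set [find host=10.30.0.50] \
    down-script="/system script run wg-peer-down" \
    up-script="/system script run wg-peer-up"

# Show owner and policy of each object involved, to compare them
# against the read,write,test,reboot limit.
/system script print detail where name~"wg-peer"
/system scheduler print detail where name=toggle-wg-peer
```

The two print commands show the owner and policy fields, which are the values the help page text refers to.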