Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Netwatch deprecated ?

Fri May 18, 2018 12:35 am

So... What's the status of Netwatch?

The release notes on 6.42 show MikroTik removed almost all the useful functionality. I was using it to do a variety of things like sense internet connections, monitor network paths, monitor network devices, monitor devices on the network and even light LEDs based on a network device status. I also used it to sense when a router had internet access and then run DDNS. I used it to send text messages about the status of a wide variety of things. So the loss of Netwatch has been a significant blow for me.

MikroTik has not explained this removal of a really useful RouterOS feature. As far as I can remember this is the first time MikroTik has removed any feature.

I don't understand WHY it was deprecated.

For some applications I'm now considering buying Ubiquiti devices as they run an open OS and so I can install any tools I want. I've never needed a tool not already provided by RouterOS until now. I have some purchases coming up and I need to know what the fate of Netwatch will be. If MikroTik is not going to restore it, I will need to swap out all customer routers for Ubiquiti to gain the ability to do "netwatch" like functions. For me this would end a very long relationship with MikroTik that goes back to when they first started making PC boards and I had to put them in enclosures.

As far as I know this is the only info on this total. From the 6.42 changelog:

*) netwatch - limit to read, write, test and reboot policies for Netwatch script execution;
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Fri May 18, 2018 1:21 pm

So far I was always thinking that the newly introduced limitation of netwatch script privileges is so frustrating for you because you would have to rewrite the configurations to accommodate the new approach.

But this post contradicts such understanding pretty much.

I have used netwatch myself for some months and all the time it was really disappointing for me that it could not tolerate some share of lost responses. So if the monitored address was accessible e.g. through a wireless link with sporadically occurring interference, a single lost ping response was triggering the down-script action as if the monitored device was indeed down, whilst in fact it only indicated an otherwise tolerable amount of packet loss.

So from using down-script and up-script in netwatch, I've moved to use of scheduled scripts which watch address-lists populated by responses to netwatch-generated pings (where the lifetime of the item on the address-list is a multiple of the distance between ping requests sent). The privileges (policies) of these scripts and scheduler jobs are configured individually, and it is up to you whether you use a single script to evaluate the state of all monitored addresses or whether you use one script per each address.

On one hand, I fully agree with you that netwatch should be permitted to do anything you wish; on the other hand, I do understand that as it could be misused to bypass users' policy restrictions, MikroTik had to do something about it. But my approach would be to assign policies to netwatch items the same way they are associated with scheduler jobs and scripts, and to allow the user to assign to the netwatch item he creates only policies with which his own account is configured (which I believe is the case with scheduler jobs and scripts).

If this approach would satisfy you, why not send a constructive ticket to support@mikrotik.com suggesting this?
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 10:49 am

I have Netwatch watch 8.8.8.8 and when it's up, trigger the below script. Called UP.

The permissions are read write test on all the below. They worked before 6.42. They work if manually triggered.

Up
_____________________________________________________________________
:log warning "Connection up";
/system script run IPSMTP;
:tool e-mail send to="xxxx@xxx" from="xxxxxx" subject="xxx router is online" body="xxx router is online";
/system script run DYNForce;
_____________________________________________________________________

The above then triggers other scripts..

This one makes sure the mail server is looked up correctly
IPSMTP
______________________________________________________________
:local ipsmtp
:set ipsmtp [:resolve xxxxx]
if ($ipsmtp != [/tool e-mail get address]) do={ /tool e-mail set address=$ipsmtp}
_______________________________________________________________

This then forces DynDNS to the current IP
DYNForce
________________________________________________________________
# Set needed variables
:local username "xxxxxxx"
:local password "xxxxxxx"
:local hostname "xxxxxx"

:global dyndnsForce
:global previousIP

# print some debug info
:log info ("UpdateDynDNS: username = $username")
:log info ("UpdateDynDNS: password = $password")
:log info ("UpdateDynDNS: hostname = $hostname")
:log info ("UpdateDynDNS: previousIP = $previousIP")

# get the current IP address from the internet (in case of double-nat)
/tool fetch mode=http address="checkip.dyndns.org" src-path="/" dst-path="/dyndns.checkip.html"
:delay 1
:local result [/file get dyndns.checkip.html contents]

# parse the current IP result
:local resultLen [:len $result]
:local startLoc [:find $result ": " -1]
:set startLoc ($startLoc + 2)
:local endLoc [:find $result "</body>" -1]
:local currentIP [:pick $result $startLoc $endLoc]
:log info "UpdateDynDNS: currentIP = $currentIP"

# Remove the # on next line to force an update every single time - useful for debugging,
# but you could end up getting blacklisted by DynDNS!

:set dyndnsForce true

# Determine if dyndns update is needed
# more dyndns updater request details http://www.dyndns.com/developers/specs/syntax.html

:if (($currentIP != $previousIP) || ($dyndnsForce = true)) do={
:set dyndnsForce false
:set previousIP $currentIP
:log info "$currentIP or $previousIP"
/tool fetch user=$username password=$password mode=http address="members.dyndns.org" \
src-path="nic/update?system=dyndns&hostname=$hostname&myip=$currentIP&wildcard=no" \
dst-path="/dyndns.txt"
:delay 1
:local result [/file get dyndns.txt contents]
:log critical ("UpdateDynDNS: Dyndns update needed")
:log critical ("UpdateDynDNS: Dyndns Update Result: ".$result)
:put ("Dyndns Update Result: ".$result)
} else={
:log info ("UpdateDynDNS: No dyndns update needed")
}
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 11:02 am

I've tested this on 43RC19 and it does not work.

I have other scripts that do not work from Netwatch. In fact NO script I have works from Netwatch after 6.42.
 
normis
MikroTik Support
Posts: 26290
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Netwatch deprecated ?

Wed May 30, 2018 11:33 am

The underlying issue is that you are trying to make Netwatch execute a script, that requires permissions it does not have.
Is this not a reasonable requirement? A read only user can't create FULL permission accounts. Is that not reasonable?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Wed May 30, 2018 11:51 am

@Normis, quoting myself three posts above:
> On one hand, I fully agree with you that netwatch should be permitted to do anything you wish; on the other hand, I do understand that as it could be misused to bypass users' policy restrictions, MikroTik had to do something about it. But my approach would be to assign policies to netwatch items the same way they are associated with scheduler jobs and scripts, and to allow the user to assign to the netwatch item he creates only policies with which his own account is configured (which I believe is the case with scheduler jobs and scripts).

Could this be a solution "to feed the wolf and keep the goat complete"?
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Wed May 30, 2018 1:36 pm

So, there is no solution?
How are we supposed to use Dyn DNS?
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Wed May 30, 2018 2:26 pm

It's not working on 6.42.3
I am searching hard to find a script that works but with no luck so far...
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 7:24 pm

> The underlying issue is that you are trying to make Netwatch execute a script, that requires permissions it does not have.
> Is this not a reasonable requirement? A read only user can't create FULL permission accounts. Is that not reasonable?

How would I trigger an alert based on Netwatch if I can't email? The idea is that Netwatch can watch and alert? How can I trigger a set of events when a connection is up or down?

Netwatch used to have these permissions. It no longer does.

What good is Netwatch if it can't trigger scripts?

Why can't Netwatch have the permissions it needs to trigger scripts? For 8+ years it did.

I can trigger scripts securely in UBNT and Cisco can do this. Only MikroTik can't. So this does seem unreasonable to not have this functionality.
Last edited by Xymox on Wed May 30, 2018 9:26 pm, edited 1 time in total.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 9:01 pm

> So, there is no solution?
> How are we supposed to use Dyn DNS?

Currently I use scheduler and just run it every 15 mins. It's not an ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Wed May 30, 2018 10:27 pm

> Currently I use scheduler and just run it every 15 mins. It's not an ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.

Unfortunately it does not work on 6.42.3 (RB435G)...
Not even if just executed from /system scripts...
 
strods
MikroTik Support
Posts: 1616
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Netwatch deprecated ?

Wed May 30, 2018 10:56 pm

Can anyone provide an example of Netwatch with single line script that is not working but you think that Netwatch should be able to execute it. Please provide single command example. At the moment, we have not seen any actual case (besides misconfiguration due to policies) where this would be a problem.

/tool netwatch add host=x.x.x.x up-script="/system script run test"
/system script add name=test policy=read,write,test,reboot source="/xxxxx"

Send in such example to support@mikrotik.com and we will see what can be improved.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 11:33 pm

> Can anyone provide an example of Netwatch with single line script that is not working but you think that Netwatch should be able to execute it. Please provide single command example. At the moment, we have not seen any actual case (besides misconfiguration due to policies) where this would be a problem.
>
> /tool netwatch add host=x.x.x.x up-script="/system script run test"
> /system script add name=test policy=read,write,test,reboot source="/xxxxx"
>
> Send in such example to support@mikrotik.com and we will see what can be improved.

I don't have any single line scripts. I'm not sure a single line should be used in a script as I think Netwatch could execute a single line on its own?

I will send an email to support tonight (pac time) including the above scripts that don't work.

The issue for everybody seems to be multiline scripts.

My example above does not work. Normis explained why.

So can I merge the entire set of scripts above into one and put that into Netwatch and have it execute? If so, that would work out fine for me :)
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 11:40 pm

> Unfortunately it does not work on 6.42.3 (RB435G)...
> Not even if just executed from /system scripts...

Hmmm... I can check more later once I am offsite. I am using RC19 currently and this works from Winbox. Make sure to set permissions. Read/write/test. Make sure you have the DynDNS account info correct. In Winbox does it show it ran it? I.e. count is increased?

I am avoiding 6.42.x because I had bad experiences with it. I'm using 6.41.4 on my production gear because it's my last KNOWN stable. *HOWEVER* IT HAS KNOWN SECURITY ISSUES. Also I recommend a NAND format and then a netinstall to be SURE your system is clean IF you can do that.

I think though that it's something simple for you, maybe just script permissions?
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 6:14 am

> Hmmm... I can check more later once I am offsite. I am using RC19 currently and this works from Winbox. Make sure to set permissions. Read/write/test. Make sure you have the DynDNS account info correct. In Winbox does it show it ran it? I.e. count is increased?
>
> I am avoiding 6.42.x because I had bad experiences with it. I'm using 6.41.4 on my production gear because it's my last KNOWN stable. *HOWEVER* IT HAS KNOWN SECURITY ISSUES. Also I recommend a NAND format and then a netinstall to be SURE your system is clean IF you can do that.
>
> I think though that it's something simple for you, maybe just script permissions?

First of all, thank you for your time.
The system is clean, netinstall performed approximately a month ago and afterwards all settings were reconfigured manually.
The script runs, but it hangs. I can see the logs saying that the IP has renewed but in fact it hasn't. The credentials are fine because I use them for manual login at no-ip.com Web site successfully.
I had to stop using dyndns and reverted to /ip cloud implementation in order to work around the lack of services.

Nevertheless, I do care to revert to no-ip.org ddns services soon.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Netwatch deprecated ?

Thu May 31, 2018 7:01 am

> Can anyone provide an example of Netwatch with single line script that is not working but you think that Netwatch should be able to execute it. Please provide single command example. At the moment, we have not seen any actual case (besides misconfiguration due to policies) where this would be a problem.
>
> /tool netwatch add host=x.x.x.x up-script="/system script run test"
> /system script add name=test policy=read,write,test,reboot source="/xxxxx"
>
> Send in such example to support@mikrotik.com and we will see what can be improved.

Netwatch problem persists

tested on rb750UP with RouterOS 6.43RC21

No log error, only log the netwatch up or down, script doesn't run, no error messages

User owner of the script permissions full
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Thu May 31, 2018 7:46 am

> First of all, thank you for your time.
> The system is clean, netinstall performed approximately a month ago and afterwards all settings were reconfigured manually.
> The script runs, but it hangs. I can see the logs saying that the IP has renewed but in fact it hasn't. The credentials are fine because I use them for manual login at no-ip.com Web site successfully.
> I had to stop using dyndns and reverted to /ip cloud implementation in order to work around the lack of services.
>
> Nevertheless, I do care to revert to no-ip.org ddns services soon.

I have fully tested the DynDNS script executing it from Winbox on RouterOS 6.43RC21 on a CCR1009-8G-1S-1S+ and it works. It updates DynDNS. I scrambled my MAC which causes a cable modem to provide a new IP. I then ran the script and reloaded DynDNS and watched it update in near real time. I did this 3 times to be sure. So on this version of OS on this hardware I can confirm it does work.

I had all the permissions checked.

This script is slightly different as it does less logging.

Go delete any related files before running it. Run it twice to make sure.
# Set needed variables
:local username "your username"
:local password "your password"
:local hostname "your host name"

:global dyndnsForce
:global previousIP 

# get the current IP address from the internet (in case of double-nat)
/tool fetch mode=http address="checkip.dyndns.org" src-path="/" dst-path="/dyndns.checkip.html"
:delay 1
:local result [/file get dyndns.checkip.html contents]

# parse the current IP result
:local resultLen [:len $result]
:local startLoc [:find $result ": " -1]
:set startLoc ($startLoc + 2)
:local endLoc [:find $result "</body>" -1]
:local currentIP [:pick $result $startLoc $endLoc]
:log info "UpdateDynDNS: currentIP = $currentIP"

# Remove the # on next line to force an update every single time - useful for debugging,
# but you could end up getting blacklisted by DynDNS!

#:set dyndnsForce true

# Determine if dyndns update is needed
# more dyndns updater request details http://www.dyndns.com/developers/specs/syntax.html

:if (($currentIP != $previousIP) || ($dyndnsForce = true)) do={
   :set dyndnsForce false
   :set previousIP $currentIP
   :log info "$currentIP or $previousIP"
   /tool fetch user=$username password=$password mode=http address="members.dyndns.org" \
      src-path="nic/update?system=dyndns&hostname=$hostname&myip=$currentIP&wildcard=no" \
      dst-path="/dyndns.txt"
   :delay 1
   :local result [/file get dyndns.txt contents]
   :log critical ("UpdateDynDNS: Dyndns update needed")
   :log critical ("UpdateDynDNS: Dyndns Update Result: ".$result)
   :put ("Dyndns Update Result: ".$result)
}
 
strods
MikroTik Support
Posts: 1616
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Netwatch deprecated ?

Thu May 31, 2018 7:51 am

If your script does not work, then it is because of one or multiple lines that can not be executed. You can debug your script and find out which line was the first that did not allow for the script to run properly. This is the command that we are looking for.

FYI - we did already receive complaints with examples from this same topic. And as suspected problem was script requires, for example, romon policy, but Netwatch does not have permission to use romon. Key is to disable romon policy within script (that is not actually used) and everything is working again.
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 8:31 am




Thank you again. Currently away from router, so I will try it later and report back.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Thu May 31, 2018 8:34 am

> If your script does not work, then it is because of one or multiple lines that can not be executed. You can debug your script and find out which line was the first that did not allow for the script to run properly. This is the command that we are looking for.
>
> FYI - we did already receive complaints with examples from this same topic. And as suspected problem was script requires, for example, romon policy, but Netwatch does not have permission to use romon. Key is to disable romon policy within script (that is not actually used) and everything is working again.

OooOo.. :) OK Let me try that. It's very late here and I'm in bed, but, I will check this now anyway because that is exciting news.
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Thu May 31, 2018 8:52 am

This does not work calling this from Netwatch. It works perfectly from "Run Script" in Winbox. I think these are OK permissions?

This is a single line script command that does not work from Netwatch. As you requested. No errors in log. This should be easy to reproduce. Should I send this to support?

I put xxxxx for email addresses.
:tool e-mail send to="xxxxx" from="xxxxx" subject="MT test of netwatch scripts" body="This is a test";
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Thu May 31, 2018 8:58 am

Off to bed for me. I'm out of town in a hotel and working on this remotely on my home router. So I'm doing my best to help.

If MT wants remote access to this router, just let me know. I want to help get this working. I REALLY need Netwatch running scripts again please :)
 
strods
MikroTik Support
Posts: 1616
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Netwatch deprecated ?  [SOLVED]

Thu May 31, 2018 9:03 am

Guys, please read our posts more carefully:

viewtopic.php?f=2&t=134538#p665449

"FYI - we did already receive complaints with examples from this same topic. And as suspected problem was script requires, for example, romon policy, but Netwatch does not have permission to use romon. Key is to disable romon policy within script (that is not actually used) and everything is working again."

Your script requires - ftp,read,policy,password,sensitive,reboot,write,test,sniff
Netwatch can do - write,read,test,reboot

Unselect - ftp,policy,password,sensitive,sniff

-> Script will work just fine
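
The rule stated in the post above (a script's policy set has to fit inside Netwatch's read, write, test, reboot) can be checked offline against a configuration export. The Python audit below is an added example, not part of the original post and not MikroTik code; the sample export is constructed, and applying the same limit to scripts started from a Netwatch-run script is an assumption.

```python
import re

# Policies a Netwatch-run script may use, per the 6.42 changelog line and the
# "Netwatch can do" list quoted in this thread.
NETWATCH_POLICIES = {"read", "write", "test", "reboot"}

# key=value pairs; a value is a double-quoted string (backslash escapes allowed)
# or a bare word.
_PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
# Script references in the form used in this thread: /system script run NAME
_RUN = re.compile(r'/system script run\s+"?([\w.-]+)')


def _props(args):
    """Return the key=value properties of one command as a dict."""
    props = {}
    for key, val in _PAIR.findall(args):
        if val.startswith('"'):
            # Strip the quotes and undo \" and \\ only; \r and \n stay literal.
            val = re.sub(r'\\(["\\])', r'\1', val[1:-1])
        props[key] = val
    return props


def parse_export(text):
    """Return ({script name: (policy set, source)}, [netwatch property dicts])."""
    scripts, watches, section = {}, [], ""
    # An export wraps long lines with a trailing backslash; join them first.
    text = re.sub(r'\\\r?\n\s*', '', text)
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path, sep, args = line.partition(" add ")
            if not sep:              # bare menu line such as "/system script"
                section = line
                continue
        elif line.startswith("add "):
            path, args = section, line[4:]
        else:
            continue
        props = _props(args)
        if path == "/system script" and "name" in props:
            # Assumption: a script line without policy= carries no extra policies.
            policy = set(filter(None, props.get("policy", "").split(",")))
            scripts[props["name"]] = (policy, props.get("source", ""))
        elif path == "/tool netwatch":
            watches.append(props)
    return scripts, watches


def audit(text):
    """Return (host, hook, script, excess) for every script Netwatch cannot run.

    excess is the sorted list of policies to unselect, or None when the
    referenced script is not defined in the export.
    """
    scripts, watches = parse_export(text)
    findings = []
    for watch in watches:
        for hook in ("up-script", "down-script"):
            todo, seen = _RUN.findall(watch.get(hook, "")), set()
            while todo:
                name = todo.pop(0)
                if name in seen:
                    continue
                seen.add(name)
                if name not in scripts:
                    findings.append((watch.get("host"), hook, name, None))
                    continue
                policy, source = scripts[name]
                excess = sorted(policy - NETWATCH_POLICIES)
                if excess:
                    findings.append((watch.get("host"), hook, name, excess))
                # Follow scripts that this script starts in turn.
                todo.extend(_RUN.findall(source))
    return findings


SAMPLE_EXPORT = r'''
# Constructed sample export; script names follow the posts in this thread.
/system script
add name=UP owner=admin policy=read,write,test source=":log warning \"Connection up\";\r\
    \n/system script run IPSMTP;\r\
    \n/system script run DYNForce;"
add name=IPSMTP owner=admin policy=read,write,test source=":put ok"
add name=DYNForce owner=admin policy=\
    ftp,read,policy,password,sensitive,reboot,write,test,sniff source=":put ok"
/tool netwatch
add host=8.8.8.8 up-script="/system script run UP"
/tool netwatch add host=192.0.2.1 down-script="/system script run missing"
'''

if __name__ == "__main__":
    for host, hook, name, excess in audit(SAMPLE_EXPORT):
        print(host, hook, name, "unselect:" if excess else "not defined", excess or "")
```

For the constructed DYNForce entry the audit reports the same five policies that the post above says to unselect.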
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Netwatch deprecated ?

Thu May 31, 2018 9:08 am

> If your script does not work, then it is because of one or multiple lines that can not be executed. You can debug your script and find out which line was the first that did not allow for the script to run properly. This is the command that we are looking for.
>
> FYI - we did already receive complaints with examples from this same topic. And as suspected problem was script requires, for example, romon policy, but Netwatch does not have permission to use romon. Key is to disable romon policy within script (that is not actually used) and everything is working again.

thx for your reply

I have tested unchecking romon policy on script

I have placed in the first line of script this line

:log info "script started"

manually executing the script, the script runs fine and starts with that log message

netwatch event running the script does not generate any log

looks like the script is not running at all when executed by netwatch
 
normis
MikroTik Support
Posts: 26290
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Netwatch deprecated ?

Thu May 31, 2018 9:09 am

Post your script too, then
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Thu May 31, 2018 9:14 am

Guys, please read our posts more carefully:

viewtopic.php?f=2&t=134538#p665449

"FYI - we did already receive complaints with examples from this same topic. And as suspected problem was script requires, for example, romon policy, but Netwatch does not have permission to use romon. Key is to disable romon policy within script (that is not actually used) and everything is working again."

Your script requires - ftp,read,policy,password,sensitive,reboot,write,test,sniff
Netwatch can do - write,read,test,reboot

Unselect - ftp,policy,password,sensitive,sniff

-> Script will work just fine
Oopsie... ( very embarrassed ).....

You are 100% correct. The above script worked perfectly from Netwatch...

I will stay up late and play with all my scripts now.

That's awesome... Thank you :)

I'm VERY SORRY for not understanding this better.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Netwatch deprecated ?

Thu May 31, 2018 9:19 am

Post your script too, then
this is the script

:log error message="inicio del script"
:local uptime [/system resource get uptime];
:local uno 00:01:00
:if ($uptime > $uno) do={
/tool e-mail send to="diegoms77@hotmail.com" subject="Do $[/system clock get time] $[/system identity get name] Caida Red Electrica" body="$[/system health get voltage]V, El $[/system clock get date] a las $[/system clock get time]  entro en MODO BATERIAS el equipo de $[/system identity get name]
Temperatura   RB: $[/system health get temperature] C
Temperatura CPU: $[/system health get cpu-temperature] C
Uptime: $[/system resource get uptime]";
:log error message="$[/system health get voltage]V, Mensaje Caida Red Electrica en $[/system identity get name] enviado";
}
 
Xymox
Member
Topic Author
Posts: 416
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Thu May 31, 2018 9:23 am

YES !!!!! That fixed all my issues. All my scripts now run... I feel really stupid...

I'm sorry for the hassle..

read/write/reboot/test - uncheck all other boxes...

Wowee.. I'm really happy.. That was my last issue, once MT fixes the disc space issue, I will roll out the next stable to all my clients. In fact, I'm so happy with RC21 I might roll that out to production.

Thank you MT... I'm back to being super happy with Mikrotik.

I want to buy some T-Shirts :)
 
strods
MikroTik Support
Posts: 1616
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Netwatch deprecated ?

Thu May 31, 2018 9:24 am

chechito - Is this a content of "System/Scripts" entry? If yes, then what are the policies assigned to this script? Please provide an example like this: viewtopic.php?f=2&t=134538&p=665470#p665457
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Netwatch deprecated ?

Thu May 31, 2018 9:35 am

chechito - Is this a content of "System/Scripts" entry? If yes, then what are the policies assigned to this script? Please provide an example like this: viewtopic.php?f=2&t=134538&p=665470#p665457
thxs

yes, it is a system script entry

unchecked this on script policy settings:

Ftp, policy, password, sensitive, sniff, romon, dude

Now script runs fine when called by netwatch event

thank you for your help
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Netwatch deprecated ?

Thu May 31, 2018 9:42 am

chechito - Is this a content of "System/Scripts" entry? If yes, then what are the policies assigned to this script? Please provide an example like this: viewtopic.php?f=2&t=134538&p=665470#p665457
thxs

yes, it is a system script entry

unchecked this on script policy settings:

Ftp, policy, password, sensitive, sniff, romon, dude

Now script runs fine when called by netwatch event

thank you for your help
Tested on 6.43 RC21 and 6.42.1 works ok
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 10:47 am

Guys, please read our posts more carefully:

viewtopic.php?f=2&t=134538#p665449

"FYI - we did already receive complaints with examples from this same topic. And as suspected problem was script requires, for example, romon policy, but Netwatch does not have permission to use romon. Key is to disable romon policy within script (that is not actually used) and everything is working again."

Your script requires - ftp,read,policy,password,sensitive,reboot,write,test,sniff
Netwatch can do - write,read,test,reboot

Unselect - ftp,policy,password,sensitive,sniff

-> Script will work just fine
I confirm it works.
There is a problem though with scripts that use global variables.
Those need "policy" rights.
Could you please confirm?
If that is the case, how can we workaround?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 11:54 am

There is a problem though with scripts that use global variables.
use only for reading or use also for writing?
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Netwatch deprecated ?

Thu May 31, 2018 12:13 pm

Unfortunately at the moment you will not be able to access global variables from netwatch executed scripts.
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 12:29 pm

Unfortunately at the moment you will not be able to access global variables from netwatch executed scripts.
Too bad.
Thank you for the heads up though.
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 12:31 pm

There is a problem though with scripts that use global variables.
use only for reading or use also for writing?
Both
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 12:34 pm

Why the netwatch cannot have full authorisation ability, when a script has to be reduced in its rights so it is not able to perform what is necessary?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 12:48 pm

The problem was that a user with limited authorization could configure a netwatch script that executed a command beyond his authorization
and then make it fire, thus executing commands that he would not be able to execute directly.
Maybe a solution would be to make the OS do a "mask" of the allowed security policy of the executed script with the effective
authorization of the user who created it. So, a script executed by that netwatch instance still does not have permission beyond what
the user had, but potentially more than it has now (when it is created by a user in the "full" group, i.e. "the administrator").
I think also related was that the netwatch scripts are executed as the "system" user rather than as the user that created them.
That could (and probably should) be fixed as well.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 1:04 pm

Then just such user should be limited by his rights just to create or modify only those objects that are not having bigger rights.

The netwatch should not be crippled and it should not inherit the user rights because other user might be willing to change it afterward.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 2:36 pm

This way of operation has been widely accepted in other environments where privilege problems occur in scheduled
scripts, for example. In Windows, Linux, Unix, whatever a user can create a scheduled script but when it runs it will
run as the user that created it. Other users will not be able to modify it, unless they are the administrator. After
that, depending on the change and the OS, it might be or not be owned by the administrator.
 
Kraken2k
Frequent Visitor
Posts: 72
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: Netwatch deprecated ?

Mon Jun 04, 2018 12:55 pm

Now, when Netwatch can't access global variables, is there any way to pass a value to launched script?

I have few dozens of devices checked by Netwatch and one script for checking if the host is down or up for good or not - the main reason is that in case of any change I change it just once, not fifty times.
# Init script, launched once at system start

# specify local site
:global nwlocal "central";

# specify checked host;
:global nwhost "undef";

# define "site" -> "actual_state" (0 - down, 1 - up)
:global nwlist {
site1=0;
site2=0;
site3=0;
site4=0;
site5=0;
}

# define netwatch sites "site" -> "ip"
:global peerip {
site1="192.168.1.254";
site2="192.168.2.254";
site3="192.168.3.254";
site4="192.168.4.254";
site5="192.168.5.254";
}
Script "CheckNetwatchAlert" used in Netwatch up/down:
# On Tunnel up/down run (pass the host to check in nwhost global variable):
#:global nwhost "site1";
#/system script run CheckNetwatchAlert:

# specify e-mail as alert destination
:local email "alert@domain.net";

:global nwhost;
:global nwlist;
:global nwlocal;
:global peerip;

:if ([/ping ($peerip->$nwhost) interval=3s count=10] =0) do={
  /tool e-mail send to=$email subject="[Alert] IPsec tunnel $nwhost <-> $nwlocal down" body="Tunnel from $nwhost to $nwlocal down!";
  :set ($nwlist->$nwhost) 0;
} else={
  :if (($nwlist->$nwhost) =0) do={
    /tool e-mail send to=$email subject="[Alert] IPsec tunnel $nwhost <-> $nwlocal up" body="Tunnel from $nwhost to $nwlocal up!";
    :set ($nwlist->$nwhost) 1;
    } 
}
Now the question is - how to rewrite these scripts without access to global variables? I mean yes, I can have a unique 'send email' script for every host checked by netwatch, but it becomes hell once you need to change anything in the script itself.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Mon Jun 04, 2018 1:22 pm

Try the following:
  1. on the command line (terminal, ssh) write global myGlobal 45
  2. in the netwatch script use [/system script environment get myGlobal value] instead of $myGlobal.
I know your netwatch script is more complex, this is just to check whether it works this way at all.
 
aya
just joined
Posts: 10
Joined: Fri Jun 21, 2013 12:19 pm

Re: Netwatch deprecated ?

Thu Jun 28, 2018 8:59 pm

Unfortunately at the moment you will not be able to access global variables from netwatch executed scripts.
"at the moment" this mean that mikrotik will fix this problem? Or better with mikrotik
no longer messing with?
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: Netwatch deprecated ?

Sun Jul 29, 2018 5:54 am

this is very concerning. netwatch is something admins depend on to keep their routers up/online and accessible. now i have a huge unknown floating around as we use netwatch to call scripts (since netwatch is too basic with a single ping to cause an action, so great mt scripts are the perfect solution). I was actually writing a new script for a new netwatch setup, when i found this thread as i was searching for something else netwatch related. (else i would not have known, even though i read every line of each change-log b4 apply/dont apply, an update)

So with this change, the way for admins to know its broken, is when your location goes offline and you have to drive out to location (as a netwatch called script has failed now).

this is not something that should be changed with just a single line in the change log. mt, give examples of what works b4 and does not work now. below is just one example of my netwatch setups that im not clear on if its broken or not. (this script btw, was a workaround since mt WONT fix power cycle on hex POEs , see other threads, and support@mt acknowledged the issue, and that it may not get fixed)-

netwatch calls this script if down:
(which calls another script if needed , all to do poe powercycle when needed to a modem powered via poe):

:local ipPing ("70.xxxx")
:local pingip
#
# pingip below RUNS and sets the variable
# to number of successful pings ie 3 means 3 of 45 success
# can also use ($pingip > 1) or ($pingip >= 1) both TESTED
# ($pingip >= 1) means if only 1 or 0 pings do the IF, not the ELSE
#
:log info ("ping CHECK script IS RUNNING NOW")
# first delay 90 b4 ping test incase this is running at POWER UP
:delay 90
:set pingip [/ping $ipPing count=45]
:if ($pingip <= 3) do={
:log warning (">95% lost ping LOSS to COX GW IP 7xxxx via ether5-to-cox so DO POE powerCYCLE")
/interface ethernet poe set ether5-to-COX poe-out=off
:delay 12
/interface ethernet poe set ether5-to-COX poe-out=auto-on
:delay 10
:log warning ("ether5-to-cox POE HAS BEEN TURNED BACK ON")
:delay 90
/system script run emailPOEresult
} else={
:log warning ("PoeCyclePINGcheck ELSE ran so no ping loss detected by script")
}



-----


:global logMessages;
:set logMessages ""
:foreach i in=[/log find message~"poe"] do={
:set logMessages ($logMessages . [/log get $i time ] . " ");
:set logMessages ($logMessages . [/log get $i message ]);
:set logMessages ($logMessages . "\n")
}
#
# below to add time stamp
#
:set logMessages ($logMessages . "email sent at " . [sy clock get date] . " " . [sy clock get time])
#:log info $logMessages
/tool e-mail send to=xxxxx body=$logMessages server=[:resolve smtp.gmail.com] user=xxxxxxx start-tls=yes port=587;
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Netwatch deprecated ?

Sun Jul 29, 2018 1:17 pm

People please understand: the reason why this was changed is that it was a big security issue!
You can keep complaining that it is not doing anymore what you want it to do, but it is more important
that the router is secure and that it is not so easy to get admin access as it was before this change.

Hopefully some time a better security mechanism will be implemented that allows features like the old
netwatch functionality without causing security problems, but such a change will likely also have impact
on existing installations. It is a matter of fact that things that were very nice to have in the past, in the
current world of people hacking everything that is hackable really isn't possible anymore. Blame the hackers.

For now, when you want to do some monitoring doing pings and actions, do not start from netwatch but
write a script that does both the ping and the resulting actions, and schedule that. Problem solved.
 
NikolayM
just joined
Posts: 5
Joined: Wed Oct 03, 2018 10:30 am

Re: Netwatch deprecated ?

Wed Nov 07, 2018 2:16 pm

Here is an example of my solution
viewtopic.php?f=2&t=141225&p=696692#p696692
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Netwatch deprecated ?

Mon Mar 11, 2019 1:52 pm

This issue seems to have been addressed in RouterOS version 6.43, so it is much easier to fix these issues now.
viewtopic.php?f=21&t=138995
What's new in 6.43 (2018-Sep-06 12:44):

*) console - added "dont-require-permissions" parameter for scripts;
*) console - added error log message when netwatch tries to execute script with insufficient permissions;
*) console - added error log message when scheduler tries to execute script with insufficient permissions;
So something like this should work to fix your netwatch scripts.
/system script
set [find name="Netwatch up script"] dont-require-permissions=yes
More information can be found on the new Scripting_Tips_and_Tricks manual page.
here: https://wiki.mikrotik.com/wiki/Manual:S ... ermissions

Sadly it is not included in the v6.42.12 long-term. So upgrading from v6.40.9 long-term to v6.42.x will still break all netwatch scripts.
 
Moc
just joined
Posts: 18
Joined: Sun Jan 06, 2013 8:47 am

Re: Netwatch deprecated ?

Mon Oct 19, 2020 12:50 pm

I just noticed today in my log an error about my script that auto-changes a VRRP priority, giving an error with the wrong permission.

It's a netwatch that runs the system script owned by admin, which has all permissions except dude and romon.
The up script does this : /interface vrrp set priority=255 [find priority=1]
And it failed...

I'm a bit confused about some of the messages that got posted here... So is Netwatch not using any of the permissions specified in the script itself, it uses its own permissions list, and it only reads the don't require permission flag to ignore all the permissions altogether?
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Netwatch deprecated ?

Tue Oct 20, 2020 3:28 pm

I'm a bit confused about some of the messages that got posted here... So is Netwatch not using any of the permissions specified in the script itself, it uses its own permissions list, and it only reads the don't require permission flag to ignore all the permissions altogether?
Just read my post above yours, I gave a solution and the source.
Here: viewtopic.php?f=2&t=134538&p=823494#p720232

Basically, a netwatch doesn't have an owner, so it was able to execute any script no matter the required permissions. This was found to be a security risk, so netwatch was changed to have only hardcoded specific permissions.
A workaround solution was then added to scripts that allow them to be run without checking the executor's permissions. See the code example I gave in the post linked above.
 
fork
just joined
Posts: 3
Joined: Fri Nov 06, 2020 5:41 pm

Re: Netwatch deprecated ?

Fri Nov 06, 2020 9:08 pm

This issue seems to have been addressed in RouterOS version 6.43, so it is much easier to fix these issues now.
viewtopic.php?f=21&t=138995
What's new in 6.43 (2018-Sep-06 12:44):
/system script
set [find name="Netwatch up script"] dont-require-permissions=yes
I just checked dont-require-permissions=yes but that does not work here. I see the script run counter increases, when netwatch launches my script, but the global variable is still not changed.

I have version 6.44.5 (long-term) running here.

Here are the code:
0 name="ispup" owner="admin" policy=reboot,read,write,test dont-require-permissions=yes last-started=jan/02/1970 03:29:55 run-count=19 source=:global ISPisUp 1; 
0 name="ispup" owner="admin" policy=reboot,read,write,test dont-require-permissions=yes last-started=jan/02/1970 03:29:45 run-count=9 source=:global ISPisUp 0; 
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Netwatch deprecated ?

Mon Nov 16, 2020 7:56 pm

I just checked dont-require-permissions=yes but that does not work here. I see the script run counter increases, when netwatch launches my script, but the global variable is still not changed.

I have version 6.44.5 (long-term) running here.

Here are the code:
0 name="ispup" owner="admin" policy=reboot,read,write,test dont-require-permissions=yes last-started=jan/02/1970 03:29:55 run-count=19 source=:global ISPisUp 1; 
0 name="ispup" owner="admin" policy=reboot,read,write,test dont-require-permissions=yes last-started=jan/02/1970 03:29:45 run-count=9 source=:global ISPisUp 0; 
Accessing global parameters requires "policy" permission, which your script does not appear to have.
Does the global counter increase when you run it yourself? I doubt it does.

The "dont-require-permissions=yes" option doesn't give the script more permissions than it or its owner already has, it just allows it to be run by users/scripts that don't have those permissions.
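The rules stated across this thread (Netwatch limited to read, write, test and reboot since 6.42; `dont-require-permissions` available from 6.43; global variables needing the `policy` permission) can be checked offline against script entries copied from the router. The following Python is an added example, not part of any post and not MikroTik code; the sample entries, the function names and the `broad_and_callable` flag are assumptions made for illustration, and the logic models the behaviour as the posters describe it.

```python
import re

# Policies Netwatch may use since 6.42, as quoted in the thread.
NETWATCH_POLICIES = frozenset({"read", "write", "test", "reboot"})

# Constructed sample, shaped like the "/system script print" lines quoted above.
SAMPLE = """\
0 name="ispup" owner="admin" policy=reboot,read,write,test dont-require-permissions=yes last-started=jan/02/1970 03:29:55 run-count=19 source=:global ISPisUp 1;
1 name="mailalert" owner="admin" policy=ftp,read,policy,password,sensitive,reboot,write,test,sniff dont-require-permissions=no run-count=0 source=/tool e-mail send to="ops@example.invalid" subject="down";
2 name="poecycle" owner="admin" policy=read,write,test,romon dont-require-permissions=yes run-count=3 source=/interface ethernet poe set ether5 poe-out=off;
3 name="logonly" owner="admin" policy=read,write dont-require-permissions=no run-count=1 source=:log info "script started";
"""

ENTRY_RE = re.compile(
    r'name="(?P<name>[^"]+)"'
    r'.*?\bpolicy=(?P<policy>[a-z,]+)'
    r'.*?\bdont-require-permissions=(?P<flag>yes|no)'
    r'.*?\bsource=(?P<source>.*)$'
)
# A ":global" statement at the start of the source or after whitespace, ";" or "{".
GLOBAL_RE = re.compile(r'(?:^|[\s;{]):global\b')


def parse_entries(text):
    """Turn printed script entries into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        entries.append({
            "name": m["name"],
            "policy": frozenset(m["policy"].split(",")),
            "dont_require_permissions": m["flag"] == "yes",
            "source": m["source"].strip(),
        })
    return entries


def audit(entry, supports_flag=True):
    """Apply the thread's rules to one entry.

    supports_flag: True for RouterOS 6.43 or later, where the
    dont-require-permissions parameter exists (per the quoted changelog).
    """
    # Policies the script asks for that Netwatch itself does not hold.
    excess = sorted(entry["policy"] - NETWATCH_POLICIES)
    # The flag lets a caller without those policies start the script.
    bypass = supports_flag and entry["dont_require_permissions"]
    uses_global = bool(GLOBAL_RE.search(entry["source"]))
    return {
        "excess": excess,                      # what to unselect on 6.42.x
        "netwatch_can_start": not excess or bypass,
        # The flag adds no rights: globals still need "policy" on the script.
        "global_without_policy": uses_global and "policy" not in entry["policy"],
        # Script holds more than Netwatch's set yet any caller may run it:
        # the combination worth reviewing, given why the limit was introduced.
        "broad_and_callable": bypass and bool(excess),
    }


def audit_all(text, supports_flag=True):
    return {e["name"]: audit(e, supports_flag) for e in parse_entries(text)}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLE).items():
        print(name, result)
```

Calling `audit_all(text, supports_flag=False)` models a 6.42.x router, where the only remedy in the thread is to unselect the policies listed under `excess`.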
 
fork
just joined
Posts: 3
Joined: Fri Nov 06, 2020 5:41 pm

Re: Netwatch deprecated ?

Mon Nov 23, 2020 3:42 pm

@Deantwo: Thanks for your answer.

I think I was a bit confused, what's necessary and what is not. It works now. I had to repeat some steps over and over until it finally worked and the variables are changed. I'm not sure if that was my doing it wrong or if some specific action has to be taken, after changing the policy or dont-require-permissions attribute.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Netwatch deprecated ?

Mon Mar 22, 2021 5:22 pm

Hi Deantwo
/system script
set [find name="Netwatch up script"] dont-require-permissions=yes
That won't work for me because netwatch scripts don't have names assigned?? Now that you know my level of script acumen (very little)
Do you mean if you create a script that is called by netwatch, then the called script needs the additional CLI magic rule you posted above?

My situation is that I use netwatch to report interfaces up or down. Works great for basic emails.
Then I got adventurous and found a SYSTEM script that sends me a telegram for board&cpu temperature issues with my router. See below.
Highlighted in that script is a part I wanted to take/use and apply in netwatch to add to the existing simple email script that works, ergo send a notice to my cell phone.
I am assuming that I will have to create a separate system script for the bold part below this and call it from netwatch??
Thus far I have only tried it in Netwatch directly and although I see the fetch command in my log the following :log entry is not executed and no telegram message is sent and thus
I figure it needs to be put into system script and called perhaps??

This script works great!
:global "tempstatus"
:global "templaststatus"
:global "cputempstatus"
:global "cputemplaststatus"
:global "systemtemp" [/system health get temperature]
:global "cputemp" [/system health get cpu-temperature]
:if (systemtemp > "45") do={:set "tempstatus" "system temp is too high"}
:if (systemtemp > "60") do={:set "tempstatus" "system temp is critical"}
:if (systemtemp < "45") do={:set "tempstatus" "system temp is within spec"}
:if (cputemp > "65") do={:set "cputempstatus" "cpu temp is too high"}
:if (cputemp > "75") do={:set "cputempstatus" "cpu temp is critical"}
:if (cputemp < "64") do={:set "cputempstatus" "cpu temp is within spec"}
{

/ tool fetch "https://api.telegram.org/bot<mytelegram ... ge?chat_id
=<mybotid>&text=Router $[/system identity get name] has detected the HP Printer Offline"
:log info "Telegram notification sent about HP Printer offline
"
}
:if ($"cputempstatus" != $"cputemplaststatus") do={
/ tool fetch "https://api.telegram.org/bot<mytelegram ... ext=Router $[/system identity get name] has a temperature notification. $[/system clock get date] $[/system clock get time] -> $cputempstatus - $cputemp* Celsius)"
:log info "Telegram notification sent about system $cputempstatus status"
:set "cputemplaststatus" $"cputempstatus"
}
/file remove number=[find where name~"Celsius"]
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Netwatch deprecated ?

Mon Mar 22, 2021 7:07 pm

Hi Deantwo
/system script
set [find name="Netwatch up script"] dont-require-permissions=yes
That won't work for me because netwatch scripts don't have names assigned?? Now that you know my level of script acumen (very little)
Do you mean if you create a script that is called by netwatch, then the called script needs the additional CLI magic rule you posted above?
Yes that is what I meant.

Simply make your netwatch call the script you make by typing the name of the script in the netwatch's up-event field.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Netwatch deprecated ?

Mon Mar 22, 2021 9:23 pm

Having issues getting script to work at the moment in system script, when ready to try from netwatch will come back if it doesn't work.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Netwatch deprecated ?

Mon Mar 22, 2021 11:07 pm

Okay, I have my TelegramFetch system script working great now.
So here is my netwatch script. How do I add to it?
And do I have to enable the checkbox (DONT REQUIRE PERMISSIONS) in the TelegramFetch system script, or uncheck some of the other boxes etc....

:local sub1 ([/system clock get time])
/tool e-mail send from="myemail@address.com" body="At $sub1 HP Printer is Offline" subject="HP Printer is offline" to="myemail@address.com"
:log info "CHECK HP printer stat!!"


I tried this and it didn't work!
down-script="{/system script run TelelgramFetch}"

This one worked.........
/system script run [/system script find name=TelegramFetch]

!! with permissions not required enabled on system script.

Now have to find a better way to get time or time date
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: Netwatch deprecated ?

Tue Mar 23, 2021 10:29 am

I tried this and it didn't work!
down-script="{/system script run TelelgramFetch}"
Change that to
down-script="TelelgramFetch"
and it should work. Assuming your script has the required permissions.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Tue Mar 23, 2021 11:26 am

I would think it's the typo in the name of the script - TelelgramFetch.

Otherwise, all three variants should work,

down-script="{/system script run TelegramFetch}"

down-script="/system script run [/system script find name=TelegramFetch]"

down-script=TelegramFetch
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Netwatch deprecated ?

Tue Mar 23, 2021 3:14 pm

Thanks, Will give that a try later!!
Any ideas on something better for time date on the System scripts than
:local sub1 ([/system clock get time])
/tool fetch..............="At $sub1 HP_Printer_is_Offline"
:log info "CHECK HP printer stat!!"

Seems to work fine for simple netwatch scripts but doesn't work well for System Fetch scripts.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Tue Mar 23, 2021 3:38 pm

Seems to work fine for simple netwatch scripts but doesn't work well for System Fetch scripts.
I'd think the issue here is the same like we've discussed yesterday - there are spaces before and after $sub1. As /tool fetch doesn't substitute space symbols in the URL sent to the server automatically, the Telegram server returns an error.

BTW, I was googling whether colons don't need to be escaped as well, and found that a space symbol can be substituted also by a + one, not only by %20.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Netwatch deprecated ?

Tue Mar 23, 2021 4:30 pm

Yup that was it!! , okay so replace all my underlines with the + symbol to effect spaces in a URL - works! batting 1000 this morning :-).!!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Netwatch deprecated ?

Tue Mar 23, 2021 4:34 pm

QUESTION. CAN I put the same fetch script in a DHCP CLIENT SCRIPT??
Confirmed Yes, this works too.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Netwatch deprecated ?

Tue Mar 23, 2021 4:53 pm

Okay I have no practical way to check if my WAN connection goes down as then I wont have internet but I do have two ISPs.
So what I would like to do is run a check on my WANs in two parts............... UNLESS there is a better way.

NETWATCH
(1) USE DNS 9.9.9.9 to check ISP 1
(2) USE DNS 1.1.1.1 to check ISP 2

(1) DOWN calls a system script that will check ISP1 and let me know if it's down, assuming I get the notification I will know ISP2 is working.
(2) DOWN calls a system script that will check ISP2 and let me know if it's down, assuming I get the notification I will know ISP1 is working.

Problem1 - solvable I think - ISP WANIPs are dynamic and achieved via recursive routing (not fixed WANIPs) so what is the best way to identify them.
Problem2 -*stuck*- if the router goes down or power to router & modem I have no way of knowing this, no emails, no telegrams!!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Tue Mar 23, 2021 5:30 pm

Problem2 -*stuck*- if the router goes down or power to router & modem I have no way of knowing this, no emails, no telegrams!!
Haven't you stated in another thread that multiple family members yell at you if "internet breaks" for a few seconds?

On a serious note - to cover these situations, multiple systems connected via different ISPs can monitor each other via VPN tunnels and report anomalies, in a symmetric arrangement. I have indicator towers somewhere which monitor the network, but they also monitor each other, so that inability of just one of them to see the network wouldn't trigger the panic plan.

And of course you need two mobile phones each using a different operator and a different messaging app or e-mail account than the other one, to receive the notifications. And one of the phones must be an Android one and the other one an Apple one, because the notifications about message arrivals always reach the phones via the vendors' servers, no matter what messaging app or e-mail account you use. If the phone maintained a packet connection all the time, the battery would discharge much faster, so technical notification messages come the same way like SMSes do and wake up the applications, which then connect and download the actual message.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Netwatch deprecated ?

Tue Mar 23, 2021 5:34 pm

So basically, I am out of luck, unless magically I have another mikrotik router somewhere, checking my free dyndns name or mikrotik cloud name, it sending me an email or telegram with no response..

Call me crazy but this sounds like an addition to the MT cloud service??
Why can't I add a script to my MT CLOUD doing this very function!! ??????????
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Tue Mar 23, 2021 6:02 pm

You could imagine many other uses to the MT cloud service, but there is some CAPEX & OPEX associated to running a server in a datacenter, whilst each RouterBoard device is only sold once. So the price of every device would have to include, say, 10 years of running your own CHR in Mikrotik's data center... whereas most users would never even think about making use of that CHR. So a lose-lose situation.

CHR can run in multiple public data centers, so if you need that, go ahead.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Netwatch deprecated ?

Tue Mar 23, 2021 6:14 pm

Sounds $$
I should post in the MT Charity Forum. ;-)
Anybody would like to donate a few lines of script on their Virtual MT machine for the purposes of running a Script to let me know when my Internet is hard down LOL.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Netwatch deprecated ?

Fri Apr 09, 2021 1:46 pm

uptimerobot dot com? :)
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Netwatch deprecated ?

Wed Aug 04, 2021 11:16 pm

Sounds $$
I should post in the MT Charity Forum. ;-)
Anybody would like to donate a few lines of script on their Virtual MT machine for the purposes of running a Script to let me know when my Internet is hard down LOL.
If you are still looking for it, I can host your script...
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Netwatch deprecated ?

Thu Aug 05, 2021 12:32 am

Why not use the portable server that everyone usually has behind them...
An app on your smartphone that checks if the DDNS is reachable or not...
In the end, if you don't have Internet on your smartphone, you can't even receive the notification email/whatsapp/telegram/etc..
Instead if it is your own MikroTik App that warns you if your DDNS/Cloud is no longer reachable ...

I had a good idea, right? :twisted:

Only now we should convince the MikroTik staff to add the "CloudCheck" and "Port Knocking"
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Netwatch deprecated ?

Thu Aug 05, 2021 10:49 am

Ping for Normis and MikroTik staff ;)
