Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Netwatch deprecated ?

Fri May 18, 2018 12:35 am

So.... What's the status of Netwatch?

The release notes for 6.42 show Mikrotik removed almost all the useful functionality. I was using it to do a variety of things, like sensing internet connections, monitoring network paths, monitoring network devices, monitoring devices on the network and even lighting LEDs based on a network device's status. I also used it to sense when a router had internet access and then run DDNS. I used it to send text messages about the status of a wide variety of things. So the loss of Netwatch has been a significant blow for me.

Mikrotik has not explained the removal of this really useful RouterOS feature. As far as I can remember, this is the first time Mikrotik has removed any feature.

I don't understand WHY it was deprecated.

For some applications I'm now considering buying Ubiquiti devices, as they run an open OS and so I can install any tools I want. I've never needed a tool not already provided by RouterOS until now. I have some purchases coming up and I need to know what the fate of Netwatch will be. If Mikrotik is not going to restore it, I will need to swap out all customer routers for Ubiquiti to gain the ability to do "netwatch"-like functions. For me this would end a very long relationship with Mikrotik that goes back to when they first started making PC boards and I had to put them in enclosures.

As far as I know this is the only info on this topic. From the 6.42 changelog:

*) netwatch - limit to read, write, test and reboot policies for Netwatch script execution;
 
sindy
Forum Guru
Posts: 2225
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Fri May 18, 2018 1:21 pm

So far I was always thinking that the newly introduced limitation of netwatch script privileges is so frustrating for you because you would have to rewrite the configurations to accommodate the new approach.

But this post contradicts such understanding pretty much.

I have used netwatch myself for some months and all the time it was really disappointing for me that it could not tolerate some share of lost responses. So if the monitored address was accessible e.g. through a wireless link with sporadically occurring interference, a single lost ping response was triggering the down-script action as if the monitored device was indeed down, whilst in fact it only indicated an otherwise tolerable amount of packet loss.

So from using down-script and up-script in netwatch, I've moved to use of scheduled scripts which watch address-lists populated by responses to netwatch-generated pings (where the lifetime of the item on the address-list is a multiple of the distance between ping requests sent). The privileges (policies) of these scripts and scheduler jobs are configured individually, and it is up to you whether you use a single script to evaluate the state of all monitored addresses or whether you use one script per each address.

On one hand, I fully agree with you that netwatch should be permitted to do anything you wish; on the other hand, I do understand that as it could be misused to bypass users' policy restrictions, Mikrotik had to do something about it. But my approach would be to assign policies to netwatch items the same way they are associated with scheduler jobs and scripts, and to allow the user to assign to the netwatch item he creates only policies with which his own account is configured (which I believe is the case with scheduler jobs and scripts).

If this approach would satisfy you, why not send a constructive ticket to support@mikrotik.com suggesting this?

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace each occurrence of any public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
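The scheme sindy describes, written out as an added example that is not part of his post and not MikroTik's own configuration: Netwatch only pings, a mangle rule keeps the host on an address-list for as long as echo replies keep arriving, and a scheduled script with its own policy set reads that list. The host 203.0.113.10, the list name, the interval and timeout values and the script name are assumed; the "three lost pings" threshold follows from the 35s timeout being a little more than 3 x the 10s ping interval.

```routeros
# Added example (not from the thread or MikroTik): a loss-tolerant reachability
# check built from Netwatch pings, an address-list with a timeout and a scheduled
# script. Host, list name, interval, timeout and script name are assumed values.

# 1. Netwatch sends the pings (every 10s) but has no up/down scripts attached,
#    so the policy restriction on Netwatch scripts no longer matters here.
/tool netwatch add host=203.0.113.10 interval=10s comment="uplink probe, no scripts"

# 2. Every ICMP echo reply (type 0, code 0) from the host re-adds it to the list
#    "reachable" for 35s. Mangle input runs before filter input, so an accept or
#    drop rule in the filter chain cannot swallow the reply first. The entry only
#    expires once more than three consecutive replies are missing (35s > 3 x 10s),
#    so a single lost ping is tolerated.
/ip firewall mangle add chain=input protocol=icmp icmp-options=0:0 src-address=203.0.113.10 \
    action=add-src-to-address-list address-list=reachable address-list-timeout=35s \
    comment="refresh reachable entry on every echo reply"

# 3. Script "uplink-state": paste this as the script source and give it
#    policy=read,write,test. It keeps the last state in a global so that it
#    logs (or triggers whatever else you need) only on a state transition.
:global uplinkUp
:local nowUp ([:len [/ip firewall address-list find list=reachable address=203.0.113.10]] > 0)
:if ($nowUp != $uplinkUp) do={
    :set uplinkUp $nowUp
    :if ($nowUp) do={
        :log info "uplink 203.0.113.10 reachable again"
    } else={
        :log warning "uplink 203.0.113.10 down: more than three echo replies lost in a row"
    }
}

# 4. The scheduler job that runs the script every 30s, with the same policy set
#    the script itself was given (a job cannot grant more than its owner has).
/system scheduler add name=uplink-state interval=30s on-event=uplink-state policy=read,write,test
```

Check the list with /ip firewall address-list print where list=reachable while the host is up; the entry's timeout should keep resetting to 35s on every reply.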
 
Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 10:49 am

I have Netwatch watch 8.8.8.8 and when it's up, trigger the below script, called UP.

The permissions are read write test on all the below. They worked before 6.42. They work if manually triggered.

Up
_____________________________________________________________________
:log warning "Connection up";
/system script run IPSMTP;
:tool e-mail send to="xxxx@xxx" from="xxxxxx" subject="xxx router is online" body="xxx router is online";
/system script run DYNForce;
_____________________________________________________________________

The above then triggers other scripts..

This one makes sure the mail server is looked up correctly
IPSMTP
______________________________________________________________
:local ipsmtp
:set ipsmtp [:resolve xxxxx]
:if ($ipsmtp != [/tool e-mail get address]) do={ /tool e-mail set address=$ipsmtp }
_______________________________________________________________

This then forces DynDNS to the current IP
DYNForce
________________________________________________________________
# Set needed variables
:local username "xxxxxxx"
:local password "xxxxxxx"
:local hostname "xxxxxx"

:global dyndnsForce
:global previousIP

# print some debug info
:log info ("UpdateDynDNS: username = $username")
# Caution: the next line writes the DynDNS password into the router log; keep it only while debugging
:log info ("UpdateDynDNS: password = $password")
:log info ("UpdateDynDNS: hostname = $hostname")
:log info ("UpdateDynDNS: previousIP = $previousIP")

# get the current IP address from the internet (in case of double-nat)
/tool fetch mode=http address="checkip.dyndns.org" src-path="/" dst-path="/dyndns.checkip.html"
:delay 1
:local result [/file get dyndns.checkip.html contents]

# parse the current IP result
:local resultLen [:len $result]
:local startLoc [:find $result ": " -1]
:set startLoc ($startLoc + 2)
:local endLoc [:find $result "</body>" -1]
:local currentIP [:pick $result $startLoc $endLoc]
:log info "UpdateDynDNS: currentIP = $currentIP"

# Forcing an update on every run is useful for debugging, but you could end up
# getting blacklisted by DynDNS! The line is left enabled here because this script
# runs on a Netwatch "up" event; comment it out if you run it from scheduler instead.

:set dyndnsForce true

# Determine if dyndns update is needed
# more dyndns updater request details http://www.dyndns.com/developers/specs/syntax.html

:if (($currentIP != $previousIP) || ($dyndnsForce = true)) do={
:set dyndnsForce false
:set previousIP $currentIP
:log info "$currentIP or $previousIP"
/tool fetch user=$username password=$password mode=http address="members.dyndns.org" \
src-path="nic/update?system=dyndns&hostname=$hostname&myip=$currentIP&wildcard=no" \
dst-path="/dyndns.txt"
:delay 1
:local result [/file get dyndns.txt contents]
:log critical ("UpdateDynDNS: Dyndns update needed")
:log critical ("UpdateDynDNS: Dyndns Update Result: ".$result)
:put ("Dyndns Update Result: ".$result)
} else={
:log info ("UpdateDynDNS: No dyndns update needed")
}
 
Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 11:02 am

I've tested this on 43RC19 and it does not work.

I have other scripts that do not work from Netwatch. In fact NO script I have works from Netwatch after 6.42.
 
normis
MikroTik Support
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Netwatch deprecated ?

Wed May 30, 2018 11:33 am

The underlying issue is that you are trying to make Netwatch execute a script that requires permissions it does not have.
Is this not a reasonable requirement? A read only user can't create FULL permission accounts. Is that not reasonable?
 
sindy
Forum Guru
Posts: 2225
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Wed May 30, 2018 11:51 am

@Normis, quoting myself three posts above:
> On one hand, I fully agree with you that netwatch should be permitted to do anything you wish; on the other hand, I do understand that as it could be misused to bypass users' policy restrictions, Mikrotik had to do something about it. But my approach would be to assign policies to netwatch items the same way they are associated with scheduler jobs and scripts, and to allow the user to assign to the netwatch item he creates only policies with which his own account is configured (which I believe is the case with scheduler jobs and scripts).

Could this be a solution "to feed the wolf and keep the goat complete"?

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace each occurrence of any public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Wed May 30, 2018 1:36 pm

So, there is no solution?
How are we supposed to use Dyn DNS?
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Wed May 30, 2018 2:26 pm

> I have Netwatch watch 8.8.8.8 and when it's up, trigger the below script, called UP.
>
> The permissions are read write test on all the below. They worked before 6.42. They work if manually triggered.
>
> [quoted Up, IPSMTP and DYNForce scripts, identical to Xymox's post of Wed May 30, 2018 10:49 am above]
It's not working on 6.42.3
I am searching hard to find a script that works but with no luck so far...
 
Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 7:24 pm

> The underlying issue is that you are trying to make Netwatch execute a script that requires permissions it does not have.
> Is this not a reasonable requirement? A read only user can't create FULL permission accounts. Is that not reasonable?

How would I trigger an alert based on Netwatch if I can't email? The idea is that Netwatch can watch and alert? How can I trigger a set of events when a connection is up or down?

Netwatch used to have these permissions. It no longer does.

What good is Netwatch if it can't trigger scripts?

Why can't Netwatch have the permissions it needs to trigger scripts? For 8+ years it did.

I can trigger scripts securely in UBNT, and Cisco can do this. Only Mikrotik can't. So this does seem unreasonable, to not have this functionality.
Last edited by Xymox on Wed May 30, 2018 9:26 pm, edited 1 time in total.
 
Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 9:01 pm

> So, there is no solution?
> How are we supposed to use Dyn DNS?

Currently I use scheduler and just run it every 15 mins. It's not an ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Wed May 30, 2018 10:27 pm

> > So, there is no solution?
> > How are we supposed to use Dyn DNS?
>
> Currently I use scheduler and just run it every 15 mins. It's not an ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.

Unfortunately it does not work on 6.42.3 (RB435G)...
Not even if just executed from /system scripts...
 
strods
MikroTik Support
Posts: 1334
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Netwatch deprecated ?

Wed May 30, 2018 10:56 pm

Can anyone provide an example of Netwatch with a single line script that is not working, but you think that Netwatch should be able to execute it? Please provide a single command example. At the moment we have not seen any actual case (besides misconfiguration due to policies) where this would be a problem.

/tool netwatch add host=x.x.x.x up-script="/system script run test"
/system script add name=test policy=read,write,test,reboot source="/xxxxx"

Send in such an example to support@mikrotik.com and we will see what can be improved.
 
Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 11:33 pm

> Can anyone provide an example of Netwatch with a single line script that is not working, but you think that Netwatch should be able to execute it? Please provide a single command example. At the moment we have not seen any actual case (besides misconfiguration due to policies) where this would be a problem.
>
> /tool netwatch add host=x.x.x.x up-script="/system script run test"
> /system script add name=test policy=read,write,test,reboot source="/xxxxx"
>
> Send in such an example to support@mikrotik.com and we will see what can be improved.

I don't have any single line scripts. I'm not sure a single line should be used in a script, as I think Netwatch could execute a single line on its own?

I will send an email to support tonight (Pacific time) including the above scripts that don't work.

The issue for everybody seems to be multiline scripts.

My example above does not work. Normis explained why.

So can I merge the entire set of scripts above into one and put that into Netwatch and have it execute? If so, that would work out fine for me :)
 
Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Wed May 30, 2018 11:40 pm

> > > So, there is no solution?
> > > How are we supposed to use Dyn DNS?
> >
> > Currently I use scheduler and just run it every 15 mins. It's not an ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
>
> Unfortunately it does not work on 6.42.3 (RB435G)...
> Not even if just executed from /system scripts...

Hmmm... I can check more later once I am offsite. I am using RC19 currently and this works from Winbox. Make sure to set permissions: read/write/test. Make sure you have the DynDNS account info correct. In Winbox does it show it ran it? I.e. is the count increased?

I am avoiding 6.42.x because I had bad experiences with it. I'm using 6.41.4 on my production gear because it's my last KNOWN stable. *HOWEVER* IT HAS KNOWN SECURITY ISSUES.. Also I recommend a NAND format and then a netinstall to be SURE your system is clean IF you can do that.

I think though that it's something simple for you, maybe just script permissions?
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 6:14 am

> > > > So, there is no solution?
> > > > How are we supposed to use Dyn DNS?
> > >
> > > Currently I use scheduler and just run it every 15 mins. It's not an ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
> >
> > Unfortunately it does not work on 6.42.3 (RB435G)...
> > Not even if just executed from /system scripts...
>
> Hmmm... I can check more later once I am offsite. I am using RC19 currently and this works from Winbox. Make sure to set permissions: read/write/test. Make sure you have the DynDNS account info correct. In Winbox does it show it ran it? I.e. is the count increased?
>
> I am avoiding 6.42.x because I had bad experiences with it. I'm using 6.41.4 on my production gear because it's my last KNOWN stable. *HOWEVER* IT HAS KNOWN SECURITY ISSUES.. Also I recommend a NAND format and then a netinstall to be SURE your system is clean IF you can do that.
>
> I think though that it's something simple for you, maybe just script permissions?

First of all, thank you for your time.
The system is clean, netinstall performed approximately a month ago and afterwards all settings were reconfigured manually.
The script runs, but it hangs. I can see the logs saying that the IP has renewed but in fact it hasn't. The credentials are fine because I use them for manual login at no-ip.com Web site successfully.
I had to stop using dyndns and reverted to /ip cloud implementation in order to workaround the lack of services.

Nevertheless, I do care to revert to no-ip.org ddns services soon.
 
chechito
Forum Guru
Posts: 1584
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Netwatch deprecated ?

Thu May 31, 2018 7:01 am

> Can anyone provide an example of Netwatch with a single line script that is not working, but you think that Netwatch should be able to execute it? Please provide a single command example. At the moment we have not seen any actual case (besides misconfiguration due to policies) where this would be a problem.
>
> /tool netwatch add host=x.x.x.x up-script="/system script run test"
> /system script add name=test policy=read,write,test,reboot source="/xxxxx"
>
> Send in such an example to support@mikrotik.com and we will see what can be improved.

The Netwatch problem persists.

Tested on an RB750UP with RouterOS 6.43RC21.

No error in the log; it only logs the netwatch up or down. The script doesn't run, and there are no error messages.

The user owner of the script has full permissions.

[attachment: Captura.JPG]
 
Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Thu May 31, 2018 7:46 am

> > > > > So, there is no solution?
> > > > > How are we supposed to use Dyn DNS?
> > > >
> > > > Currently I use scheduler and just run it every 15 mins. It's not an ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
> > >
> > > Unfortunately it does not work on 6.42.3 (RB435G)...
> > > Not even if just executed from /system scripts...
> >
> > Hmmm... I can check more later once I am offsite. I am using RC19 currently and this works from Winbox. Make sure to set permissions: read/write/test. Make sure you have the DynDNS account info correct. In Winbox does it show it ran it? I.e. is the count increased?
> >
> > I am avoiding 6.42.x because I had bad experiences with it. I'm using 6.41.4 on my production gear because it's my last KNOWN stable. *HOWEVER* IT HAS KNOWN SECURITY ISSUES.. Also I recommend a NAND format and then a netinstall to be SURE your system is clean IF you can do that.
> >
> > I think though that it's something simple for you, maybe just script permissions?
>
> First of all, thank you for your time.
> The system is clean, netinstall performed approximately a month ago and afterwards all settings were reconfigured manually.
> The script runs, but it hangs. I can see the logs saying that the IP has renewed but in fact it hasn't. The credentials are fine because I use them for manual login at the no-ip.com web site successfully.
> I had to stop using dyndns and reverted to the /ip cloud implementation in order to work around the lack of services.
>
> Nevertheless, I do care to revert to no-ip.org ddns services soon.

I have fully tested the DynDNS script, executing it from Winbox on RouterOS 6.43RC21 on a CCR1009-8G-1S-1S+, and it works. It updates DynDNS. I scrambled my MAC, which causes the cable modem to provide a new IP; I then ran the script, reloaded DynDNS and watched it update in near real time. I did this 3 times to be sure. So on this version of the OS on this hardware I can confirm it does work.

I had all the permissions checked.

This script is slightly different as it does less logging.

Go delete any related files before running it. Run it twice to make sure.
# Set needed variables
:local username "your username"
:local password "your password"
:local hostname "your host name"

:global dyndnsForce
:global previousIP 

# get the current IP address from the internet (in case of double-nat)
/tool fetch mode=http address="checkip.dyndns.org" src-path="/" dst-path="/dyndns.checkip.html"
:delay 1
:local result [/file get dyndns.checkip.html contents]

# parse the current IP result
:local resultLen [:len $result]
:local startLoc [:find $result ": " -1]
:set startLoc ($startLoc + 2)
:local endLoc [:find $result "</body>" -1]
:local currentIP [:pick $result $startLoc $endLoc]
:log info "UpdateDynDNS: currentIP = $currentIP"

# Remove the # on next line to force an update every single time - useful for debugging,
# but you could end up getting blacklisted by DynDNS!

#:set dyndnsForce true

# Determine if dyndns update is needed
# more dyndns updater request details http://www.dyndns.com/developers/specs/syntax.html

:if (($currentIP != $previousIP) || ($dyndnsForce = true)) do={
   :set dyndnsForce false
   :set previousIP $currentIP
   :log info "$currentIP or $previousIP"
   /tool fetch user=$username password=$password mode=http address="members.dyndns.org" \
      src-path="nic/update?system=dyndns&hostname=$hostname&myip=$currentIP&wildcard=no" \
      dst-path="/dyndns.txt"
   :delay 1
   :local result [/file get dyndns.txt contents]
   :log critical ("UpdateDynDNS: Dyndns update needed")
   :log critical ("UpdateDynDNS: Dyndns Update Result: ".$result)
   :put ("Dyndns Update Result: ".$result)
}
[attachment: DynDNS.gif]
 
strods
MikroTik Support
Posts: 1334
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Netwatch deprecated ?

Thu May 31, 2018 7:51 am

If your script does not work, then it is because of one or multiple lines that can not be executed. You can debug your script and find out which line was the first that did not allow the script to run properly. This is the command that we are looking for.

FYI - we did already receive complaints with examples from this same topic. And as suspected, the problem was that the script requires, for example, the romon policy, but Netwatch does not have permission to use romon. The key is to disable the romon policy within the script (that is not actually used) and everything is working again.
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 8:31 am

> > > > > Currently I use scheduler and just run it every 15 mins. It's not an ideal solution. The script above for DynDNS works, just not from Netwatch. You will want to comment out ":set dyndnsForce true" if you run this from scheduler.
> > > >
> > > > Unfortunately it does not work on 6.42.3 (RB435G)...
> > > > Not even if just executed from /system scripts...
> > >
> > > Hmmm... I can check more later once I am offsite. I am using RC19 currently and this works from Winbox. Make sure to set permissions: read/write/test. Make sure you have the DynDNS account info correct. In Winbox does it show it ran it? I.e. is the count increased?
> > >
> > > I am avoiding 6.42.x because I had bad experiences with it. I'm using 6.41.4 on my production gear because it's my last KNOWN stable. *HOWEVER* IT HAS KNOWN SECURITY ISSUES.. Also I recommend a NAND format and then a netinstall to be SURE your system is clean IF you can do that.
> > >
> > > I think though that it's something simple for you, maybe just script permissions?
> >
> > First of all, thank you for your time.
> > The system is clean, netinstall performed approximately a month ago and afterwards all settings were reconfigured manually.
> > The script runs, but it hangs. I can see the logs saying that the IP has renewed but in fact it hasn't. The credentials are fine because I use them for manual login at the no-ip.com web site successfully.
> > I had to stop using dyndns and reverted to the /ip cloud implementation in order to work around the lack of services.
> >
> > Nevertheless, I do care to revert to no-ip.org ddns services soon.
>
> I have fully tested the DynDNS script, executing it from Winbox on RouterOS 6.43RC21 on a CCR1009-8G-1S-1S+, and it works. It updates DynDNS. I scrambled my MAC, which causes the cable modem to provide a new IP; I then ran the script, reloaded DynDNS and watched it update in near real time. I did this 3 times to be sure. So on this version of the OS on this hardware I can confirm it does work.
>
> I had all the permissions checked.
>
> This script is slightly different as it does less logging.
>
> Go delete any related files before running it. Run it twice to make sure.
> [quoted DynDNS script, identical to Xymox's post of Thu May 31, 2018 7:46 am above]
> [attachment: DynDNS.gif]
Thank you again. Currently away from router, so I will try it later and report back.
 
Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Thu May 31, 2018 8:34 am

> If your script does not work, then it is because of one or multiple lines that can not be executed. You can debug your script and find out which line was the first that did not allow the script to run properly. This is the command that we are looking for.
>
> FYI - we did already receive complaints with examples from this same topic. And as suspected, the problem was that the script requires, for example, the romon policy, but Netwatch does not have permission to use romon. The key is to disable the romon policy within the script (that is not actually used) and everything is working again.

OooOo.. :) OK, let me try that. It's very late here and I'm in bed, but I will check this now anyway because that is exciting news.
 
Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Thu May 31, 2018 8:52 am

This does not work when calling it from Netwatch. It works perfectly from "Run Script" in Winbox. I think these are OK permissions?

This is a single line script command that does not work from Netwatch, as you requested. No errors in the log. This should be easy to reproduce. Should I send this to support?

I put xxxxx for email addresses.
:tool e-mail send to="xxxxx" from="xxxxx" subject="MT test of netwatch scripts" body="This is a test";

[attachment: Email.gif]
 
Xymox
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US

Re: Netwatch deprecated ?

Thu May 31, 2018 8:58 am

Off to bed for me. I'm out of town in a hotel and working on this remotely on my home router. So I'm doing my best to help.

If MT wants remote access to this router, just let me know. I want to help get this working. I REALLY need Netwatch running scripts again please :)
 
strods
MikroTik Support
Posts: 1334
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Netwatch deprecated ?  [SOLVED]

Thu May 31, 2018 9:03 am

Guys, please read our posts more carefully:

viewtopic.php?f=2&t=134538#p665449

"FYI - we did already receive complaints with examples from this same topic. And as suspected, the problem was that the script requires, for example, the romon policy, but Netwatch does not have permission to use romon. The key is to disable the romon policy within the script (that is not actually used) and everything is working again."

Your script requires - ftp,read,policy,password,sensitive,reboot,write,test,sniff
Netwatch can do - write,read,test,reboot

Unselect - ftp,policy,password,sensitive,sniff

-> Script will work just fine
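As an added example (not from strods's post or from MikroTik's own tooling), a RouterOS script that applies this check to every stored script: it compares each script's policy set against the four policies strods lists for Netwatch and logs which policies to unselect. It assumes, as on RouterOS v6, that a script's policy property reads back as an array; variable names and log text are mine.

```routeros
# Added example (not from the thread or MikroTik): audit every stored script
# against the four policies Netwatch can use (read, write, test, reboot) and
# log the policies that must be unselected before Netwatch will run it.
# Run from the terminal or from a scheduler job with read policy.
:local netwatchPolicies {"read";"write";"test";"reboot"}

:foreach id in=[/system script find] do={
    :local scriptName [/system script get $id name]
    :local excess ""
    # "policy" reads back as an array of policy names, e.g. {"read";"write";"romon"}
    :foreach p in=[/system script get $id policy] do={
        :local allowed false
        :foreach a in=$netwatchPolicies do={
            :if ($a = $p) do={ :set allowed true }
        }
        :if ($allowed = false) do={ :set excess ($excess . $p . ",") }
    }
    :if ([:len $excess] > 0) do={
        # drop the trailing comma before logging
        :set excess [:pick $excess 0 ([:len $excess] - 1)]
        :log warning ("script '$scriptName' will not run from Netwatch; unselect: $excess")
    } else={
        :log info ("script '$scriptName' is runnable from Netwatch")
    }
}
```

Because Netwatch drops the whole script silently (as chechito's "script started" test shows) rather than failing on the offending line, running this audit after a RouterOS upgrade is quicker than bisecting scripts one line at a time.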
 
chechito
Forum Guru
Posts: 1584
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Netwatch deprecated ?

Thu May 31, 2018 9:08 am

> If your script does not work, then it is because of one or multiple lines that can not be executed. You can debug your script and find out which line was the first that did not allow the script to run properly. This is the command that we are looking for.
>
> FYI - we did already receive complaints with examples from this same topic. And as suspected, the problem was that the script requires, for example, the romon policy, but Netwatch does not have permission to use romon. The key is to disable the romon policy within the script (that is not actually used) and everything is working again.

Thanks for your reply.

I have tested unchecking the romon policy on the script.

I have placed this line in the first line of the script:

:log info "script started"

Manually executing the script, it runs fine and starts with that log message.

A netwatch event running the script does not generate any log.

It looks like the script is not running at all when executed by netwatch.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Netwatch deprecated ?

Thu May 31, 2018 9:09 am

Post your script too, then
No answer to your question? How to write posts
 
User avatar
Xymox
Member
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US
Contact:

Re: Netwatch deprecated ?

Thu May 31, 2018 9:14 am

Guys, please read our posts more carefully:

viewtopic.php?f=2&t=134538#p665449

"FYI - we did already receive complaints with examples from this same topic. And as suspected, the problem was the script requires, for example, the romon policy, but Netwatch does not have permission to use romon. The key is to disable the romon policy within the script (that is not actually used) and everything is working again."

Your script requires - ftp,read,policy,password,sensitive,reboot,write,test,sniff
Netwatch can do - write,read,test,reboot

Unselect - ftp,policy,password,sensitive,sniff

-> Script will work just fine
Oopsie... (very embarrassed).....

You are 100% correct. The above script worked perfectly from Netwatch...

I will stay up late and play with all my scripts now.

That's awesome... Thank you :)

I'm VERY SORRY for not understanding this better.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1584
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Netwatch deprecated ?

Thu May 31, 2018 9:19 am

Post your script too, then
This is the script:

# log a marker so the run is visible even if the mail below fails
:log error message="inicio del script"
# only alert once the router has been up for more than one minute,
# so the mail is not sent on every reboot
:local uptime [/system resource get uptime];
:local uno 00:01:00
:if ($uptime > $uno) do={
/tool e-mail send to="diegoms77@hotmail.com" subject="Do $[/system clock get time] $[/system identity get name] Caida Red Electrica" body="$[/system health get voltage]V, El $[/system clock get date] a las $[/system clock get time]  entro en MODO BATERIAS el equipo de $[/system identity get name]
Temperatura   RB: $[/system health get temperature] C
Temperatura CPU: $[/system health get cpu-temperature] C
Uptime: $[/system resource get uptime]";
:log error message="$[/system health get voltage]V, Mensaje Caida Red Electrica en $[/system identity get name] enviado";
}
 
User avatar
Xymox
Member
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US
Contact:

Re: Netwatch deprecated ?

Thu May 31, 2018 9:23 am

YES !!!!! That fixed all my issues. All my scripts now run... I feel really stupid...

I'm sorry for the hassle..

read/write/reboot/test - uncheck all other boxes...

Wowee.. I'm really happy.. That was my last issue; once MT fixes the disk space issue, I will roll out the next stable to all my clients. In fact, I'm so happy with RC21 I might roll that out to production.

Thank you MT... I'm back to being super happy with Mikrotik.

I want to buy some T-Shirts :)
 
strods
MikroTik Support
MikroTik Support
Posts: 1334
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Netwatch deprecated ?

Thu May 31, 2018 9:24 am

chechito - Is this a content of "System/Scripts" entry? If yes, then what are the policies assigned to this script? Please provide an example like this: viewtopic.php?f=2&t=134538&p=665470#p665457
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1584
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Netwatch deprecated ?

Thu May 31, 2018 9:35 am

chechito - Is this a content of "System/Scripts" entry? If yes, then what are the policies assigned to this script? Please provide an example like this: viewtopic.php?f=2&t=134538&p=665470#p665457
Thanks.

Yes, it is a system script entry.

I unchecked these in the script policy settings:

Ftp, policy, password, sensitive, sniff, romon, dude

Now the script runs fine when called by a netwatch event.

Thank you for your help.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1584
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Netwatch deprecated ?

Thu May 31, 2018 9:42 am

Tested on 6.43 RC21 and 6.42.1, works OK.
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 10:47 am

Guys, please read our posts more carefully:

viewtopic.php?f=2&t=134538#p665449

"FYI - we did already receive complaints with examples from this same topic. And as suspected, the problem was the script requires, for example, the romon policy, but Netwatch does not have permission to use romon. The key is to disable the romon policy within the script (that is not actually used) and everything is working again."

Your script requires - ftp,read,policy,password,sensitive,reboot,write,test,sniff
Netwatch can do - write,read,test,reboot

Unselect - ftp,policy,password,sensitive,sniff

-> Script will work just fine
I confirm it works.
There is a problem though with scripts that use global variables.
Those need "policy" rights.
Could you please confirm?
If that is the case, how can we work around it?
 
sindy
Forum Guru
Forum Guru
Posts: 2225
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 11:54 am

There is a problem though with scripts that use global variables.
Use only for reading, or also for writing?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace each occurrence of any public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5659
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Netwatch deprecated ?

Thu May 31, 2018 12:13 pm

Unfortunately at the moment you will not be able to access global variables from netwatch executed scripts.
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 12:29 pm

Unfortunately at the moment you will not be able to access global variables from netwatch executed scripts.
Too bad.
Thank you for the heads up though.
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 12:31 pm

There is a problem though with scripts that use global variables.
Use only for reading, or also for writing?
Both
 
jarda
Forum Guru
Forum Guru
Posts: 7472
Joined: Mon Oct 22, 2012 4:46 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 12:34 pm

Why can't netwatch have full authorisation, when a script has to be reduced in its rights so that it is not able to perform what is necessary?
 
pe1chl
Forum Guru
Forum Guru
Posts: 4725
Joined: Mon Jun 08, 2015 12:09 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 12:48 pm

The problem was that a user with limited authorization could configure a netwatch script that executed a command beyond his authorization and then make it fire, thus executing commands that he would not be able to execute directly.

Maybe a solution would be to make the OS do a "mask" of the allowed security policy of the executed script with the effective authorization of the user who created it. So, a script executed by that netwatch instance still does not have permission beyond what the user had, but potentially more than it has now (when it is created by a user in the "full" group, i.e. "the administrator").

I think also related was that the netwatch scripts are executed as the "system" user rather than as the user that created them. That could (and probably should) be fixed as well.
 
jarda
Forum Guru
Forum Guru
Posts: 7472
Joined: Mon Oct 22, 2012 4:46 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 1:04 pm

Then such a user should simply be limited by his rights to creating or modifying only those objects that do not have bigger rights.

Netwatch should not be crippled, and it should not inherit the user's rights, because another user might be willing to change it afterwards.
 
pe1chl
Forum Guru
Forum Guru
Posts: 4725
Joined: Mon Jun 08, 2015 12:09 pm

Re: Netwatch deprecated ?

Thu May 31, 2018 2:36 pm

This way of operation has been widely accepted in other environments where privilege problems occur in scheduled scripts, for example. In Windows, Linux, Unix, whatever: a user can create a scheduled script, but when it runs it will run as the user that created it. Other users will not be able to modify it, unless they are the administrator. After that, depending on the change and the OS, it might or might not be owned by the administrator.
 
Kraken2k
newbie
Posts: 42
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: Netwatch deprecated ?

Mon Jun 04, 2018 12:55 pm

Now that Netwatch can't access global variables, is there any way to pass a value to the launched script?

I have a few dozen devices checked by Netwatch and one script for checking whether the host is down or up for good; the main reason is that in case of any change I change it just once, not fifty times.
# Init script, launched once at system start

# specify local site
:global nwlocal "central";

# specify checked host;
:global nwhost "undef";

# define "site" -> "actual_state" (0 - down, 1 - up)
:global nwlist {
site1=0;
site2=0;
site3=0;
site4=0;
site5=0;
}

# define netwatch sites "site" -> "ip"
:global peerip {
site1="192.168.1.254";
site2="192.168.2.254";
site3="192.168.3.254";
site4="192.168.4.254";
site5="192.168.5.254";
}
Script "CheckNetwatchAlert" used in Netwatch up/down:
# On Tunnel up/down run (pass the host to check in nwhost global variable):
#:global nwhost "site1";
#/system script run CheckNetwatchAlert:

# specify e-mail as alert destination
:local email "alert@domain.net";

:global nwhost;
:global nwlist;
:global nwlocal;
:global peerip;

:if ([/ping ($peerip->$nwhost) interval=3s count=10] =0) do={
  /tool e-mail send to=$email subject="[Alert] IPsec tunnel $nwhost <-> $nwlocal down" body="Tunnel from $nwhost to $nwlocal down!";
  :set ($nwlist->$nwhost) 0;
} else={
  :if (($nwlist->$nwhost) =0) do={
    /tool e-mail send to=$email subject="[Alert] IPsec tunnel $nwhost <-> $nwlocal up" body="Tunnel from $nwhost to $nwlocal up!";
    :set ($nwlist->$nwhost) 1;
  }
}
Now the question is: how to rewrite these scripts without access to global variables? I mean yes, I can have a unique 'send email' script for every host checked by netwatch, but it becomes hell once you need to change anything in the script itself.
 
sindy
Forum Guru
Forum Guru
Posts: 2225
Joined: Mon Dec 04, 2017 9:19 pm

Re: Netwatch deprecated ?

Mon Jun 04, 2018 1:22 pm

Try the following:
  1. on the command line (terminal, ssh) write global myGlobal 45
  2. in the netwatch script use [/system script environment get myGlobal value] instead of $myGlobal.
I know your netwatch script is more complex, this is just to check whether it works this way at all.
 
fibernet4u
newbie
Posts: 32
Joined: Sat Dec 03, 2016 12:44 pm

Re: Netwatch deprecated ?

Mon Jun 04, 2018 3:15 pm

Dear Xymox/All,

I would like to bring to your notice the online cloud service below, which still works like a charm with netwatch functionality. If you use netwatch to notify yourself about any LAN or WAN host, then IPGovernor will help you achieve it with more granular netwatch functionality to avoid false alerts.... I suggest taking a look.

viewtopic.php?f=8&t=135227

http://api.ipgovernor.com/api

Also, to bring to your notice: I have just upgraded to the latest version 6.42.3 and the cloud is properly syncing with its netwatch script.

Regards
 
aya
just joined
Posts: 7
Joined: Fri Jun 21, 2013 12:19 pm

Re: Netwatch deprecated ?

Thu Jun 28, 2018 8:59 pm

Unfortunately at the moment you will not be able to access global variables from netwatch executed scripts.
Does "at the moment" mean that MikroTik will fix this problem? Or is it better to no longer mess with MikroTik?
 
ea5geb
just joined
Posts: 1
Joined: Fri Jul 13, 2018 9:39 am

Re: Netwatch deprecated ?

Fri Jul 13, 2018 9:57 am

Confirmed working OK.

Unselect ftp, policy, password, sensitive, sniff and it works OK.

Thanks.
 
jo2jo
Forum Veteran
Forum Veteran
Posts: 919
Joined: Fri May 26, 2006 1:25 am

Re: Netwatch deprecated ?

Sun Jul 29, 2018 5:54 am

This is very concerning. Netwatch is something admins depend on to keep their routers up, online and accessible. Now I have a huge unknown floating around, as we use netwatch to call scripts (since netwatch is too basic, with a single ping to cause an action, great MT scripts are the perfect solution). I was actually writing a new script for a new netwatch setup when I found this thread as I was searching for something else netwatch related (else I would not have known, even though I read every line of each changelog before applying, or not applying, an update).

So with this change, the way for admins to know it's broken is when your location goes offline and you have to drive out to the location (as a netwatch-called script has failed now).

This is not something that should be changed with just a single line in the changelog. MT, give examples of what worked before and does not work now. Below is just one example of my netwatch setups that I'm not clear on, whether it's broken or not. (This script, btw, was a workaround since MT WON'T fix power cycle on hEX PoEs, see other threads, and support@mt acknowledged the issue, and that it may not get fixed.)

Netwatch calls this script if down:
(which calls another script if needed, all to do a PoE power cycle when needed to a modem powered via PoE):

:local ipPing ("70.xxxx")
:local pingip
#
# pingip below RUNS and sets the variable
# to number of successful pings, i.e. 3 means 3 of 45 success
# can also use ($pingip > 1) or ($pingip >= 1) both TESTED
# ($pingip >= 1) means if only 1 or 0 pings do the IF, not the ELSE
#
:log info ("ping CHECK script IS RUNNING NOW")
# first delay 90 before ping test in case this is running at POWER UP
:delay 90
:set pingip [/ping $ipPing count=45]
:if ($pingip <= 3) do={
    :log warning (">95% lost ping LOSS to COX GW IP 7xxxx via ether5-to-cox so DO POE powerCYCLE")
    /interface ethernet poe set ether5-to-COX poe-out=off
    :delay 12
    /interface ethernet poe set ether5-to-COX poe-out=auto-on
    :delay 10
    :log warning ("ether5-to-cox POE HAS BEEN TURNED BACK ON")
    :delay 90
    /system script run emailPOEresult
} else={
    :log warning ("PoeCyclePINGcheck ELSE ran so no ping loss detected by script")
}



-----


# second script: collect the PoE-related log lines and e-mail them
:global logMessages;
:set logMessages ""
:foreach i in=[/log find message~"poe"] do={
    :set logMessages ($logMessages . [/log get $i time ] . " ");
    :set logMessages ($logMessages . [/log get $i message ]);
    :set logMessages ($logMessages . "\n")
}
#
# below to add time stamp
#
:set logMessages ($logMessages . "email sent at " . [/system clock get date] . " " . [/system clock get time])
#:log info $logMessages
/tool e-mail send to=xxxxx body=$logMessages server=[:resolve smtp.gmail.com] user=xxxxxxx start-tls=yes port=587;
# three beeps; separate commands on one line with ";"
:beep; :beep; :beep
 
pe1chl
Forum Guru
Forum Guru
Posts: 4725
Joined: Mon Jun 08, 2015 12:09 pm

Re: Netwatch deprecated ?

Sun Jul 29, 2018 1:17 pm

People please understand: the reason why this was changed is that it was a big security issue! You can keep complaining that it is not doing anymore what you want it to do, but it is more important that the router is secure and that it is not so easy to get admin access as it was before this change.

Hopefully some time a better security mechanism will be implemented that allows features like the old netwatch functionality without causing security problems, but such a change will likely also have impact on existing installations. It is a matter of fact that things that were very nice to have in the past, in the current world of people hacking everything that is hackable, really aren't possible anymore. Blame the hackers.

For now, when you want to do some monitoring doing pings and actions, do not start from netwatch but write a script that does both the ping and the resulting actions, and schedule that. Problem solved.
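pe1chl's closing advice (do the ping and the resulting action in one scheduled script) applied to Kraken2k's multi-site setup from earlier in the thread, as an added example that is neither from the thread nor from MikroTik. Assumed, and not shown anywhere in the thread: a script started by /system scheduler runs with the policies listed on the scheduler entry and can still read and write global variables (the 6.42 restriction mrz describes applies to scripts started by netwatch). The site names, the 192.0.2.x addresses and alert@example.net are constructed placeholders.

```routeros
# Added example (not from the thread): one scheduled script that replaces a
# netwatch entry per site. Paste this as the source of
#   /system script add name=peer-monitor policy=read,write,test
# and run it every minute with
#   /system scheduler add name=peer-monitor interval=1m policy=read,write,test on-event="/system script run peer-monitor"
# Assumption: scheduler-run scripts still see global variables, so the last
# known state of each peer can be kept in a global between runs.

:local email "alert@example.net";
:local localSite "central";

# site -> address (constructed placeholder addresses)
:local peerip {site1="192.0.2.1"; site2="192.0.2.2"; site3="192.0.2.3"};

# site -> last known state between runs: 0 = down, 1 = up
:global peerState;
:if ([:typeof $peerState] != "array") do={ :set peerState [:toarray ""]; }

:foreach site,addr in=$peerip do={
    # number of replies out of 5 probes; 0 means the peer is unreachable
    :local replies [/ping $addr count=5 interval=1s];
    :local was ($peerState->$site);
    # an unknown previous state is treated as "up", so the first failed
    # check after a router restart still raises an alert
    :if ([:typeof $was] != "num") do={ :set was 1; }

    :if ($replies = 0) do={
        :if ($was != 0) do={
            /tool e-mail send to=$email subject="[Alert] tunnel $site <-> $localSite down" body="No replies from $addr";
            :log warning "peer-monitor: $site ($addr) down";
        }
        :set ($peerState->$site) 0;
    } else={
        :if ($was = 0) do={
            /tool e-mail send to=$email subject="[Alert] tunnel $site <-> $localSite up" body="$replies of 5 replies from $addr";
            :log info "peer-monitor: $site ($addr) up";
        }
        :set ($peerState->$site) 1;
    }
}
```

The site list lives in one place, so a change to the alerting logic or the probe count is made once rather than per netwatch entry, which was Kraken2k's concern. Each run spends up to five seconds per site on probes, so with a few dozen sites either lower the probe count or split the list over two scheduler entries so one run finishes before the next starts.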
