Manual Improvements

Nollitik · Tue Jun 09, 2015 1:07 am

So, I am still having policy issue with my VPN and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP ... icy...talk about frustrating..."Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear cut example...things just seem mixed up. I need to see separate example...I using Policy templates while the IPsec checked box in L2TP server generates a peer with dynamic policy...no win situation.

Tue Jun 09, 2015 1:22 am

We did try to hire a professional to write our manual. It ended in disaster, because indepth RouterOS knowledge is required to do this. It is a huge project, and this professional needs to work side-by-side with several RouterOS experts, who give suggestions and comment his work in real time. When we will have resources to do this, we will.

i think forum its plenty of good examples to include on manual

MTeeker · Tue Jun 09, 2015 8:27 am

So, I am still having policy issue with my VPN .....

If you consider using OpenVPN using MikroTik as server instead, I can offer you a detailed step-by-step instruction.

Note that Microsoft, a member of the consortium behind the development of PPTP, specifically recommends against its use. As for L2TP/IPSec, it's also heavily compromised as per Edward_S.

But it's your choice.

Tue Jun 09, 2015 12:23 pm

So, I am still having policy issue with my VPN and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP ... icy...talk about frustrating..."Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear cut example...things just seem mixed up. I need to see separate example...I using Policy templates while the IPsec checked box in L2TP server generates a peer with dynamic policy...no win situation.

Yes, there is clear example of all three features:
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf

It shows how to use templates how to use policy groups and also how to use modeconf.

pe1chl · Wed Jun 10, 2015 6:43 pm

I realize this request is possibly crazy, but is there a way to incorporate the manual into the actual router hardware/firmware? So you have the ability to press a help button in web/win/box and see a page dedicated to what you are doing?

I agree it would be nice if e.g. there was a separate installable package (that you can install when you have space) that will add a help button to the WebFig pages, which then point to the section of the manual for that feature. It could be a read-only version of the WiKi served by the webserver on the routerboard.
This kind of feature is appreciated by many users and may even be not much work to add.
(after all, the URL of the WebFig page already has a reference similar to what is used in the Wiki)

Nollitik · Wed Jun 10, 2015 10:32 pm

So, I am still having policy issue with my VPN .....
If you consider using OpenVPN using MikroTik as server instead, I can offer you a detailed step-by-step instruction.

Note that Microsoft, a member of the consortium behind the development of PPTP, specifically recommends against its use. As for L2TP/IPSec, it's also heavily compromised as per Edward_S.

But it's your choice.

Thank you MTeeker for your offer...I will consider your offer if I still continue to have issue (I get the VPN to work when I am home; it doesn't when I am on the road).

Nollitik · Wed Jun 10, 2015 10:41 pm

So, I am still having policy issue with my VPN and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP ... icy...talk about frustrating..."Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear cut example...things just seem mixed up. I need to see separate example...I using Policy templates while the IPsec checked box in L2TP server generates a peer with dynamic policy...no win situation.
Yes, there is clear example of all three features:
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf

It shows how to use templates how to use policy groups and also how to use modeconf.

Thank you MrZ for responding...what I mean is for listing all requirements for Mode_Conf first, then, all requirements for policy group second, then, all requirements for policy templates. That way, one can clearly follow her picked choice.

MTeeker · Thu Jun 11, 2015 4:04 am

...(I get the VPN to work when I am home; it doesn't when I am on the road).

Not sure if it applies in your specific VPN case. However if you can connect via VPN at home but not on the road, it seems your firewall needs to allow a range of specific IPs from remote location to be able to connect via VPN.

To avoid IP clash, you need to use a separate network, say 172.16.1.1/x for remote connection, different from say 192.168.1.1/x for internal ones.

( I think it is getting away from main topic raised by mrz. Sorry.)

Thu Jun 11, 2015 9:31 am

@Nollitik: Maybe you could open new topic in general section, MTeeker is right it is going in offtopic.

Jarry · Sat Jun 13, 2015 7:47 am

What would you like to see more or what changes in the RouterOS Manual.
Detailed criticism is welcome.

First of all, I would like to see that "RouterOS Manual". Then we can talk about what should be improved.

With all do respect, wiki is *NOT* manual. It is just a bunch of web-pages, terribly outdated, badly structured, inconsistent, from different authors, with different styles of writing. RouterOS is great, but from documentation point of view, RouterOS is by far the worst software I have been working with...

Imagine new RouterOS-user with no older buddy to help him. Having no other choice he goes to wiki, checks "First time startup" just to find "Applies to RouterOS: 2.9, v3, v4". Nice welcome-message, but what about v5/v6? It is 2015, and the page was not modified for a few years. You call that "manual"?

The biggest problem of RouterOS Manual is: There is none at all!

shahbazian · Sat Jun 13, 2015 10:07 am

RouterOS is great OS but have not enough examples. there is need more configuration examples. So need documentation in more languages.

Nollitik · Sat Jun 13, 2015 7:55 pm

So, I am still having policy issue with my VPN and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP ... icy...talk about frustrating..."Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear cut example...things just seem mixed up. I need to see separate example...I using Policy templates while the IPsec checked box in L2TP server generates a peer with dynamic policy...no win situation.
Yes, there is clear example of all three features:
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf

It shows how to use templates how to use policy groups and also how to use modeconf.

MrZ...I get the feeling that staff is asking for improvement insight, then being defensive when insights received. In the same page you sited above, the grammar so poorly wrote...no commas to make things easily understood and which leads to confusion.
Apple iOS (iPhone/iPad) Client

For iOS devices to be able to connect, proposal changes are needed:

does not work with 3des encryption algorithm, aes-128/256 works
auth algorithm must be sha1
PFS group must be none
lifetime must be 8 hours

Example of valid proposal configuration for iOS devices:

/ip ipsec proposal
set default enc-algorithms=aes-128-cbc,aes-256-cbc lifetime=8h \
pfs-group=none

However, when one selects IPsec in the L2TP server, one gets this:

Screen Shot 2015-06-13 at 11.27.50 AM.png

Note that aes-192 selected despite not applying to iOS devices...so the router wastes energy keeping going through the same process...even checking md5 algorithm despite not selected.

Mon Jun 15, 2015 1:51 pm

@Nollitik please open new topic with your problem. It has nothing to do with the manual.
You are looking at the wrong settings: "/ip ipsec peer" config and "/ip ipsec proposal" config are completely different ipsec phases.

mitkos45 · Mon Jun 15, 2015 2:28 pm

hi,
I've created a new forum post in wireless section on june 11th. It looks like it never got approved by a moderator. Can you please check it out.

Thany You,
mitkos

Chupaka · Tue Jun 16, 2015 4:18 pm

If this teaches us anything, is that we need to improve search and manual structure for easy navigation

like, for example, merging the pages of Mangle, Filter and Nat in IP Firewall: does it have any sense to have three copies of firewall rules properties? I'm always getting lost in those sections

secupath · Sun Jun 21, 2015 6:40 am

I would like to see some improvements on the CRS Documentations. Examples are great and can definitely help place scenarios with context for some cases.

I am starting to develop a serious issue with the methodology in which certain properties are explained with one and two liners. Especially where it should be implied that the method in which Mikrotik is making such properties available differs largely from methodologies of other common vendors e.g. Cisco, Juniper, etc...

I have created separate topics to address my specific questions, but here are some examples.

Example 1:

Note: Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits part of VLAN functionality supported by CRS switch-chip. For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.

Where are the details? This seems like a very important consideration. "It limits part of the VLAN functionality..." How? Examples? Scenarios?

Example 2:

vlan-type (edge-port | network-port; Default: network-port) Port VLAN type specifies whether VLAN id is used in UFDB learning. Network port learns VLAN id in UFDB, edge port does not - VLAN 0. It can be observed only in IVL learning mode.

Not clear enough. This seems like another important consideration. From what I understand, the default learning mode on the CRS is set to SVL and not IVL. Does this 2-liner description imply that on such a default implementation this setting has not impact?

Example 3:

forward-unknown-vlan (yes | no; Default: yes) Whether to allow forwarding VLANs which are not members of VLAN table.

This seems like another extremely important security consideration. The default is "yes" - whether to forward VLANs Where? In the Cisco world unknown VLANs would still be forwarded through Trunk Ports in some cases. In the Mikrotik world and with this one liner, I have insufficient information to understand the behavior of forwarded vlans which are not members of the VLAN table.

secupath · Sun Jun 21, 2015 6:50 am

What would you like to see more or what changes in the RouterOS Manual.
Detailed criticism is welcome.
First of all, I would like to see that "RouterOS Manual". Then we can talk about what should be improved.

With all do respect, wiki is *NOT* manual. It is just a bunch of web-pages, terribly outdated, badly structured, inconsistent, from different authors, with different styles of writing. RouterOS is great, but from documentation point of view, RouterOS is by far the worst software I have been working with...

Imagine new RouterOS-user with no older buddy to help him. Having no other choice he goes to wiki, checks "First time startup" just to find "Applies to RouterOS: 2.9, v3, v4". Nice welcome-message, but what about v5/v6? It is 2015, and the page was not modified for a few years. You call that "manual"?

The biggest problem of RouterOS Manual is: There is none at all!

I would also like to obtain some clarification on this particular concern. Mikrotik has evolved over the years and there seems to be great potential with the product lines being released.

The current business strategy of pushing out two mainstream categorical products (Routers and now Switches) should also come with the responsibility of releasing proper documentation. Especially when considering the level of intricate control given to end-users for those products.

I can understand the initial strategy of using a Wiki -- but with all due respect, Mikrotik is not what it was 5 Years ago when it was mainly pushing Wireless products. This has been well demonstrated in the recent product development cycle and push. Competing with the 'big boys' also should come with investing the appropriate capital in developing concise technical documentation.

pchott · Tue Jun 23, 2015 1:00 pm

I would appreciate more written about VoIP optimal configuration (priority) with examples.

Otherwise I must thank you for pretty good documentation regarding fast changes of RouterOS. Maybe at the bottom of each Wiki page to be written to which RouterBoard is concern and which RouterOS versions since configuration can varies from one to another.

infused · Mon Jun 29, 2015 2:51 am

It's pretty light. CRS, more on queue management and most of all, real world examples.

davidnvega · Tue Jun 30, 2015 5:45 am

It would be nice to be open to edit for more users in different languages for each article.

tmlll · Tue Jun 30, 2015 3:53 pm

I would really appreciate less bugs, and/or some tagging of commands with the version numbers of RouterOS where these commands are supposed to work. One example off the top of my head, with 6.29, 6.29.1 and 6.30rc23:

[MikroTik] > /routing ospf monitor
bad command name monitor (line1 column 15)

found here: http://wiki.mikrotik.com/wiki/Manual:Ro ... #Interface

Tue Jun 30, 2015 3:56 pm

For multi instance OSPF you have to use following command: /routing ospf instance print status

tmlll · Tue Jun 30, 2015 4:29 pm

Hi,

I tried to post one message to this thread, but don't know where it went. So here goes again:

I would like to see less bugs in the manual, and/or a good description which version of the software a command might apply to. Eg.

> /routing ospf monitor
bad command name monitor (line 1 column 15)

At this point it is not clear whether this feature should exist, but did not make it into the image, or did exist at some point, but was deprecated, and if so, in which version and/or which other command I should be using instead to achieve a similar effect.

But I, as a newbie, also frequently run into problems trying to set up stuff, and then find error messages like these:

> /ip add pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
...
16 I 10.200.2.26/29     10.200.2.24     *1A

I have no idea what "*1A" might mean. A comprehensive list of error messages and their supposed meanings would be very helpful.

blajah · Wed Jul 08, 2015 1:53 pm

Hello MT,

Just quick intro. I'm working as tech support in one bigger ISP in my country so i will try to forward issues of customers i have helped to and what simple scenarios would be really helpful:

*xDSL modem in bridge mode and Mikrotik dialing PPPoE ( NAT) config
*Fiber with WAN/30 and public block with /29 address plans config
*Basic firewall setup, described in "simple language" ( someone mentioned you need a basic network knowledge to understand Wiki, but you guys can make an exception for this simple setups)
*Simple PPTP server setup

For 2 first topics would be nice to make picture of wiring, then prerequisites ( modem config, user/pass etc etc) step by step config.

Btw, i'm running free tech support community website in Serbian language, so that's one more channel i'm listening what people are struggling with.

If i can contribute to this, please let me know, but i do not consider myself expert by any means ( i think you have much more competent guys here).
Regards!

silversword · Thu Jul 09, 2015 8:37 pm

When you download this: http://download2.mikrotik.com/routeros/ ... e-6.30.zip

There's 20 packages that don't match this list: http://wiki.mikrotik.com/wiki/Manual:System/Packages

Trying to determine what the difference between all the wireless____ ones are.

TomosRider · Fri Jul 10, 2015 2:18 pm

Any news about this?

silversword · Fri Jul 10, 2015 3:00 pm

This will probably need RouterOS work before you can fix the manual but it would sure be nice to have this:

http://wiki.mikrotik.com/wiki/Manual:Quickset

First need a consistent list of what's in that dropdown for all devices is first step (different devices have different sets of dropdowns).

Then define what the intention of each item is: CAP, CPE, Home AP, PTP Bridge, WISP AP etc.

TomosRider · Fri Jul 10, 2015 3:46 pm

I understand the volume of this work and i can appreciate all the effort Mtik staff is putting to get this thing done. I offer myself to help in any way possible.

marria · Sat Jul 11, 2015 2:48 pm

Let's have script examples that actually work, example:
from manual or wiki

{
:local address1 [/ip address get [find interface="ether1"] address]
:put $address1
}

result:
invalid internal item number

This type of thing adds hours if not days to what could be a nice learning flow

Mon Jul 13, 2015 2:41 pm

Maybe before blindly copying scripts make sure that you have interface named "ether1" and that this "ether1" actually has an address to get.

marria · Mon Jul 13, 2015 3:48 pm

Maybe before blindly copying scripts make sure that you have interface named "ether1" and that this "ether1" actually has an address to get.

This is not the issue.

ether1 exists on test unit with an address. your assumption is erroneous''

[Michael@Goat-on-a-Rope] > ip address p
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                           
 0   192.168.5.1/24     192.168.5.0     ether2                                                                                                                              
 1 X 192.168.0.1/24     192.168.0.0     ether7                                                                                                                              
 2   10.234.123.2/30    10.234.123.0    ether1                                                                                                                              
 3   10.234.123.6/30    10.234.123.4    ether9-WAN MESA1                                                                                                                    
 4 D 10.0.0.100/20      10.0.0.0        ether9-WAN MESA1                                                                                                                    
 5 D 192.168.77.253/24  192.168.77.0    ether1                                                                                                                              
[Michael@Goat-on-a-Rope] > interface p
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ;;; ether1-WAN_WT
       ether1                              ether            1500  1520       1520 D4:CA:6D:59:FD:97
 1  RS ether2                              ether            1500  1520       1520 D4:CA:6D:59:FD:98
 2   S ether3                              ether            1500  1520       1520 D4:CA:6D:59:FD:99
 3  RS ether4                              ether            1500  1520       1520 D4:CA:6D:59:FD:9A
 4  RS ether5                              ether            1500  1520       1520 D4:CA:6D:59:FD:9B
 5     ether6                              ether            1500  1520       1520 D4:CA:6D:59:FD:9C
 6     ether7                              ether            1500  1520       1520 D4:CA:6D:59:FD:9D
 7  X  ether8-WAN3 GBAP                    ether            1500  1520       1520 D4:CA:6D:59:FD:9E
 8  R  ether9-WAN MESA1                    ether            1500  1520       1520 D4:CA:6D:59:FD:9F
 9  RS wlan1                               wlan             1500  1600            00:0C:42:51:B2:34
10  X  ********************************* 
11  R  bridge1                             bridge           1500  1520            D4:CA:6D:59:FD:98
[Michael@Goat-on-a-Rope] > {
{... :local address1 [/ip address get [find interface="ether1"] address]
{... :put $address1                                                     
{... }             
invalid internal item number
[Michael@Goat-on-a-Rope] >

Chupaka · Mon Jul 13, 2015 3:53 pm

This is not the issue.

so what is the issue?
looks like you have many addresses on ether1, not a single one. check with

:put [/ip address find interface="ether1"]

marria · Mon Jul 13, 2015 4:16 pm

marria wrote:
This is not the issue.

so what is the issue?
looks like you have many addresses on ether1, not a single one. check with

Code: Select all
:put [/ip address find interface="ether1"]

Now THAT was helpful, thanks! It seems that on a interface with more than one address it tanks:

Note for manual - "this example cannot report multiple addresses on on interface, it will report none and give error"
furthermore the variation:

{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}

is likely as not to give an address from a completely different interface under that situation.

[Michael@Goat-on-a-Rope] > {
{... :local address1 [/ip address get [find interface="ether1"] address]
{... :put $address1                                                     
{... }             
invalid internal item number
[Michael@Goat-on-a-Rope] > :put [/ip address find interface="ether1"]
*18;*1b
[Michael@Goat-on-a-Rope] >

But on a unit with only a single address it works:

[Michael@RCWT1] > interface p
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ;;; 10.4.0.0
       ether1                              ether            1500  1520       1520 00:0C:42:6D:E0:00
 1  R  ether2-OUT                          ether            1500  1520       1520 00:0C:42:6D:E0:01
 2  R  ether3-NBM5_25-IN North             ether            1500  1520       1520 00:0C:42:6D:E0:02
 3  R  wlan1                               wlan             1500  1600            00:0C:42:2B:A1:A6
[Michael@RCWT1] > ip address p
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                           
 0   10.4.0.1/20        10.4.0.0        ether1                                                                                                                              
 1   ;;; North Clients
     192.168.102.1/24   192.168.102.0   ether3-NBM5_25-IN North                                                                                                             
 2   10.2.2.1/24        10.2.2.0        wlan1                                                                                                                               
 3 D 10.249.249.2/30    10.249.249.0    ether2-OUT                                                                                                                          
[Michael@RCWT1] > {
{... :local address1 [/ip address get [find interface="ether1"] address]
{... :put $address1                                                     
{... }             
10.4.0.1/20
[Michael@RCWT1] > :put [/ip address find interface="ether1"]
*15
[Michael@RCWT1] >

So.......what are the *values and how can I use them??

Mon Jul 13, 2015 4:56 pm

If there are multiple matches then list/array is returned.
Quote from the manual:

find - Returns list of internal numbers for items that are matched by given expression.

See here what to do with arrays:
http://wiki.mikrotik.com/wiki/Manual:Sc ... ith_Arrays

Chupaka · Mon Jul 13, 2015 7:01 pm

furthermore the variation:
Code: Select all
{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}
is likely as not to give an address from a completely different interface under that situation.

that's completely incorrect command. first, you get ID of 'ether1' interface and then you try to get an address having the same ID as that interface. it's called 'unpredictable behaviour'

marria · Mon Jul 13, 2015 7:54 pm

furthermore the variation:
Code: Select all
{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}
is likely as not to give an address from a completely different interface under that situation.
that's completely incorrect command. first, you get ID of 'ether1' interface and then you try to get an address having the same ID as that interface. it's called 'unpredictable behaviour'

All right. Point well made, as I wouldn't know - having pulled these from the wiki.

This reinforces the need for a good manual, for those of us trying to learn - very confusing!

I suppose this is wandering off topic, but if you can point me to some reliable scripting reference, I'd appreciate it!

Chupaka · Mon Jul 13, 2015 7:56 pm

is this incorrect command from the manual?.. a link?

marria · Mon Jul 13, 2015 11:51 pm

is this incorrect command from the manual?.. a link?

Probably from the wiki. I'll try to find it in my history - likely less than a week back.

Update: and crow for dinner.... no link, bad interpretations

To clarify, the original Line I questioned was from - Check if IP on interface have changed
http://wiki.mikrotik.com/wiki/Manual:Scripting-examples
it appeared just the example I needed but failed because of not knowing about the single address issue.

My mistake compounded after digging around for what would work - I found a link from MRZ :
http://forum.mikrotik.com/viewtopic.php ... ta#p265825

with

You can't use numbers of the items to get data. Find should be used instead.
For example
[/interface wireless registration-table get [find name=wlan1] rx-ccq]

also this thread:
http://forum.mikrotik.com/viewtopic.php?t=35136
which had a similar appearing example:

:put [/interface ethernet get [/interface ethernet find name="ether1"] mtu]

(reconstructing my memory) I am guessing I tried rewrite the original line based on those threads as:

{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}

and it worked! for this routeros code newbie, that time, anyway, when the other did not. Hard to know, if I reconstructed this right. My bad.

It was a long road to finding out about the affect of mutiple addresses on the interface tripping me up all along.
As the original code DOES work on interfaces with single IP addresses that the manual has the right to assume, I'll eat crow. I would, however, point that out in the manual.

favincen · Fri Aug 28, 2015 5:59 pm

What would you like to see more or what changes in the RouterOS Manual.
Detailed criticism is welcome.

There are quite a lot of things that could be clarified or updated in the wiki/manual. It's hard to list just from the top of my head. I would be much easier to insert comments or review request right on the spot, on the very page we feel something is missing, unclear, or obsolete.
That's my first suggestion: allow commenting on each page of the wiki. That would be much more efficient than trying to remember what point was unclear or missing some few weeks or months ago...

Without doubts some would try to ask for support in the wiki comments instead of the forums, so it would be wise to state and underline that no anwsers will be provided in the comments, just inputs for improving the documentation will be taken into account...

Also, as it is a wiki, it could be very efficient to allow some kind of editing, probably with some moderator to review and commit proposed changes (create/update/delete).
In other words, make it a real wiki, where all can interact !

my 2 cents.
Fabrice

BMan · Tue Sep 22, 2015 7:01 am

There is almost nothing about Policy Routing and _nothing_ about Route Rules in manual. Please add some information and examples about it.

lectrapon · Tue Oct 06, 2015 5:33 pm

We need a French version of Manual because there are some technical section that can't be easy for us to understand.

Tue Oct 06, 2015 7:42 pm

Sure. Someone should be so kind and translate the manual into all languages of the world (ironic) . Just French is not enough and there are much more needed languages than French (not ironic) .

wil · Wed Oct 07, 2015 10:36 pm

The manual made it quite difficult to figure some details out for me. These are some things that I want to point out particularily:
* IPv6:
The basic setup was actually reasonable well described in examples, but if you get dynamic prefixes from your ISP then there are parts that are not covered by the examples and you have do dig quite deep into the manual and find things out by yourself. It took me quite a while how I get the dynamic ipv6 pool from my ISP and setup prefix delegation for it. Also the router must pick its own address from the ipv6 pool and it takes too long to find the information on how this is supposed to work.

* Firewall in combination with ppp incoming/outgoing-filter option
I think there was just a sketchy example describing the feature that was not very helpful. But there was also some bad luck involved with some firmware bugs and the old firewall print command not showing dynamic rules by default.

* IPSec
There can never be enough documentation on this one, right?

Basic setup is fine but once you dig into policy groups / templates topics it gets hard to find good information.

Examples are nice when you have to get something fairly standard quickly done. There command reference is alright, although there could be some better descriptions for the parameters here and there. What I was often missing is documentation that describes the some mechanics that are implemented in the OS, like the dynamic ipv6 pools or firewall rules for the dynamic ppp interfaces. It just takes too long to find the little pieces of information from the command reference to understand how a particular feature works.

MartijnVdS · Fri Oct 30, 2015 10:05 am

I would like to see some improvement in the documentation for /certificate scep-server

A bit of explanation of what SCEP is, what the different roles are (CA, RA) or at least something about what all the configuration options mean would be great.

kurtkraut · Sun Nov 01, 2015 6:05 pm

MUM Videos are a valuable resource and many talks cover in a very instructive way. I suggest the effort of searching for MUM Videos and adding them to the bottom of each manual page as 'related videos'. So eventual gaps the text may leave might be covered in the video. Also most of the wiki pages lack of real world scenarios and example, which the MUM Videos are rich in that matter.

Who is online