We did try to hire a professional to write our manual. It ended in disaster, because in-depth RouterOS knowledge is required to do this. It is a huge project, and this professional needs to work side-by-side with several RouterOS experts, who give suggestions and comment on his work in real time. When we have resources to do this, we will.
If you consider using OpenVPN using MikroTik as server instead, I can offer you a detailed step-by-step instruction.
So, I am still having policy issue with my VPN .....
Yes, there is clear example of all three features:
So, I am still having policy issue with my VPN and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP ... icy...talk about frustrating..."Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear cut example...things just seem mixed up. I need to see separate example...I am using Policy templates while the IPsec checked box in L2TP server generates a peer with dynamic policy...no win situation.
I agree it would be nice if e.g. there was a separate installable package (that you can install when you have space) that will add a help button to the WebFig pages, which then point to the section of the manual for that feature. It could be a read-only version of the WiKi served by the webserver on the routerboard.
I realize this request is possibly crazy, but is there a way to incorporate the manual into the actual router hardware/firmware? So you have the ability to press a help button in web/win/box and see a page dedicated to what you are doing?
Thank you MTeeker for your offer...I will consider your offer if I still continue to have issue (I get the VPN to work when I am home; it doesn't when I am on the road).
If you consider using OpenVPN using MikroTik as server instead, I can offer you a detailed step-by-step instruction.
So, I am still having policy issue with my VPN .....
Note that Microsoft, a member of the consortium behind the development of PPTP, specifically recommends against its use. As for L2TP/IPSec, it's also heavily compromised as per Edward_S.
But it's your choice.
Thank you MrZ for responding...what I mean is for listing all requirements for Mode_Conf first, then, all requirements for policy group second, then, all requirements for policy templates. That way, one can clearly follow her picked choice.
Yes, there is clear example of all three features:
So, I am still having policy issue with my VPN and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP ... icy...talk about frustrating..."Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear cut example...things just seem mixed up. I need to see separate example...I am using Policy templates while the IPsec checked box in L2TP server generates a peer with dynamic policy...no win situation.
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
It shows how to use templates, how to use policy groups and also how to use modeconf.
Not sure if it applies in your specific VPN case. However if you can connect via VPN at home but not on the road, it seems your firewall needs to allow a range of specific IPs from remote location to be able to connect via VPN.
...(I get the VPN to work when I am home; it doesn't when I am on the road).
First of all, I would like to see that "RouterOS Manual". Then we can talk about what should be improved.
What would you like to see more or what changes in the RouterOS Manual.
Detailed criticism is welcome.
MrZ...I get the feeling that staff is asking for improvement insight, then being defensive when insights received. In the same page you cited above, the grammar is so poorly written...no commas to make things easily understood and which leads to confusion.
Yes, there is clear example of all three features:
So, I am still having policy issue with my VPN and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP ... icy...talk about frustrating..."Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear cut example...things just seem mixed up. I need to see separate example...I am using Policy templates while the IPsec checked box in L2TP server generates a peer with dynamic policy...no win situation.
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
It shows how to use templates, how to use policy groups and also how to use modeconf.
like, for example, merging the pages of Mangle, Filter and Nat in IP Firewall: does it have any sense to have three copies of firewall rules properties? I'm always getting lost in those sections
If this teaches us anything, is that we need to improve search and manual structure for easy navigation
Where are the details? This seems like a very important consideration. "It limits part of the VLAN functionality..." How? Examples? Scenarios?
Note: Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits part of VLAN functionality supported by CRS switch-chip. For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.
Not clear enough. This seems like another important consideration. From what I understand, the default learning mode on the CRS is set to SVL and not IVL. Does this 2-liner description imply that on such a default implementation this setting has no impact?
vlan-type (edge-port | network-port; Default: network-port) Port VLAN type specifies whether VLAN id is used in UFDB learning. Network port learns VLAN id in UFDB, edge port does not - VLAN 0. It can be observed only in IVL learning mode.
This seems like another extremely important security consideration. The default is "yes" - whether to forward VLANs Where? In the Cisco world unknown VLANs would still be forwarded through Trunk Ports in some cases. In the Mikrotik world and with this one liner, I have insufficient information to understand the behavior of forwarded vlans which are not members of the VLAN table.
forward-unknown-vlan (yes | no; Default: yes) Whether to allow forwarding VLANs which are not members of VLAN table.
I would also like to obtain some clarification on this particular concern. Mikrotik has evolved over the years and there seems to be great potential with the product lines being released.
First of all, I would like to see that "RouterOS Manual". Then we can talk about what should be improved.
What would you like to see more or what changes in the RouterOS Manual.
Detailed criticism is welcome.
With all due respect, wiki is *NOT* manual. It is just a bunch of web-pages, terribly outdated, badly structured, inconsistent, from different authors, with different styles of writing. RouterOS is great, but from documentation point of view, RouterOS is by far the worst software I have been working with...
Imagine new RouterOS-user with no older buddy to help him. Having no other choice he goes to wiki, checks "First time startup" just to find "Applies to RouterOS: 2.9, v3, v4". Nice welcome-message, but what about v5/v6? It is 2015, and the page was not modified for a few years. You call that "manual"?
The biggest problem of RouterOS Manual is: There is none at all!
For multi instance OSPF you have to use following command: /routing ospf instance print status
> /routing ospf monitor
bad command name monitor (line 1 column 15)
> /ip add pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
...
16 I 10.200.2.26/29 10.200.2.24 *1A
This is not the issue.
Maybe before blindly copying scripts make sure that you have interface named "ether1" and that this "ether1" actually has an address to get.
[Michael@Goat-on-a-Rope] > ip address p
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.5.1/24 192.168.5.0 ether2
1 X 192.168.0.1/24 192.168.0.0 ether7
2 10.234.123.2/30 10.234.123.0 ether1
3 10.234.123.6/30 10.234.123.4 ether9-WAN MESA1
4 D 10.0.0.100/20 10.0.0.0 ether9-WAN MESA1
5 D 192.168.77.253/24 192.168.77.0 ether1
[Michael@Goat-on-a-Rope] > interface p
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ;;; ether1-WAN_WT
ether1 ether 1500 1520 1520 D4:CA:6D:59:FD:97
1 RS ether2 ether 1500 1520 1520 D4:CA:6D:59:FD:98
2 S ether3 ether 1500 1520 1520 D4:CA:6D:59:FD:99
3 RS ether4 ether 1500 1520 1520 D4:CA:6D:59:FD:9A
4 RS ether5 ether 1500 1520 1520 D4:CA:6D:59:FD:9B
5 ether6 ether 1500 1520 1520 D4:CA:6D:59:FD:9C
6 ether7 ether 1500 1520 1520 D4:CA:6D:59:FD:9D
7 X ether8-WAN3 GBAP ether 1500 1520 1520 D4:CA:6D:59:FD:9E
8 R ether9-WAN MESA1 ether 1500 1520 1520 D4:CA:6D:59:FD:9F
9 RS wlan1 wlan 1500 1600 00:0C:42:51:B2:34
10 X *********************************
11 R bridge1 bridge 1500 1520 D4:CA:6D:59:FD:98
[Michael@Goat-on-a-Rope] > {
{... :local address1 [/ip address get [find interface="ether1"] address]
{... :put $address1
{... }
invalid internal item number
[Michael@Goat-on-a-Rope] >
so what is the issue?
This is not the issue.
:put [/ip address find interface="ether1"]
Now THAT was helpful, thanks! It seems that on an interface with more than one address it tanks:
marria wrote:
This is not the issue.
so what is the issue?
looks like you have many addresses on ether1, not a single one. check with
:put [/ip address find interface="ether1"]
{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}
[Michael@Goat-on-a-Rope] > {
{... :local address1 [/ip address get [find interface="ether1"] address]
{... :put $address1
{... }
invalid internal item number
[Michael@Goat-on-a-Rope] > :put [/ip address find interface="ether1"]
*18;*1b
[Michael@Goat-on-a-Rope] >
[Michael@RCWT1] > interface p
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ;;; 10.4.0.0
ether1 ether 1500 1520 1520 00:0C:42:6D:E0:00
1 R ether2-OUT ether 1500 1520 1520 00:0C:42:6D:E0:01
2 R ether3-NBM5_25-IN North ether 1500 1520 1520 00:0C:42:6D:E0:02
3 R wlan1 wlan 1500 1600 00:0C:42:2B:A1:A6
[Michael@RCWT1] > ip address p
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 10.4.0.1/20 10.4.0.0 ether1
1 ;;; North Clients
192.168.102.1/24 192.168.102.0 ether3-NBM5_25-IN North
2 10.2.2.1/24 10.2.2.0 wlan1
3 D 10.249.249.2/30 10.249.249.0 ether2-OUT
[Michael@RCWT1] > {
{... :local address1 [/ip address get [find interface="ether1"] address]
{... :put $address1
{... }
10.4.0.1/20
[Michael@RCWT1] > :put [/ip address find interface="ether1"]
*15
[Michael@RCWT1] >
See here what to do with arrays:
find - Returns list of internal numbers for items that are matched by given expression.
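What the quoted `find` description means for the failing script, as an added example that is not part of any post in this thread: `find` hands back an array of internal IDs, so the script walks it, or narrows the match before calling `get`. The interface name "ether1" is taken from the posts above; the variable names and the choice to prefer non-dynamic addresses are assumptions made for illustration.

```routeros
# Added example, not code from the thread or from the MikroTik manual.
# "ether1" is the interface name used in the posts above.
{
    # find returns an array of internal IDs (the thread shows *18;*1b),
    # one per address entry bound to the interface
    :local ids [/ip address find interface="ether1"]

    :if ([:len $ids] = 0) do={
        :put "no address on ether1"
    } else={
        # In the thread, get failed with "invalid internal item number"
        # when it received two IDs, so read one entry per iteration
        :foreach id in=$ids do={
            :local addr [/ip address get $id address]
            :local dyn [/ip address get $id dynamic]
            :put "address=$addr dynamic=$dyn"
        }
    }

    # When exactly one address is wanted, narrow the match inside the
    # same menu (assumption: the static entry is the one of interest)
    # and take the first remaining ID
    :local staticIds [/ip address find interface="ether1" dynamic=no]
    :if ([:len $staticIds] > 0) do={
        :put [/ip address get [:pick $staticIds 0] address]
    }
}
```

On the Goat-on-a-Rope listing above, ether1 carries one static and one dynamic entry, so the loop would print two lines and the last step would return 10.234.123.2/30.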
that's completely incorrect command. first, you get ID of 'ether1' interface and then you try to get an address having the same ID as that interface. it's called 'unpredictable behaviour'
furthermore the variation:
{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}
is likely as not to give an address from a completely different interface under that situation.
All right. Point well made, as I wouldn't know - having pulled these from the wiki.
that's completely incorrect command. first, you get ID of 'ether1' interface and then you try to get an address having the same ID as that interface. it's called 'unpredictable behaviour'
furthermore the variation:
{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}
is likely as not to give an address from a completely different interface under that situation.
Probably from the wiki. I'll try to find it in my history - likely less than a week back.
is this incorrect command from the manual?.. a link?
also this thread:
You can't use numbers of the items to get data. Find should be used instead.
For example
[/interface wireless registration-table get [find name=wlan1] rx-ccq]
:put [/interface ethernet get [/interface ethernet find name="ether1"] mtu]
{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}
There are quite a lot of things that could be clarified or updated in the wiki/manual. It's hard to list just from the top of my head. It would be much easier to insert comments or review request right on the spot, on the very page we feel something is missing, unclear, or obsolete.
What would you like to see more or what changes in the RouterOS Manual.
Detailed criticism is welcome.