Quote:
    If we know that the 2.9 manual had 709 pages, I expect the current version to have no less than 1000.
Cisco IOS Configuration Fundamentals Command Reference Release 12.2 is 974 pages long.
Quote:
    Each new feature has to be added promptly, and a new version of the manual has to be released together with each new release of ROS.
Amen.
Quote:
    Hello Mikrotik staff,
    It looks like your documentation got corrupted, so why don't you reset it to factory defaults and start it from scratch?
What do you mean exactly?
Quote:
    For VPN, there is no explanation of what policy override and policy strict mean...
From the manual:
    no - do not generate policies
    port-override -- generate policies and force the policy to use any port (old behavior)
    port-strict -- use ports from the peer's proposal, which should match the peer's policy

Quote:
    For VPN, there is no explanation of what policy override and policy strict mean...
Okay, it has been added; however, last year I checked and it wasn't there, so I just gave up or put off completing the VPN setup.

Quote:
    Okay, it has been added; however, last year I checked and it wasn't there, so I just gave up or put off completing the VPN setup.
Since the manual is powered by a Wiki, you can see that this text has been there since 2012.
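An added example, not code from this thread or from the MikroTik manual, showing the three generate-policy values quoted above as they appear on a RouterOS v6 road-warrior IPsec peer, together with the L2TP server setting that later posts call "the IPsec box". The pre-shared secret, the proposal algorithms and the comment are placeholders; the behaviour notes in the comments are taken from the manual text quoted above and from later posts in this thread.

```routeros
# Added example (not from the thread). RouterOS v6 CLI. A road-warrior peer
# accepts connections from any source address (0.0.0.0/0), so the responder
# cannot pre-create a static policy and has to generate one per connecting peer.
# Secret, algorithms and lifetime values below are placeholders.

# Phase-2 proposal used by the generated policies (assumed values).
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc \
    auth-algorithms=sha256,sha1 pfs-group=modp2048

# generate-policy=no: nothing is generated; you must add a matching
#   /ip ipsec policy by hand, which is not possible when the peer IP is unknown.
# generate-policy=port-override: a policy is generated but forced to
#   any port (the old behaviour), so a peer proposing "UDP 1701 only"
#   still gets a policy covering all of its traffic.
# generate-policy=port-strict: ports are taken from the peer's proposal and
#   must match the peer's own policy; the tighter of the two.
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key \
    secret="CHANGE-ME-long-random-psk" exchange-mode=main-l2tp passive=yes \
    generate-policy=port-strict nat-traversal=yes \
    comment="road-warrior responder (example)"

# Equivalent of ticking the IPsec box in the L2TP server: RouterOS then
# creates a dynamic peer and dynamic policies by itself (as a later post in
# this thread notes), so do not ALSO keep a manual 0.0.0.0/0 peer or manual
# policy templates for the same clients; the two compete for the connection.
/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret="CHANGE-ME-long-random-psk" \
    authentication=mschap2

# Check what was generated (dynamic entries carry the D flag):
/ip ipsec peer print
/ip ipsec policy print
```

Use either the manual peer or the L2TP server's built-in IPsec, not both; the "no-win situation" described further down in this thread is exactly what happens when a hand-made policy template and the dynamic peer both claim the same incoming client.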
Quote:
    When it was editable by anyone, it only brought mistakes and problems. Currently we give edit rights to select people who have shown interest (trusted trainers with good knowledge).
OK, but at least have somewhere that is a wiki. I have tons of scripts I wrote to share, but can't post them.
Quote:
    What I need is a clear, no-nonsense instruction on setting up a VPN for folks who have an office at home and want to connect from anywhere in the world where the IP address is unknown. I have been wanting to have this done for two years now and have been grossly disappointed with Mikrotik support. During that time, I just gave up, as it amounted to a waste of time. I had been attempting this before the changes in policy (policy strict, policy override) that promised to make things easier. Every week, it's safe to say, someone has had an issue implementing VPN... if the instructions were clear, despite the technical subject, we wouldn't see so much frustration from Mikrotik buyers.
You can do this in QuickSet with one click:
Quote:
    What I need is a clear, no-nonsense instruction on setting up a VPN for folks who have an office at home and want to connect from anywhere in the world where the IP address is unknown.
Hello, I followed this YouTube guide -
https://www.youtube.com/watch?v=cgfXs6ZJrgs
Additions and Blog on my experience posted on this Mikrotik forum post -
http://forum.mikrotik.com/viewtopic.php?f=14&t=97223
This was done on an RB450 with RouterOS v6.27.
Quote:
    You can do this in QuickSet with one click:
Thank you Normis for responding. I saw that... wasn't sure how to apply that, as I wanted to use my server (Apple) and my domain. Last year, I saw the IPsec box in the L2TP server and had asked the personnel who handled my support ticket... it seems that the personnel just avoided addressing my question, just pointing to things that made it more complex, without resolution. Checking that box resolved my problem and I now have VPN working.
Quote:
    Convert it back into a WIKI so people can add/fix things.
+1 on this.
A lot of the pages need better explanations, and more examples.
Quote:
    What I need is a clear, no-nonsense instruction on setting up a VPN for folks who have an office at home and want to connect from anywhere in the world where the IP address is unknown. I have been wanting to have this done for two years now and have been grossly disappointed with Mikrotik support. During that time, I just gave up, as it amounted to a waste of time. I had been attempting this before the changes in policy (policy strict, policy override) that promised to make things easier. Every week, it's safe to say, someone has had an issue implementing VPN... if the instructions were clear, despite the technical subject, we wouldn't see so much frustration from Mikrotik buyers.
As I said earlier, Mikrotik should provide an accurate and up-to-date manual with best practices... and so on, but... if you have not succeeded in setting it up in two years with all the available examples published in various places, I do not see how a manual can help you (no offense).
Quote:
    As I said earlier, Mikrotik should provide an accurate and up-to-date manual with best practices... and so on, but... if you have not succeeded in setting it up in two years with all the available examples published in various places, I do not see how a manual can help you (no offense).
No offense taken, and it doesn't mean I was at it every day of the 730 days. In fact, I had all the settings up, then gave up after policy issues for 1 1/2 years, and all I needed to do, as it turned out, was to check the IPsec box in the L2TP server... hooray!
When it was editable by anyone, it only brought mistakes and problems. Currently we give edit rights to select people who have shown interest (trusted trainers with good knowledge).
Quote:
    We did try to hire a professional to write our manual.
I think it is appreciated by all, and thanks to MikroTik for trying.
Quote:
    It ended in disaster, because in-depth RouterOS knowledge is required to do this.
I would not suggest a professional communicator WITHOUT a basic knowledge of networking fundamentals (i.e. a technical writer). Perhaps concentrate on topics of basic to medium technical complexity first.
Quote:
    It is a huge project, and this professional needs to work side-by-side with several RouterOS experts, who give suggestions and comment on his work in real time.
I understand. But I'd say no more challenging than the Great Wall of China or the Egyptian Pyramids.
We did try to hire a professional to write our manual. It ended in disaster, because in-depth RouterOS knowledge is required to do this. It is a huge project, and this professional needs to work side-by-side with several RouterOS experts, who give suggestions and comment on his work in real time. When we have the resources to do this, we will.
Quote:
    So, I am still having policy issue with my VPN .....
If you consider using OpenVPN with MikroTik as the server instead, I can offer you detailed step-by-step instructions.
Quote:
    So, I am still having a policy issue with my VPN, and reading this doesn't seem to be CLEAR: http://wiki.mikrotik.com/wiki/Manual:IP ... icy ... talk about frustrating... "Mode Conf, policy group and policy templates will allow us to overcome these problems." However, there is no clear-cut example... things just seem mixed up. I need to see separate examples... I am using policy templates while the IPsec checkbox in the L2TP server generates a peer with a dynamic policy... no-win situation.
Yes, there is a clear example of all three features:
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
It shows how to use templates, how to use policy groups and also how to use Mode Conf.

Quote:
    I realize this request is possibly crazy, but is there a way to incorporate the manual into the actual router hardware/firmware? So you have the ability to press a help button in web/win/box and see a page dedicated to what you are doing?
I agree it would be nice if, e.g., there was a separate installable package (that you can install when you have space) that adds a help button to the WebFig pages, which then points to the section of the manual for that feature. It could be a read-only version of the Wiki served by the web server on the RouterBOARD.

Quote:
    If you consider using OpenVPN with MikroTik as the server instead, I can offer you detailed step-by-step instructions.
Thank you MTeeker for your offer... I will consider your offer if I still continue to have issues (I get the VPN to work when I am home; it doesn't when I am on the road).

Note that Microsoft, a member of the consortium behind the development of PPTP, specifically recommends against its use. As for L2TP/IPSec, it's also heavily compromised as per Edward_S.
But it's your choice.

Quote:
    Yes, there is a clear example of all three features:
Thank you MrZ for responding... what I mean is listing all requirements for Mode Conf first, then all requirements for policy groups second, then all requirements for policy templates. That way, one can clearly follow her picked choice.
Quote:
    ...(I get the VPN to work when I am home; it doesn't when I am on the road).
Not sure if it applies in your specific VPN case. However, if you can connect via VPN at home but not on the road, it seems your firewall needs to allow a range of specific IPs from the remote location to be able to connect via VPN.
Quote:
    What would you like to see more of, or what changes, in the RouterOS Manual?
    Detailed criticism is welcome.
First of all, I would like to see that "RouterOS Manual". Then we can talk about what should be improved.
Quote:
    Yes, there is a clear example of all three features:
    http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
    It shows how to use templates, how to use policy groups and also how to use Mode Conf.
MrZ... I get the feeling that staff is asking for improvement insight, then being defensive when insights are received. On the same page you cited above, the grammar is so poorly written... no commas to make things easily understood, which leads to confusion.
Quote:
    If this teaches us anything, it is that we need to improve search and manual structure for easy navigation.
Like, for example, merging the pages of Mangle, Filter and NAT in IP Firewall: does it make any sense to have three copies of the firewall rule properties? I'm always getting lost in those sections.
Quote:
    Note: Multiple master-port configuration is designed as a fast and simple port isolation solution, but it limits part of the VLAN functionality supported by the CRS switch-chip. For advanced configurations use one master-port within the CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.
Where are the details? This seems like a very important consideration. "It limits part of the VLAN functionality..." How? Examples? Scenarios?

Quote:
    vlan-type (edge-port | network-port; Default: network-port) Port VLAN type specifies whether VLAN id is used in UFDB learning. Network port learns VLAN id in UFDB, edge port does not - VLAN 0. It can be observed only in IVL learning mode.
Not clear enough. This seems like another important consideration. From what I understand, the default learning mode on the CRS is set to SVL and not IVL. Does this two-line description imply that on such a default implementation this setting has no impact?

Quote:
    forward-unknown-vlan (yes | no; Default: yes) Whether to allow forwarding VLANs which are not members of VLAN table.
This seems like another extremely important security consideration. The default is "yes" - whether to forward VLANs where? In the Cisco world, unknown VLANs would still be forwarded through trunk ports in some cases. In the Mikrotik world, and with this one-liner, I have insufficient information to understand the behavior of forwarded VLANs which are not members of the VLAN table.
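An added example, not code from this thread or from the MikroTik manual, putting the two properties quoted in the post above into a minimal CRS switch-chip VLAN configuration, with the default forward-unknown-vlan=yes replaced by the restrictive setting. Property names are those of the RouterOS v6 CRS1xx/2xx switch-chip manual; the port roles (ether2 as the tagged trunk, ether3/ether4 as access ports) and the VLAN IDs are assumptions.

```routeros
# Added example (not from the thread). RouterOS v6, CRS1xx/2xx switch chip.
# Port names, trunk/access roles and VLAN IDs are assumptions.

# With the default forward-unknown-vlan=yes, a tagged frame whose VLAN ID is
# not in the VLAN table is still switched, so whatever tag a client puts on
# its own frames crosses the switch chip unfiltered. Set it to "no" so that
# only VLANs listed in the table below are forwarded, and drop frames whose
# source port is not a member of the VLAN they carry.
/interface ethernet switch
set forward-unknown-vlan=no \
    drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether3,ether4

# VLAN table: the trunk carries both VLANs; each access port belongs to one.
/interface ethernet switch vlan
add vlan-id=10 ports=ether2,ether3
add vlan-id=20 ports=ether2,ether4

# Trunk: keep tags as they are, only accept VLANs the port is a member of.
# Access ports: strip the tag on egress, tag untagged ingress with the
# port's default VLAN, refuse frames carrying any other tag (vlan-mode=secure).
# vlan-type=edge-port is the property quoted above: it changes only how the
# VLAN ID is recorded in the UFDB (and only in IVL learning mode); it does not
# filter anything by itself, so the membership and secure mode above are what
# actually isolate the ports.
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=leave-as-is vlan-type=network-port
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=10 vlan-type=edge-port
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=20 vlan-type=edge-port

# Verify: after this, a frame tagged with VLAN 30 arriving on ether3 must not
# appear on any other port.
/interface ethernet switch vlan print
/interface ethernet switch port print
```

The check to run once the configuration is in place is the negative one: send a frame tagged with a VLAN ID that is not in the table into an access port and confirm it is dropped, since that is exactly the case the one-line manual entry leaves undescribed.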
Quote:
    First of all, I would like to see that "RouterOS Manual". Then we can talk about what should be improved.
I would also like to obtain some clarification on this particular concern. Mikrotik has evolved over the years and there seems to be great potential with the product lines being released.
With all due respect, the wiki is *NOT* a manual. It is just a bunch of web pages, terribly outdated, badly structured, inconsistent, from different authors, with different styles of writing. RouterOS is great, but from a documentation point of view, RouterOS is by far the worst software I have been working with...
Imagine a new RouterOS user with no older buddy to help him. Having no other choice, he goes to the wiki, checks "First time startup" just to find "Applies to RouterOS: 2.9, v3, v4". Nice welcome message, but what about v5/v6? It is 2015, and the page has not been modified for a few years. You call that a "manual"?
The biggest problem of RouterOS Manual is: There is none at all!
Quote:
    > /routing ospf monitor
    bad command name monitor (line 1 column 15)
For multi-instance OSPF you have to use the following command: /routing ospf instance print status
> /ip add pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
...
16 I 10.200.2.26/29 10.200.2.24 *1A
Quote:
    Maybe before blindly copying scripts, make sure that you have an interface named "ether1" and that this "ether1" actually has an address to get.
This is not the issue.
[Michael@Goat-on-a-Rope] > ip address p
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.5.1/24 192.168.5.0 ether2
1 X 192.168.0.1/24 192.168.0.0 ether7
2 10.234.123.2/30 10.234.123.0 ether1
3 10.234.123.6/30 10.234.123.4 ether9-WAN MESA1
4 D 10.0.0.100/20 10.0.0.0 ether9-WAN MESA1
5 D 192.168.77.253/24 192.168.77.0 ether1
[Michael@Goat-on-a-Rope] > interface p
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ;;; ether1-WAN_WT
ether1 ether 1500 1520 1520 D4:CA:6D:59:FD:97
1 RS ether2 ether 1500 1520 1520 D4:CA:6D:59:FD:98
2 S ether3 ether 1500 1520 1520 D4:CA:6D:59:FD:99
3 RS ether4 ether 1500 1520 1520 D4:CA:6D:59:FD:9A
4 RS ether5 ether 1500 1520 1520 D4:CA:6D:59:FD:9B
5 ether6 ether 1500 1520 1520 D4:CA:6D:59:FD:9C
6 ether7 ether 1500 1520 1520 D4:CA:6D:59:FD:9D
7 X ether8-WAN3 GBAP ether 1500 1520 1520 D4:CA:6D:59:FD:9E
8 R ether9-WAN MESA1 ether 1500 1520 1520 D4:CA:6D:59:FD:9F
9 RS wlan1 wlan 1500 1600 00:0C:42:51:B2:34
10 X *********************************
11 R bridge1 bridge 1500 1520 D4:CA:6D:59:FD:98
[Michael@Goat-on-a-Rope] > {
{... :local address1 [/ip address get [find interface="ether1"] address]
{... :put $address1
{... }
invalid internal item number
[Michael@Goat-on-a-Rope] >
Quote:
    This is not the issue.
So what is the issue?
marria wrote:
    So what is the issue?
    Looks like you have many addresses on ether1, not a single one. Check with
    :put [/ip address find interface="ether1"]
Now THAT was helpful, thanks! It seems that on an interface with more than one address it tanks:
{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}
[Michael@Goat-on-a-Rope] > {
{... :local address1 [/ip address get [find interface="ether1"] address]
{... :put $address1
{... }
invalid internal item number
[Michael@Goat-on-a-Rope] > :put [/ip address find interface="ether1"]
*18;*1b
[Michael@Goat-on-a-Rope] >
[Michael@RCWT1] > interface p
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ;;; 10.4.0.0
ether1 ether 1500 1520 1520 00:0C:42:6D:E0:00
1 R ether2-OUT ether 1500 1520 1520 00:0C:42:6D:E0:01
2 R ether3-NBM5_25-IN North ether 1500 1520 1520 00:0C:42:6D:E0:02
3 R wlan1 wlan 1500 1600 00:0C:42:2B:A1:A6
[Michael@RCWT1] > ip address p
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 10.4.0.1/20 10.4.0.0 ether1
1 ;;; North Clients
192.168.102.1/24 192.168.102.0 ether3-NBM5_25-IN North
2 10.2.2.1/24 10.2.2.0 wlan1
3 D 10.249.249.2/30 10.249.249.0 ether2-OUT
[Michael@RCWT1] > {
{... :local address1 [/ip address get [find interface="ether1"] address]
{... :put $address1
{... }
10.4.0.1/20
[Michael@RCWT1] > :put [/ip address find interface="ether1"]
*15
[Michael@RCWT1] >
Quote:
    find - Returns a list of internal numbers for items that are matched by the given expression.
See here what to do with arrays:
That's a completely incorrect command. First, you get the ID of the 'ether1' interface and then you try to get an address having the same ID as that interface. It's called 'unpredictable behaviour'. Furthermore, the variation:
{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}
is as likely as not to give an address from a completely different interface under that situation.
Quote:
    That's a completely incorrect command. First, you get the ID of the 'ether1' interface and then you try to get an address having the same ID as that interface. It's called 'unpredictable behaviour'. Furthermore, the variation:
    {
    :local address1 [/ip address get [/interface ethernet find name=ether1] address]
    :put $address1
    }
    is as likely as not to give an address from a completely different interface under that situation.
All right. Point well made, as I wouldn't know, having pulled these from the wiki.
Quote:
    Is this incorrect command from the manual?.. a link?
Probably from the wiki. I'll try to find it in my history - likely less than a week back.
Also this thread:
Quote:
    You can't use numbers of the items to get data. Find should be used instead.
    For example
    [/interface wireless registration-table get [find name=wlan1] rx-ccq]
    :put [/interface ethernet get [/interface ethernet find name="ether1"] mtu]
{
:local address1 [/ip address get [/interface ethernet find name=ether1] address]
:put $address1
}
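An added example, not code from this thread or from the MikroTik wiki, that handles both failure modes discussed in the posts above: "find" returning several internal IDs when an interface carries more than one address (a bare "get" on that list fails with "invalid internal item number"), and the variation that feeds an /interface ethernet ID into /ip address get, which looks up the wrong table. The interface name "ether1" and the output wording are assumptions.

```routeros
# Added example (not from the thread). RouterOS v6 scripting.
#
# Two things go wrong in the snippets discussed above:
#  - [/ip address find interface="ether1"] returns an ARRAY of internal IDs
#    (e.g. *18;*1b) when the interface has more than one address; passing
#    that array straight to "get" gives "invalid internal item number".
#  - [/interface ethernet find name=ether1] returns the ID of the INTERFACE
#    entry, a different table; using it as an /ip address ID is undefined
#    and may return an address belonging to an unrelated interface.
#
# The interface name is an assumption; change it to match your router.
:local ifname "ether1"

# Always collect the matching /ip address entries first.
:local ids [/ip address find interface=$ifname]

:if ([:len $ids] = 0) do={
    :put ("no address on " . $ifname)
} else={
    # Walk the array instead of handing it to "get" in one go.
    :foreach id in=$ids do={
        :local addr [/ip address get $id address]
        # "dynamic" tells a static address from one assigned by DHCP client
        # or PPP, which is the usual reason an interface has two addresses.
        :local dyn [/ip address get $id dynamic]
        :put ($ifname . ": " . $addr . " (dynamic=" . [:tostr $dyn] . ")")
    }
}

# If the script needs exactly one address, pick it explicitly (here: the
# first static one) rather than relying on the order of the array.
:local statics [/ip address find interface=$ifname dynamic=no]
:if ([:len $statics] > 0) do={
    :local address1 [/ip address get ($statics->0) address]
    :put ("first static address on " . $ifname . ": " . $address1)
} else={
    :put ("no static address on " . $ifname)
}
```

On the first router shown above (ether1 with 10.234.123.2/30 plus a dynamic 192.168.77.253/24) the loop prints both entries and the second block picks the /30; on the second router (one address) both print the same 10.4.0.1/20, which is the case where the original one-liner happened to work.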
Quote:
    What would you like to see more of, or what changes, in the RouterOS Manual?
    Detailed criticism is welcome.
There are quite a lot of things that could be clarified or updated in the wiki/manual. It's hard to list them just off the top of my head. It would be much easier to insert comments or review requests right on the spot, on the very page where we feel something is missing, unclear, or obsolete.