Why does the default-encryption PPP profile use *FFFFFFFE instead of 1?

Hello all,

I’ve configured my new router as needed - nothing special. Nonetheless, I’m left wondering why the default config from the router uses *FFFFFFFE for the default-encryption profile instead of simply 1.

In more detail - this sets the default-encryption profile:

## VPN/PPP settings
# PPP profile (default-encryption)
/ppp profile set *FFFFFFFE bridge=bridge dns-server=192.168.89.1 local-address=192.168.89.1 remote-address=vpn

This is what I use, it works the same :

## VPN/PPP settings
# PPP profile (default-encryption)
/ppp profile set 1 bridge=bridge dns-server=192.168.89.1 local-address=192.168.89.1 remote-address=vpn

The 1 is the number of the profile when you do the following:

[username@router] > ppp profile print
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default address-list="" 
     on-up="" on-down="" 

 1 * name="default-encryption" local-address=192.168.89.1 remote-address=vpn bridge=bridge use-mpls=default use-compression=default use-encryption=yes 
     only-one=default change-tcp-mss=yes use-upnp=default address-list="" dns-server=192.168.89.1 on-up="" on-down=""

If it's of any use, here is the entire config file.

# RouterOS 6.47.4
# software id = 
#
# model = RB760iGS
# serial number = 

# Start local scope
{
:local adminMac ""
:local pppoeUser ""
:local pppoePassword ""
:local ipsecSecret ""
:local vpnUser ""
:local vpnPassword ""
:local adminName ""
:local adminPassword ""

## Interfaces settings
# Bridge
/interface bridge add admin-mac=$adminMac arp=proxy-arp auto-mac=no name=bridge
/interface bridge port add bridge=bridge interface=ether1
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=sfp1
# PPPoE
/interface pppoe-client add add-default-route=yes disabled=no interface=ether5 name=pppoe-out1 password=$pppoePassword use-peer-dns=yes user=$pppoeUser
# L2TP
/interface l2tp-server server set authentication=mschap1,mschap2 enabled=yes ipsec-secret=$ipsecSecret use-ipsec=yes
# Interface lists
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=bridge list=LAN
/interface list member add interface=ether5 list=WAN
/interface list member add interface=pppoe-out1 list=WAN

## IP settings
# Router IP
/ip address add address=192.168.88.1/24 interface=bridge network=192.168.88.0
# IP pools
/ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=vpn ranges=192.168.89.2-192.168.89.255
# DHCP server (LAN)
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=default-dhcp
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1
# DHCP client (WAN)
/ip dhcp-client add interface=ether5
# DDNS for VPN
/ip cloud set ddns-enabled=yes

## VPN/PPP settings
# PPP profile (default-encryption)
/ppp profile set 1 bridge=bridge dns-server=192.168.89.1 local-address=192.168.89.1 remote-address=vpn
# PPP secret 
/ppp secret add name=$vpnUser password=$vpnPassword profile=default-encryption

## Firewall rules
/ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
/ip firewall filter add action=drop chain=input comment="drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="masquerade PPPoE" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="masquerade VPN" src-address=192.168.89.0/24

## Disable everything except winbox
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

## User configuration
# Add personal user
/user add name=$adminName password=$adminPassword group=full
# Remove admin account
/user remove admin

## Set time
/system clock set time-zone-name=Europe/Paris

#End local scope
}

Hello all,

I’ve found the answer to my question : this is the internal ID of the default-encryption PPP profile. The Mikrotik documentation states that :

id (internal ID) - hexadecimal value prefixed by ‘*’ sign. Each menu item has assigned unique number - internal ID; (source: https://wiki.mikrotik.com/wiki/Manual:Scripting#Data_types)

You can find the internal ID by doing

:put [get <id>]

where <id> is the printable id.

In this case, this yields us the following results :

[username@router] /ppp profile> print
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default address-list="" 
     on-up="" on-down="" 

 1 * name="default-encryption" local-address=192.168.89.1 remote-address=vpn bridge=bridge use-mpls=default use-compression=default use-encryption=yes 
     only-one=default change-tcp-mss=yes use-upnp=default address-list="" dns-server=192.168.89.1 on-up="" on-down="" 
[username@router] /ppp profile> :put [get 1]    
.id=*fffffffe;address-list=;bridge=bridge;change-tcp-mss=yes;default=true;dns-server=192.168.89.1;local-address=192.168.89.1;name=default-encryption;on-dow
n=;on-up=;only-one=default;remote-address=vpn;use-compression=default;use-encryption=yes;use-mpls=default;use-upnp=default

You can clearly see that the .id value of the default-encryption profile is *fffffffe.

There, I hope anybody googling *fffffffe Mikrotik will find this thread, and save himself a bit of digging.

Good evening all.
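
Added example, not part of the original posts: a small Python check that classifies how each command in a RouterOS script selects its target item (print number, internal ID, `[find ...]` query, or name), so that hard-coded references like the `1` and `*FFFFFFFE` discussed above stand out when a config is reviewed. The verb list, the function names and the sample `[find ...]` line are assumptions made for this illustration.

```python
import re

# Verbs whose first positional argument selects an existing item (assumed list).
ITEM_VERBS = {"set", "remove", "get", "enable", "disable"}


def classify_ref(token):
    """Classify how a RouterOS command selects its target item."""
    if re.fullmatch(r"\*[0-9A-Fa-f]+", token):
        return "internal-id"      # e.g. *FFFFFFFE, the .id value
    if re.fullmatch(r"\d+(,\d+)*", token):
        return "print-number"     # position in the 'print' listing
    if token.startswith("["):
        return "find-query"       # e.g. [find name="..."]
    return "name"


def audit(script):
    """Return (line_no, menu, kind) for each command that selects an item."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        words = line.strip().split()
        if not words or not words[0].startswith("/"):
            continue  # comments, braces, :local declarations
        for i, word in enumerate(words):
            if word in ITEM_VERBS and i + 1 < len(words):
                token = words[i + 1]
                # property=value right after the verb: no item selector at all
                if "=" not in token or token.startswith("["):
                    findings.append((no, " ".join(words[:i]), classify_ref(token)))
                break
    return findings


# Lines taken from the config in this thread (shortened), plus one
# constructed [find ...] line for comparison.
SAMPLE = """\
/ppp profile set *FFFFFFFE bridge=bridge dns-server=192.168.89.1
/ppp profile set 1 bridge=bridge dns-server=192.168.89.1
/ppp profile set [find name="default-encryption"] bridge=bridge
/ip service set telnet disabled=yes
/ip cloud set ddns-enabled=yes
/user remove admin
"""

if __name__ == "__main__":
    for no, menu, kind in audit(SAMPLE):
        print(f"line {no}: {menu} -> {kind}")
```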