#################################################################
#
# PPP Sample Configuration File
#
# Originally written by Toshiharu OHNO
#
# $FreeBSD$
#
#################################################################

# This file is separated into sections.  Each section is named with
# a label starting in column 0 and followed directly by a ``:''.  The
# section continues until the next label.  Blank lines and characters
# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\''
# or quoted with "").  All commands inside sections that do not begin
# with ``!'' (e.g., ``!include'') *must* be indented by at least one
# space or tab or they will not be recognized!
#
# Lines beginning with "!include" will ``include'' another file.  You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#

# Default setup.  Always executed when PPP is invoked.
#  This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
#
#  This is the best place to specify your modem device, its DTR rate,
#  your dial script and any logging specification.  Logging specs should
#  be done first so that the results of subsequent commands are logged.
#
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuau1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

# Client side PPP
#
# Although the PPP protocol is a peer to peer protocol, we normally
# consider the side that initiates the connection as the client and
# the side that receives the connection as the server.  Authentication
# is required by the server either using a unix-style login procedure
# or by demanding PAP or CHAP authentication from the client.
#

# An on demand example where we have dynamic IP addresses and wish to
# use a unix-style login script:
#
# If the peer assigns us an arbitrary IP (most ISPs do this) and we
# can't predict what their IP will be either, take a wild guess at
# some IPs that you can't currently route to.  Ppp can change this
# when the link comes up.
#
# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
# specified IP actually being correct, therefore, the other side can assign
# any IP number.
#
# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
# IP number, forcing the peer to make the decision.  This is necessary
# when negotiating with some (broken) ppp implementations.
#
# This entry also works with static IP numbers or when not in -auto mode.
# The ``add'' line adds a `sticky' default route that will be updated if
# and when any of the IP numbers are changed in IPCP negotiations.
# The "set ifaddr" is required in -auto mode only.
# It's better to put the ``add'' line in ppp.linkup when not in -auto mode.
#
# Finally, the ``enable dns'' line tells ppp to ask the peer for the
# nameserver addresses that should be used.  This isn't always supported
# by the other side, but if it is, ppp will update /etc/resolv.conf with
# the correct nameserver values at connection time.
#
# The login script shown says that you're expecting ``ogin:''.  If you
# don't receive that, send a ``\n'' and expect ``ogin:'' again.  When
# it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
# You *MUST* customise this login script according to your local
# requirements.
#
pmdemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# If you want to use PAP or CHAP instead of using a unix-style login
# procedure, do the following.  Note, the peer suggests whether we
# should send PAP or CHAP.  By default, we send whatever we're asked for.
#
# You *MUST* customise ``MyName'' and ``MyKey'' below.
#
PAPorCHAPpmdemand:
 set phone 1234567
 set login
 set authname "MyName"
 set authkey "MyKey"
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# On demand dialup example with static IP addresses:
# Here, the local side uses 192.244.185.226 and the remote side
# uses 192.244.176.44.
#
#   # ppp -auto ondemand
#
# With static IP numbers, our setup is similar to dynamic:
# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
# an "ondemand" label, and finally the "MYADDR" label.
#
ondemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 192.244.185.226 192.244.176.44
 add default HISADDR
 enable dns

# An on-demand dialup example using an external Terminal Adapter (TA)
# that supports multi-link ppp itself.
#
# This may be specific to the AETHRA TA.
#
TA:
 set phone 12345678                  # Replace this with your ISP's phone number

 set authname "somename"             # Replace these with your login name & password.
 set authkey "somepasswd"            # This profile assumes you're using PAP or CHAP.

 enable lqr echo
 set reconnect 3 5
 set redial 3 10
 set lqrperiod 45
 disable pred1 deflate mppe
 deny pred1 deflate mppe

 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \
           OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set login
 set logout
 set hangup

 set timeout 60 300                  # The minimum charge period is 5 minutes, so don't
                                     # hangup before then

 set device /dev/cuau0               # Or whatever
 set speed 115200                    # Use as high a speed as possible

 enable dns                          # Ask the peer what to put in resolv.conf

 # Take a wild guess at an IP number and let the other side decide
 set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0
 add! default hisaddr

 set mru 1504                        # Some extra room for the MP header

 set server /var/run/ppp/ppp-TA "" 0177   # The diagnostic port (-rw-------)


# Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete.  They're provided as examples
# of how to achieve different things.

examples:
# Multi-phone example.  Numbers separated by a : are used sequentially.
# Numbers separated by a | are used if the previous dial or login script
# failed.  Usually, you will prefer to use only one of | or :, but both
# are allowed.
#
 set phone 12345678|12345679:12345670|12345671
#
# Some phone numbers may include # characters - don't forget to escape
# (or quote) them:
#
 set phone "12345##678"
#
# Ppp can accept control instructions from the ``pppctl'' program.
# First, you must set up your control socket.  It's safest to use
# a UNIX domain socket, and watch the permissions:
#
 set server /var/run/ppp/internet MySecretPassword 0177
#
# Although a TCP port may be used if you want to allow control
# connections from other machines:
#
 set server 6670 MySecretpassword
#
# If you don't like ppp's builtin chat, use an external one:
#
 set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\""
#
# If we have a ``strange'' modem that must be re-initialized when we
# hangup:
#
 set hangup "\"\" AT OK-AT-OK ATZ OK"
#
# To adjust logging without blowing away the setting in default:
#
 set log -command +tcp/ip
#
# To see log messages on the screen in interactive mode:
#
 set log local LCP IPCP CCP
#
# If you're seeing a lot of magic number problems and failed connections,
# try this (see the man page):
#
 set openmode active 5
#
# For noisy lines, we may want to reconnect (up to 20 times) after loss
# of carrier, with 3 second delays between each attempt:
#
 set reconnect 3 20
#
# When playing server for M$ clients, tell them who our NetBIOS name
# servers are:
#
 set nbns 10.0.0.1 10.0.0.2
#
# Inform the client if they ask for our DNS IP numbers:
#
 enable dns
#
# If you don't want to tell them what's in your /etc/resolv.conf file
# with `enable dns', override the values:
#
 set dns 10.0.0.1 10.0.0.2
#
# Some people like to prioritize DNS packets:
#
 set urgent udp +53
#
# If we're using the -nat switch, redirect ftp and http to an internal
# machine:
#
 nat port tcp 10.0.0.2:ftp ftp
 nat port tcp 10.0.0.2:http http
#
# or don't trust the outside at all
#
 nat deny_incoming yes
#
# I trust user brian to run ppp, so this goes in the `default' section:
#
 allow user brian
#
# But label `internet' contains passwords that even brian can't have, so
# I empty out the user access list in that section so that only root can
# have access:
#
 allow users
#
# I also may wish to set up my ppp login script so that it asks the client
# for the label they wish to use.  I may only want user ``dodgy'' to access
# their own label in direct mode:
#
dodgy:
 allow user dodgy
 allow mode direct
#
# We don't want certain packets to keep our connection alive
#
 set filter alive 0 deny udp src eq 520    # routed
 set filter alive 1 deny udp dst eq 520    # routed
 set filter alive 2 deny udp src eq 513    # rwhod
 set filter alive 3 deny udp src eq 525    # timed
 set filter alive 4 deny udp src eq 137    # NetBIOS name service
 set filter alive 5 deny udp src eq 138    # NetBIOS datagram service
 set filter alive 6 deny tcp src eq 139    # NetBIOS session service
 set filter alive 7 deny udp dst eq 137    # NetBIOS name service
 set filter alive 8 deny udp dst eq 138    # NetBIOS datagram service
 set filter alive 9 deny tcp dst eq 139    # NetBIOS session service
 set filter alive 10 deny 0/0 MYADDR icmp  # Ping to us from outside
 set filter alive 11 permit 0/0 0/0
#
# And in auto mode, we don't want certain packets to cause a dialup
#
 set filter dial 0 deny udp src eq 513     # rwhod
 set filter dial 1 deny udp src eq 525     # timed
 set filter dial 2 deny udp src eq 137     # NetBIOS name service
 set filter dial 3 deny udp src eq 138     # NetBIOS datagram service
 set filter dial 4 deny tcp src eq 139     # NetBIOS session service
 set filter dial 5 deny udp dst eq 137     # NetBIOS name service
 set filter dial 6 deny udp dst eq 138     # NetBIOS datagram service
 set filter dial 7 deny tcp dst eq 139     # NetBIOS session service
 set filter dial 8 deny tcp finrst         # Badly closed TCP channels
 set filter dial 9 permit 0 0
#
# Once the line's up, allow these connections
#
 set filter in 0 permit tcp dst eq 113                 # ident
 set filter out 0 permit tcp src eq 113                # ident
 set filter in 1 permit tcp src eq 23 estab            # telnet
 set filter out 1 permit tcp dst eq 23                 # telnet
 set filter in 2 permit tcp src eq 21 estab            # ftp
 set filter out 2 permit tcp dst eq 21                 # ftp
 set filter in 3 permit tcp src eq 20 dst gt 1023      # ftp-data
 set filter out 3 permit tcp dst eq 20                 # ftp-data
 set filter in 4 permit udp src eq 53                  # DNS
 set filter out 4 permit udp dst eq 53                 # DNS
 set filter in 5 permit 192.244.191.0/24 0/0           # Where I work
 set filter out 5 permit 0/0 192.244.191.0/24          # Where I work
 set filter in 6 permit icmp                           # pings
 set filter out 6 permit icmp                          # pings
 set filter in 7 permit udp dst gt 33433               # traceroute
 set filter out 7 permit udp dst gt 33433              # traceroute

#
# ``dodgynet'' is an example intended for an autodial configuration which
# is connecting a local network to a host on an untrusted network.
dodgynet:
 set log Phase                       # Log link uptime
 allow mode auto                     # For autoconnect only
 set device /dev/cuau1               # Define modem device and speed
 set speed 115200
 deny lqr                            # Don't support LQR
 set phone 0W1194                    # Remote system phone number,
 set authname "pppLogin"             # login
 set authkey "MyPassword"            # and password
 set dial "ABORT BUSY ABORT NO\\sCARRIER \   # Chat script to dial the peer
           TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
           ATE1Q0M0 OK \\dATDT\\T \
           TIMEOUT 40 CONNECT"
 set login "TIMEOUT 10 \"\" \"\" \          # And to login to remote system
           gin:--gin: \\U word: \\P"

 # Drop the link after 15 minutes of inactivity
 # Inactivity is defined by the `set filter alive' line below
 set timeout 900

 # Hard-code remote system to appear within local subnet and use proxy arp
 # to make this system the gateway for the rest of the local network
 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
 enable proxy

 # Allow any TCP packet to keep the link alive
 set filter alive 0 permit tcp

 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
 # private TCP ports 24 and 4000
 set filter dial 0 7 0 0 tcp dst eq http
 set filter dial 1 7 0 0 tcp dst eq login
 set filter dial 2 7 0 0 tcp dst eq shell
 set filter dial 3 7 0 0 tcp dst eq telnet
 set filter dial 4 7 0 0 tcp dst eq ftp
 set filter dial 5 7 0 0 tcp dst eq 24
 set filter dial 6 deny ! 0 0 tcp dst eq 4000

 # From hosts on a couple of local subnets to the remote peer
 # If the remote host allowed IP forwarding and we wanted to use it, the
 # following rules could be split into two groups to separately validate
 # the source and destination addresses.
 set filter dial 7 permit 172.17.16.0/20 172.17.20.248
 set filter dial 8 permit 172.17.36.0/22 172.17.20.248
 set filter dial 9 permit 172.17.118.0/26 172.17.20.248
 set filter dial 10 permit 10.123.5.0/24 172.17.20.248

 # Once the link's up, limit outgoing access to the specified hosts
 set filter out 0 4 172.17.16.0/20 172.17.20.248
 set filter out 1 4 172.17.36.0/22 172.17.20.248
 set filter out 2 4 172.17.118.0/26 172.17.20.248
 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248

 # Allow established TCP connections
 set filter out 4 permit 0 0 tcp estab

 # And new connections to http, rlogin, rsh, telnet, ftp and ports
 # 24 and 4000
 set filter out 5 permit 0 0 tcp dst eq http
 set filter out 6 permit 0 0 tcp dst eq login
 set filter out 7 permit 0 0 tcp dst eq shell
 set filter out 8 permit 0 0 tcp dst eq telnet
 set filter out 9 permit 0 0 tcp dst eq ftp
 set filter out 10 permit 0 0 tcp dst eq 24
 set filter out 11 permit 0 0 tcp dst eq 4000

 # And outgoing icmp
 set filter out 12 permit 0 0 icmp

 # Once the link's up, limit incoming access to the specified hosts
 set filter in 0 4 172.17.20.248 172.17.16.0/20
 set filter in 1 4 172.17.20.248 172.17.36.0/22
 set filter in 2 4 172.17.20.248 172.17.118.0/26
 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24

 # Established TCP connections and non-PASV FTP
 set filter in 4 permit 0/0 0/0 tcp estab
 set filter in 5 permit 0/0 0/0 tcp src eq 20

 # Useful ICMP messages
 set filter in 6 permit 0/0 0/0 icmp src eq 3
 set filter in 7 permit 0/0 0/0 icmp src eq 4
 set filter in 8 permit 0/0 0/0 icmp src eq 11
 set filter in 9 permit 0/0 0/0 icmp src eq 12

 # Echo reply (local systems can ping the remote host)
 set filter in 10 permit 0/0 0/0 icmp src eq 0

 # And the remote host can ping the local gateway (only)
 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8


# Server side PPP
#
# If you want the remote system to authenticate itself, you must insist
# that the peer uses CHAP or PAP with the "enable" keyword.  Both CHAP and
# PAP are disabled by default.  You may enable either or both.  If both
# are enabled, CHAP is requested first.  If the client doesn't agree, PAP
# will then be requested.
#
# Note: If you use the getty/login process to authenticate users, you
#       don't need to enable CHAP or PAP, but the user that has logged
#       in *MUST* be a member of the ``network'' group (in /etc/group).
#
# Note: Chap80 and chap81 are Microsoft variations of standard chap (05).
#
# If you wish to allow any user in the passwd database ppp access, you
# can ``enable passwdauth'', but this will only work with PAP.
#
# When the peer authenticates itself, we use ppp.secret for verification
# (although refer to the ``set radius'' command below for an alternative).
#
# Note: We may supply a third field in ppp.secret specifying the IP
#       address for that user, a fourth field to specify the
#       ppp.link{up,down} label to use and a fifth field to specify
#       callback characteristics.
#
# The easiest way to allow transparent LAN access to your dialin users
# is to assign them a number from your local LAN and tell ppp to make a
# ``proxy'' arp entry for them.  In this example, we have a local LAN
# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
# ppp clients between 10.0.0.100 and 10.0.0.199.  It is possible to
# override the dynamic IP number with a static IP number specified in
# ppp.secret.
#
# Ppp is launched with:
#   # ppp -direct server
#
server:
 enable chap chap80 chap81 pap passwdauth
 enable proxy
 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
 accept dns

# Example of a RADIUS configuration:
# If there are one or more radius servers available, we can use them
# instead of the ppp.secret file.  Simply put them in a radius
# configuration file (usually /etc/radius.conf) and give ppp the
# file name.
# Ppp will use the FRAMED characteristics supplied by the radius server
# to configure the link.

radius-server:
 load server                         # load in the server config from above
 set radius /etc/radius.conf


# Example to connect using a null-modem cable:
# The important thing here is to allow the lqr packets on both sides.
# Without them enabled, we can't tell if the line's dropped - there
# should always be carrier on a direct connection.
# Here, the server sends lqr's every 10 seconds and quits if five in a
# row fail.
#
# Make sure you don't have "deny lqr" in your default: on the client!
# If the peer denies LQR, we still send ECHO LQR packets at the given
# lqrperiod interval (ppp-style-pings).
#
direct-client:
 set dial
 set device /dev/cuau0
 set sp 115200
 set timeout 900
 set lqrperiod 10
 set log Phase Chat LQM
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
 set ifaddr 10.0.4.2 10.0.4.1
 enable lqr echo
 accept lqr

direct-server:
 set timeout 0
 set lqrperiod 10
 set log Phase LQM
 set ifaddr 10.0.4.1 10.0.4.2
 enable lqr echo
 accept lqr


# Example to connect via compuserve
# Compuserve insists on 7 bits even parity during the chat phase.  Modem
# parity is always reset to ``none'' after the link has been established.
#
compuserve:
 set phone 1234567
 set parity even
 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
           word: XXXXXXXX PPP"
 set timeout 300
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 delete ALL
 add default HISADDR


# Example for PPP over TCP.
# We assume that inetd on tcpsrv.mynet has been
# configured to run "ppp -direct tcp-server" when it gets a connection on
# port 1234 with an entry something like this in /etc/inetd.conf:
#
#  ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server
#
# with this in /etc/services:
#
#  ppp 6671/tcp
#
# Read the man page for further details.
#
# Note, we assume we're using a binary-clean connection.  If something
# such as `rlogin' is involved, you may need to ``set escape 0xff''
#
tcp-client:
 set device tcpsrv.mynet:1234
 set dial
 set login
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0

tcp-server:
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0


# Using UDP is also possible with this in /etc/inetd.conf:
#
#  ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server
#
# and this in /etc/services:
#
#  ppp 6671/udp
#
udp-client:
 set device udpsrv.mynet:1234/udp
 set dial
 set login
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0

udp-server:
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0


# Example for PPP testing.
# If you want to test ppp, do it through the loopback interface:
#
# Requires a line in /etc/services:
#   ppploop 6671/tcp                  # loopback ppp daemon
#
# and a line in /etc/inetd.conf:
#   ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in
#
inet-loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:ppploop
 set dial
 set login
 set ifaddr 127.0.0.2 127.0.0.3
 set server /var/run/ppp/loop "" 0177

inet-loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

# Example of a VPN.
# If you're going to create a tunnel through a public network, your VPN
# should be set up something like this:
#
# You should already have set up ssh using ssh-agent & ssh-add.
#
sloop:
 load inet-loop
 # Passive mode allows ssh plenty of time to establish the connection
 set openmode passive
 set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in"


# or a better VPN solution (which doesn't run IP over a reliable
# protocol like tcp) may be:
#
vpn-client:
 set device udpsrv.mynet:1234/udp    # PPP over UDP
 set dial
 set login
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
 disable deflate pred1
 deny deflate pred1
 enable MPPE                         # With encryption
 accept MPPE

vpn-server:
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
 disable deflate pred1
 deny deflate pred1
 enable MPPE
 accept MPPE
 enable chap81                       # Required for MPPE

# Example of non-PPP callback.
# If you wish to connect to a server that will dial back *without* using
# the ppp callback facility (rfc1570), take advantage of the fact that
# ppp doesn't look for carrier 'till `set login' is complete:
#
# Here, we expect the server to say DIALBACK then disconnect after
# we've authenticated ourselves.  When this has happened, we wait
# 60 seconds for a RING.
#
# Note, it's important that we tell ppp not to expect carrier, otherwise
# we'll drop out at the ``NO CARRIER'' stage.
#
dialback:
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
           ATDT\\T TIMEOUT 60 CONNECT"
 set cd off
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
           \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"

# Example of PPP callback.
# Alternatively, if the peer is using the PPP callback protocol, we're
# happy either with ``auth'' style callback where the server dials us
# back based on what we authenticate ourselves with, ``cbcp'' style
# callback (invented by Microsoft but not agreed by the IETF) where
# we negotiate callback *after* authentication or E.164 callback where
# we specify only a phone number.  I would recommend only ``auth'' and/or
# ``cbcp'' callback methods.
# For ``cbcp'', we insist that we choose ``1234567'' as the number that
# the server must call back.
#
callback:
 load pmdemand                       # load in the pmdemand config
 set callback auth cbcp e.164 1234567
 set cbcp 1234567

# If we're running a ppp server that wants to only call back microsoft
# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
#
callback-server:
 load server
 set callback cbcp
 set cbcp
 set log +cbcp
 set redial 3 1
 set device /dev/cuau0
 set speed 115200
 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"

# Or if we want to allow authenticated clients to specify their own
# callback number:
#
callback-server-client-decides:
 load callback-server
 set cbcp *

# Multilink mode is available (rfc1990).
# To enable multi-link capabilities, you must specify a MRRU.  1500 is
# a reasonable value.  To create new links, use the ``clone'' command
# to duplicate an existing link.  If you already have more than one
# link, you must specify which link you wish to run the command on via
# the ``link'' command.
#
# It's worth increasing your MTU and MRU slightly in multi-link mode to
# prevent full packets from being fragmented.
#
# You can now ``dial'' specific links, or even dial all links at the
# same time.  The `dial' command may also be prefixed with a specific
# link that should do the dialing.
#
mloop:
 load loop
 set device /dev/cuau0 /dev/cuau1 /dev/cuau2   # Use any of these devices
 set mode interactive
 set mrru 1500
 set mru 1504                        # Room for the MP header
 clone 1 2 3
 link deflink remove
 # dial
 # link 2 dial
 # link 3 dial

mloop-in:
 set timeout 0                       # No idle timer
 set log tun phase
 allow mode direct
 set mrru 1500
 set mru 1504                        # Room for the MP header

# User supplied authentication:
# It's possible to run ppp in the background while specifying a
# program to use to obtain authentication details on demand.
# This program would usually be a simple GUI that presents a
# prompt to a known user.  The ``chap-auth'' program is supplied
# as an example (and requires tcl version 8.0).
#
CHAPprompt:
 load PAPorCHAPpmdemand
 set authkey !/usr/share/examples/ppp/chap-auth

# It's possible to do the same sort of thing at the login prompt.
# Here, after sending ``brian'' in response to the ``name'' prompt,
# we're prompted with ``code:''.  A window is then displayed on the
# ``keep:0.0'' display and the typed response is sent to the peer
# as the password.  We then expect to see ``MTU'' and ``.'' in the
# server's response.
#
loginprompt:
 load pmdemand
 set authname "brian"
 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
           code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
           AUTHNAME\" MTU \\c ."

# ppp supports ppp over ethernet (PPPoE).  Beware, many PPP servers cache
# the MAC address that connects to them, making it impossible to switch
# your PPPoE connection between machines.
#
# The current implementation requires Netgraph, so it doesn't work with
# OpenBSD or NetBSD.
#
# The client should be something like this:
#
pppoe:
 set device PPPoE:de0:pppoe-in
 enable lqr echo
 set cd 5
 set dial
 set login
 set redial 0 0

# And the server should be running
#
#   /usr/libexec/pppoed -p pppoe-in fxp0
#
# See rc.conf(5)
#
pppoe-in:
 allow mode direct                         # Only for use on server-side
 enable lqr echo proxy                     # Enable LQR and proxy-arp
 enable chap pap passwdauth                # Force client authentication
 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers
 accept dns                                # Allow DNS negotiation

# It's possible to run ppp back-to-back with itself.  This is useful
# for testing.
#
# When testing scalability and concurrency, the following profile might
# be used.
#
# Note, you'll have to make some other machine adjustments:
#
# o Bump maxusers in your kernel configuration to about 256 so that there
#   are enough process table slots.
# o Bump system file descriptors with ``sysctl kern.maxfiles=20480''.  You'll
#   need 3 descriptors per ppp process (assuming no server socket).
76589211Sbrian# 76689211Sbrian# You can now create 2000 processes (1000 pairs) with: 76789211Sbrian# 76889211Sbrian# n=0 76989211Sbrian# while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done 77089211Sbrian# 77189211Sbrian# If you want to test concurrency, try using ``ppp -dd loop'' instead. 77289211Sbrian# 77389211Sbrianloop: 77489211Sbrian set timeout 0 77589211Sbrian set log 77689211Sbrian set device "!ppp -direct loop-in" 77789211Sbrian set dial 77889211Sbrian set login 779108533Sschweikh set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255 78089211Sbrian disable deflate pred1 mppe 78189211Sbrian deny deflate pred1 mppe 782108533Sschweikh 78389211Sbrianloop-in: 78489211Sbrian set timeout 0 78589211Sbrian set log 78689211Sbrian allow mode direct 78789211Sbrian set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255 78889211Sbrian disable deflate pred1 mppe 78989211Sbrian deny deflate pred1 mppe 790
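# Of the profiles above, those with ``allow mode direct'' are the server-side
# ones, and only pppoe-in also forces client authentication; the test-only
# loop-in and mloop-in profiles accept a direct-mode peer with no ``enable
# chap/pap/passwdauth'' at all.  The check below is an added example, not part
# of this sample file or of ppp itself: it parses the label/indent layout
# described at the top of this file and lists direct-mode labels that never
# enable an authentication protocol.  The function name, the constructed
# sample profiles and the simplified handling (no \# or quoted "#", no
# ``load'' resolution) are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper: print ppp.conf labels that "allow mode direct"
# (server side) but never "enable chap", "enable pap" or "enable passwdauth"
# in the same section.  Simplification: "#" always starts a comment and
# sections pulled in with "load" are not followed.
ppp_unauth_direct_sections() {
    awk '
        { line = $0; sub(/[ \t]*#.*/, "", line) }          # strip comments
        line ~ /^[^ \t#!][^:]*:/ {                          # label in column 0
            report(); label = line; sub(/:.*/, "", label); direct = 0; auth = 0; next
        }
        label != "" && line ~ /^[ \t]+allow[ \t]+modes?[ \t].*direct/ { direct = 1 }
        label != "" && line ~ /^[ \t]+enable[ \t]/ {
            n = split(line, w, /[ \t]+/)
            for (i = 1; i <= n; i++) if (w[i] ~ /^(chap|pap|passwdauth)$/) auth = 1
        }
        END { report() }
        function report() { if (label != "" && direct && !auth) print label }
    ' "$1"
}

# Constructed sample ppp.conf fragment (not the page's own file), modelled on
# the pppoe-in, loop-in and pppoe profiles.
sample="$(mktemp)"
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# server-side PPPoE profile: forces client authentication
pppoe-in:
 allow mode direct                 # Only for use on server-side
 enable lqr echo proxy
 enable chap pap passwdauth        # Force client authentication
 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199

# loopback test profile: direct mode, no authentication required
loop-in:
 set timeout 0
 allow mode direct
 set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255

# client profile: never accepts a direct-mode peer
pppoe:
 set device PPPoE:de0:pppoe-in
 enable lqr echo
EOF

ppp_unauth_direct_sections "$sample"          # prints: loop-in
```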