1################################################################# 2# 3# PPP Sample Configuration File 4# 5# Originally written by Toshiharu OHNO 6# 7# $FreeBSD: src/share/examples/ppp/ppp.conf.sample,v 1.16.2.10 2003/05/03 21:35:06 keramida Exp $ 8# $DragonFly: src/share/examples/ppp/ppp.conf.sample,v 1.2 2003/06/17 04:36:57 dillon Exp $ 9# 10################################################################# 11 12# This file is separated into sections. Each section is named with 13# a label starting in column 0 and followed directly by a ``:''. The 14# section continues until the next label. Blank lines and characters 15# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\'' 16# or quoted with ""). All commands inside sections that do not begin 17# with ``!'' (e.g., ``!include'') *must* be indented by at least one 18# space or tab or they will not be recognized! 19# 20# Lines beginning with "!include" will ``include'' another file. You 21# may want to ``!include ~/.ppp.conf'' for backwards compatibility. 22# 23 24# Default setup. Always executed when PPP is invoked. 25# This section is *not* pre-loaded by the ``load'' or ``dial'' commands. 26# 27# This is the best place to specify your modem device, its DTR rate, 28# your dial script and any logging specification. Logging specs should 29# be done first so that the results of subsequent commands are logged. 30# 31default: 32 set log Phase Chat LCP IPCP CCP tun command 33 set device /dev/cuaa1 34 set speed 115200 35 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \ 36 OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 37 38# Client side PPP 39# 40# Although the PPP protocol is a peer to peer protocol, we normally 41# consider the side that initiates the connection as the client and 42# the side that receives the connection as the server. Authentication 43# is required by the server either using a unix-style login procedure 44# or by demanding PAP or CHAP authentication from the client. 45# 46 47# An on demand example where we have dynamic IP addresses and wish to 48# use a unix-style login script: 49# 50# If the peer assigns us an arbitrary IP (most ISPs do this) and we 51# can't predict what their IP will be either, take a wild guess at 52# some IPs that you can't currently route to. Ppp can change this 53# when the link comes up. 54# 55# The /0 bit in "set ifaddr" says that we insist on 0 bits of the 56# specified IP actually being correct, therefore, the other side can assign 57# any IP number. 58# 59# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested 60# IP number, forcing the peer to make the decision. This is necessary 61# when negotiating with some (broken) ppp implementations. 62# 63# This entry also works with static IP numbers or when not in -auto mode. 64# The ``add'' line adds a `sticky' default route that will be updated if 65# and when any of the IP numbers are changed in IPCP negotiations. 66# The "set ifaddr" is required in -auto mode only. 67# It's better to put the ``add'' line in ppp.linkup when not in -auto mode. 68# 69# Finally, the ``enable dns'' line tells ppp to ask the peer for the 70# nameserver addresses that should be used. This isn't always supported 71# by the other side, but if it is, ppp will update /etc/resolv.conf with 72# the correct nameserver values at connection time. 73# 74# The login script shown says that you're expecting ``ogin:''. If you 75# don't receive that, send a ``\n'' and expect ``ogin:'' again. When 76# it's received, send ``ppp'', expect ``word:'' then send ``ppp''. 77# You *MUST* customise this login script according to your local 78# requirements. 79# 80pmdemand: 81 set phone 1234567 82 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 83 set timeout 120 84 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 85 add default HISADDR 86 enable dns 87 88# If you want to use PAP or CHAP instead of using a unix-style login 89# procedure, do the following. Note, the peer suggests whether we 90# should send PAP or CHAP. By default, we send whatever we're asked for. 91# 92# You *MUST* customise ``MyName'' and ``MyKey'' below. 93# 94PAPorCHAPpmdemand: 95 set phone 1234567 96 set login 97 set authname "MyName" 98 set authkey "MyKey" 99 set timeout 120 100 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 101 add default HISADDR 102 enable dns 103 104# On demand dialup example with static IP addresses: 105# Here, the local side uses 192.244.185.226 and the remote side 106# uses 192.244.176.44. 107# 108# # ppp -auto ondemand 109# 110# With static IP numbers, our setup is similar to dynamic: 111# Remember, ppp.linkup is searched for a "192.244.176.44" label, then 112# a "ondemand" label, and finally the "MYADDR" label. 113# 114ondemand: 115 set phone 1234567 116 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 117 set timeout 120 118 set ifaddr 192.244.185.226 192.244.176.44 119 add default HISADDR 120 enable dns 121 122# An on-demand dialup example using an external Terminal Adapter (TA) 123# that supports multi-link ppp itself. 124# 125# This may be specific to the AETHRA TA. 126# 127TA: 128 set phone 12345678 # Replace this with your ISPs phone number 129 130 set authname "somename" # Replace these with your login name & password. 131 set authkey "somepasswd" # This profile assumes you're using PAP or CHAP. 132 133 enable lqr 134 set reconnect 3 5 135 set redial 3 10 136 set lqrperiod 45 137 disable pred1 deflate mppe 138 deny pred1 deflate mppe 139 140 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \ 141 OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 142 set login 143 set logout 144 set hangup 145 146 set timeout 60 300 # The minimum charge period is 5 minutes, so don't 147 # hangup before then 148 149 set device /dev/cuaa0 # Or whatever 150 set speed 115200 # Use as high a speed as possible 151 152 enable dns # Ask the peer what to put in resolv.conf 153 154 # Take a wild guess at an IP number and let the other side decide 155 set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0 156 add! default hisaddr 157 158 set mru 1504 # Some extra room for the MP header 159 160 set server /var/run/ppp/ppp-TA "" 0177 # The diagnostic port (-rw-------) 161 162 163# Example segments 164# 165# The following lines may be included as part of your configuration 166# section and aren't themselves complete. They're provided as examples 167# of how to achieve different things. 168 169examples: 170# Multi-phone example. Numbers separated by a : are used sequentially. 171# Numbers separated by a | are used if the previous dial or login script 172# failed. Usually, you will prefer to use only one of | or :, but both 173# are allowed. 174# 175 set phone 12345678|12345679:12345670|12345671 176# 177# Some phone numbers may include # characters - don't forget to escape 178# (or quote) them: 179# 180 set phone "12345##678" 181# 182# Ppp can accept control instructions from the ``pppctl'' program. 183# First, you must set up your control socket. It's safest to use 184# a UNIX domain socket, and watch the permissions: 185# 186 set server /var/run/ppp/internet MySecretPassword 0177 187# 188# Although a TCP port may be used if you want to allow control 189# connections from other machines: 190# 191 set server 6670 MySecretpassword 192# 193# If you don't like ppp's builtin chat, use an external one: 194# 195 set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\"" 196# 197# If we have a ``strange'' modem that must be re-initialized when we 198# hangup: 199# 200 set hangup "\"\" AT OK-AT-OK ATZ OK" 201# 202# To adjust logging without blowing away the setting in default: 203# 204 set log -command +tcp/ip 205# 206# To see log messages on the screen in interactive mode: 207# 208 set log local LCP IPCP CCP 209# 210# If you're seeing a lot of magic number problems and failed connections, 211# try this (see the man page): 212# 213 set openmode active 5 214# 215# For noisy lines, we may want to reconnect (up to 20 times) after loss 216# of carrier, with 3 second delays between each attempt: 217# 218 set reconnect 3 20 219# 220# When playing server for M$ clients, tell them who our NetBIOS name 221# servers are: 222# 223 set nbns 10.0.0.1 10.0.0.2 224# 225# Inform the client if they ask for our DNS IP numbers: 226# 227 enable dns 228# 229# If you don't want to tell them what's in your /etc/resolv.conf file 230# with `enable dns', override the values: 231# 232 set dns 10.0.0.1 10.0.0.2 233# 234# Some people like to prioritize DNS packets: 235# 236 set urgent udp +53 237# 238# If we're using the -nat switch, redirect ftp and http to an internal 239# machine: 240# 241 nat port tcp 10.0.0.2:ftp ftp 242 nat port tcp 10.0.0.2:http http 243# 244# or don't trust the outside at all 245# 246 nat deny_incoming yes 247# 248# I trust user brian to run ppp, so this goes in the `default' section: 249# 250 allow user brian 251# 252# But label `internet' contains passwords that even brian can't have, so 253# I empty out the user access list in that section so that only root can 254# have access: 255# 256 allow users 257# 258# I also may wish to set up my ppp login script so that it asks the client 259# for the label they wish to use. I may only want user ``dodgy'' to access 260# their own label in direct mode: 261# 262dodgy: 263 allow user dodgy 264 allow mode direct 265# 266# We don't want certain packets to keep our connection alive 267# 268 set filter alive 0 deny udp src eq 520 # routed 269 set filter alive 1 deny udp dst eq 520 # routed 270 set filter alive 2 deny udp src eq 513 # rwhod 271 set filter alive 3 deny udp src eq 525 # timed 272 set filter alive 4 deny udp src eq 137 # NetBIOS name service 273 set filter alive 5 deny udp src eq 138 # NetBIOS datagram service 274 set filter alive 6 deny tcp src eq 139 # NetBIOS session service 275 set filter alive 7 deny udp dst eq 137 # NetBIOS name service 276 set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service 277 set filter alive 9 deny tcp dst eq 139 # NetBIOS session service 278 set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside 279 set filter alive 11 permit 0/0 0/0 280# 281# And in auto mode, we don't want certain packets to cause a dialup 282# 283 set filter dial 0 deny udp src eq 513 # rwhod 284 set filter dial 1 deny udp src eq 525 # timed 285 set filter dial 2 deny udp src eq 137 # NetBIOS name service 286 set filter dial 3 deny udp src eq 138 # NetBIOS datagram service 287 set filter dial 4 deny tcp src eq 139 # NetBIOS session service 288 set filter dial 5 deny udp dst eq 137 # NetBIOS name service 289 set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service 290 set filter dial 7 deny tcp dst eq 139 # NetBIOS session service 291 set filter dial 8 deny tcp finrst # Badly closed TCP channels 292 set filter dial 9 permit 0 0 293# 294# Once the line's up, allow these connections 295# 296 set filter in 0 permit tcp dst eq 113 # ident 297 set filter out 0 permit tcp src eq 113 # ident 298 set filter in 1 permit tcp src eq 23 estab # telnet 299 set filter out 1 permit tcp dst eq 23 # telnet 300 set filter in 2 permit tcp src eq 21 estab # ftp 301 set filter out 2 permit tcp dst eq 21 # ftp 302 set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data 303 set filter out 3 permit tcp dst eq 20 # ftp-data 304 set filter in 4 permit udp src eq 53 # DNS 305 set filter out 4 permit udp dst eq 53 # DNS 306 set filter in 5 permit 192.244.191.0/24 0/0 # Where I work 307 set filter out 5 permit 0/0 192.244.191.0/24 # Where I work 308 set filter in 6 permit icmp # pings 309 set filter out 6 permit icmp # pings 310 set filter in 7 permit udp dst gt 33433 # traceroute 311 set filter out 7 permit udp dst gt 33433 # traceroute 312 313# 314# ``dodgynet'' is an example intended for an autodial configuration which 315# is connecting a local network to a host on an untrusted network. 316dodgynet: 317 set log Phase # Log link uptime 318 allow mode auto # For autoconnect only 319 set device /dev/cuaa1 # Define modem device and speed 320 set speed 115200 321 deny lqr # Don't support LQR 322 set phone 0W1194 # Remote system phone number, 323 set authname "pppLogin" # login 324 set authkey "MyPassword" # and password 325 set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer 326 TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 327 ATE1Q0M0 OK \\dATDT\\T \ 328 TIMEOUT 40 CONNECT" 329 set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system 330 gin:--gin: \\U word: \\P" 331 332 # Drop the link after 15 minutes of inactivity 333 # Inactivity is defined by the `set filter alive' line below 334 set timeout 900 335 336 # Hard-code remote system to appear within local subnet and use proxy arp 337 # to make this system the gateway for the rest of the local network 338 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 339 enable proxy 340 341 # Allow any TCP packet to keep the link alive 342 set filter alive 0 permit tcp 343 344 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or 345 # private TCP ports 24 and 4000 346 set filter dial 0 7 0 0 tcp dst eq http 347 set filter dial 1 7 0 0 tcp dst eq login 348 set filter dial 2 7 0 0 tcp dst eq shell 349 set filter dial 3 7 0 0 tcp dst eq telnet 350 set filter dial 4 7 0 0 tcp dst eq ftp 351 set filter dial 5 7 0 0 tcp dst eq 24 352 set filter dial 6 deny ! 0 0 tcp dst eq 4000 353 354 # From hosts on a couple of local subnets to the remote peer 355 # If the remote host allowed IP forwarding and we wanted to use it, the 356 # following rules could be split into two groups to separately validate 357 # the source and destination addresses. 358 set filter dial 7 permit 172.17.16.0/20 172.17.20.248 359 set filter dial 8 permit 172.17.36.0/22 172.17.20.248 360 set filter dial 9 permit 172.17.118.0/26 172.17.20.248 361 set filter dial 10 permit 10.123.5.0/24 172.17.20.248 362 363 # Once the link's up, limit outgoing access to the specified hosts 364 set filter out 0 4 172.17.16.0/20 172.17.20.248 365 set filter out 1 4 172.17.36.0/22 172.17.20.248 366 set filter out 2 4 172.17.118.0/26 172.17.20.248 367 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 368 369 # Allow established TCP connections 370 set filter out 4 permit 0 0 tcp estab 371 372 # And new connections to http, rlogin, rsh, telnet, ftp and ports 373 # 24 and 4000 374 set filter out 5 permit 0 0 tcp dst eq http 375 set filter out 6 permit 0 0 tcp dst eq login 376 set filter out 7 permit 0 0 tcp dst eq shell 377 set filter out 8 permit 0 0 tcp dst eq telnet 378 set filter out 9 permit 0 0 tcp dst eq ftp 379 set filter out 10 permit 0 0 tcp dst eq 24 380 set filter out 11 permit 0 0 tcp dst eq 4000 381 382 # And outgoing icmp 383 set filter out 12 permit 0 0 icmp 384 385 # Once the link's up, limit incoming access to the specified hosts 386 set filter in 0 4 172.17.20.248 172.17.16.0/20 387 set filter in 1 4 172.17.20.248 172.17.36.0/22 388 set filter in 2 4 172.17.20.248 172.17.118.0/26 389 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24 390 391 # Established TCP connections and non-PASV FTP 392 set filter in 4 permit 0/0 0/0 tcp estab 393 set filter in 5 permit 0/0 0/0 tcp src eq 20 394 395 # Useful ICMP messages 396 set filter in 6 permit 0/0 0/0 icmp src eq 3 397 set filter in 7 permit 0/0 0/0 icmp src eq 4 398 set filter in 8 permit 0/0 0/0 icmp src eq 11 399 set filter in 9 permit 0/0 0/0 icmp src eq 12 400 401 # Echo reply (local systems can ping the remote host) 402 set filter in 10 permit 0/0 0/0 icmp src eq 0 403 404 # And the remote host can ping the local gateway (only) 405 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 406 407 408# Server side PPP 409# 410# If you want the remote system to authenticate itself, you must insist 411# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and 412# PAP are disabled by default. You may enable either or both. If both 413# are enabled, CHAP is requested first. If the client doesn't agree, PAP 414# will then be requested. 415# 416# Note: If you use the getty/login process to authenticate users, you 417# don't need to enable CHAP or PAP, but the user that has logged 418# in *MUST* be a member of the ``network'' group (in /etc/group). 419# 420# Note: Chap80 and chap81 are Microsoft variations of standard chap (05). 421# 422# If you wish to allow any user in the passwd database ppp access, you 423# can ``enable passwdauth'', but this will only work with PAP. 424# 425# When the peer authenticates itself, we use ppp.secret for verification 426# (although refer to the ``set radius'' command below for an alternative). 427# 428# Note: We may supply a third field in ppp.secret specifying the IP 429# address for that user, a fourth field to specify the 430# ppp.link{up,down} label to use and a fifth field to specify 431# callback characteristics. 432# 433# The easiest way to allow transparent LAN access to your dialin users 434# is to assign them a number from your local LAN and tell ppp to make a 435# ``proxy'' arp entry for them. In this example, we have a local LAN 436# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our 437# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to 438# override the dynamic IP number with a static IP number specified in 439# ppp.secret. 440# 441# Ppp is launched with: 442# # ppp -direct server 443# 444server: 445 enable chap chap80 chap81 pap passwdauth 446 enable proxy 447 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 448 accept dns 449 450# Example of a RADIUS configuration: 451# If there are one or more radius servers available, we can use them 452# instead of the ppp.secret file. Simply put then in a radius 453# configuration file (usually /etc/radius.conf) and give ppp the 454# file name. 455# Ppp will use the FRAMED characteristics supplied by the radius server 456# to configure the link. 457 458radius-server: 459 load server # load in the server config from above 460 set radius /etc/radius.conf 461 462 463# Example to connect using a null-modem cable: 464# The important thing here is to allow the lqr packets on both sides. 465# Without them enabled, we can't tell if the line's dropped - there 466# should always be carrier on a direct connection. 467# Here, the server sends lqr's every 10 seconds and quits if five in a 468# row fail. 469# 470# Make sure you don't have "deny lqr" in your default: on the client ! 471# If the peer denies LQR, we still send ECHO LQR packets at the given 472# lqrperiod interval (ppp-style-pings). 473# 474direct-client: 475 set dial 476 set device /dev/cuaa0 477 set sp 115200 478 set timeout 900 479 set lqrperiod 10 480 set log Phase Chat LQM 481 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO" 482 set ifaddr 10.0.4.2 10.0.4.1 483 enable lqr 484 accept lqr 485 486direct-server: 487 set timeout 0 488 set lqrperiod 10 489 set log Phase LQM 490 set ifaddr 10.0.4.1 10.0.4.2 491 enable lqr 492 accept lqr 493 494 495# Example to connect via compuserve 496# Compuserve insists on 7 bits even parity during the chat phase. Modem 497# parity is always reset to ``none'' after the link has been established. 498# 499compuserve: 500 set phone 1234567 501 set parity even 502 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \ 503 word: XXXXXXXX PPP" 504 set timeout 300 505 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 506 delete ALL 507 add default HISADDR 508 509 510# Example for PPP over TCP. 511# We assume that inetd on tcpsrv.mynet has been 512# configured to run "ppp -direct tcp-server" when it gets a connection on 513# port 1234 with an entry something like this in /etc/inetd.conf.: 514# 515# ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server 516# 517# with this in /etc/services: 518# 519# ppp 6671/tcp 520# 521# Read the man page for further details. 522# 523# Note, we assume we're using a binary-clean connection. If something 524# such as `rlogin' is involved, you may need to ``set escape 0xff'' 525# 526tcp-client: 527 set device tcpsrv.mynet:1234 528 set dial 529 set login 530 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 531 532tcp-server: 533 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 534 535 536# Using UDP is also possible with this in /etc/inetd.conf: 537# 538# ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server 539# 540# and this in /etc/services: 541# 542# ppp 6671/tcp 543# 544udp-client: 545 set device udpsrv.mynet:1234/udp 546 set dial 547 set login 548 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 549 550udp-server: 551 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 552 553 554# Example for PPP testing. 555# If you want to test ppp, do it through the loopback interface: 556# 557# Requires a line in /etc/services: 558# ppploop 6671/tcp # loopback ppp daemon 559# 560# and a line in /etc/inetd.conf: 561# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in 562# 563inet-loop: 564 set timeout 0 565 set log phase chat connect lcp ipcp command 566 set device localhost:ppploop 567 set dial 568 set login 569 set ifaddr 127.0.0.2 127.0.0.3 570 set server /var/run/ppp/loop "" 0177 571 572inet-loop-in: 573 set timeout 0 574 set log phase lcp ipcp command 575 allow mode direct 576 577# Example of a VPN. 578# If you're going to create a tunnel through a public network, your VPN 579# should be set up something like this: 580# 581# You should already have set up ssh using ssh-agent & ssh-add. 582# 583sloop: 584 load inet-loop 585 # Passive mode allows ssh plenty of time to establish the connection 586 set openmode passive 587 set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in" 588 589 590# or a better VPN solution (which doesn't run IP over a reliable 591# protocol like tcp) may be: 592# 593vpn-client: 594 set device udpsrv.mynet:1234/udp # PPP over UDP 595 set dial 596 set login 597 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 598 disable deflate pred1 599 deny deflate pred1 600 enable MPPE # With encryption 601 accept MPPE 602 603vpn-server: 604 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 605 disable deflate pred1 606 deny deflate pred1 607 enable MPPE 608 accept MPPE 609 enable chap81 # Required for MPPE 610 611# Example of non-PPP callback. 612# If you wish to connect to a server that will dial back *without* using 613# the ppp callback facility (rfc1570), take advantage of the fact that 614# ppp doesn't look for carrier 'till `set login' is complete: 615# 616# Here, we expect the server to say DIALBACK then disconnect after 617# we've authenticated ourselves. When this has happened, we wait 618# 60 seconds for a RING. 619# 620# Note, it's important that we tell ppp not to expect carrier, otherwise 621# we'll drop out at the ``NO CARRIER'' stage. 622# 623dialback: 624 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 625 ATDT\\T TIMEOUT 60 CONNECT" 626 set cd off 627 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \ 628 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT" 629 630# Example of PPP callback. 631# Alternatively, if the peer is using the PPP callback protocol, we're 632# happy either with ``auth'' style callback where the server dials us 633# back based on what we authenticate ourselves with, ``cbcp'' style 634# callback (invented by Microsoft but not agreed by the IETF) where 635# we negotiate callback *after* authentication or E.164 callback where 636# we specify only a phone number. I would recommend only ``auth'' and/or 637# ``cbcp'' callback methods. 638# For ``cbcp'', we insist that we choose ``1234567'' as the number that 639# the server must call back. 640# 641callback: 642 load pmdemand # load in the pmdemand config 643 set callback auth cbcp e.164 1234567 644 set cbcp 1234567 645 646# If we're running a ppp server that wants to only call back microsoft 647# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field): 648# 649callback-server: 650 load server 651 set callback cbcp 652 set cbcp 653 set log +cbcp 654 set redial 3 1 655 set device /dev/cuaa0 656 set speed 115200 657 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT" 658 659# Or if we want to allow authenticated clients to specify their own 660# callback number: 661# 662callback-server-client-decides: 663 load callback-server 664 set cbcp * 665 666# Multilink mode is available (rfc1990). 667# To enable multi-link capabilities, you must specify a MRRU. 1500 is 668# a reasonable value. To create new links, use the ``clone'' command 669# to duplicate an existing link. If you already have more than one 670# link, you must specify which link you wish to run the command on via 671# the ``link'' command. 672# 673# It's worth increasing your MTU and MRU slightly in multi-link mode to 674# prevent full packets from being fragmented. 675# 676# See ppp.conf.isdn for an example of how to do multi-link isdn. 677# 678# You can now ``dial'' specific links, or even dial all links at the 679# same time. The `dial' command may also be prefixed with a specific 680# link that should do the dialing. 681# 682mloop: 683 load loop 684 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 # Use any of these devices 685 set mode interactive 686 set mrru 1500 687 set mru 1504 # Room for the MP header 688 clone 1 2 3 689 link deflink remove 690 # dial 691 # link 2 dial 692 # link 3 dial 693 694mloop-in: 695 set timeout 0 # No idle timer 696 set log tun phase 697 allow mode direct 698 set mrru 1500 699 set mru 1504 # Room for the MP header 700 701# User supplied authentication: 702# It's possible to run ppp in the background while specifying a 703# program to use to obtain authentication details on demand. 704# This program would usually be a simple GUI that presents a 705# prompt to a known user. The ``chap-auth'' program is supplied 706# as an example (and requires tcl version 8.0). 707# 708CHAPprompt: 709 load PAPorCHAPpmdemand 710 set authkey !/usr/share/examples/ppp/chap-auth 711 712# It's possible to do the same sort of thing at the login prompt. 713# Here, after sending ``brian'' in response to the ``name'' prompt, 714# we're prompted with ``code:''. A window is then displayed on the 715# ``keep:0.0'' display and the typed response is sent to the peer 716# as the password. We then expect to see ``MTU'' and ``.'' in the 717# servers response. 718# 719loginprompt: 720 load pmdemand 721 set authname "brian" 722 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \ 723 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \ 724 AUTHNAME\" MTU \\c ." 725 726# ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache 727# the MAC address that connects to them, making it impossible to switch 728# your PPPoE connection between machines. 729# 730# The current implementation requires Netgraph, so it doesn't work with 731# OpenBSD or NetBSD. 732# 733# The client should be something like this: 734# 735pppoe: 736 set device PPPoE:de0:pppoe-in 737 enable lqr 738 set cd 5 739 set dial 740 set login 741 set redial 0 0 742 743# And the server should be running 744# 745# /usr/libexec/pppoed -p pppoe-in fxp0 746# 747# See rc.conf(5) 748# 749pppoe-in: 750 allow mode direct # Only for use on server-side 751 enable lqr proxy # Enable LQR and proxy-arp 752 enable chap pap passwdauth # Force client authentication 753 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers 754 accept dns # Allow DNS negotiation 755 756# It's possible to run ppp back-to-back with itself. This is useful 757# for testing. 758# 759# When testing scalability and concurrency, the following profile might 760# be used. 761# 762# Note, you'll have to make some other machine adjustments: 763# 764# o Bump maxusers in your kernel configuration to about 256 so that there 765# are enough process table slots. 766# o Bump system file descriptors with ``sysctl kern.maxfiles=20480''. You'll 767# need 3 descriptors per ppp process (assuming no server socket). 768# o If you're not using DEVFS, create device notes with 769# ``cd /dev; ./MAKEDEV tun5000''. 770# 771# You can now create 2000 processes (1000 pairs) with: 772# 773# n=0 774# while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done 775# 776# If you want to test concurrency, try using ``ppp -dd loop'' instead. 777# 778loop: 779 set timeout 0 780 set log 781 set device "!ppp -direct loop-in" 782 set dial 783 set login 784 set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255 785 disable deflate pred1 mppe 786 deny deflate pred1 mppe 787 788loop-in: 789 set timeout 0 790 set log 791 allow mode direct 792 set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255 793 disable deflate pred1 mppe 794 deny deflate pred1 mppe 795