1#################################################################
2#
3#              PPP  Sample Configuration File
4#
5#           Originally written by Toshiharu OHNO
6#
7# $FreeBSD: src/share/examples/ppp/ppp.conf.sample,v 1.16.2.10 2003/05/03 21:35:06 keramida Exp $
8# $DragonFly: src/share/examples/ppp/ppp.conf.sample,v 1.2 2003/06/17 04:36:57 dillon Exp $
9#
10#################################################################
11
12# This file is separated into sections.  Each section is named with
13# a label starting in column 0 and followed directly by a ``:''.  The
14# section continues until the next label.  Blank lines and characters
15# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\''
16# or quoted with "").  All commands inside sections that do not begin
17# with ``!'' (e.g., ``!include'') *must* be indented by at least one
18# space or tab or they will not be recognized!
19#
20# Lines beginning with "!include" will ``include'' another file.  You
21# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
22#
23
24# Default setup. Always executed when PPP is invoked.
25#  This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
26#
27#  This is the best place to specify your modem device, its DTR rate,
28#  your dial script and any logging specification.  Logging specs should
29#  be done first so that the results of subsequent commands are logged.
30#
31default:
32 set log Phase Chat LCP IPCP CCP tun command
33 set device /dev/cuaa1
34 set speed 115200
35 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
36           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
37
38# Client side PPP
39#
40#  Although the PPP protocol is a peer to peer protocol, we normally
41#  consider the side that initiates the connection as the client and
42#  the side that receives the connection as the server.  Authentication
43#  is required by the server either using a unix-style login procedure
44#  or by demanding PAP or CHAP authentication from the client.
45#
46
47# An on demand example where we have dynamic IP addresses and wish to
48# use a unix-style login script:
49#
50#  If the peer assigns us an arbitrary IP (most ISPs do this) and we
51#  can't predict what their IP will be either, take a wild guess at
52#  some IPs that you can't currently route to.  Ppp can change this
53#  when the link comes up.
54#
55#  The /0 bit in "set ifaddr" says that we insist on 0 bits of the
56#  specified IP actually being correct, therefore, the other side can assign
57#  any IP number.
58#
59#  The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
60#  IP number, forcing the peer to make the decision.  This is necessary
61#  when negotiating with some (broken) ppp implementations.
62#
63#  This entry also works with static IP numbers or when not in -auto mode.
64#  The ``add'' line adds a `sticky' default route that will be updated if
65#  and when any of the IP numbers are changed in IPCP negotiations.
66#  The "set ifaddr" is required in -auto mode only.
67#  It's better to put the ``add'' line in ppp.linkup when not in -auto mode.
68#
69#  Finally, the ``enable dns'' line tells ppp to ask the peer for the
70#  nameserver addresses that should be used.  This isn't always supported
71#  by the other side, but if it is, ppp will update /etc/resolv.conf with
72#  the correct nameserver values at connection time.
73#
74#  The login script shown says that you're expecting ``ogin:''.  If you
75#  don't receive that, send a ``\n'' and expect ``ogin:'' again.  When
76#  it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
77#  You *MUST* customise this login script according to your local
78#  requirements.
79#
80pmdemand:
81 set phone 1234567
82 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
83 set timeout 120
84 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
85 add default HISADDR
86 enable dns
87
88# If you want to use PAP or CHAP instead of using a unix-style login
89# procedure, do the following.  Note, the peer suggests whether we
90# should send PAP or CHAP.  By default, we send whatever we're asked for.
91#
92# You *MUST* customise ``MyName'' and ``MyKey'' below.
93#
94PAPorCHAPpmdemand:
95 set phone 1234567
96 set login
97 set authname "MyName"
98 set authkey "MyKey"
99 set timeout 120
100 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
101 add default HISADDR
102 enable dns
103
104# On demand dialup example with static IP addresses:
105#  Here, the local side uses 192.244.185.226 and the remote side
106#  uses 192.244.176.44.
107#
108#  # ppp -auto ondemand
109#
110#  With static IP numbers, our setup is similar to dynamic:
111#  Remember, ppp.linkup is searched for a "192.244.176.44" label, then
112#  a "ondemand" label, and finally the "MYADDR" label.
113#
114ondemand:
115 set phone 1234567
116 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
117 set timeout 120
118 set ifaddr 192.244.185.226 192.244.176.44
119 add default HISADDR
120 enable dns
121
122# An on-demand dialup example using an external Terminal Adapter (TA)
123# that supports multi-link ppp itself.
124#
125# This may be specific to the AETHRA TA.
126#
127TA:
128 set phone 12345678	# Replace this with your ISPs phone number
129
130 set authname "somename"  # Replace these with your login name & password.
131 set authkey "somepasswd" # This profile assumes you're using PAP or CHAP.
132
133 enable lqr
134 set reconnect 3 5
135 set redial 3 10
136 set lqrperiod 45
137 disable pred1 deflate mppe
138 deny pred1 deflate mppe
139
140 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \
141           OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
142 set login
143 set logout
144 set hangup
145
146 set timeout 60 300	# The minimum charge period is 5 minutes, so don't
147			# hangup before then
148
149 set device /dev/cuaa0	# Or whatever
150 set speed 115200	# Use as high a speed as possible
151
152 enable dns		# Ask the peer what to put in resolv.conf
153
154 # Take a wild guess at an IP number and let the other side decide
155 set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0
156 add! default hisaddr
157
158 set mru 1504			# Some extra room for the MP header
159
160 set server /var/run/ppp/ppp-TA "" 0177	# The diagnostic port (-rw-------)
161
162
163#                          Example segments
164#
165# The following lines may be included as part of your configuration
166# section and aren't themselves complete.  They're provided as examples
167# of how to achieve different things.
168
169examples:
170# Multi-phone example.  Numbers separated by a : are used sequentially.
171# Numbers separated by a | are used if the previous dial or login script
172# failed.  Usually, you will prefer to use only one of | or :, but both
173# are allowed.
174#
175    set phone 12345678|12345679:12345670|12345671
176#
177# Some phone numbers may include # characters - don't forget to escape
178# (or quote) them:
179#
180    set phone "12345##678"
181#
182# Ppp can accept control instructions from the ``pppctl'' program.
183# First, you must set up your control socket.  It's safest to use
184# a UNIX domain socket, and watch the permissions:
185#
186    set server /var/run/ppp/internet MySecretPassword 0177
187#
188# Although a TCP port may be used if you want to allow control
189# connections from other machines:
190#
191    set server 6670 MySecretpassword
192#
193# If you don't like ppp's builtin chat, use an external one:
194#
195    set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\""
196#
197# If we have a ``strange'' modem that must be re-initialized when we
198# hangup:
199#
200    set hangup "\"\" AT OK-AT-OK ATZ OK"
201#
202# To adjust logging without blowing away the setting in default:
203#
204    set log -command +tcp/ip
205#
206# To see log messages on the screen in interactive mode:
207#
208    set log local LCP IPCP CCP
209#
210# If you're seeing a lot of magic number problems and failed connections,
211# try this (see the man page):
212#
213    set openmode active 5
214#
215# For noisy lines, we may want to reconnect (up to 20 times) after loss
216# of carrier, with 3 second delays between each attempt:
217#
218    set reconnect 3 20
219#
220# When playing server for M$ clients, tell them who our NetBIOS name
221# servers are:
222#
223    set nbns 10.0.0.1 10.0.0.2
224#
225# Inform the client if they ask for our DNS IP numbers:
226#
227    enable dns
228#
229# If you don't want to tell them what's in your /etc/resolv.conf file
230# with `enable dns', override the values:
231#
232    set dns 10.0.0.1 10.0.0.2
233#
234# Some people like to prioritize DNS packets:
235#
236   set urgent udp +53
237#
238# If we're using the -nat switch, redirect ftp and http to an internal
239# machine:
240#
241    nat port tcp 10.0.0.2:ftp ftp
242    nat port tcp 10.0.0.2:http http
243#
244# or don't trust the outside at all
245#
246    nat deny_incoming yes
247#
248# I trust user brian to run ppp, so this goes in the `default' section:
249#
250    allow user brian
251#
252# But label `internet' contains passwords that even brian can't have, so
253# I empty out the user access list in that section so that only root can
254# have access:
255#
256    allow users
257#
258# I also may wish to set up my ppp login script so that it asks the client
259# for the label they wish to use.  I may only want user ``dodgy'' to access
260# their own label in direct mode:
261#
262dodgy:
263    allow user dodgy
264    allow mode direct
265#
266# We don't want certain packets to keep our connection alive
267#
268    set filter alive 0 deny udp src eq 520         # routed
269    set filter alive 1 deny udp dst eq 520         # routed
270    set filter alive 2 deny udp src eq 513         # rwhod
271    set filter alive 3 deny udp src eq 525         # timed
272    set filter alive 4 deny udp src eq 137         # NetBIOS name service
273    set filter alive 5 deny udp src eq 138         # NetBIOS datagram service
274    set filter alive 6 deny tcp src eq 139         # NetBIOS session service
275    set filter alive 7 deny udp dst eq 137         # NetBIOS name service
276    set filter alive 8 deny udp dst eq 138         # NetBIOS datagram service
277    set filter alive 9 deny tcp dst eq 139         # NetBIOS session service
278    set filter alive 10 deny 0/0 MYADDR icmp       # Ping to us from outside
279    set filter alive 11 permit 0/0 0/0
280#
281# And in auto mode, we don't want certain packets to cause a dialup
282#
283    set filter dial 0 deny udp src eq 513          # rwhod
284    set filter dial 1 deny udp src eq 525          # timed
285    set filter dial 2 deny udp src eq 137          # NetBIOS name service
286    set filter dial 3 deny udp src eq 138          # NetBIOS datagram service
287    set filter dial 4 deny tcp src eq 139          # NetBIOS session service
288    set filter dial 5 deny udp dst eq 137          # NetBIOS name service
289    set filter dial 6 deny udp dst eq 138          # NetBIOS datagram service
290    set filter dial 7 deny tcp dst eq 139          # NetBIOS session service
291    set filter dial 8 deny tcp finrst              # Badly closed TCP channels
292    set filter dial 9 permit 0 0
293#
294# Once the line's up, allow these connections
295#
296    set filter in  0 permit tcp dst eq 113            # ident
297    set filter out 0 permit tcp src eq 113            # ident
298    set filter in  1 permit tcp src eq 23 estab       # telnet
299    set filter out 1 permit tcp dst eq 23             # telnet
300    set filter in  2 permit tcp src eq 21 estab       # ftp
301    set filter out 2 permit tcp dst eq 21             # ftp
302    set filter in  3 permit tcp src eq 20 dst gt 1023 # ftp-data
303    set filter out 3 permit tcp dst eq 20             # ftp-data
304    set filter in  4 permit udp src eq 53             # DNS
305    set filter out 4 permit udp dst eq 53             # DNS
306    set filter in  5 permit 192.244.191.0/24 0/0      # Where I work
307    set filter out 5 permit 0/0 192.244.191.0/24      # Where I work
308    set filter in  6 permit icmp                      # pings
309    set filter out 6 permit icmp                      # pings
310    set filter in  7 permit udp dst gt 33433          # traceroute
311    set filter out 7 permit udp dst gt 33433          # traceroute
312
313#
314# ``dodgynet'' is an example intended for an autodial configuration which
315# is connecting a local network to a host on an untrusted network.
316dodgynet:
317    set log Phase                               # Log link uptime
318    allow mode auto                             # For autoconnect only
319    set device /dev/cuaa1                       # Define modem device and speed
320    set speed 115200
321    deny lqr                                    # Don't support LQR
322    set phone 0W1194                            # Remote system phone number,
323    set authname "pppLogin"                     # login
324    set authkey "MyPassword"                    # and password
325    set dial "ABORT BUSY ABORT NO\\sCARRIER \   # Chat script to dial the peer
326              TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
327              ATE1Q0M0 OK \\dATDT\\T \
328              TIMEOUT 40 CONNECT"
329    set login "TIMEOUT 10 \"\" \"\" \           # And to login to remote system
330               gin:--gin: \\U word: \\P"
331
332    # Drop the link after 15 minutes of inactivity
333    # Inactivity is defined by the `set filter alive' line below
334    set timeout 900
335
336    # Hard-code remote system to appear within local subnet and use proxy arp
337    # to make this system the gateway for the rest of the local network
338    set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
339    enable proxy
340
341    # Allow any TCP packet to keep the link alive
342    set filter alive 0 permit tcp
343
344    # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
345    # private TCP ports 24 and 4000
346    set filter dial  0 7      0 0 tcp dst eq http
347    set filter dial  1 7      0 0 tcp dst eq login
348    set filter dial  2 7      0 0 tcp dst eq shell
349    set filter dial  3 7      0 0 tcp dst eq telnet
350    set filter dial  4 7      0 0 tcp dst eq ftp
351    set filter dial  5 7      0 0 tcp dst eq 24
352    set filter dial  6 deny ! 0 0 tcp dst eq 4000
353
354    # From hosts on a couple of local subnets to the remote peer
355    # If the remote host allowed IP forwarding and we wanted to use it, the
356    # following rules could be split into two groups to separately validate
357    # the source and destination addresses.
358    set filter dial  7 permit 172.17.16.0/20  172.17.20.248
359    set filter dial  8 permit 172.17.36.0/22  172.17.20.248
360    set filter dial  9 permit 172.17.118.0/26 172.17.20.248
361    set filter dial 10 permit 10.123.5.0/24   172.17.20.248
362
363    # Once the link's up, limit outgoing access to the specified hosts
364    set filter out  0 4      172.17.16.0/20  172.17.20.248
365    set filter out  1 4      172.17.36.0/22  172.17.20.248
366    set filter out  2 4      172.17.118.0/26 172.17.20.248
367    set filter out  3 deny ! 10.123.5.0/24   172.17.20.248
368
369    # Allow established TCP connections
370    set filter out  4 permit 0 0 tcp estab
371
372    # And new connections to http, rlogin, rsh, telnet, ftp and ports
373    # 24 and 4000
374    set filter out  5 permit 0 0 tcp dst eq http
375    set filter out  6 permit 0 0 tcp dst eq login
376    set filter out  7 permit 0 0 tcp dst eq shell
377    set filter out  8 permit 0 0 tcp dst eq telnet
378    set filter out  9 permit 0 0 tcp dst eq ftp
379    set filter out 10 permit 0 0 tcp dst eq 24
380    set filter out 11 permit 0 0 tcp dst eq 4000
381
382    # And outgoing icmp
383    set filter out 12 permit 0 0 icmp
384
385    # Once the link's up, limit incoming access to the specified hosts
386    set filter in   0 4      172.17.20.248  172.17.16.0/20
387    set filter in   1 4      172.17.20.248  172.17.36.0/22
388    set filter in   2 4      172.17.20.248  172.17.118.0/26
389    set filter in   3 deny ! 172.17.20.248  10.123.5.0/24
390
391    # Established TCP connections and non-PASV FTP
392    set filter in   4 permit 0/0  0/0  tcp estab
393    set filter in   5 permit 0/0  0/0  tcp src eq 20
394
395    # Useful ICMP messages
396    set filter in   6 permit 0/0  0/0  icmp src eq 3
397    set filter in   7 permit 0/0  0/0  icmp src eq 4
398    set filter in   8 permit 0/0  0/0  icmp src eq 11
399    set filter in   9 permit 0/0  0/0  icmp src eq 12
400
401    # Echo reply (local systems can ping the remote host)
402    set filter in  10 permit 0/0  0/0  icmp src eq 0
403
404    # And the remote host can ping the local gateway (only)
405    set filter in  11 permit 0/0  172.17.20.247 icmp src eq 8
406
407
408# Server side PPP
409#
410#  If you want the remote system to authenticate itself, you must insist
411#  that the peer uses CHAP or PAP with the "enable" keyword.  Both CHAP and
412#  PAP are disabled by default.  You may enable either or both.  If both
413#  are enabled, CHAP is requested first.  If the client doesn't agree, PAP
414#  will then be requested.
415#
416#  Note:  If you use the getty/login process to authenticate users, you
417#         don't need to enable CHAP or PAP, but the user that has logged
418#         in *MUST* be a member of the ``network'' group (in /etc/group).
419#
420#  Note:  Chap80 and chap81 are Microsoft variations of standard chap (05).
421#
422#  If you wish to allow any user in the passwd database ppp access, you
423#  can ``enable passwdauth'', but this will only work with PAP.
424#
425#  When the peer authenticates itself, we use ppp.secret for verification
426#  (although refer to the ``set radius'' command below for an alternative).
427#
428#  Note:  We may supply a third field in ppp.secret specifying the IP
429#         address for that user, a fourth field to specify the
430#         ppp.link{up,down} label to use and a fifth field to specify
431#         callback characteristics.
432#
433#  The easiest way to allow transparent LAN access to your dialin users
434#  is to assign them a number from your local LAN and tell ppp to make a
435#  ``proxy'' arp entry for them.  In this example, we have a local LAN
436#  with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
437#  ppp clients between 10.0.0.100 and 10.0.0.199.  It is possible to
438#  override the dynamic IP number with a static IP number specified in
439#  ppp.secret.
440#
441#  Ppp is launched with:
442#   # ppp -direct server
443#
444server:
445 enable chap chap80 chap81 pap passwdauth
446 enable proxy
447 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
448 accept dns
449
450# Example of a RADIUS configuration:
451#  If there are one or more radius servers available, we can use them
452#  instead of the ppp.secret file.  Simply put then in a radius
453#  configuration file (usually /etc/radius.conf) and give ppp the
454#  file name.
455#  Ppp will use the FRAMED characteristics supplied by the radius server
456#  to configure the link.
457
458radius-server:
459 load server			# load in the server config from above
460 set radius /etc/radius.conf
461
462
463# Example to connect using a null-modem cable:
464#  The important thing here is to allow the lqr packets on both sides.
465#  Without them enabled, we can't tell if the line's dropped - there
466#  should always be carrier on a direct connection.
467#  Here, the server sends lqr's every 10 seconds and quits if five in a
468#  row fail.
469#
470#  Make sure you don't have "deny lqr" in your default: on the client !
471#  If the peer denies LQR, we still send ECHO LQR packets at the given
472#  lqrperiod interval (ppp-style-pings).
473#
474direct-client:
475 set dial
476 set device /dev/cuaa0
477 set sp 115200
478 set timeout 900
479 set lqrperiod 10
480 set log Phase Chat LQM
481 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
482 set ifaddr 10.0.4.2 10.0.4.1
483 enable lqr
484 accept lqr
485
486direct-server:
487 set timeout 0
488 set lqrperiod 10
489 set log Phase LQM
490 set ifaddr 10.0.4.1 10.0.4.2
491 enable lqr
492 accept lqr
493
494
495# Example to connect via compuserve
496#  Compuserve insists on 7 bits even parity during the chat phase.  Modem
497#  parity is always reset to ``none'' after the link has been established.
498#
499compuserve:
500 set phone 1234567
501 set parity even
502 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
503            word: XXXXXXXX PPP"
504 set timeout 300
505 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
506 delete ALL
507 add default HISADDR
508
509
510# Example for PPP over TCP.
511#  We assume that inetd on tcpsrv.mynet has been
512#  configured to run "ppp -direct tcp-server" when it gets a connection on
513#  port 1234 with an entry something like this in /etc/inetd.conf.:
514#
515#    ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server
516#
517#  with this in /etc/services:
518#
519#    ppp 6671/tcp
520#
521#  Read the man page for further details.
522#
523#  Note, we assume we're using a binary-clean connection.  If something
524#  such as `rlogin' is involved, you may need to ``set escape 0xff''
525#
526tcp-client:
527 set device tcpsrv.mynet:1234
528 set dial
529 set login
530 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
531
532tcp-server:
533 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
534
535
536# Using UDP is also possible with this in /etc/inetd.conf:
537#
538#   ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server
539#
540# and this in /etc/services:
541#
542#    ppp 6671/tcp
543#
544udp-client:
545 set device udpsrv.mynet:1234/udp
546 set dial
547 set login
548 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
549
550udp-server:
551 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
552
553
554# Example for PPP testing.
555#  If you want to test ppp, do it through the loopback interface:
556#
557#  Requires a line in /etc/services:
558#    ppploop 6671/tcp # loopback ppp daemon
559#
560#  and a line in /etc/inetd.conf:
561#    ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in
562#
563inet-loop:
564 set timeout 0
565 set log phase chat connect lcp ipcp command
566 set device localhost:ppploop
567 set dial
568 set login
569 set ifaddr 127.0.0.2 127.0.0.3
570 set server /var/run/ppp/loop "" 0177
571
572inet-loop-in:
573 set timeout 0
574 set log phase lcp ipcp command
575 allow mode direct
576
577# Example of a VPN.
578#  If you're going to create a tunnel through a public network, your VPN
579#  should be set up something like this:
580#
581#  You should already have set up ssh using ssh-agent & ssh-add.
582#
583sloop:
584 load inet-loop
585 # Passive mode allows ssh plenty of time to establish the connection
586 set openmode passive
587 set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in"
588
589
590# or a better VPN solution (which doesn't run IP over a reliable
591# protocol like tcp) may be:
592#
593vpn-client:
594 set device udpsrv.mynet:1234/udp               # PPP over UDP
595 set dial
596 set login
597 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
598 disable deflate pred1
599 deny deflate pred1
600 enable MPPE                                    # With encryption
601 accept MPPE
602
603vpn-server:
604 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
605 disable deflate pred1
606 deny deflate pred1
607 enable MPPE
608 accept MPPE
609 enable chap81                                  # Required for MPPE
610
611# Example of non-PPP callback.
612#  If you wish to connect to a server that will dial back *without* using
613#  the ppp callback facility (rfc1570), take advantage of the fact that
614#  ppp doesn't look for carrier 'till `set login' is complete:
615#
616#  Here, we expect the server to say DIALBACK then disconnect after
617#  we've authenticated ourselves.  When this has happened, we wait
618#  60 seconds for a RING.
619#
620#  Note, it's important that we tell ppp not to expect carrier, otherwise
621#  we'll drop out at the ``NO CARRIER'' stage.
622#
623dialback:
624 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
625           ATDT\\T TIMEOUT 60 CONNECT"
626 set cd off
627 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
628           \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
629
630# Example of PPP callback.
631#  Alternatively, if the peer is using the PPP callback protocol, we're
632#  happy either with ``auth'' style callback where the server dials us
633#  back based on what we authenticate ourselves with, ``cbcp'' style
634#  callback (invented by Microsoft but not agreed by the IETF) where
635#  we negotiate callback *after* authentication or E.164 callback where
636#  we specify only a phone number.  I would recommend only ``auth'' and/or
637#  ``cbcp'' callback methods.
638#  For ``cbcp'', we insist that we choose ``1234567'' as the number that
639#  the server must call back.
640#
641callback:
642 load pmdemand                                    # load in the pmdemand config
643 set callback auth cbcp e.164 1234567
644 set cbcp 1234567
645
646# If we're running a ppp server that wants to only call back microsoft
647# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
648#
649callback-server:
650 load server
651 set callback cbcp
652 set cbcp
653 set log +cbcp
654 set redial 3 1
655 set device /dev/cuaa0
656 set speed 115200
657 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
658
659# Or if we want to allow authenticated clients to specify their own
660# callback number:
661#
662callback-server-client-decides:
663 load callback-server
664 set cbcp *
665
666# Multilink mode is available (rfc1990).
667#  To enable multi-link capabilities, you must specify a MRRU.  1500 is
668#  a reasonable value.  To create new links, use the ``clone'' command
669#  to duplicate an existing link.  If you already have more than one
670#  link, you must specify which link you wish to run the command on via
671#  the ``link'' command.
672#
673#  It's worth increasing your MTU and MRU slightly in multi-link mode to
674#  prevent full packets from being fragmented.
675#
676#  See ppp.conf.isdn for an example of how to do multi-link isdn.
677#
678#  You can now ``dial'' specific links, or even dial all links at the
679#  same time.  The `dial' command may also be prefixed with a specific
680#  link that should do the dialing.
681#
682mloop:
683 load loop
684 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2   # Use any of these devices
685 set mode interactive
686 set mrru 1500
687 set mru 1504                                  # Room for the MP header
688 clone 1 2 3
689 link deflink remove
690 # dial
691 # link 2 dial
692 # link 3 dial
693
694mloop-in:
695 set timeout 0                                 # No idle timer
696 set log tun phase
697 allow mode direct
698 set mrru 1500
699 set mru 1504                                  # Room for the MP header
700
701# User supplied authentication:
702#  It's possible to run ppp in the background while specifying a
703#  program to use to obtain authentication details on demand.
704#  This program would usually be a simple GUI that presents a
705#  prompt to a known user.  The ``chap-auth'' program is supplied
706#  as an example (and requires tcl version 8.0).
707#
708CHAPprompt:
709 load PAPorCHAPpmdemand
710 set authkey !/usr/share/examples/ppp/chap-auth
711
712#  It's possible to do the same sort of thing at the login prompt.
713#  Here, after sending ``brian'' in response to the ``name'' prompt,
714#  we're prompted with ``code:''.  A window is then displayed on the
715#  ``keep:0.0'' display and the typed response is sent to the peer
716#  as the password.  We then expect to see ``MTU'' and ``.'' in the
717#  servers response.
718#
719loginprompt:
720 load pmdemand
721 set authname "brian"
722 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
723            code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
724                    AUTHNAME\" MTU \\c ."
725
726# ppp supports ppp over ethernet (PPPoE).  Beware, many PPP servers cache
727# the MAC address that connects to them, making it impossible to switch
728# your PPPoE connection between machines.
729#
730# The current implementation requires Netgraph, so it doesn't work with
731# OpenBSD or NetBSD.
732#
733# The client should be something like this:
734#
735pppoe:
736 set device PPPoE:de0:pppoe-in
737 enable lqr
738 set cd 5
739 set dial
740 set login
741 set redial 0 0
742
743# And the server should be running
744#
745#   /usr/libexec/pppoed -p pppoe-in fxp0
746#
747# See rc.conf(5)
748#
749pppoe-in:
750 allow mode direct				# Only for use on server-side
751 enable lqr proxy				# Enable LQR and proxy-arp
752 enable chap pap passwdauth			# Force client authentication
753 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199	# Hand out up to 100 IP numbers
754 accept dns					# Allow DNS negotiation
755
756# It's possible to run ppp back-to-back with itself.  This is useful
757# for testing.
758#
759# When testing scalability and concurrency, the following profile might
760# be used.
761#
762# Note, you'll have to make some other machine adjustments:
763#
764#  o Bump maxusers in your kernel configuration to about 256 so that there
765#    are enough process table slots.
766#  o Bump system file descriptors with ``sysctl kern.maxfiles=20480''.  You'll
767#    need 3 descriptors per ppp process (assuming no server socket).
768#
769# You can now create 2000 processes (1000 pairs) with:
770#
771#    n=0
772#    while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done
773#
774# If you want to test concurrency, try using ``ppp -dd loop'' instead.
775#
776loop:
777 set timeout 0
778 set log
779 set device "!ppp -direct loop-in"
780 set dial
781 set login
782 set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255
783 disable deflate pred1 mppe
784 deny deflate pred1 mppe
785
786loop-in:
787 set timeout 0
788 set log
789 allow mode direct
790 set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255
791 disable deflate pred1 mppe
792 deny deflate pred1 mppe
793