#################################################################
#
#	PPP  Sample Configuration File
#
#	      Originally written by Toshiharu OHNO
#
#
#################################################################

# This file is separated into sections.  Each section is named with
# a label starting in column 0 and followed directly by a ``:''.  The
# section continues until the next label.  Blank lines and characters
# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\''
# or quoted with "").  All commands inside sections that do not begin
# with ``!'' (e.g., ``!include'') *must* be indented by at least one
# space or tab or they will not be recognized!
#
# Lines beginning with "!include" will ``include'' another file.  You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#

# Default setup.  Always executed when PPP is invoked.
# This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
#
# This is the best place to specify your modem device, its DTR rate,
# your dial script and any logging specification.  Logging specs should
# be done first so that the results of subsequent commands are logged.
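#
# As an added worked example (added by the editor; it is not part of this
# sample file and not ppp's own reader), the Python parser below implements
# the section rules just described: labels in column 0 ending in ``:'',
# indented commands, ``#'' comments unless the ``#'' is escaped or quoted,
# ``!include'' lines, and backslash line continuation.  The file contents,
# including the ``extra.conf'' include target, are constructed in memory so
# it runs offline.  The continuation rule used (drop the trailing ``\'' and
# the next line's leading blanks) is an assumption about ppp's reader, not
# something this file states.  Where ppp silently ignores an unindented
# command, the parser rejects it, so a mis-indented ``allow users'' cannot
# quietly leave a wider ``allow user'' list from ``default:'' in force.
#
```python
"""Parser for the ppp.conf section format (added example, not ppp's own code)."""
import re
from typing import Dict, List

# Constructed in-memory stand-ins for /etc/ppp/ppp.conf and an included file.
FILES: Dict[str, str] = {
    "ppp.conf": r"""
# Comment lines and blank lines are ignored.
default:
 set log Phase Chat LCP IPCP CCP tun command   # trailing comment
 set device /dev/cuau1
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
!include extra.conf
examples:
 set phone "12345##678"          # a quoted # is data
 set phone 12345\#678            # so is an escaped one
 allow users
""",
    "extra.conf": r"""
pmdemand:
 set phone 1234567
 enable dns
""",
}

LABEL_RE = re.compile(r"^([^\s:]+):\s*$")  # label in column 0 followed by ':'


def strip_comment(line: str) -> str:
    """Cut a trailing '# ...' comment.  A '#' starts a comment only when it is
    neither escaped with a backslash nor inside double quotes; the escapes and
    quotes themselves are kept for ppp's own argument splitting."""
    in_quote = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            i += 2  # skip the escaped character, whatever it is
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
        i += 1
    return line


def _continues(text: str) -> bool:
    """True when text ends in an odd run of backslashes: a continuation, not an
    escaped backslash such as the doubled one in NO\\\\sCARRIER."""
    trailing = len(text) - len(text.rstrip("\\"))
    return trailing % 2 == 1


def expand_includes(name: str, files: Dict[str, str], depth: int = 0) -> List[str]:
    """Replace each '!include file' line with that file's lines, recursively."""
    if depth > 8:
        raise ValueError(f"!include nesting too deep at {name}")
    out: List[str] = []
    for raw in files[name].splitlines():
        if raw.startswith("!include"):
            parts = raw.split(None, 1)
            if len(parts) != 2:
                raise ValueError(f"!include without a file name: {raw!r}")
            out.extend(expand_includes(parts[1].strip(), files, depth + 1))
        else:
            out.append(raw)
    return out


def parse_ppp_conf(name: str, files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {label: [command, ...]} for the file called name in files."""
    sections: Dict[str, List[str]] = {}
    current = None
    pending = ""  # text of a command continued with a trailing backslash
    for raw in expand_includes(name, files):
        piece = strip_comment(raw).rstrip()
        if pending:
            piece = pending + piece.lstrip()
            pending = ""
        if _continues(piece):
            pending = piece[:-1]
            continue
        if not piece.strip():
            continue
        label = LABEL_RE.match(piece)
        if label:
            current = label.group(1)
            sections.setdefault(current, [])
            continue
        if piece[0] not in " \t":
            # ppp would silently skip this line; a silently dropped
            # 'allow users' widens access, so treat it as an error instead.
            raise ValueError(f"unindented command is not recognised: {piece!r}")
        if current is None:
            raise ValueError(f"command before any label: {piece!r}")
        sections[current].append(piece.strip())
    if pending:
        raise ValueError("file ends inside a continued line")
    return sections


if __name__ == "__main__":
    for label, cmds in parse_ppp_conf("ppp.conf", FILES).items():
        print(f"{label}:")
        for cmd in cmds:
            print(f"  {cmd}")
```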
#
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuau1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

# Client side PPP
#
# Although the PPP protocol is a peer to peer protocol, we normally
# consider the side that initiates the connection as the client and
# the side that receives the connection as the server.  Authentication
# is required by the server either using a unix-style login procedure
# or by demanding PAP or CHAP authentication from the client.
#

# An on demand example where we have dynamic IP addresses and wish to
# use a unix-style login script:
#
# If the peer assigns us an arbitrary IP (most ISPs do this) and we
# can't predict what their IP will be either, take a wild guess at
# some IPs that you can't currently route to.  Ppp can change this
# when the link comes up.
#
# The /0 bit in "set ifaddr" says that we insist on 0 bits of the
# specified IP actually being correct, therefore, the other side can assign
# any IP number.
#
# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
# IP number, forcing the peer to make the decision.  This is necessary
# when negotiating with some (broken) ppp implementations.
#
# This entry also works with static IP numbers or when not in -auto mode.
# The ``add'' line adds a `sticky' default route that will be updated if
# and when any of the IP numbers are changed in IPCP negotiations.
# The "set ifaddr" is required in -auto mode only.
# It's better to put the ``add'' line in ppp.linkup when not in -auto mode.
#
# Finally, the ``enable dns'' line tells ppp to ask the peer for the
# nameserver addresses that should be used.  This isn't always supported
# by the other side, but if it is, ppp will update /etc/resolv.conf with
# the correct nameserver values at connection time.
#
# The login script shown says that you're expecting ``ogin:''.  If you
# don't receive that, send a ``\n'' and expect ``ogin:'' again.  When
# it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
# You *MUST* customise this login script according to your local
# requirements.
#
pmdemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# If you want to use PAP or CHAP instead of using a unix-style login
# procedure, do the following.  Note, the peer suggests whether we
# should send PAP or CHAP.  By default, we send whatever we're asked for.
#
# You *MUST* customise ``MyName'' and ``MyKey'' below.  The key is stored
# in clear text, so keep this file readable by root only.
#
PAPorCHAPpmdemand:
 set phone 1234567
 set login
 set authname "MyName"
 set authkey "MyKey"
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# On demand dialup example with static IP addresses:
# Here, the local side uses 192.244.185.226 and the remote side
# uses 192.244.176.44.
#
#    # ppp -auto ondemand
#
# With static IP numbers, our setup is similar to dynamic:
# Remember, ppp.linkup is searched for a "192.244.176.44" label, then
# an "ondemand" label, and finally the "MYADDR" label.
#
ondemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 192.244.185.226 192.244.176.44
 add default HISADDR
 enable dns

# An on-demand dialup example using an external Terminal Adapter (TA)
# that supports multi-link ppp itself.
#
# This may be specific to the AETHRA TA.
#
TA:
 set phone 12345678		# Replace this with your ISP's phone number

 set authname "somename"	# Replace these with your login name & password.
 set authkey "somepasswd"	# This profile assumes you're using PAP or CHAP.

 enable lqr echo
 set reconnect 3 5
 set redial 3 10
 set lqrperiod 45
 disable pred1 deflate mppe
 deny pred1 deflate mppe

 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATB41CL2048 \
           OK-AT-OK ATB40&J3E1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set login
 set logout
 set hangup

 set timeout 60 300		# The minimum charge period is 5 minutes, so don't
				# hangup before then

 set device /dev/cuau0		# Or whatever
 set speed 115200		# Use as high a speed as possible

 enable dns			# Ask the peer what to put in resolv.conf

 # Take a wild guess at an IP number and let the other side decide
 set ifaddr 172.16.0.1/0 212.0.0.0/0 0 0
 add! default hisaddr

 set mru 1504			# Some extra room for the MP header

 set server /var/run/ppp/ppp-TA "" 0177	# The diagnostic port (-rw-------)


# Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete.  They're provided as examples
# of how to achieve different things.

examples:
# Multi-phone example.  Numbers separated by a : are used sequentially.
# Numbers separated by a | are used if the previous dial or login script
# failed.  Usually, you will prefer to use only one of | or :, but both
# are allowed.
#
 set phone 12345678|12345679:12345670|12345671
#
# Some phone numbers may include # characters - don't forget to escape
# (or quote) them:
#
 set phone "12345##678"
#
# Ppp can accept control instructions from the ``pppctl'' program.
# First, you must set up your control socket.  It's safest to use
# a UNIX domain socket, and watch the permissions:
#
 set server /var/run/ppp/internet MySecretPassword 0177
#
# Although a TCP port may be used if you want to allow control
# connections from other machines.  The password crosses the network in
# clear text, so restrict which hosts can reach the port:
#
 set server 6670 MySecretpassword
#
# If you don't like ppp's builtin chat, use an external one:
#
 set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\""
#
# If we have a ``strange'' modem that must be re-initialized when we
# hangup:
#
 set hangup "\"\" AT OK-AT-OK ATZ OK"
#
# To adjust logging without blowing away the setting in default:
#
 set log -command +tcp/ip
#
# To see log messages on the screen in interactive mode:
#
 set log local LCP IPCP CCP
#
# If you're seeing a lot of magic number problems and failed connections,
# try this (see the man page):
#
 set openmode active 5
#
# For noisy lines, we may want to reconnect (up to 20 times) after loss
# of carrier, with 3 second delays between each attempt:
#
 set reconnect 3 20
#
# When playing server for M$ clients, tell them who our NetBIOS name
# servers are:
#
 set nbns 10.0.0.1 10.0.0.2
#
# Inform the client if they ask for our DNS IP numbers:
#
 enable dns
#
# If you don't want to tell them what's in your /etc/resolv.conf file
# with `enable dns', override the values:
#
 set dns 10.0.0.1 10.0.0.2
#
# Some people like to prioritize DNS packets:
#
 set urgent udp +53
#
# If we're using the -nat switch, redirect ftp and http to an internal
# machine:
#
 nat port tcp 10.0.0.2:ftp ftp
 nat port tcp 10.0.0.2:http http
#
# or don't trust the outside at all
#
 nat deny_incoming yes
#
# I trust user brian to run ppp, so this goes in the `default' section:
#
 allow user brian
#
# But label `internet' contains passwords that even brian can't have, so
# I empty out the user access list in that section so that only root can
# have access:
#
 allow users
#
# I also may wish to set up my ppp login script so that it asks the client
# for the label they wish to use.  I may only want user ``dodgy'' to access
# their own label in direct mode:
#
dodgy:
 allow user dodgy
 allow mode direct
#
# We don't want certain packets to keep our connection alive
#
 set filter alive 0 deny udp src eq 520		# routed
 set filter alive 1 deny udp dst eq 520		# routed
 set filter alive 2 deny udp src eq 513		# rwhod
 set filter alive 3 deny udp src eq 525		# timed
 set filter alive 4 deny udp src eq 137		# NetBIOS name service
 set filter alive 5 deny udp src eq 138		# NetBIOS datagram service
 set filter alive 6 deny tcp src eq 139		# NetBIOS session service
 set filter alive 7 deny udp dst eq 137		# NetBIOS name service
 set filter alive 8 deny udp dst eq 138		# NetBIOS datagram service
 set filter alive 9 deny tcp dst eq 139		# NetBIOS session service
 set filter alive 10 deny 0/0 MYADDR icmp	# Ping to us from outside
 set filter alive 11 permit 0/0 0/0
#
# And in auto mode, we don't want certain packets to cause a dialup
#
 set filter dial 0 deny udp src eq 513		# rwhod
 set filter dial 1 deny udp src eq 525		# timed
 set filter dial 2 deny udp src eq 137		# NetBIOS name service
 set filter dial 3 deny udp src eq 138		# NetBIOS datagram service
 set filter dial 4 deny tcp src eq 139		# NetBIOS session service
 set filter dial 5 deny udp dst eq 137		# NetBIOS name service
 set filter dial 6 deny udp dst eq 138		# NetBIOS datagram service
 set filter dial 7 deny tcp dst eq 139		# NetBIOS session service
 set filter dial 8 deny tcp finrst		# Badly closed TCP channels
 set filter dial 9 permit 0 0
#
# Once the line's up, allow these connections.  Note that the last pair
# admits any UDP to ports above 33433, not only traceroute probes.
#
 set filter in  0 permit tcp dst eq 113			# ident
 set filter out 0 permit tcp src eq 113			# ident
 set filter in  1 permit tcp src eq 23 estab		# telnet
 set filter out 1 permit tcp dst eq 23			# telnet
 set filter in  2 permit tcp src eq 21 estab		# ftp
 set filter out 2 permit tcp dst eq 21			# ftp
 set filter in  3 permit tcp src eq 20 dst gt 1023	# ftp-data
 set filter out 3 permit tcp dst eq 20			# ftp-data
 set filter in  4 permit udp src eq 53			# DNS
 set filter out 4 permit udp dst eq 53			# DNS
 set filter in  5 permit 192.244.191.0/24 0/0		# Where I work
 set filter out 5 permit 0/0 192.244.191.0/24		# Where I work
 set filter in  6 permit icmp				# pings
 set filter out 6 permit icmp				# pings
 set filter in  7 permit udp dst gt 33433		# traceroute
 set filter out 7 permit udp dst gt 33433		# traceroute

#
# ``dodgynet'' is an example intended for an autodial configuration which
# is connecting a local network to a host on an untrusted network.
dodgynet:
 set log Phase				# Log link uptime
 allow mode auto			# For autoconnect only
 set device /dev/cuau1			# Define modem device and speed
 set speed 115200
 deny lqr				# Don't support LQR
 set phone 0W1194			# Remote system phone number,
 set authname "pppLogin"		# login
 set authkey "MyPassword"		# and password
 set dial "ABORT BUSY ABORT NO\\sCARRIER \	# Chat script to dial the peer
	   TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
	   ATE1Q0M0 OK \\dATDT\\T \
	   TIMEOUT 40 CONNECT"
 set login "TIMEOUT 10 \"\" \"\" \		# And to login to remote system
	    gin:--gin: \\U word: \\P"

 # Drop the link after 15 minutes of inactivity
 # Inactivity is defined by the `set filter alive' line below
 set timeout 900

 # Hard-code remote system to appear within local subnet and use proxy arp
 # to make this system the gateway for the rest of the local network
 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
 enable proxy

 # Allow any TCP packet to keep the link alive
 set filter alive 0 permit tcp

 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
 # private TCP ports 24 and 4000.  A numeric action jumps to that rule
 # when the packet matches; ``deny !'' denies everything that does *not*
 # match, so anything other than TCP to port 4000 stops at rule 6.
 set filter dial 0 7 0 0 tcp dst eq http
 set filter dial 1 7 0 0 tcp dst eq login
 set filter dial 2 7 0 0 tcp dst eq shell
 set filter dial 3 7 0 0 tcp dst eq telnet
 set filter dial 4 7 0 0 tcp dst eq ftp
 set filter dial 5 7 0 0 tcp dst eq 24
 set filter dial 6 deny ! 0 0 tcp dst eq 4000

 # From hosts on a couple of local subnets to the remote peer
 # If the remote host allowed IP forwarding and we wanted to use it, the
 # following rules could be split into two groups to separately validate
 # the source and destination addresses.
 set filter dial 7 permit 172.17.16.0/20 172.17.20.248
 set filter dial 8 permit 172.17.36.0/22 172.17.20.248
 set filter dial 9 permit 172.17.118.0/26 172.17.20.248
 set filter dial 10 permit 10.123.5.0/24 172.17.20.248

 # Once the link's up, limit outgoing access to the specified hosts
 set filter out 0 4 172.17.16.0/20 172.17.20.248
 set filter out 1 4 172.17.36.0/22 172.17.20.248
 set filter out 2 4 172.17.118.0/26 172.17.20.248
 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248

 # Allow established TCP connections
 set filter out 4 permit 0 0 tcp estab

 # And new connections to http, rlogin, rsh, telnet, ftp and ports
 # 24 and 4000
 set filter out 5 permit 0 0 tcp dst eq http
 set filter out 6 permit 0 0 tcp dst eq login
 set filter out 7 permit 0 0 tcp dst eq shell
 set filter out 8 permit 0 0 tcp dst eq telnet
 set filter out 9 permit 0 0 tcp dst eq ftp
 set filter out 10 permit 0 0 tcp dst eq 24
 set filter out 11 permit 0 0 tcp dst eq 4000

 # And outgoing icmp
 set filter out 12 permit 0 0 icmp

 # Once the link's up, limit incoming access to the specified hosts
 set filter in 0 4 172.17.20.248 172.17.16.0/20
 set filter in 1 4 172.17.20.248 172.17.36.0/22
 set filter in 2 4 172.17.20.248 172.17.118.0/26
 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24

 # Established TCP connections and non-PASV FTP.  Rule 5 lets the peer
 # open a connection from source port 20 to any local port, not only to
 # an ftp-data port, so it is a statement of trust in the peer.
 set filter in 4 permit 0/0 0/0 tcp estab
 set filter in 5 permit 0/0 0/0 tcp src eq 20

 # Useful ICMP messages
 set filter in 6 permit 0/0 0/0 icmp src eq 3
 set filter in 7 permit 0/0 0/0 icmp src eq 4
 set filter in 8 permit 0/0 0/0 icmp src eq 11
 set filter in 9 permit 0/0 0/0 icmp src eq 12

 # Echo reply (local systems can ping the remote host)
 set filter in 10 permit 0/0 0/0 icmp src eq 0

 # And the remote host can ping the local gateway (only)
 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8


# Server side PPP
#
# If you want the remote system to authenticate itself, you must insist
# that the peer uses CHAP or PAP with the "enable" keyword.  Both CHAP and
# PAP are disabled by default.  You may enable either or both.  If both
# are enabled, CHAP is requested first.  If the client doesn't agree, PAP
# will then be requested.
#
# Note: If you use the getty/login process to authenticate users, you
#       don't need to enable CHAP or PAP, but the user that has logged
#       in *MUST* be a member of the ``network'' group (in /etc/group).
#
# Note: Chap80 and chap81 are Microsoft variations of standard chap (05),
#       i.e. MS-CHAPv1 and MS-CHAPv2 respectively.
#
# If you wish to allow any user in the passwd database ppp access, you
# can ``enable passwdauth'', but this will only work with PAP: CHAP needs
# the clear text secret, which the passwd database does not hold.
#
# When the peer authenticates itself, we use ppp.secret for verification
# (although refer to the ``set radius'' command below for an alternative).
#
# Note: We may supply a third field in ppp.secret specifying the IP
#       address for that user, a fourth field to specify the
#       ppp.link{up,down} label to use and a fifth field to specify
#       callback characteristics.
#
# The easiest way to allow transparent LAN access to your dialin users
# is to assign them a number from your local LAN and tell ppp to make a
# ``proxy'' arp entry for them.  In this example, we have a local LAN
# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
# ppp clients between 10.0.0.100 and 10.0.0.199.  It is possible to
# override the dynamic IP number with a static IP number specified in
# ppp.secret.
#
# Ppp is launched with:
#   # ppp -direct server
#
server:
 enable chap chap80 chap81 pap passwdauth
 enable proxy
 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
 accept dns

# Example of a RADIUS configuration:
# If there are one or more radius servers available, we can use them
# instead of the ppp.secret file.  Simply put them in a radius
# configuration file (usually /etc/radius.conf) and give ppp the
# file name.
# Ppp will use the FRAMED characteristics supplied by the radius server
# to configure the link.

radius-server:
 load server			# load in the server config from above
 set radius /etc/radius.conf


# Example to connect using a null-modem cable:
# The important thing here is to allow the lqr packets on both sides.
# Without them enabled, we can't tell if the line's dropped - there
# should always be carrier on a direct connection.
# Here, the server sends lqr's every 10 seconds and quits if five in a
# row fail.
#
# Make sure you don't have "deny lqr" in your default: on the client !
# If the peer denies LQR, we still send ECHO LQR packets at the given
# lqrperiod interval (ppp-style-pings).
#
direct-client:
 set dial
 set device /dev/cuau0
 set sp 115200
 set timeout 900
 set lqrperiod 10
 set log Phase Chat LQM
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
 set ifaddr 10.0.4.2 10.0.4.1
 enable lqr echo
 accept lqr

direct-server:
 set timeout 0
 set lqrperiod 10
 set log Phase LQM
 set ifaddr 10.0.4.1 10.0.4.2
 enable lqr echo
 accept lqr


# Example to connect via compuserve
# Compuserve insists on 7 bits even parity during the chat phase.  Modem
# parity is always reset to ``none'' after the link has been established.
#
compuserve:
 set phone 1234567
 set parity even
 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
            word: XXXXXXXX PPP"
 set timeout 300
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 delete ALL
 add default HISADDR


# Example for PPP over TCP.
# We assume that inetd on tcpsrv.mynet has been
# configured to run "ppp -direct tcp-server" when it gets a connection on
# port 6671 with an entry something like this in /etc/inetd.conf:
#
#   ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server
#
# with this in /etc/services:
#
#   ppp 6671/tcp
#
# Read the man page for further details.
#
# Note, we assume we're using a binary-clean connection.  If something
# such as `rlogin' is involved, you may need to ``set escape 0xff''
#
# Note also that nothing in tcp-server (or udp-server below) authenticates
# the peer: anyone who can reach the port gets a link.  Unless the network
# between the two hosts is trusted, add ``enable chap'' or ``enable pap''
# and a ppp.secret entry as in the server side example above.
#
tcp-client:
 set device tcpsrv.mynet:6671
 set dial
 set login
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0

tcp-server:
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0


# Using UDP is also possible with this in /etc/inetd.conf:
#
#   ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server
#
# and this in /etc/services:
#
#   ppp 6671/udp
#
udp-client:
 set device udpsrv.mynet:6671/udp
 set dial
 set login
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0

udp-server:
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
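
#
# The ``dodgynet'' dial filter above is the kind of rule set that is easy
# to misread, so here is an added worked example (added by the editor; it
# is not code from ppp or from this file): a Python evaluator that parses
# those ``set filter'' lines verbatim and walks them the way I read ppp(8)
# to specify them.  Rules are tried from 0; a matching permit or deny
# decides; a matching numeric action jumps to that rule; ``!'' inverts a
# match; falling off the end denies; an empty filter permits.  Those
# semantics, the ``estab'' equals ACK-set simplification, the guard against
# backward jumps, the SERVICES table (a constructed subset of /etc/services)
# and the sample packets are all the editor's assumptions or constructions.
# Running it shows that the filter only ever dials for TCP to the listed
# ports from the listed subnets: a UDP DNS query, for instance, hits rule 6
# (``deny !'') and never brings the link up.
#
```python
"""Evaluator for ppp(8) ``set filter'' rules (added example, not ppp's own code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

SERVICES = {"ftp": 21, "telnet": 23, "http": 80, "login": 513, "shell": 514}  # /etc/services subset
ANY = ipaddress.ip_network("0.0.0.0/0")

DODGYNET_DIAL = """\
set filter dial 0 7 0 0 tcp dst eq http
set filter dial 1 7 0 0 tcp dst eq login
set filter dial 2 7 0 0 tcp dst eq shell
set filter dial 3 7 0 0 tcp dst eq telnet
set filter dial 4 7 0 0 tcp dst eq ftp
set filter dial 5 7 0 0 tcp dst eq 24
set filter dial 6 deny ! 0 0 tcp dst eq 4000
set filter dial 7 permit 172.17.16.0/20 172.17.20.248
set filter dial 8 permit 172.17.36.0/22 172.17.20.248
set filter dial 9 permit 172.17.118.0/26 172.17.20.248
set filter dial 10 permit 10.123.5.0/24 172.17.20.248
"""  # the dodgynet dial filter, copied from the profile above

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0              # for icmp: the message type, which ppp compares as "src"
    dport: int = 0
    tcp_flags: Set[str] = field(default_factory=set)   # any of "ack", "fin", "rst"

@dataclass
class Rule:
    action: Union[str, int]     # "permit", "deny" or the number of the rule to jump to
    negate: bool = False        # the ``!'' modifier
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None
    ports: List[Tuple[str, str, int]] = field(default_factory=list)   # (src|dst, eq|lt|gt, port)
    flags: Set[str] = field(default_factory=set)                      # estab, finrst

    def matches(self, p: Packet) -> bool:
        ok = (ipaddress.ip_address(p.src) in self.src and ipaddress.ip_address(p.dst) in self.dst
              and (self.proto is None or self.proto == p.proto))
        for side, op, port in self.ports:
            value = p.sport if side == "src" else p.dport
            ok = ok and {"eq": value == port, "lt": value < port, "gt": value > port}[op]
        if "estab" in self.flags:            # simplification: established == ACK bit set
            ok = ok and "ack" in p.tcp_flags
        if "finrst" in self.flags:
            ok = ok and bool(p.tcp_flags & {"fin", "rst"})
        return ok != self.negate             # ``!'' inverts the whole match

def parse_rule(line: str, myaddr: str = "0.0.0.0") -> Tuple[str, int, Rule]:
    """Parse 'set filter NAME N ACTION [!] [src [dst]] [proto] [src|dst OP port]... [estab|finrst]...'."""
    t = line.split()
    if t[:2] != ["set", "filter"] or len(t) < 5:
        raise ValueError(f"not a filter rule: {line!r}")
    name, num, act = t[2], int(t[3]), t[4]
    rule, i = Rule(action=int(act) if act.isdigit() else act), 5
    if i < len(t) and t[i] == "!":
        rule.negate, i = True, i + 1
    addrs = []
    while i < len(t) and (t[i][0].isdigit() or t[i] == "MYADDR"):
        tok = myaddr if t[i] == "MYADDR" else t[i]
        addrs.append(ANY if tok in ("0", "0/0") else ipaddress.ip_network(tok, strict=False))
        i += 1
    if addrs:
        rule.src, rule.dst = addrs[0], addrs[1] if len(addrs) > 1 else ANY
    if i < len(t) and t[i] in ("tcp", "udp", "icmp"):
        rule.proto, i = t[i], i + 1
    while i < len(t):
        if t[i] in ("src", "dst") and i + 2 < len(t):
            port = t[i + 2]
            rule.ports.append((t[i], t[i + 1], SERVICES[port] if port in SERVICES else int(port)))
            i += 3
        elif t[i] in ("estab", "finrst"):
            rule.flags.add(t[i])
            i += 1
        else:
            raise ValueError(f"unexpected token {t[i]!r} in {line!r}")
    return name, num, rule

def load_filters(text: str, myaddr: str = "0.0.0.0") -> Dict[str, Dict[int, Rule]]:
    filters: Dict[str, Dict[int, Rule]] = {}
    for line in text.strip().splitlines():
        name, num, rule = parse_rule(line.strip(), myaddr)
        filters.setdefault(name, {})[num] = rule
    return filters

def evaluate(rules: Dict[int, Rule], p: Packet) -> bool:
    """First-match walk from rule 0 (my reading of ppp(8)): a matching permit/deny
    decides, a numeric action jumps, running off the end denies, no rules permits."""
    if not rules:
        return True
    n, end = 0, max(rules) + 1
    while n < end:
        rule = rules.get(n)
        if rule is None or not rule.matches(p):
            n += 1
        elif rule.action in ("permit", "deny"):
            return rule.action == "permit"
        elif rule.action <= n:               # my own guard against a looping rule set
            raise ValueError(f"rule {n} jumps backwards to rule {rule.action}")
        else:
            n = rule.action
    return False
```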


# Example for PPP testing.
# If you want to test ppp, do it through the loopback interface:
#
# Requires a line in /etc/services:
# ppploop 6671/tcp # loopback ppp daemon
#
# and a line in /etc/inetd.conf:
# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct inet-loop-in
#
inet-loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:ppploop
 set dial
 set login
 set ifaddr 127.0.0.2 127.0.0.3
 set server /var/run/ppp/loop "" 0177

inet-loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

# Example of a VPN.
# If you're going to create a tunnel through a public network, your VPN
# should be set up something like this:
#
# You should already have set up ssh using ssh-agent & ssh-add.
#
sloop:
 load inet-loop
 # Passive mode allows ssh plenty of time to establish the connection
 set openmode passive
 set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in"


# or a better VPN solution (which doesn't run IP over a reliable
# protocol like tcp) may be:
#
vpn-client:
 set device udpsrv.mynet:1234/udp       # PPP over UDP
 set dial
 set login
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
 disable deflate pred1
 deny deflate pred1
 enable MPPE                             # With encryption
 accept MPPE

vpn-server:
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
 disable deflate pred1
 deny deflate pred1
 enable MPPE
 accept MPPE
 enable chap81                           # Required for MPPE

# Example of non-PPP callback.
# If you wish to connect to a server that will dial back *without* using
# the ppp callback facility (rfc1570), take advantage of the fact that
# ppp doesn't look for carrier 'till `set login' is complete:
#
# Here, we expect the server to say DIALBACK then disconnect after
# we've authenticated ourselves.  When this has happened, we wait
# 60 seconds for a RING.
#
# Note, it's important that we tell ppp not to expect carrier, otherwise
# we'll drop out at the ``NO CARRIER'' stage.
#
dialback:
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
           ATDT\\T TIMEOUT 60 CONNECT"
 set cd off
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
            \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"

# Example of PPP callback.
# Alternatively, if the peer is using the PPP callback protocol, we're
# happy either with ``auth'' style callback where the server dials us
# back based on what we authenticate ourselves with, ``cbcp'' style
# callback (invented by Microsoft but not agreed by the IETF) where
# we negotiate callback *after* authentication or E.164 callback where
# we specify only a phone number.  I would recommend only ``auth'' and/or
# ``cbcp'' callback methods.
# For ``cbcp'', we insist that we choose ``1234567'' as the number that
# the server must call back.
#
callback:
 load pmdemand                           # load in the pmdemand config
 set callback auth cbcp e.164 1234567
 set cbcp 1234567

# If we're running a ppp server that wants to only call back Microsoft
# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
#
callback-server:
 load server
 set callback cbcp
 set cbcp
 set log +cbcp
 set redial 3 1
 set device /dev/cuau0
 set speed 115200
 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"

# Or if we want to allow authenticated clients to specify their own
# callback number:
#
callback-server-client-decides:
 load callback-server
 set cbcp *

# Multilink mode is available (rfc1990).
# To enable multi-link capabilities, you must specify an MRRU.  1500 is
# a reasonable value.  To create new links, use the ``clone'' command
# to duplicate an existing link.  If you already have more than one
# link, you must specify which link you wish to run the command on via
# the ``link'' command.
#
# It's worth increasing your MTU and MRU slightly in multi-link mode to
# prevent full packets from being fragmented.
#
# You can now ``dial'' specific links, or even dial all links at the
# same time.  The `dial' command may also be prefixed with a specific
# link that should do the dialing.
#
mloop:
 load loop
 set device /dev/cuau0 /dev/cuau1 /dev/cuau2  # Use any of these devices
 set mode interactive
 set mrru 1500
 set mru 1504                            # Room for the MP header
 clone 1 2 3
 link deflink remove
 # dial
 # link 2 dial
 # link 3 dial

mloop-in:
 set timeout 0                           # No idle timer
 set log tun phase
 allow mode direct
 set mrru 1500
 set mru 1504                            # Room for the MP header

# User supplied authentication:
# It's possible to run ppp in the background while specifying a
# program to use to obtain authentication details on demand.
# This program would usually be a simple GUI that presents a
# prompt to a known user.  The ``chap-auth'' program is supplied
# as an example (and requires tcl version 8.0).
#
CHAPprompt:
 load PAPorCHAPpmdemand
 set authkey !/usr/share/examples/ppp/chap-auth

# It's possible to do the same sort of thing at the login prompt.
# Here, after sending ``brian'' in response to the ``name'' prompt,
# we're prompted with ``code:''.  A window is then displayed on the
# ``keep:0.0'' display and the typed response is sent to the peer
# as the password.  We then expect to see ``MTU'' and ``.'' in the
# server's response.
#
loginprompt:
 load pmdemand
 set authname "brian"
 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
            code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
            AUTHNAME\" MTU \\c ."

# ppp supports ppp over ethernet (PPPoE).  Beware, many PPP servers cache
# the MAC address that connects to them, making it impossible to switch
# your PPPoE connection between machines.
#
# The current implementation requires Netgraph, so it doesn't work with
# OpenBSD or NetBSD.
#
# The client should be something like this:
#
pppoe:
 set device PPPoE:de0:pppoe-in
 enable lqr echo
 set cd 5
 set dial
 set login
 set redial 0 0

# And the server should be running
#
# /usr/libexec/pppoed -p pppoe-in fxp0
#
# See rc.conf(5)
#
pppoe-in:
 allow mode direct                        # Only for use on server-side
 enable lqr echo proxy                    # Enable LQR and proxy-arp
 enable chap pap passwdauth               # Force client authentication
 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199  # Hand out up to 100 IP numbers
 accept dns                               # Allow DNS negotiation

# It's possible to run ppp back-to-back with itself.  This is useful
# for testing.
#
# When testing scalability and concurrency, the following profile might
# be used.
#
# Note, you'll have to make some other machine adjustments:
#
# o Bump maxusers in your kernel configuration to about 256 so that there
#   are enough process table slots.
# o Bump system file descriptors with ``sysctl kern.maxfiles=20480''.  You'll
#   need 3 descriptors per ppp process (assuming no server socket).
#
# You can now create 2000 processes (1000 pairs) with:
#
#   n=0
#   while [ $n -lt 1000 ]; do ppp -b loop; n=$(($n + 1)); done
#
# If you want to test concurrency, try using ``ppp -dd loop'' instead.
#
loop:
 set timeout 0
 set log
 set device "!ppp -direct loop-in"
 set dial
 set login
 set ifaddr 10.0.1.1/0 10.0.10.1-10.0.19.255
 disable deflate pred1 mppe
 deny deflate pred1 mppe

loop-in:
 set timeout 0
 set log
 allow mode direct
 set ifaddr 10.0.10.1/0 10.0.1.1-10.0.9.255
 disable deflate pred1 mppe
 deny deflate pred1 mppe
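# Added example (not part of the original sample file): a small Python parser
# for the section format this file uses (labels in column 0 ending in ``:'',
# indented commands, ``#'' comments unless escaped or quoted), which also
# expands ``load'' the way sloop pulls in inet-loop above. The sample text
# inside it is constructed for the example, not taken from a real ppp.conf.

```python
# Constructed sample, modelled on the inet-loop and sloop sections above.
SAMPLE = """\
inet-loop:
 set device localhost:ppploop
 set login "word: pa\\#ss"   # escaped, quoted '#' stays; this comment goes
 set ifaddr 127.0.0.2 127.0.0.3
sloop:
 load inet-loop
 # Passive mode allows ssh plenty of time to establish the connection
 set openmode passive
 set device "!ssh whatevermachine /usr/sbin/ppp -direct inet-loop-in"
"""

def strip_comment(line):
    # Cut at the first '#' that is neither inside "..." nor preceded by '\'.
    quoted, i = False, 0
    while i < len(line) and not (line[i] == "#" and not quoted):
        quoted ^= line[i] == '"'
        i += 2 if line[i] == "\\" else 1   # an escape protects the next char
    return line[:i].rstrip()

def parse_ppp_conf(text):
    # Return {label: [command, ...]}; '!include' lines are left to ppp itself.
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] in " \t" and current is not None:  # indented => command
            sections[current].append(line.strip())
        elif line[0] not in " \t" and line.endswith(":"):
            current = line[:-1]; sections[current] = []
        else:  # unindented command, or command before any label: ppp ignores it
            raise ValueError(f"not recognised as label or command: {raw!r}")
    return sections

def resolve(sections, label, chain=()):
    # Expand 'load X' recursively, rejecting unknown labels and load cycles.
    if label not in sections:
        raise KeyError(f"no section {label!r}")
    if label in chain:
        raise ValueError("load cycle: " + " -> ".join(chain + (label,)))
    out = []
    for cmd in sections[label]:
        words = cmd.split()
        if len(words) == 2 and words[0] == "load":
            out.extend(resolve(sections, words[1], chain + (label,)))
        else:
            out.append(cmd)
    return out
```

Commands are returned in the order ppp would execute them, so a later ``set device'' in sloop overrides the one loaded from inet-loop.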