ppp.conf.span-isp revision 138815
176082Sbmah# $FreeBSD: head/share/examples/ppp/ppp.conf.span-isp 138815 2004-12-13 17:54:30Z brian $ 276082Sbmah 376082Sbmah# This advanced ppp configuration file explains how to implement 476082Sbmah# the following: 576082Sbmah# 676082Sbmah# ------------- ------------- ------------- 776082Sbmah# | host1 | | host2 | | host3 | 876082Sbmah# ------------- ------------- ------------- 976082Sbmah# | | | 1082350Sbmah# |---------------------- LAN ----------------------| 1182350Sbmah# | 1276082Sbmah# ------------- 1376082Sbmah# | Gateway | 1476082Sbmah# ------------- 1582666Sbmah# | 1682666Sbmah# ----------------------------------- 1781327Sbmah# | | | | 1882666Sbmah# isp1 isp2 isp3 ispN 1981484Sbmah# | | | | 2082666Sbmah# ----------------------------------- 2181327Sbmah# | 2282666Sbmah# ------------ 2382666Sbmah# | Receiver | 2482666Sbmah# ------------ 2588820Sbmah# | 2682666Sbmah# Internet 2782666Sbmah# 2882666Sbmah# The connection is implemented so that any ISP connection can go down 2981327Sbmah# without loss of connectivity between the LAN and the Internet. It is 3082666Sbmah# of course also possible to shut down any link manually. 3182666Sbmah# 3288959Sbmah# There is a working example in ppp.*.span-isp.working that can be tested 3388959Sbmah# on a single machine ! 3488959Sbmah# 3588959Sbmah# 3682666Sbmah# Prerequisites: 3781327Sbmah# 3882666Sbmah# o The Receiver machine must be in the outside world and must be willing 3982666Sbmah# to accept a multilink ppp connection over UDP, assigning a routable IP 4081327Sbmah# number to the Gateway machine. This probably means that it must be 4182666Sbmah# a *BSD box as I know of no other ppp implementations that can use UDP 4282666Sbmah# as a transport. 4381327Sbmah# 4482666Sbmah# o The Receiver machine must be multi-homed with at least N+1 addresses 4582666Sbmah# where N is the maximun number of ISPs that you wish to use 4681327Sbmah# simultaneously. We assume the IP numbers to be RIP1, RIP2 ... RIPN. 4782666Sbmah# REAL-LOCAL-IP is the real IP number of the Receiver machine (and must 4882666Sbmah# not be the same as any of the RIP* numbers). 4982666Sbmah# 5083092Sbmah# o Both the Gateway and the Receiver machines must have several tun 5182666Sbmah# interfaces configured into the kernel (see below). 5282666Sbmah# 5382666Sbmah# o Both the Gateway and the Receiver machines must have the following 5482666Sbmah# entry in /etc/services: 5581327Sbmah# 5682666Sbmah# ppp 6671/udp 5782666Sbmah# 5882666Sbmah# The port number isn't important, but it must be consistent across 5982666Sbmah# machines. 6082666Sbmah# 6182666Sbmah# o The Receiver machine must have the following entry in 6282666Sbmah# /etc/inetd.conf: 6381327Sbmah# 6482666Sbmah# ppp dgram udp wait root /usr/sbin/ppp ppp -direct vpn-in 6582666Sbmah# 6682666Sbmah# Note: Because inetd ``wait''s for ppp to finish, a single ppp 6782666Sbmah# invocation receives all incoming packets. This creates 6882666Sbmah# havoc with LQR magic number checks, so LQR *must not* be 6982666Sbmah# enabled. 7082666Sbmah# Also, -direct invocations of ppp do sendto()s using the 7182666Sbmah# address that was last recvfrom()d. This means that the 7282666Sbmah# returning traffic is a bit unbalanced. Perhaps ppp should 7382666Sbmah# be smart enough to automatically clone an existing link 7482666Sbmah# when it detects a new incoming address.... tricky ! 7582666Sbmah# 7682666Sbmah# If you use ppp to connect to your ISPs, the isp* profiles shold be used, 7782666Sbmah# resulting in the vpn* profiles being called from ppp.linkup.span-isp. 7882666Sbmah# These invocations will bond together into a MP ppp invocation. 7982666Sbmah# 8082666Sbmah# If the link to your ISP is via another type of interface (cable modem 8181339Sbmah# etc), simply configure the interface with a netmask of 0xffffffff and 8281327Sbmah# add a route to RIPN via the interface address (no default). You can 8382666Sbmah# then start ppp using the vpn-nic label. 8482666Sbmah# 8582666Sbmah# The Receiver machine should have N tun interfaces (where N is the maximum 8682666Sbmah# number of ISPs that you wish to use simultaneously). The Gateway machine 8782666Sbmah# requires N interfaces plus an additional N interfaces (total 2 * N) if 8882666Sbmah# you're using ppp to talk to the ISPs. 8981327Sbmah 9082666Sbmah# Using ppp to connect to your ISPs (PPP over UDP over PPP): 9182666Sbmah# 9283425Sbmah# When we connect to our ISPs using ppp, we start the MP ppp invocation 9382666Sbmah# from ppp.linkup (see ppp.linkup.span-isp) for each link. We also remove 9482666Sbmah# the link from ppp.linkdown (see ppp.linkdown.span-isp). This is necessary 9582666Sbmah# because relying on our LQR strategy (dropping the link after 5 missing 9682666Sbmah# replies) is just too slow to be practical in this environment. 9782666Sbmah# 9882666Sbmah# This works because the MP invocations are smart enough to recognise that 9982666Sbmah# another process is already running and to pass the link over to that 10082666Sbmah# running version. 10181339Sbmah# 10281339Sbmah# Only the ISP links should be started manually. When they come up, they'll 10381339Sbmah# start the MP invocation. 10482666Sbmah 10582666Sbmahdefault: 10682666Sbmah set speed 115200 10782666Sbmah set device /dev/cuad0 /dev/cuad1 /dev/cuad2 /dev/cuad3 10882666Sbmah set dial "ABORT BUSY ABORT NO\\sCARRIER ABORT NO\\sDIAL\\sTONE TIMEOUT 4 \ 10982666Sbmah \"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n" 11081339Sbmah set login 11181339Sbmah set redial 3 5 11282666Sbmah set timeout 0 11382666Sbmah enable lqr echo 11481339Sbmah set lqrperiod 15 11582666Sbmah 11682666Sbmahisp1: 11781327Sbmah set phone "1234567" 11882666Sbmah set authname "isp1name" 11988959Sbmah set authkey "isp1key" 12082666Sbmah add! RIP1/32 HISADDR 12182666Sbmah 12281327Sbmahisp2: 12382666Sbmah set phone "2345678" 12482666Sbmah set authname "isp2name" 12581327Sbmah set authkey "isp2key" 12682666Sbmah add! RIP2/32 HISADDR 12782666Sbmah 12882666SbmahispN: 12982666Sbmah set phone "3456789" 13082666Sbmah set authname "ispNname" 13182666Sbmah set authkey "ispNkey" 13282666Sbmah add! RIPN/32 HISADDR 13381327Sbmah 13482666Sbmah 13582666Sbmah# Our MP version of ppp. vpn is a generic label used by each of the 13682666Sbmah# other vpn invocations by envoking ppp with both labels (see 13782666Sbmah# ppp.linkup.span-isp). 13882666Sbmah# Each ``set device'' command tells ppp to use UDP packets destined for 13981327Sbmah# the given IP/port as the link (transport). The routing table will 14082666Sbmah# ensure that these UDP packets use the correct ISP connection. 14182666Sbmah 14281327Sbmahvpn: 14382666Sbmah set enddisc LABEL 14482666Sbmah set speed sync 14582666Sbmah set mrru 1500 14682666Sbmah set mru 1504 # Room for the MP header 14782666Sbmah nat enable yes 14881327Sbmah set authname "vpnname" 14982666Sbmah set authkey "vpnkey" 15082666Sbmah add! default HISADDR 15182666Sbmah disable deflate pred1 lqr 15282666Sbmah deny deflate pred1 15382666Sbmah 15482666Sbmahvpn1: 15582666Sbmah rename 1 15681327Sbmah set device RIP1:ppp/udp 15782666Sbmah 15882666Sbmahvpn2: 15991249Skeramida rename 2 16091249Skeramida set device RIP2:ppp/udp 16191249Skeramida 16291249SkeramidavpnN: 16381327Sbmah rename N 16482666Sbmah set device RIPN:ppp/udp 16582666Sbmah 16688959Sbmahvpn-nic: 16788959Sbmah load vpn 16882666Sbmah clone 1 2 N 16981327Sbmah link deflink rm 17082666Sbmah link 1 set device RIP1:ppp/udp 17182666Sbmah link 2 set device RIP2:ppp/udp 17281327Sbmah link N set device RIPN:ppp/udp 17382666Sbmah 17482666Sbmah# The Receiver profile is a bit more straight forward, as it doesn't need 17581327Sbmah# to get bogged down with sublinks. Replace REAL-ASSIGNED-IP with the 17682666Sbmah# IP number to be assigned to the Gateway machine. Replace REAL-LOCAL-IP 17782666Sbmah# with the real IP number of the Receiver machine. 17881327Sbmah# 17982666Sbmah# No other entries are required on the Receiver machine, and this entry 18082666Sbmah# is not required on the Gateway machine. The Receiver machine also 18181327Sbmah# requires the contents of ppp.secret.span-isp. 18283425Sbmah# 18382666Sbmah# Of course it's simple to assign an IP block to the client with a simple 18482666Sbmah# ``add'' command, and then have the client use those IP numbers on its 18582666Sbmah# LAN rather than using ``nat enable yes''. 18681327Sbmah 18788959Sbmahvpn-in: 18888959Sbmah set enddisc label 18982666Sbmah set speed sync 19082666Sbmah set mrru 1500 19182666Sbmah set mru 1504 # Room for the MP header 19281327Sbmah enable chap 19382666Sbmah disable lqr 19488959Sbmah set ifaddr REAL-LOCAL-IP REAL-ASSIGNED-IP 19588959Sbmah