ppp.8 revision 132273
117683Spstchangequote({,})dnl 275107Sfennerchangecom(,)dnl 3127664Sbms.\" 4127664Sbms.\" Copyright (c) 2001 Brian Somers <brian@Awfulhak.org> 575107Sfenner.\" All rights reserved. 6127664Sbms.\" 775107Sfenner.\" Redistribution and use in source and binary forms, with or without 817683Spst.\" modification, are permitted provided that the following conditions 917683Spst.\" are met: 1026175Sfenner.\" 1. Redistributions of source code must retain the above copyright 1117683Spst.\" notice, this list of conditions and the following disclaimer. 1217683Spst.\" 2. Redistributions in binary form must reproduce the above copyright 1317683Spst.\" notice, this list of conditions and the following disclaimer in the 1417683Spst.\" documentation and/or other materials provided with the distribution. 1517683Spst.\" 1617683Spst.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 1717683Spst.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 1817683Spst.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 1917683Spst.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 2017683Spst.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2117683Spst.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2217683Spst.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2317683Spst.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 2417683Spst.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 2517683Spst.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 2617683Spst.\" SUCH DAMAGE. 2717683Spst.\" 2817683Spst.\" $FreeBSD: head/usr.sbin/ppp/ppp.8.m4 132273 2004-07-17 01:07:53Z brian $ 2917683Spst.\" 3017683Spst.Dd September 20, 1995 3117683Spst.Dt PPP 8 32127664Sbms.Os 33127664Sbms.Sh NAME 3475107Sfenner.Nm ppp 3517683Spst.Nd Point to Point Protocol (a.k.a. user-ppp) 3617683Spst.Sh SYNOPSIS 3717683Spst.Nm 3817683Spst.Op Fl Va mode 3917683Spst.Op Fl nat 4017683Spst.Op Fl quiet 4117683Spst.Op Fl unit Ns Ar N 4217683Spst.Op Ar system ... 4317683Spst.Sh DESCRIPTION 4417683SpstThis is a user process 4517683Spst.Em PPP 4617683Spstsoftware package. 4717683SpstNormally, 4817683Spst.Em PPP 4917683Spstis implemented as a part of the kernel (e.g., as managed by 5017683Spst.Xr pppd 8 ) 5126175Sfennerand it's thus somewhat hard to debug and/or modify its behaviour. 5226175SfennerHowever, in this implementation 5317683Spst.Em PPP 5417683Spstis done as a user process with the help of the 5575107Sfennertunnel device driver (tun). 5617683Spst.Pp 5775107SfennerThe 5875107Sfenner.Fl nat 5975107Sfennerflag does the equivalent of a 6075107Sfenner.Dq nat enable yes , 6175107Sfennerenabling 6275107Sfenner.Nm Ns No 's 6375107Sfennernetwork address translation features. 6475107SfennerThis allows 6575107Sfenner.Nm 6675107Sfennerto act as a NAT or masquerading engine for all machines on an internal 6775107SfennerLAN. 6875107Sfennerifdef({LOCALNAT},{},{Refer to 6975107Sfenner.Xr libalias 3 7075107Sfennerfor details on the technical side of the NAT engine. 7175107Sfenner})dnl 7275107SfennerRefer to the 7398530Sfenner.Sx NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 7475107Sfennersection of this manual page for details on how to configure NAT in 7575107Sfenner.Nm . 7675107Sfenner.Pp 7775107SfennerThe 7875107Sfenner.Fl quiet 7975107Sfennerflag tells 8075107Sfenner.Nm 8175107Sfennerto be silent at startup rather than displaying the mode and interface 8275107Sfennerto standard output. 8375107Sfenner.Pp 8475107SfennerThe 8575107Sfenner.Fl unit 8675107Sfennerflag tells 8775107Sfenner.Nm 8875107Sfennerto only attempt to open 8975107Sfenner.Pa /dev/tun Ns Ar N . 9075107SfennerNormally, 9175107Sfenner.Nm 9275107Sfennerwill start with a value of 0 for 9375107Sfenner.Ar N , 9475107Sfennerand keep trying to open a tunnel device by incrementing the value of 9575107Sfenner.Ar N 9675107Sfennerby one each time until it succeeds. 9775107SfennerIf it fails three times in a row 9875107Sfennerbecause the device file is missing, it gives up. 9975107Sfenner.Pp 10075107SfennerThe following 10175107Sfenner.Va mode Ns No s 10275107Sfennerare understood by 10375107Sfenner.Nm : 10475107Sfenner.Bl -tag -width XXX -offset XXX 10575107Sfenner.It Fl auto 10675107Sfenner.Nm 10775107Sfenneropens the tun interface, configures it then goes into the background. 10875107SfennerThe link isn't brought up until outgoing data is detected on the tun 10975107Sfennerinterface at which point 11075107Sfenner.Nm 11175107Sfennerattempts to bring up the link. 11275107SfennerPackets received (including the first one) while 11375107Sfenner.Nm 11475107Sfenneris trying to bring the link up will remain queued for a default of 11517683Spst2 minutes. 11617683SpstSee the 11726175Sfenner.Dq set choked 11826175Sfennercommand below. 11926175Sfenner.Pp 12026175SfennerIn 121127664Sbms.Fl auto 122127664Sbmsmode, at least one 12326175Sfenner.Dq system 12426175Sfennermust be given on the command line (see below) and a 12526175Sfenner.Dq set ifaddr 12626175Sfennermust be done in the system profile that specifies a peer IP address to 12726175Sfenneruse when configuring the interface. 12826175SfennerSomething like 12926175Sfenner.Dq 10.0.0.1/0 13026175Sfenneris usually appropriate. 13126175SfennerSee the 13226175Sfenner.Dq pmdemand 13317683Spstsystem in 13417683Spst.Pa /usr/share/examples/ppp/ppp.conf.sample 13517683Spstfor an example. 13617683Spst.It Fl background 13717683SpstHere, 13817683Spst.Nm 13917683Spstattempts to establish a connection with the peer immediately. 14017683SpstIf it succeeds, 14117683Spst.Nm 14217683Spstgoes into the background and the parent process returns an exit code 14317683Spstof 0. 14417683SpstIf it fails, 14517683Spst.Nm 14617683Spstexits with a non-zero result. 14726175Sfenner.It Fl foreground 14875107SfennerIn foreground mode, 14917683Spst.Nm 15017683Spstattempts to establish a connection with the peer immediately, but never 15117683Spstbecomes a daemon. 15275107SfennerThe link is created in background mode. 15375107SfennerThis is useful if you wish to control 15475107Sfenner.Nm Ns No 's 15575107Sfennerinvocation from another process. 15675107Sfenner.It Fl direct 15775107SfennerThis is used for communicating over an already established connection, 15875107Sfennerusually when receiving incoming connections accepted by 15975107Sfenner.Xr getty 8 . 16075107Sfenner.Nm 16175107Sfennerignores the 162127664Sbms.Dq set device 163127664Sbmsline and uses descriptor 0 as the link. 164127664Sbms.Nm 165127664Sbmswill also ignore any configured chat scripts unless the 166127664Sbms.Dq force-scripts 167127664Sbmsoption has been enabled. 168127664Sbms.Pp 169127664SbmsIf callback is configured, 17017683Spst.Nm 17117683Spstwill use the 17217683Spst.Dq set device 17326175Sfennerinformation when dialing back. 17475107Sfenner.It Fl dedicated 17526175SfennerThis option is designed for machines connected with a dedicated 17626175Sfennerwire. 17717683Spst.Nm 17817683Spstwill always keep the device open and will ignore any configured 17926175Sfennerchat scripts unless the 18017683Spst.Dq force-scripts 18117683Spstoption has been enabled. 18217683Spst.It Fl ddial 18326175SfennerThis mode is equivalent to 18417683Spst.Fl auto 18517683Spstmode except that 18617683Spst.Nm 18726175Sfennerwill bring the link back up any time it's dropped for any reason. 18817683Spst.It Fl interactive 18917683SpstThis is a no-op, and gives the same behaviour as if none of the above 19017683Spstmodes have been specified. 19126175Sfenner.Nm 19217683Spstloads any sections specified on the command line then provides an 19375107Sfennerinteractive prompt. 19475107Sfenner.El 19575107Sfenner.Pp 19617683SpstOne or more configuration entries or systems 19717683Spst(as specified in 19826175Sfenner.Pa /etc/ppp/ppp.conf ) 19917683Spstmay also be specified on the command line. 20017683Spst.Nm 20117683Spstwill read the 20217683Spst.Dq default 20317683Spstsystem from 20426175Sfenner.Pa /etc/ppp/ppp.conf 20517683Spstat startup, followed by each of the systems specified on the command line. 20617683Spst.Sh Major Features 20717683Spst.Bl -diag 20817683Spst.It Provides an interactive user interface. 20917683SpstUsing its command mode, the user can 21017683Spsteasily enter commands to establish the connection with the remote end, check 21117683Spstthe status of connection and close the connection. 21217683SpstAll functions can also be optionally password protected for security. 21317683Spst.It Supports both manual and automatic dialing. 21417683SpstInteractive mode has a 21526175Sfenner.Dq term 21626175Sfennercommand which enables you to talk to the device directly. 21726175SfennerWhen you are connected to the remote peer and it starts to talk 21875107Sfenner.Em PPP , 21975107Sfenner.Nm 22075107Sfennerdetects it and switches to packet mode automatically. 22175107SfennerOnce you have 22217683Spstdetermined the proper sequence for connecting with the remote host, you 22317683Spstcan write a chat script to {define} the necessary dialing and login 22417683Spstprocedure for later convenience. 22517683Spst.It Supports on-demand dialup capability. 22617683SpstBy using 22717683Spst.Fl auto 228127664Sbmsmode, 229127664Sbms.Nm 230127664Sbmswill act as a daemon and wait for a packet to be sent over the 231127664Sbms.Em PPP 232127664Sbmslink. 233127664SbmsWhen this happens, the daemon automatically dials and establishes the 234127664Sbmsconnection. 235127664SbmsIn almost the same manner 236127664Sbms.Fl ddial 237127664Sbmsmode (direct-dial mode) also automatically dials and establishes the 238127664Sbmsconnection. 239127664SbmsHowever, it differs in that it will dial the remote site 240127664Sbmsany time it detects the link is down, even if there are no packets to be 241127664Sbmssent. 242127664SbmsThis mode is useful for full-time connections where we worry less 243127664Sbmsabout line charges and more about being connected full time. 244127664SbmsA third 245127664Sbms.Fl dedicated 246127664Sbmsmode is also available. 247127664SbmsThis mode is targeted at a dedicated link between two machines. 248127664Sbms.Nm 249127664Sbmswill never voluntarily quit from dedicated mode - you must send it the 250127664Sbms.Dq quit all 251127664Sbmscommand via its diagnostic socket. 252127664SbmsA 253127664Sbms.Dv SIGHUP 254127664Sbmswill force an LCP renegotiation, and a 255127664Sbms.Dv SIGTERM 256127664Sbmswill force it to exit. 257127664Sbms.It Supports client callback. 258127664Sbms.Nm 259127664Sbmscan use either the standard LCP callback protocol or the Microsoft 260127664SbmsCallBack Control Protocol (ftp://ftp.microsoft.com/developr/rfc/cbcp.txt). 261127664Sbms.It Supports NAT or packet aliasing. 262127664SbmsPacket aliasing (a.k.a.\& IP masquerading) allows computers on a 263127664Sbmsprivate, unregistered network to access the Internet. 264127664SbmsThe 265127664Sbms.Em PPP 266127664Sbmshost acts as a masquerading gateway. 267127664SbmsIP addresses as well as TCP and 268127664SbmsUDP port numbers are NAT'd for outgoing packets and de-NAT'd for 269127664Sbmsreturning packets. 270127664Sbms.It Supports background PPP connections. 271127664SbmsIn background mode, if 27217683Spst.Nm 27317683Spstsuccessfully establishes the connection, it will become a daemon. 27475107SfennerOtherwise, it will exit with an error. 27575107SfennerThis allows the setup of 27675107Sfennerscripts that wish to execute certain commands only if the connection 27775107Sfenneris successfully established. 27875107Sfenner.It Supports server-side PPP connections. 279127664SbmsIn direct mode, 28075107Sfenner.Nm 28175107Sfenneracts as server which accepts incoming 28226175Sfenner.Em PPP 28326175Sfennerconnections on stdin/stdout. 28426175Sfenner.It "Supports PAP and CHAP (rfc 1994, 2433 and 2759) authentication. 28598530SfennerWith PAP or CHAP, it is possible to skip the Unix style 28626175Sfenner.Xr login 1 28726175Sfennerprocedure, and use the 28817683Spst.Em PPP 28917683Spstprotocol for authentication instead. 29017683SpstIf the peer requests Microsoft CHAP authentication and 29117683Spst.Nm 29217683Spstis compiled with DES support, an appropriate MD4/DES response will be 29317683Spstmade. 294127664Sbms.It Supports RADIUS (rfc 2138 & 2548) authentication. 295127664SbmsAn extension to PAP and CHAP, 296127664Sbms.Em \&R Ns No emote 297127664Sbms.Em \&A Ns No ccess 298127664Sbms.Em \&D Ns No ial 299127664Sbms.Em \&I Ns No n 300127664Sbms.Em \&U Ns No ser 301127664Sbms.Em \&S Ns No ervice 302127664Sbmsallows authentication information to be stored in a central or 303127664Sbmsdistributed database along with various per-user framed connection 304127664Sbmscharacteristics. 305127664Sbmsifdef({LOCALRAD},{},{If 306127664Sbms.Xr libradius 3 307127664Sbmsis available at compile time, 308127664Sbms.Nm 309127664Sbmswill use it to make 310127664Sbms.Em RADIUS 311127664Sbmsrequests when configured to do so. 312127664Sbms})dnl 313127664Sbms.It Supports Proxy Arp. 314127664Sbms.Nm 315127664Sbmscan be configured to make one or more proxy arp entries on behalf of 316127664Sbmsthe peer. 317127664SbmsThis allows routing from the peer to the LAN without 318127664Sbmsconfiguring each machine on that LAN. 319127664Sbms.It Supports packet filtering. 320127664SbmsUser can {define} four kinds of filters: the 321127664Sbms.Em in 322127664Sbmsfilter for incoming packets, the 323127664Sbms.Em out 324127664Sbmsfilter for outgoing packets, the 325127664Sbms.Em dial 326127664Sbmsfilter to {define} a dialing trigger packet and the 327127664Sbms.Em alive 328127664Sbmsfilter for keeping a connection alive with the trigger packet. 329127664Sbms.It Tunnel driver supports bpf. 330127664SbmsThe user can use 331127664Sbms.Xr tcpdump 1 332127664Sbmsto check the packet flow over the 333127664Sbms.Em PPP 334127664Sbmslink. 335127664Sbms.It Supports PPP over TCP and PPP over UDP. 336127664SbmsIf a device name is specified as 337127664Sbms.Em host Ns No : Ns Em port Ns 338127664Sbms.Xo 339127664Sbms.Op / Ns tcp|udp , 340127664Sbms.Xc 341127664Sbms.Nm 342127664Sbmswill open a TCP or UDP connection for transporting data rather than using a 343127664Sbmsconventional serial device. 344127664SbmsUDP connections force 345127664Sbms.Nm 346127664Sbmsinto synchronous mode. 347127664Sbms.It Supports PPP over ISDN. 348127664SbmsIf 34917683Spst.Nm 35017683Spstis given a raw B-channel i4b device to open as a link, it's able to talk 35117683Spstto the 35275107Sfenner.Xr isdnd 8 35375107Sfennerdaemon to establish an ISDN connection. 35475107Sfenner.It Supports PPP over Ethernet (rfc 2516). 35575107SfennerIf 35617683Spst.Nm 35717683Spstis given a device specification of the format 35817683Spst.No PPPoE: Ns Ar iface Ns Xo 35917683Spst.Op \&: Ns Ar provider Ns 36017683Spst.Xc 36117683Spstand if 36275107Sfenner.Xr netgraph 4 36375107Sfenneris available, 36475107Sfenner.Nm 36575107Sfennerwill attempt talk 36675107Sfenner.Em PPP 36775107Sfennerover Ethernet to 36875107Sfenner.Ar provider 36975107Sfennerusing the 37017683Spst.Ar iface 37117683Spstnetwork interface. 37217683Spst.Pp 37317683SpstOn systems that do not support 37417683Spst.Xr netgraph 4 , 37517683Spstan external program such as 37617683Spst.Xr pppoed 8 37717683Spstmay be used. 37817683Spst.It "Supports IETF draft Predictor-1 (rfc 1978) and DEFLATE (rfc 1979) compression." 37917683Spst.Nm 380127664Sbmssupports not only VJ-compression but also Predictor-1 and DEFLATE compression. 381127664SbmsNormally, a modem has built-in compression (e.g., v42.bis) and the system 382127664Sbmsmay receive higher data rates from it as a result of such compression. 38317683SpstWhile this is generally a good thing in most other situations, this 38417683Spsthigher speed data imposes a penalty on the system by increasing the 38517683Spstnumber of serial interrupts the system has to process in talking to the 38617683Spstmodem and also increases latency. 38717683SpstUnlike VJ-compression, Predictor-1 and DEFLATE compression pre-compresses 38875107Sfenner.Em all 38917683Spstnetwork traffic flowing through the link, thus reducing overheads to a 39075107Sfennerminimum. 39175107Sfenner.It Supports Microsoft's IPCP extensions (rfc 1877). 39275107SfennerName Server Addresses and NetBIOS Name Server Addresses can be negotiated 39317683Spstwith clients using the Microsoft 39417683Spst.Em PPP 39575107Sfennerstack (i.e., Win95, WinNT) 39617683Spst.It Supports Multi-link PPP (rfc 1990) 39717683SpstIt is possible to configure 39817683Spst.Nm 39917683Spstto open more than one physical connection to the peer, combining the 40017683Spstbandwidth of all links for better throughput. 40117683Spst.It Supports MPPE (draft-ietf-pppext-mppe) 40275107SfennerMPPE is Microsoft Point to Point Encryption scheme. 40375107SfennerIt is possible to configure 40475107Sfenner.Nm 40575107Sfennerto participate in Microsoft's Windows VPN. 40626175SfennerFor now, 40726175Sfenner.Nm 40826175Sfennercan only get encryption keys from CHAP 81 authentication. 40926175Sfenner.Nm 41017683Spstmust be compiled with DES for MPPE to operate. 41117683Spst.It Supports IPV6CP (rfc 2023). 41217683SpstAn IPv6 connection can be made in addition to or instead of the normal 41317683SpstIPv4 connection. 414127664Sbms.El 415127664Sbms.Sh PERMISSIONS 416127664Sbms.Nm 417127664Sbmsis installed as user 41817683Spst.Dv root 41917683Spstand group 42017683Spst.Dv network , 42117683Spstwith permissions 42217683Spst.Dv 04554 . 42317683SpstBy default, 42417683Spst.Nm 42517683Spstwill not run if the invoking user id is not zero. 42617683SpstThis may be overridden by using the 42717683Spst.Dq allow users 42817683Spstcommand in 42917683Spst.Pa /etc/ppp/ppp.conf . 43017683SpstWhen running as a normal user, 43117683Spst.Nm 43217683Spstswitches to user id 0 in order to alter the system routing table, set up 43317683Spstsystem lock files and read the ppp configuration files. 43417683SpstAll external commands (executed via the "shell" or "!bg" commands) are executed 43517683Spstas the user id that invoked 43617683Spst.Nm . 43717683SpstRefer to the 438127664Sbms.Sq ID0 439127664Sbmslogging facility if you're interested in what exactly is done as user id 44017683Spstzero. 44117683Spst.Sh GETTING STARTED 44217683SpstWhen you first run 44317683Spst.Nm 44417683Spstyou may need to deal with some initial configuration details. 44575107Sfenner.Bl -bullet 44675107Sfenner.It 44775107SfennerYour kernel must {include} a tunnel device (the GENERIC kernel includes 44817683Spstone by default). 44917683SpstIf it doesn't, or if you require more than one tun 45017683Spstinterface, you'll need to rebuild your kernel with the following line in 45117683Spstyour kernel configuration file: 45217683Spst.Pp 45317683Spst.Dl pseudo-device tun N 454127664Sbms.Pp 455127664Sbmswhere 456127664Sbms.Ar N 457127664Sbmsis the maximum number of 458127664Sbms.Em PPP 459127664Sbmsconnections you wish to support. 460127664Sbms.It 461127664SbmsCheck your 46217683Spst.Pa /dev 46317683Spstdirectory for the tunnel device entries 46417683Spst.Pa /dev/tunN , 46517683Spstwhere 46617683Spst.Sq N 46717683Spstrepresents the number of the tun device, starting at zero. 46817683SpstIf they don't exist, you can create them by running "sh ./MAKEDEV tunN". 46917683SpstThis will create tun devices 0 through 47017683Spst.Ar N . 47117683Spst.It 47217683SpstMake sure that your system has a group named 47317683Spst.Dq network 47417683Spstin the 47517683Spst.Pa /etc/group 47617683Spstfile and that the group contains the names of all users expected to use 47717683Spst.Nm . 47817683SpstRefer to the 47917683Spst.Xr group 5 48017683Spstmanual page for details. 48117683SpstEach of these users must also be given access using the 48217683Spst.Dq allow users 48317683Spstcommand in 48417683Spst.Pa /etc/ppp/ppp.conf . 48517683Spst.It 48617683SpstCreate a log file. 48717683Spst.Nm 48817683Spstuses 48975107Sfenner.Xr syslog 3 49075107Sfennerto log information. 49175107SfennerA common log file name is 49275107Sfenner.Pa /var/log/ppp.log . 49317683SpstTo make output go to this file, put the following lines in the 49417683Spst.Pa /etc/syslog.conf 49517683Spstfile: 49617683Spst.Bd -literal -offset indent 49717683Spst!ppp 49817683Spst*.*<TAB>/var/log/ppp.log 49917683Spst.Ed 50017683Spst.Pp 50117683SpstIt is possible to have more than one 50217683Spst.Em PPP 50398530Sfennerlog file by creating a link to the 50498530Sfenner.Nm 50598530Sfennerexecutable: 50698530Sfenner.Pp 50717683Spst.Dl # cd /usr/sbin 50817683Spst.Dl # ln ppp ppp0 50917683Spst.Pp 51017683Spstand using 51117683Spst.Bd -literal -offset indent 51217683Spst!ppp0 51317683Spst*.*<TAB>/var/log/ppp0.log 51417683Spst.Ed 51575107Sfenner.Pp 51675107Sfennerin 51775107Sfenner.Pa /etc/syslog.conf . 51875107SfennerDon't forget to send a 51975107Sfenner.Dv HUP 52075107Sfennersignal to 52175107Sfenner.Xr syslogd 8 52275107Sfennerafter altering 52317683Spst.Pa /etc/syslog.conf . 52417683Spst.It 52517683SpstAlthough not strictly relevant to 52617683Spst.Nm Ns No 's 52717683Spstoperation, you should configure your resolver so that it works correctly. 52817683SpstThis can be done by configuring a local DNS 52917683Spst(using 53017683Spst.Xr named 8 ) 53117683Spstor by adding the correct 53217683Spst.Sq nameserver 53317683Spstlines to the file 53417683Spst.Pa /etc/resolv.conf . 53517683SpstRefer to the 53617683Spst.Xr resolv.conf 5 53717683Spstmanual page for details. 53875107Sfenner.Pp 53975107SfennerAlternatively, if the peer supports it, 54075107Sfenner.Nm 54117683Spstcan be configured to ask the peer for the nameserver address(es) and to 54217683Spstupdate 54317683Spst.Pa /etc/resolv.conf 54417683Spstautomatically. 54517683SpstRefer to the 54617683Spst.Dq enable dns 54775107Sfennerand 54875107Sfenner.Dq resolv 54975107Sfennercommands below for details. 55075107Sfenner.El 55117683Spst.Sh MANUAL DIALING 55217683SpstIn the following examples, we assume that your machine name is 55375107Sfenner.Dv awfulhak . 55475107Sfennerwhen you invoke 55575107Sfenner.Nm 55675107Sfenner(see 55775107Sfenner.Sx PERMISSIONS 55875107Sfennerabove) with no arguments, you are presented with a prompt: 55975107Sfenner.Bd -literal -offset indent 56075107Sfennerppp ON awfulhak> 56175107Sfenner.Ed 56275107Sfenner.Pp 56375107SfennerThe 56417683Spst.Sq ON 56517683Spstpart of your prompt should always be in upper case. 56617683SpstIf it is in lower case, it means that you must supply a password using the 56726175Sfenner.Dq passwd 56826175Sfennercommand. 56926175SfennerThis only ever happens if you connect to a running version of 57075107Sfenner.Nm 57175107Sfennerand have not authenticated yourself using the correct password. 57275107Sfenner.Pp 57375107SfennerYou can start by specifying the device name and speed: 57475107Sfenner.Bd -literal -offset indent 57575107Sfennerppp ON awfulhak> set device /dev/cuaa0 57675107Sfennerppp ON awfulhak> set speed 38400 57775107Sfenner.Ed 57817683Spst.Pp 57917683SpstNormally, hardware flow control (CTS/RTS) is used. 58017683SpstHowever, under 58117683Spstcertain circumstances (as may happen when you are connected directly 58298530Sfennerto certain PPP-capable terminal servers), this may result in 58326175Sfenner.Nm 58417683Spsthanging as soon as it tries to write data to your communications link 58517683Spstas it is waiting for the CTS (clear to send) signal - which will never 58698530Sfennercome. 58726175SfennerThus, if you have a direct line and can't seem to make a 58817683Spstconnection, try turning CTS/RTS off with 58917683Spst.Dq set ctsrts off . 59098530SfennerIf you need to do this, check the 59126175Sfenner.Dq set accmap 59217683Spstdescription below too - you'll probably need to 59317683Spst.Dq set accmap 000a0000 . 59498530Sfenner.Pp 59526175SfennerUsually, parity is set to 59617683Spst.Dq none , 59717683Spstand this is 59875107Sfenner.Nm Ns No 's 59975107Sfennerdefault. 60075107SfennerParity is a rather archaic error checking mechanism that is no 60175107Sfennerlonger used because modern modems do their own error checking, and most 60275107Sfennerlink-layer protocols (that's what 60375107Sfenner.Nm 60475107Sfenneris) use much more reliable checking mechanisms. 60575107SfennerParity has a relatively 60617683Spsthuge overhead (a 12.5% increase in traffic) and as a result, it is always 60717683Spstdisabled 60817683Spst(set to 60917683Spst.Dq none ) 61017683Spstwhen 61117683Spst.Dv PPP 61217683Spstis opened. 61317683SpstHowever, some ISPs (Internet Service Providers) may use 61417683Spstspecific parity settings at connection time (before 61517683Spst.Dv PPP 61617683Spstis opened). 61717683SpstNotably, Compuserve insist on even parity when logging in: 61817683Spst.Bd -literal -offset indent 61917683Spstppp ON awfulhak> set parity even 62017683Spst.Ed 62117683Spst.Pp 62217683SpstYou can now see what your current device settings look like: 62317683Spst.Bd -literal -offset indent 62417683Spstppp ON awfulhak> show physical 62517683SpstName: deflink 62617683Spst State: closed 62717683Spst Device: N/A 62817683Spst Link Type: interactive 62917683Spst Connect Count: 0 63017683Spst Queued Packets: 0 63198530Sfenner Phone Number: N/A 63298530Sfenner 63398530SfennerDefaults: 63498530Sfenner Device List: /dev/cuaa0 63517683Spst Characteristics: 38400bps, cs8, even parity, CTS/RTS on 63617683Spst 63717683SpstConnect time: 0 secs 63875107Sfenner0 octets in, 0 octets out 63975107SfennerOverall 0 bytes/sec 64075107Sfennerppp ON awfulhak> 64175107Sfenner.Ed 64217683Spst.Pp 64317683SpstThe term command can now be used to talk directly to the device: 64417683Spst.Bd -literal -offset indent 64517683Spstppp ON awfulhak> term 64617683Spstat 64717683SpstOK 64875107Sfenneratdt123456 64975107SfennerCONNECT 65075107Sfennerlogin: myispusername 65175107SfennerPassword: myisppassword 65275107SfennerProtocol: ppp 65375107Sfenner.Ed 65475107Sfenner.Pp 65575107SfennerWhen the peer starts to talk in 656127664Sbms.Em PPP , 657127664Sbms.Nm 658127664Sbmsdetects this automatically and returns to command mode. 659127664Sbms.Bd -literal -offset indent 66075107Sfennerppp ON awfulhak> # No link has been established 66198530SfennerPpp ON awfulhak> # We've connected & finished LCP 66275107SfennerPPp ON awfulhak> # We've authenticated 66375107SfennerPPP ON awfulhak> # We've agreed IP numbers 66475107Sfenner.Ed 66575107Sfenner.Pp 66675107SfennerIf it does not, it's probable that the peer is waiting for your end to 66775107Sfennerstart negotiating. 66817683SpstTo force 66917683Spst.Nm 67017683Spstto start sending 67117683Spst.Em PPP 67275107Sfennerconfiguration packets to the peer, use the 67375107Sfenner.Dq ~p 67475107Sfennercommand to drop out of terminal mode and enter packet mode. 67575107Sfenner.Pp 67675107SfennerIf you never even receive a login prompt, it is quite likely that the 67775107Sfennerpeer wants to use PAP or CHAP authentication instead of using Unix-style 67875107Sfennerlogin/password authentication. 67975107SfennerTo set things up properly, drop back to 68017683Spstthe prompt and set your authentication name and key, then reconnect: 68117683Spst.Bd -literal -offset indent 68217683Spst~. 68317683Spstppp ON awfulhak> set authname myispusername 68417683Spstppp ON awfulhak> set authkey myisppassword 68517683Spstppp ON awfulhak> term 68617683Spstat 68717683SpstOK 68817683Spstatdt123456 68917683SpstCONNECT 69017683Spst.Ed 69117683Spst.Pp 69275107SfennerYou may need to tell ppp to initiate negotiations with the peer here too: 69375107Sfenner.Bd -literal -offset indent 69475107Sfenner~p 69575107Sfennerppp ON awfulhak> # No link has been established 69617683SpstPpp ON awfulhak> # We've connected & finished LCP 69717683SpstPPp ON awfulhak> # We've authenticated 69817683SpstPPP ON awfulhak> # We've agreed IP numbers 69917683Spst.Ed 70017683Spst.Pp 70117683SpstYou are now connected! 70217683SpstNote that 70317683Spst.Sq PPP 70417683Spstin the prompt has changed to capital letters to indicate that you have 70517683Spsta peer connection. 70617683SpstIf only some of the three Ps go uppercase, wait until 70717683Spsteither everything is uppercase or lowercase. 70817683SpstIf they revert to lowercase, it means that 70917683Spst.Nm 71017683Spstcouldn't successfully negotiate with the peer. 71117683SpstA good first step for troubleshooting at this point would be to 71217683Spst.Bd -literal -offset indent 71317683Spstppp ON awfulhak> set log local phase lcp ipcp 71417683Spst.Ed 71517683Spst.Pp 71617683Spstand try again. 71717683SpstRefer to the 71817683Spst.Dq set log 71917683Spstcommand description below for further details. 72017683SpstIf things fail at this point, 72175107Sfennerit is quite important that you turn logging on and try again. 72275107SfennerIt is also 72375107Sfennerimportant that you note any prompt changes and report them to anyone trying 72475107Sfennerto help you. 72575107Sfenner.Pp 72675107SfennerWhen the link is established, the show command can be used to see how 72775107Sfennerthings are going: 72875107Sfenner.Bd -literal -offset indent 72917683SpstPPP ON awfulhak> show physical 73017683Spst* Modem related information is shown here * 73117683SpstPPP ON awfulhak> show ccp 732127664Sbms* CCP (compression) related information is shown here * 733127664SbmsPPP ON awfulhak> show lcp 734127664Sbms* LCP (line control) related information is shown here * 735127664SbmsPPP ON awfulhak> show ipcp 73675107Sfenner* IPCP (IP) related information is shown here * 73775107SfennerPPP ON awfulhak> show ipv6cp 73875107Sfenner* IPV6CP (IPv6) related information is shown here * 73975107SfennerPPP ON awfulhak> show link 74075107Sfenner* Link (high level) related information is shown here * 74175107SfennerPPP ON awfulhak> show bundle 74275107Sfenner* Logical (high level) connection related information is shown here * 743127664Sbms.Ed 744127664Sbms.Pp 745127664SbmsAt this point, your machine has a host route to the peer. 746127664SbmsThis means 747127664Sbmsthat you can only make a connection with the host on the other side 748127664Sbmsof the link. 749127664SbmsIf you want to add a default route entry (telling your 750127664Sbmsmachine to send all packets without another routing entry to the other 75175107Sfennerside of the 75275107Sfenner.Em PPP 75375107Sfennerlink), enter the following command: 75475107Sfenner.Bd -literal -offset indent 75575107SfennerPPP ON awfulhak> add default HISADDR 75675107Sfenner.Ed 75775107Sfenner.Pp 75875107SfennerThe string 75917683Spst.Sq HISADDR 76017683Spstrepresents the IP address of the connected peer. 76117683SpstIf the 76217683Spst.Dq add 76317683Spstcommand fails due to an existing route, you can overwrite the existing 76417683Spstroute using: 76517683Spst.Bd -literal -offset indent 76617683SpstPPP ON awfulhak> add! default HISADDR 76717683Spst.Ed 76817683Spst.Pp 76917683SpstThis command can also be executed before actually making the connection. 77017683SpstIf a new IP address is negotiated at connection time, 77117683Spst.Nm 77217683Spstwill update your default route accordingly. 773127664Sbms.Pp 77417683SpstYou can now use your network applications (ping, telnet, ftp, etc.) 77517683Spstin other windows or terminals on your machine. 776127664SbmsIf you wish to reuse the current terminal, you can put 77775107Sfenner.Nm 77817683Spstinto the background using your standard shell suspend and background 779127664Sbmscommands (usually 78075107Sfenner.Dq ^Z 78126175Sfennerfollowed by 782127664Sbms.Dq bg ) . 78375107Sfenner.Pp 78475107SfennerRefer to the 785127664Sbms.Sx PPP COMMAND LIST 786127664Sbmssection for details on all available commands. 787127664Sbms.Sh AUTOMATIC DIALING 788127664SbmsTo use automatic dialing, you must prepare some Dial and Login chat scripts. 78917683SpstSee the example definitions in 79017683Spst.Pa /usr/share/examples/ppp/ppp.conf.sample 79175107Sfenner(the format of 79226175Sfenner.Pa /etc/ppp/ppp.conf 79326175Sfenneris pretty simple). 794127664SbmsEach line contains one comment, inclusion, label or command: 79575107Sfenner.Bl -bullet 79617683Spst.It 797127664SbmsA line starting with a 798127664Sbms.Pq Dq # 799127664Sbmscharacter is treated as a comment line. 80017683SpstLeading whitespace are ignored when identifying comment lines. 80117683Spst.It 80217683SpstAn inclusion is a line beginning with the word 80375107Sfenner.Sq {!include} . 80417683SpstIt must have one argument - the file to {include}. 80517683SpstYou may wish to 806127664Sbms.Dq {!include} ~/.ppp.conf 80717683Spstfor compatibility with older versions of 80817683Spst.Nm . 80917683Spst.It 81017683SpstA label name starts in the first column and is followed by 811127664Sbmsa colon 81217683Spst.Pq Dq \&: . 81317683Spst.It 81417683SpstA command line must contain a space or tab in the first column. 815127664Sbms.El 816127664Sbms.Pp 817127664SbmsThe 818127664Sbms.Pa /etc/ppp/ppp.conf 819127664Sbmsfile should consist of at least a 820127664Sbms.Dq default 821127664Sbmssection. 822127664SbmsThis section is always executed. 823127664SbmsIt should also contain 824127664Sbmsone or more sections, named according to their purpose, for example, 82517683Spst.Dq MyISP 82617683Spstwould represent your ISP, and 82717683Spst.Dq ppp-in 82898530Sfennerwould represent an incoming 82998530Sfenner.Nm 83098530Sfennerconfiguration. 83198530SfennerYou can now specify the destination label name when you invoke 83275107Sfenner.Nm . 83375107SfennerCommands associated with the 83475107Sfenner.Dq default 83575107Sfennerlabel are executed, followed by those associated with the destination 83617683Spstlabel provided. 83717683SpstWhen 83817683Spst.Nm 83917683Spstis started with no arguments, the 84017683Spst.Dq default 84117683Spstsection is still executed. 842127664SbmsThe load command can be used to manually load a section from the 843127664Sbms.Pa /etc/ppp/ppp.conf 844127664Sbmsfile: 845127664Sbms.Bd -literal -offset indent 846127664Sbmsppp ON awfulhak> load MyISP 847127664Sbms.Ed 84875107Sfenner.Pp 84975107SfennerNote, no action is taken by 85075107Sfenner.Nm 85175107Sfennerafter a section is loaded, whether it's the result of passing a label on 852127664Sbmsthe command line or using the 853127664Sbms.Dq load 854127664Sbmscommand. 855127664SbmsOnly the commands specified for that label in the configuration 856127664Sbmsfile are executed. 857127664SbmsHowever, when invoking 858127664Sbms.Nm 859127664Sbmswith the 860127664Sbms.Fl background , 861127664Sbms.Fl ddial , 86217683Spstor 86317683Spst.Fl dedicated 86417683Spstswitches, the link mode tells 86517683Spst.Nm 86617683Spstto establish a connection. 86717683SpstRefer to the 86817683Spst.Dq set mode 869127664Sbmscommand below for further details. 870127664Sbms.Pp 871127664SbmsOnce the connection is made, the 872127664Sbms.Sq ppp 87375107Sfennerportion of the prompt will change to 87475107Sfenner.Sq PPP : 87575107Sfenner.Bd -literal -offset indent 87617683Spst# ppp MyISP 87717683Spst\&... 87817683Spstppp ON awfulhak> dial 87917683SpstPpp ON awfulhak> 88017683SpstPPp ON awfulhak> 88117683SpstPPP ON awfulhak> 88217683Spst.Ed 88375107Sfenner.Pp 88475107SfennerThe Ppp prompt indicates that 88575107Sfenner.Nm 88675107Sfennerhas entered the authentication phase. 88775107SfennerThe PPp prompt indicates that 88875107Sfenner.Nm 88975107Sfennerhas entered the network phase. 89017683SpstThe PPP prompt indicates that 89117683Spst.Nm 89217683Spsthas successfully negotiated a network layer protocol and is in 89317683Spsta usable state. 89417683Spst.Pp 89517683SpstIf the 89617683Spst.Pa /etc/ppp/ppp.linkup 89717683Spstfile is available, its contents are executed 89817683Spstwhen the 89917683Spst.Em PPP 90017683Spstconnection is established. 90117683SpstSee the provided 90217683Spst.Dq pmdemand 90317683Spstexample in 90417683Spst.Pa /usr/share/examples/ppp/ppp.conf.sample 90517683Spstwhich runs a script in the background after the connection is established 90617683Spst(refer to the 90717683Spst.Dq shell 90817683Spstand 90917683Spst.Dq bg 91017683Spstcommands below for a description of possible substitution strings). 91117683SpstSimilarly, when a connection is closed, the contents of the 91217683Spst.Pa /etc/ppp/ppp.linkdown 91317683Spstfile are executed. 91417683SpstBoth of these files have the same format as 91517683Spst.Pa /etc/ppp/ppp.conf . 91617683Spst.Pp 91717683SpstIn previous versions of 91817683Spst.Nm , 91917683Spstit was necessary to re-add routes such as the default route in the 92017683Spst.Pa ppp.linkup 92117683Spstfile. 92217683Spst.Nm 92317683Spstsupports 92417683Spst.Sq sticky routes , 92517683Spstwhere all routes that contain the 92617683Spst.Dv HISADDR , 92717683Spst.Dv MYADDR , 92817683Spst.Dv HISADDR6 92917683Spstor 93075107Sfenner.Dv MYADDR6 93175107Sfennerliterals will automatically be updated when the values of these variables 93275107Sfennerchange. 93375107Sfenner.Sh BACKGROUND DIALING 93417683SpstIf you want to establish a connection using 93517683Spst.Nm 93617683Spstnon-interactively (such as from a 93717683Spst.Xr crontab 5 93875107Sfennerentry or an 939127664Sbms.Xr at 1 94075107Sfennerjob) you should use the 94175107Sfenner.Fl background 942127664Sbmsoption. 943127664SbmsWhen 944127664Sbms.Fl background 945127664Sbmsis specified, 94675107Sfenner.Nm 94775107Sfennerattempts to establish the connection immediately. 94875107SfennerIf multiple phone 94975107Sfennernumbers are specified, each phone number will be tried once. 950127664SbmsIf the attempt fails, 951127664Sbms.Nm 952127664Sbmsexits immediately with a non-zero exit code. 953127664SbmsIf it succeeds, then 954127664Sbms.Nm 955127664Sbmsbecomes a daemon, and returns an exit status of zero to its caller. 956127664SbmsThe daemon exits automatically if the connection is dropped by the 957127664Sbmsremote system, or it receives a 95875107Sfenner.Dv TERM 95975107Sfennersignal. 96075107Sfenner.Sh DIAL ON DEMAND 96175107SfennerDemand dialing is enabled with the 96275107Sfenner.Fl auto 96375107Sfenneror 964127664Sbms.Fl ddial 965127664Sbmsoptions. 966127664SbmsYou must also specify the destination label in 967127664Sbms.Pa /etc/ppp/ppp.conf 96817683Spstto use. 96917683SpstIt must contain the 97017683Spst.Dq set ifaddr 971127664Sbmscommand to {define} the remote peers IP address. 972127664Sbms(refer to 973127664Sbms.Pa /usr/share/examples/ppp/ppp.conf.sample ) 974127664Sbms.Bd -literal -offset indent 97517683Spst# ppp -auto pmdemand 97617683Spst.Ed 97717683Spst.Pp 97817683SpstWhen 97917683Spst.Fl auto 98017683Spstor 98117683Spst.Fl ddial 98217683Spstis specified, 98375107Sfenner.Nm 98475107Sfennerruns as a daemon but you can still configure or examine its 98575107Sfennerconfiguration by using the 98675107Sfenner.Dq set server 98717683Spstcommand in 98817683Spst.Pa /etc/ppp/ppp.conf , 98917683Spst(for example, 99017683Spst.Dq Li "set server +3000 mypasswd" ) 99117683Spstand connecting to the diagnostic port as follows: 99217683Spst.Bd -literal -offset indent 99317683Spst# pppctl 3000 (assuming tun0) 99417683SpstPassword: 99575107SfennerPPP ON awfulhak> show who 996127664Sbmstcp (127.0.0.1:1028) * 997127664Sbms.Ed 99817683Spst.Pp 99917683SpstThe 100017683Spst.Dq show who 100117683Spstcommand lists users that are currently connected to 100217683Spst.Nm 100317683Spstitself. 100417683SpstIf the diagnostic socket is closed or changed to a different 100517683Spstsocket, all connections are immediately dropped. 100617683Spst.Pp 100717683SpstIn 100817683Spst.Fl auto 100917683Spstmode, when an outgoing packet is detected, 101075107Sfenner.Nm 101175107Sfennerwill perform the dialing action (chat script) and try to connect 101275107Sfennerwith the peer. 101375107SfennerIn 101475107Sfenner.Fl ddial 101575107Sfennermode, the dialing action is performed any time the line is found 101675107Sfennerto be down. 101775107SfennerIf the connect fails, the default behaviour is to wait 30 seconds 1018127664Sbmsand then attempt to connect when another outgoing packet is detected. 1019127664SbmsThis behaviour can be changed using the 1020127664Sbms.Dq set redial 1021127664Sbmscommand: 1022127664Sbms.Pp 102317683Spst.No set redial Ar secs Ns Xo 102417683Spst.Oo + Ns Ar inc Ns 102575107Sfenner.Op - Ns Ar max Ns 102675107Sfenner.Oc Ns Op . Ns Ar next 102775107Sfenner.Op Ar attempts 102875107Sfenner.Xc 102917683Spst.Pp 103017683Spst.Bl -tag -width attempts -compact 103117683Spst.It Ar secs 103217683Spstis the number of seconds to wait before attempting 103317683Spstto connect again. 103417683SpstIf the argument is the literal string 103517683Spst.Sq Li random , 103675107Sfennerthe delay period is a random value between 1 and 30 seconds inclusive. 103775107Sfenner.It Ar inc 103875107Sfenneris the number of seconds that 103975107Sfenner.Ar secs 104075107Sfennershould be incremented each time a new dial attempt is made. 104175107SfennerThe timeout reverts to 104275107Sfenner.Ar secs 104375107Sfenneronly after a successful connection is established. 104475107SfennerThe default value for 104517683Spst.Ar inc 104617683Spstis zero. 104717683Spst.It Ar max 104817683Spstis the maximum number of times 104917683Spst.Nm 105017683Spstshould increment 105117683Spst.Ar secs . 105217683SpstThe default value for 105317683Spst.Ar max 105498530Sfenneris 10. 105598530Sfenner.It Ar next 105698530Sfenneris the number of seconds to wait before attempting 105798530Sfennerto dial the next number in a list of numbers (see the 105817683Spst.Dq set phone 105917683Spstcommand). 106017683SpstThe default is 3 seconds. 106117683SpstAgain, if the argument is the literal string 106217683Spst.Sq Li random , 106317683Spstthe delay period is a random value between 1 and 30 seconds. 1064127664Sbms.It Ar attempts 106575107Sfenneris the maximum number of times to try to connect for each outgoing packet 106675107Sfennerthat triggers a dial. 1067127664SbmsThe previous value is unchanged if this parameter is omitted. 1068127664SbmsIf a value of zero is specified for 1069127664Sbms.Ar attempts , 107098530Sfenner.Nm 107117683Spstwill keep trying until a connection is made. 107217683Spst.El 1073127664Sbms.Pp 107417683SpstSo, for example: 107517683Spst.Bd -literal -offset indent 107617683Spstset redial 10.3 4 107717683Spst.Ed 107817683Spst.Pp 107917683Spstwill attempt to connect 4 times for each outgoing packet that causes 108017683Spsta dial attempt with a 3 second delay between each number and a 10 second 108117683Spstdelay after all numbers have been tried. 108275107SfennerIf multiple phone numbers 108375107Sfennerare specified, the total number of attempts is still 4 (it does not 108475107Sfennerattempt each number 4 times). 108575107Sfenner.Pp 108675107SfennerAlternatively, 108775107Sfenner.Pp 108898530Sfenner.Bd -literal -offset indent 108998530Sfennerset redial 10+10-5.3 20 109098530Sfenner.Ed 109117683Spst.Pp 109217683Spsttells 109317683Spst.Nm 109417683Spstto attempt to connect 20 times. 109517683SpstAfter the first attempt, 109617683Spst.Nm 109717683Spstpauses for 10 seconds. 109817683SpstAfter the next attempt it pauses for 20 seconds 109917683Spstand so on until after the sixth attempt it pauses for 1 minute. 110017683SpstThe next 14 pauses will also have a duration of one minute. 110117683SpstIf 110217683Spst.Nm 110317683Spstconnects, disconnects and fails to connect again, the timeout starts again 110417683Spstat 10 seconds. 110517683Spst.Pp 110617683SpstModifying the dial delay is very useful when running 110717683Spst.Nm 110817683Spstin 110917683Spst.Fl auto 111017683Spstmode on both ends of the link. 111117683SpstIf each end has the same timeout, 111217683Spstboth ends wind up calling each other at the same time if the link 111317683Spstdrops and both ends have packets queued. 111426175SfennerAt some locations, the serial link may not be reliable, and carrier 111526175Sfennermay be lost at inappropriate times. 111617683SpstIt is possible to have 111717683Spst.Nm 111817683Spstredial should carrier be unexpectedly lost during a session. 111917683Spst.Bd -literal -offset indent 112017683Spstset reconnect timeout ntries 112117683Spst.Ed 112217683Spst.Pp 112375107SfennerThis command tells 112417683Spst.Nm 112517683Spstto re-establish the connection 112675107Sfenner.Ar ntries 112775107Sfennertimes on loss of carrier with a pause of 112875107Sfenner.Ar timeout 112917683Spstseconds before each try. 113026175SfennerFor example, 113117683Spst.Bd -literal -offset indent 113217683Spstset reconnect 3 5 113317683Spst.Ed 113417683Spst.Pp 113517683Spsttells 113617683Spst.Nm 113726175Sfennerthat on an unexpected loss of carrier, it should wait 113817683Spst.Ar 3 113975107Sfennerseconds before attempting to reconnect. 114075107SfennerThis may happen up to 114126175Sfenner.Ar 5 114226175Sfennertimes before 1143127664Sbms.Nm 114475107Sfennergives up. 114517683SpstThe default value of ntries is zero (no reconnect). 114626175SfennerCare should be taken with this option. 1147127664SbmsIf the local timeout is slightly 114875107Sfennerlonger than the remote timeout, the reconnect feature will always be 1149127664Sbmstriggered (up to the given number of times) after the remote side 1150127664Sbmstimes out and hangs up. 115198530SfennerNOTE: In this context, losing too many LQRs constitutes a loss of 1152127664Sbmscarrier and will trigger a reconnect. 1153127664SbmsIf the 1154127664Sbms.Fl background 1155127664Sbmsflag is specified, all phone numbers are dialed at most once until 115617683Spsta connection is made. 115717683SpstThe next number redial period specified with the 115875107Sfenner.Dq set redial 115975107Sfennercommand is honoured, as is the reconnect tries value. 116098530SfennerIf your redial 116175107Sfennervalue is less than the number of phone numbers specified, not all 116275107Sfennerthe specified numbers will be tried. 116375107SfennerTo terminate the program, type 116475107Sfenner.Bd -literal -offset indent 116575107SfennerPPP ON awfulhak> close 116675107Sfennerppp ON awfulhak> quit all 1167127664Sbms.Ed 1168127664Sbms.Pp 116975107SfennerA simple 1170127664Sbms.Dq quit 117175107Sfennercommand will terminate the 117275107Sfenner.Xr pppctl 8 117375107Sfenneror 117475107Sfenner.Xr telnet 1 117575107Sfennerconnection but not the 117675107Sfenner.Nm 117775107Sfennerprogram itself. 117875107SfennerYou must use 1179127664Sbms.Dq quit all 1180127664Sbmsto terminate 1181127664Sbms.Nm 118226175Sfenneras well. 118326175Sfenner.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 1) 118426175SfennerTo handle an incoming 118517683Spst.Em PPP 118617683Spstconnection request, follow these steps: 118717683Spst.Bl -enum 118817683Spst.It 118917683SpstMake sure the modem and (optionally) 119017683Spst.Pa /etc/rc.serial 119175107Sfenneris configured correctly. 119275107Sfenner.Bl -bullet -compact 119375107Sfenner.It 1194127664SbmsUse Hardware Handshake (CTS/RTS) for flow control. 1195127664Sbms.It 1196127664SbmsModem should be set to NO echo back (ATE0) and NO results string (ATQ1). 119775107Sfenner.El 119875107Sfenner.Pp 119975107Sfenner.It 120017683SpstEdit 120117683Spst.Pa /etc/ttys 120217683Spstto enable a 120317683Spst.Xr getty 8 120417683Spston the port where the modem is attached. 120517683SpstFor example: 120617683Spst.Pp 120717683Spst.Dl ttyd1 Qo /usr/libexec/getty std.38400 Qc dialup on secure 120817683Spst.Pp 120917683SpstDon't forget to send a 121017683Spst.Dv HUP 121117683Spstsignal to the 121217683Spst.Xr init 8 121317683Spstprocess to start the 121417683Spst.Xr getty 8 : 1215127664Sbms.Pp 1216127664Sbms.Dl # kill -HUP 1 1217127664Sbms.Pp 121875107SfennerIt is usually also necessary to train your modem to the same DTR speed 121975107Sfenneras the getty: 122075107Sfenner.Bd -literal -offset indent 122117683Spst# ppp 122217683Spstppp ON awfulhak> set device /dev/cuaa1 122317683Spstppp ON awfulhak> set speed 38400 1224127664Sbmsppp ON awfulhak> term 1225127664Sbmsdeflink: Entering terminal mode on /dev/cuaa1 1226127664SbmsType `~?' for help 122726175Sfennerat 1228127664SbmsOK 122926175Sfennerat 123075107SfennerOK 123175107Sfenneratz 123275107SfennerOK 123317683Spstat 123417683SpstOK 123517683Spst~. 123617683Spstppp ON awfulhak> quit 123717683Spst.Ed 123817683Spst.It 123917683SpstCreate a 1240127664Sbms.Pa /usr/local/bin/ppplogin 1241127664Sbmsfile with the following contents: 1242127664Sbms.Bd -literal -offset indent 124317683Spst#! /bin/sh 124417683Spstexec /usr/sbin/ppp -direct incoming 124517683Spst.Ed 124617683Spst.Pp 124717683SpstDirect mode 124817683Spst.Pq Fl direct 124917683Spstlets 125017683Spst.Nm 125117683Spstwork with stdin and stdout. 125217683SpstYou can also use 125317683Spst.Xr pppctl 8 125417683Spstto connect to a configured diagnostic port, in the same manner as with 125517683Spstclient-side 125617683Spst.Nm . 125717683Spst.Pp 125817683SpstHere, the 125917683Spst.Ar incoming 126017683Spstsection must be set up in 126175107Sfenner.Pa /etc/ppp/ppp.conf . 126275107Sfenner.Pp 126375107SfennerMake sure that the 126475107Sfenner.Ar incoming 126575107Sfennersection contains the 126675107Sfenner.Dq allow users 126717683Spstcommand as appropriate. 126817683Spst.It 126917683SpstPrepare an account for the incoming user. 1270127664Sbms.Bd -literal 1271127664Sbmsppp:xxxx:66:66:PPP Login User:/home/ppp:/usr/local/bin/ppplogin 127275107Sfenner.Ed 1273127664Sbms.Pp 1274127664SbmsRefer to the manual entries for 1275127664Sbms.Xr adduser 8 1276127664Sbmsand 1277127664Sbms.Xr vipw 8 1278127664Sbmsfor details. 127917683Spst.It 128017683SpstSupport for IPCP Domain Name Server and NetBIOS Name Server negotiation 128117683Spstcan be enabled using the 128217683Spst.Dq accept dns 128317683Spstand 128417683Spst.Dq set nbns 128517683Spstcommands. 128617683SpstRefer to their descriptions below. 128717683Spst.El 128817683Spst.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 2) 128917683SpstThis method differs in that we use 129017683Spst.Nm 129117683Spstto authenticate the connection rather than 129217683Spst.Xr login 1 : 129317683Spst.Bl -enum 129417683Spst.It 129517683SpstConfigure your default section in 129617683Spst.Pa /etc/gettytab 129717683Spstwith automatic ppp recognition by specifying the 129817683Spst.Dq pp 129917683Spstcapability: 130017683Spst.Bd -literal 130117683Spstdefault:\\ 130217683Spst :pp=/usr/local/bin/ppplogin:\\ 130317683Spst ..... 130475107Sfenner.Ed 130575107Sfenner.It 130675107SfennerConfigure your serial device(s), enable a 130717683Spst.Xr getty 8 130817683Spstand create 130917683Spst.Pa /usr/local/bin/ppplogin 1310127664Sbmsas in the first three steps for method 1 above. 1311127664Sbms.It 1312127664SbmsAdd either 1313127664Sbms.Dq enable chap 131498530Sfenneror 131598530Sfenner.Dq enable pap 131698530Sfenner(or both) 1317127664Sbmsto 131817683Spst.Pa /etc/ppp/ppp.conf 131917683Spstunder the 132017683Spst.Sq incoming 132117683Spstlabel (or whatever label 132217683Spst.Pa ppplogin 132317683Spstuses). 132417683Spst.It 132517683SpstCreate an entry in 132617683Spst.Pa /etc/ppp/ppp.secret 132717683Spstfor each incoming user: 132817683Spst.Bd -literal 132917683SpstPfred<TAB>xxxx 133017683SpstPgeorge<TAB>yyyy 133117683Spst.Ed 133217683Spst.El 133317683Spst.Pp 133417683SpstNow, as soon as 133575107Sfenner.Xr getty 8 133675107Sfennerdetects a ppp connection (by recognising the HDLC frame headers), it runs 133775107Sfenner.Dq /usr/local/bin/ppplogin . 133875107Sfenner.Pp 133975107SfennerIt is 134075107Sfenner.Em VITAL 134175107Sfennerthat either PAP or CHAP are enabled as above. 134275107SfennerIf they are not, you are 134375107Sfennerallowing anybody to establish a ppp session with your machine 1344127664Sbms.Em without 1345127664Sbmsa password, opening yourself up to all sorts of potential attacks. 1346127664Sbms.Sh AUTHENTICATING INCOMING CONNECTIONS 134717683SpstNormally, the receiver of a connection requires that the peer 134817683Spstauthenticates itself. 134917683SpstThis may be done using 135017683Spst.Xr login 1 , 135117683Spstbut alternatively, you can use PAP or CHAP. 135217683SpstCHAP is the more secure of the two, but some clients may not support it. 135375107SfennerOnce you decide which you wish to use, add the command 135475107Sfenner.Sq enable chap 135575107Sfenneror 135617683Spst.Sq enable pap 135717683Spstto the relevant section of 135817683Spst.Pa ppp.conf . 135975107Sfenner.Pp 136075107SfennerYou must then configure the 136175107Sfenner.Pa /etc/ppp/ppp.secret 136275107Sfennerfile. 136375107SfennerThis file contains one line per possible client, each line 136475107Sfennercontaining up to five fields: 136575107Sfenner.Pp 136675107Sfenner.Ar name Ar key Oo 136775107Sfenner.Ar hisaddr Op Ar label Op Ar callback-number 136817683Spst.Oc 136917683Spst.Pp 137017683SpstThe 137117683Spst.Ar name 137217683Spstand 137317683Spst.Ar key 137417683Spstspecify the client username and password. 137517683SpstIf 137617683Spst.Ar key 137717683Spstis 137875107Sfenner.Dq \&* 137917683Spstand PAP is being used, 138017683Spst.Nm 138117683Spstwill look up the password database 138217683Spst.Pq Xr passwd 5 138317683Spstwhen authenticating. 138417683SpstIf the client does not offer a suitable response based on any 138517683Spst.Ar name Ns No / Ns Ar key 138617683Spstcombination in 138717683Spst.Pa ppp.secret , 138817683Spstauthentication fails. 138917683Spst.Pp 139017683SpstIf authentication is successful, 139117683Spst.Ar hisaddr 139226175Sfenner(if specified) 139326175Sfenneris used when negotiating IP numbers. 139426175SfennerSee the 139517683Spst.Dq set ifaddr 139617683Spstcommand for details. 139717683Spst.Pp 139817683SpstIf authentication is successful and 139917683Spst.Ar label 140017683Spstis specified, the current system label is changed to match the given 140117683Spst.Ar label . 140217683SpstThis will change the subsequent parsing of the 140317683Spst.Pa ppp.linkup 140417683Spstand 140517683Spst.Pa ppp.linkdown 140617683Spstfiles. 140717683Spst.Pp 140817683SpstIf authentication is successful and 140917683Spst.Ar callback-number 1410127664Sbmsis specified and 141117683Spst.Dq set callback 141217683Spsthas been used in 1413127664Sbms.Pa ppp.conf , 141417683Spstthe client will be called back on the given number. 141517683SpstIf CBCP is being used, 141617683Spst.Ar callback-number 141717683Spstmay also contain a list of numbers or a 141817683Spst.Dq \&* , 1419127664Sbmsas if passed to the 142017683Spst.Dq set cbcp 142117683Spstcommand. 1422127664SbmsThe value will be used in 142317683Spst.Nm Ns No 's 142417683Spstsubsequent CBCP phase. 142517683Spst.Sh PPP OVER TCP and UDP (a.k.a Tunnelling) 142617683SpstInstead of running 142717683Spst.Nm 142898530Sfennerover a serial link, it is possible to 142926175Sfenneruse a TCP connection instead by specifying the host, port and protocol as the 143026175Sfennerdevice: 143175107Sfenner.Pp 143275107Sfenner.Dl set device ui-gate:6669/tcp 143375107Sfenner.Pp 143475107SfennerInstead of opening a serial device, 143575107Sfenner.Nm 143675107Sfennerwill open a TCP connection to the given machine on the given 143775107Sfennersocket. 143875107SfennerIt should be noted however that 143975107Sfenner.Nm 144075107Sfennerdoesn't use the telnet protocol and will be unable to negotiate 144175107Sfennerwith a telnet server. 144275107SfennerYou should set up a port for receiving this 144317683Spst.Em PPP 144417683Spstconnection on the receiving machine (ui-gate). 144517683SpstThis is done by first updating 144617683Spst.Pa /etc/services 144717683Spstto name the service: 144817683Spst.Pp 144917683Spst.Dl ppp-in 6669/tcp # Incoming PPP connections over TCP 145017683Spst.Pp 145117683Spstand updating 145217683Spst.Pa /etc/inetd.conf 145317683Spstto tell 145417683Spst.Xr inetd 8 145517683Spsthow to deal with incoming connections on that port: 145617683Spst.Pp 145717683Spst.Dl ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in 145817683Spst.Pp 145917683SpstDon't forget to send a 146017683Spst.Dv HUP 146117683Spstsignal to 146217683Spst.Xr inetd 8 146317683Spstafter you've updated 146475107Sfenner.Pa /etc/inetd.conf . 146575107SfennerHere, we use a label named 146675107Sfenner.Dq ppp-in . 146717683SpstThe entry in 146817683Spst.Pa /etc/ppp/ppp.conf 146917683Spston ui-gate (the receiver) should contain the following: 147075107Sfenner.Bd -literal -offset indent 147175107Sfennerppp-in: 147275107Sfenner set timeout 0 147317683Spst set ifaddr 10.0.4.1 10.0.4.2 147417683Spst.Ed 147517683Spst.Pp 147617683Spstand the entry in 147717683Spst.Pa /etc/ppp/ppp.linkup 147817683Spstshould contain: 147917683Spst.Bd -literal -offset indent 148017683Spstppp-in: 148117683Spst add 10.0.1.0/24 HISADDR 148217683Spst.Ed 148317683Spst.Pp 148417683SpstIt is necessary to put the 148517683Spst.Dq add 148617683Spstcommand in 148717683Spst.Pa ppp.linkup 148875107Sfennerto ensure that the route is only added after 148917683Spst.Nm 149017683Spsthas negotiated and assigned addresses to its interface. 1491127664Sbms.Pp 1492127664SbmsYou may also want to enable PAP or CHAP for security. 1493127664SbmsTo enable PAP, add the following line: 149417683Spst.Bd -literal -offset indent 149517683Spst enable PAP 149617683Spst.Ed 1497127664Sbms.Pp 1498127664SbmsYou'll also need to create the following entry in 1499127664Sbms.Pa /etc/ppp/ppp.secret : 1500127664Sbms.Bd -literal -offset indent 150117683SpstMyAuthName MyAuthPasswd 150217683Spst.Ed 150326175Sfenner.Pp 150426175SfennerIf 150526175Sfenner.Ar MyAuthPasswd 150675107Sfenneris a 150775107Sfenner.Dq * , 150875107Sfennerthe password is looked up in the 150975107Sfenner.Xr passwd 5 151075107Sfennerdatabase. 151175107Sfenner.Pp 151298530SfennerThe entry in 151375107Sfenner.Pa /etc/ppp/ppp.conf 151475107Sfenneron awfulhak (the initiator) should contain the following: 1515127664Sbms.Bd -literal -offset indent 1516127664Sbmsui-gate: 1517127664Sbms set escape 0xff 151817683Spst set device ui-gate:ppp-in/tcp 151917683Spst set dial 152017683Spst set timeout 30 152117683Spst set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun 152217683Spst set ifaddr 10.0.4.2 10.0.4.1 152317683Spst.Ed 152475107Sfenner.Pp 152575107Sfennerwith the route setup in 152675107Sfenner.Pa /etc/ppp/ppp.linkup : 152775107Sfenner.Bd -literal -offset indent 152875107Sfennerui-gate: 152975107Sfenner add 10.0.2.0/24 HISADDR 153075107Sfenner.Ed 153175107Sfenner.Pp 1532Again, if you're enabling PAP, you'll also need this in the 1533.Pa /etc/ppp/ppp.conf 1534profile: 1535.Bd -literal -offset indent 1536 set authname MyAuthName 1537 set authkey MyAuthKey 1538.Ed 1539.Pp 1540We're assigning the address of 10.0.4.1 to ui-gate, and the address 154110.0.4.2 to awfulhak. 1542To open the connection, just type 1543.Pp 1544.Dl awfulhak # ppp -background ui-gate 1545.Pp 1546The result will be an additional "route" on awfulhak to the 154710.0.2.0/24 network via the TCP connection, and an additional 1548"route" on ui-gate to the 10.0.1.0/24 network. 1549The networks are effectively bridged - the underlying TCP 1550connection may be across a public network (such as the 1551Internet), and the 1552.Em PPP 1553traffic is conceptually encapsulated 1554(although not packet by packet) inside the TCP stream between 1555the two gateways. 1556.Pp 1557The major disadvantage of this mechanism is that there are two 1558"guaranteed delivery" mechanisms in place - the underlying TCP 1559stream and whatever protocol is used over the 1560.Em PPP 1561link - probably TCP again. 1562If packets are lost, both levels will 1563get in each others way trying to negotiate sending of the missing 1564packet. 1565.Pp 1566To avoid this overhead, it is also possible to do all this using 1567UDP instead of TCP as the transport by simply changing the protocol 1568from "tcp" to "udp". 1569When using UDP as a transport, 1570.Nm 1571will operate in synchronous mode. 1572This is another gain as the incoming 1573data does not have to be rearranged into packets. 1574.Pp 1575Care should be taken when adding a default route through a tunneled 1576setup like this. 1577It is quite common for the default route 1578(added in 1579.Pa /etc/ppp/ppp.linkup ) 1580to end up routing the link's TCP connection through the tunnel, 1581effectively garrotting the connection. 1582To avoid this, make sure you add a static route for the benefit of 1583the link: 1584.Bd -literal -offset indent 1585ui-gate: 1586 set escape 0xff 1587 set device ui-gate:ppp-in/tcp 1588 add ui-gate x.x.x.x 1589 ..... 1590.Ed 1591.Pp 1592where 1593.Dq x.x.x.x 1594is the IP number that your route to 1595.Dq ui-gate 1596would normally use. 1597.Pp 1598When routing your connection accross a public network such as the Internet, 1599it is preferable to encrypt the data. 1600This can be done with the help of the MPPE protocol, although currently this 1601means that you will not be able to also compress the traffic as MPPE is 1602implemented as a compression layer (thank Microsoft for this). 1603To enable MPPE encryption, add the following lines to 1604.Pa /etc/ppp/ppp.conf 1605on the server: 1606.Bd -literal -offset indent 1607 enable MSCHAPv2 1608 disable deflate pred1 1609 deny deflate pred1 1610.Ed 1611.Pp 1612ensuring that you've put the requisite entry in 1613.Pa /etc/ppp/ppp.secret 1614(MSCHAPv2 is challenge based, so 1615.Xr passwd 5 1616cannot be used) 1617.Pp 1618MSCHAPv2 and MPPE are accepted by default, so the client end should work 1619without any additional changes (although ensure you have 1620.Dq set authname 1621and 1622.Dq set authkey 1623in your profile). 1624.Sh NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 1625The 1626.Fl nat 1627command line option enables network address translation (a.k.a.\& packet 1628aliasing). 1629This allows the 1630.Nm 1631host to act as a masquerading gateway for other computers over 1632a local area network. 1633Outgoing IP packets are NAT'd so that they appear to come from the 1634.Nm 1635host, and incoming packets are de-NAT'd so that they are routed 1636to the correct machine on the local area network. 1637NAT allows computers on private, unregistered subnets to have Internet 1638access, although they are invisible from the outside world. 1639In general, correct 1640.Nm 1641operation should first be verified with network address translation disabled. 1642Then, the 1643.Fl nat 1644option should be switched on, and network applications (web browser, 1645.Xr telnet 1 , 1646.Xr ftp 1 , 1647.Xr ping 8 , 1648.Xr traceroute 8 ) 1649should be checked on the 1650.Nm 1651host. 1652Finally, the same or similar applications should be checked on other 1653computers in the LAN. 1654If network applications work correctly on the 1655.Nm 1656host, but not on other machines in the LAN, then the masquerading 1657software is working properly, but the host is either not forwarding 1658or possibly receiving IP packets. 1659Check that IP forwarding is enabled in 1660.Pa /etc/rc.conf 1661and that other machines have designated the 1662.Nm 1663host as the gateway for the LAN. 1664.Sh PACKET FILTERING 1665This implementation supports packet filtering. 1666There are four kinds of 1667filters: the 1668.Em in 1669filter, the 1670.Em out 1671filter, the 1672.Em dial 1673filter and the 1674.Em alive 1675filter. 1676Here are the basics: 1677.Bl -bullet 1678.It 1679A filter definition has the following syntax: 1680.Pp 1681set filter 1682.Ar name 1683.Ar rule-no 1684.Ar action 1685.Op !\& 1686.Oo 1687.Op host 1688.Ar src_addr Ns Op / Ns Ar width 1689.Op Ar dst_addr Ns Op / Ns Ar width 1690.Oc 1691.Ar [ proto Op src Ar cmp port 1692.Op dst Ar cmp port 1693.Op estab 1694.Op syn 1695.Op finrst 1696.Op timeout Ar secs ] 1697.Bl -enum 1698.It 1699.Ar Name 1700should be one of 1701.Sq in , 1702.Sq out , 1703.Sq dial 1704or 1705.Sq alive . 1706.It 1707.Ar Rule-no 1708is a numeric value between 1709.Sq 0 1710and 1711.Sq 39 1712specifying the rule number. 1713Rules are specified in numeric order according to 1714.Ar rule-no , 1715but only if rule 1716.Sq 0 1717is defined. 1718.It 1719.Ar Action 1720may be specified as 1721.Sq permit 1722or 1723.Sq deny , 1724in which case, if a given packet matches the rule, the associated action 1725is taken immediately. 1726.Ar Action 1727can also be specified as 1728.Sq clear 1729to clear the action associated with that particular rule, or as a new 1730rule number greater than the current rule. 1731In this case, if a given 1732packet matches the current rule, the packet will next be matched against 1733the new rule number (rather than the next rule number). 1734.Pp 1735The 1736.Ar action 1737may optionally be followed with an exclamation mark 1738.Pq Dq !\& , 1739telling 1740.Nm 1741to reverse the sense of the following match. 1742.It 1743.Op Ar src_addr Ns Op / Ns Ar width 1744and 1745.Op Ar dst_addr Ns Op / Ns Ar width 1746are the source and destination IP number specifications. 1747If 1748.Op / Ns Ar width 1749is specified, it gives the number of relevant netmask bits, 1750allowing the specification of an address range. 1751.Pp 1752Either 1753.Ar src_addr 1754or 1755.Ar dst_addr 1756may be given the values 1757.Dv MYADDR , 1758.Dv HISADDR , 1759.Dv MYADDR6 1760or 1761.Dv HISADDR6 1762(refer to the description of the 1763.Dq bg 1764command for a description of these values). 1765When these values are used, 1766the filters will be updated any time the values change. 1767This is similar to the behaviour of the 1768.Dq add 1769command below. 1770.It 1771.Ar Proto 1772may be any protocol from 1773.Xr protocols 5 . 1774.It 1775.Ar Cmp 1776is one of 1777.Sq \< , 1778.Sq \&eq 1779or 1780.Sq \> , 1781meaning less-than, equal and greater-than respectively. 1782.Ar Port 1783can be specified as a numeric port or by service name from 1784.Pa /etc/services . 1785.It 1786The 1787.Sq estab , 1788.Sq syn , 1789and 1790.Sq finrst 1791flags are only allowed when 1792.Ar proto 1793is set to 1794.Sq tcp , 1795and represent the TH_ACK, TH_SYN and TH_FIN or TH_RST TCP flags respectively. 1796.It 1797The timeout value adjusts the current idle timeout to at least 1798.Ar secs 1799seconds. 1800If a timeout is given in the alive filter as well as in the in/out 1801filter, the in/out value is used. 1802If no timeout is given, the default timeout (set using 1803.Ic set timeout 1804and defaulting to 180 seconds) is used. 1805.El 1806.Pp 1807.It 1808Each filter can hold up to 40 rules, starting from rule 0. 1809The entire rule set is not effective until rule 0 is defined, 1810i.e., the default is to allow everything through. 1811.It 1812If no rule in a defined set of rules matches a packet, that packet will 1813be discarded (blocked). 1814If there are no rules in a given filter, the packet will be permitted. 1815.It 1816It's possible to filter based on the payload of UDP frames where those 1817frames contain a 1818.Em PROTO_IP 1819.Em PPP 1820frame header. 1821See the 1822.Ar filter-decapsulation 1823option below for further details. 1824.It 1825Use 1826.Dq set filter Ar name No -1 1827to flush all rules. 1828.El 1829.Pp 1830See 1831.Pa /usr/share/examples/ppp/ppp.conf.sample . 1832.Sh SETTING THE IDLE TIMER 1833To check/set the idle timer, use the 1834.Dq show bundle 1835and 1836.Dq set timeout 1837commands: 1838.Bd -literal -offset indent 1839ppp ON awfulhak> set timeout 600 1840.Ed 1841.Pp 1842The timeout period is measured in seconds, the default value for which 1843is 180 seconds 1844(or 3 min). 1845To disable the idle timer function, use the command 1846.Bd -literal -offset indent 1847ppp ON awfulhak> set timeout 0 1848.Ed 1849.Pp 1850In 1851.Fl ddial 1852and 1853.Fl dedicated 1854modes, the idle timeout is ignored. 1855In 1856.Fl auto 1857mode, when the idle timeout causes the 1858.Em PPP 1859session to be 1860closed, the 1861.Nm 1862program itself remains running. 1863Another trigger packet will cause it to attempt to re-establish the link. 1864.Sh PREDICTOR-1 and DEFLATE COMPRESSION 1865.Nm 1866supports both Predictor type 1 and deflate compression. 1867By default, 1868.Nm 1869will attempt to use (or be willing to accept) both compression protocols 1870when the peer agrees 1871(or requests them). 1872The deflate protocol is preferred by 1873.Nm . 1874Refer to the 1875.Dq disable 1876and 1877.Dq deny 1878commands if you wish to disable this functionality. 1879.Pp 1880It is possible to use a different compression algorithm in each direction 1881by using only one of 1882.Dq disable deflate 1883and 1884.Dq deny deflate 1885(assuming that the peer supports both algorithms). 1886.Pp 1887By default, when negotiating DEFLATE, 1888.Nm 1889will use a window size of 15. 1890Refer to the 1891.Dq set deflate 1892command if you wish to change this behaviour. 1893.Pp 1894A special algorithm called DEFLATE24 is also available, and is disabled 1895and denied by default. 1896This is exactly the same as DEFLATE except that 1897it uses CCP ID 24 to negotiate. 1898This allows 1899.Nm 1900to successfully negotiate DEFLATE with 1901.Nm pppd 1902version 2.3.*. 1903.Sh CONTROLLING IP ADDRESS 1904For IPv4, 1905.Nm 1906uses IPCP to negotiate IP addresses. 1907Each side of the connection 1908specifies the IP address that it's willing to use, and if the requested 1909IP address is acceptable then 1910.Nm 1911returns an ACK to the requester. 1912Otherwise, 1913.Nm 1914returns NAK to suggest that the peer use a different IP address. 1915When 1916both sides of the connection agree to accept the received request (and 1917send an ACK), IPCP is set to the open state and a network level connection 1918is established. 1919To control this IPCP behaviour, this implementation has the 1920.Dq set ifaddr 1921command for defining the local and remote IP address: 1922.Bd -ragged -offset indent 1923.No set ifaddr Oo Ar src_addr Ns 1924.Op / Ns Ar \&nn 1925.Oo Ar dst_addr Ns Op / Ns Ar \&nn 1926.Oo Ar netmask 1927.Op Ar trigger_addr 1928.Oc 1929.Oc 1930.Oc 1931.Ed 1932.Pp 1933where, 1934.Sq src_addr 1935is the IP address that the local side is willing to use, 1936.Sq dst_addr 1937is the IP address which the remote side should use and 1938.Sq netmask 1939is the netmask that should be used. 1940.Sq Src_addr 1941defaults to the current 1942.Xr hostname 1 , 1943.Sq dst_addr 1944defaults to 0.0.0.0, and 1945.Sq netmask 1946defaults to whatever mask is appropriate for 1947.Sq src_addr . 1948It is only possible to make 1949.Sq netmask 1950smaller than the default. 1951The usual value is 255.255.255.255, as 1952most kernels ignore the netmask of a POINTOPOINT interface. 1953.Pp 1954Some incorrect 1955.Em PPP 1956implementations require that the peer negotiates a specific IP 1957address instead of 1958.Sq src_addr . 1959If this is the case, 1960.Sq trigger_addr 1961may be used to specify this IP number. 1962This will not affect the 1963routing table unless the other side agrees with this proposed number. 1964.Bd -literal -offset indent 1965set ifaddr 192.244.177.38 192.244.177.2 255.255.255.255 0.0.0.0 1966.Ed 1967.Pp 1968The above specification means: 1969.Pp 1970.Bl -bullet -compact 1971.It 1972I will first suggest that my IP address should be 0.0.0.0, but I 1973will only accept an address of 192.244.177.38. 1974.It 1975I strongly insist that the peer uses 192.244.177.2 as his own 1976address and won't permit the use of any IP address but 192.244.177.2. 1977When the peer requests another IP address, I will always suggest that 1978it uses 192.244.177.2. 1979.It 1980The routing table entry will have a netmask of 0xffffffff. 1981.El 1982.Pp 1983This is all fine when each side has a pre-determined IP address, however 1984it is often the case that one side is acting as a server which controls 1985all IP addresses and the other side should go along with it. 1986In order to allow more flexible behaviour, the 1987.Dq set ifaddr 1988command allows the user to specify IP addresses more loosely: 1989.Pp 1990.Dl set ifaddr 192.244.177.38/24 192.244.177.2/20 1991.Pp 1992A number followed by a slash 1993.Pq Dq / 1994represents the number of bits significant in the IP address. 1995The above example means: 1996.Pp 1997.Bl -bullet -compact 1998.It 1999I'd like to use 192.244.177.38 as my address if it is possible, but I'll 2000also accept any IP address between 192.244.177.0 and 192.244.177.255. 2001.It 2002I'd like to make him use 192.244.177.2 as his own address, but I'll also 2003permit him to use any IP address between 192.244.176.0 and 2004192.244.191.255. 2005.It 2006As you may have already noticed, 192.244.177.2 is equivalent to saying 2007192.244.177.2/32. 2008.It 2009As an exception, 0 is equivalent to 0.0.0.0/0, meaning that I have no 2010preferred IP address and will obey the remote peers selection. 2011When using zero, no routing table entries will be made until a connection 2012is established. 2013.It 2014192.244.177.2/0 means that I'll accept/permit any IP address but I'll 2015suggest that 192.244.177.2 be used first. 2016.El 2017.Pp 2018When negotiating IPv6 addresses, no control is given to the user. 2019IPV6CP negotiation is fully automatic. 2020.Sh CONNECTING WITH YOUR INTERNET SERVICE PROVIDER 2021The following steps should be taken when connecting to your ISP: 2022.Bl -enum 2023.It 2024Describe your providers phone number(s) in the dial script using the 2025.Dq set phone 2026command. 2027This command allows you to set multiple phone numbers for 2028dialing and redialing separated by either a pipe 2029.Pq Dq \&| 2030or a colon 2031.Pq Dq \&: : 2032.Bd -ragged -offset indent 2033.No set phone Ar telno Ns Xo 2034.Oo \&| Ns Ar backupnumber 2035.Oc Ns ... Ns Oo : Ns Ar nextnumber 2036.Oc Ns ... 2037.Xc 2038.Ed 2039.Pp 2040Numbers after the first in a pipe-separated list are only used if the 2041previous number was used in a failed dial or login script. 2042Numbers 2043separated by a colon are used sequentially, irrespective of what happened 2044as a result of using the previous number. 2045For example: 2046.Bd -literal -offset indent 2047set phone "1234567|2345678:3456789|4567890" 2048.Ed 2049.Pp 2050Here, the 1234567 number is attempted. 2051If the dial or login script fails, 2052the 2345678 number is used next time, but *only* if the dial or login script 2053fails. 2054On the dial after this, the 3456789 number is used. 2055The 4567890 2056number is only used if the dial or login script using the 3456789 fails. 2057If the login script of the 2345678 number fails, the next number is still the 20583456789 number. 2059As many pipes and colons can be used as are necessary 2060(although a given site would usually prefer to use either the pipe or the 2061colon, but not both). 2062The next number redial timeout is used between all numbers. 2063When the end of the list is reached, the normal redial period is 2064used before starting at the beginning again. 2065The selected phone number is substituted for the \\\\T string in the 2066.Dq set dial 2067command (see below). 2068.It 2069Set up your redial requirements using 2070.Dq set redial . 2071For example, if you have a bad telephone line or your provider is 2072usually engaged (not so common these days), you may want to specify 2073the following: 2074.Bd -literal -offset indent 2075set redial 10 4 2076.Ed 2077.Pp 2078This says that up to 4 phone calls should be attempted with a pause of 10 2079seconds before dialing the first number again. 2080.It 2081Describe your login procedure using the 2082.Dq set dial 2083and 2084.Dq set login 2085commands. 2086The 2087.Dq set dial 2088command is used to talk to your modem and establish a link with your 2089ISP, for example: 2090.Bd -literal -offset indent 2091set dial "ABORT BUSY ABORT NO\\\\sCARRIER TIMEOUT 4 \\"\\" \e 2092 ATZ OK-ATZ-OK ATDT\\\\T TIMEOUT 60 CONNECT" 2093.Ed 2094.Pp 2095This modem "chat" string means: 2096.Bl -bullet 2097.It 2098Abort if the string "BUSY" or "NO CARRIER" are received. 2099.It 2100Set the timeout to 4 seconds. 2101.It 2102Expect nothing. 2103.It 2104Send ATZ. 2105.It 2106Expect OK. 2107If that's not received within the 4 second timeout, send ATZ 2108and expect OK. 2109.It 2110Send ATDTxxxxxxx where xxxxxxx is the next number in the phone list from 2111above. 2112.It 2113Set the timeout to 60. 2114.It 2115Wait for the CONNECT string. 2116.El 2117.Pp 2118Once the connection is established, the login script is executed. 2119This script is written in the same style as the dial script, but care should 2120be taken to avoid having your password logged: 2121.Bd -literal -offset indent 2122set authkey MySecret 2123set login "TIMEOUT 15 login:-\\\\r-login: awfulhak \e 2124 word: \\\\P ocol: PPP HELLO" 2125.Ed 2126.Pp 2127This login "chat" string means: 2128.Bl -bullet 2129.It 2130Set the timeout to 15 seconds. 2131.It 2132Expect "login:". 2133If it's not received, send a carriage return and expect 2134"login:" again. 2135.It 2136Send "awfulhak" 2137.It 2138Expect "word:" (the tail end of a "Password:" prompt). 2139.It 2140Send whatever our current 2141.Ar authkey 2142value is set to. 2143.It 2144Expect "ocol:" (the tail end of a "Protocol:" prompt). 2145.It 2146Send "PPP". 2147.It 2148Expect "HELLO". 2149.El 2150.Pp 2151The 2152.Dq set authkey 2153command is logged specially. 2154When 2155.Ar command 2156or 2157.Ar chat 2158logging is enabled, the actual password is not logged; 2159.Sq ******** 2160is logged instead. 2161.Pp 2162Login scripts vary greatly between ISPs. 2163If you're setting one up for the first time, 2164.Em ENABLE CHAT LOGGING 2165so that you can see if your script is behaving as you expect. 2166.It 2167Use 2168.Dq set device 2169and 2170.Dq set speed 2171to specify your serial line and speed, for example: 2172.Bd -literal -offset indent 2173set device /dev/cuaa0 2174set speed 115200 2175.Ed 2176.Pp 2177Cuaa0 is the first serial port on 2178.Fx . 2179If you're running 2180.Nm 2181on 2182.Ox , 2183cua00 is the first. 2184A speed of 115200 should be specified 2185if you have a modem capable of bit rates of 28800 or more. 2186In general, the serial speed should be about four times the modem speed. 2187.It 2188Use the 2189.Dq set ifaddr 2190command to {define} the IP address. 2191.Bl -bullet 2192.It 2193If you know what IP address your provider uses, then use it as the remote 2194address (dst_addr), otherwise choose something like 10.0.0.2/0 (see below). 2195.It 2196If your provider has assigned a particular IP address to you, then use 2197it as your address (src_addr). 2198.It 2199If your provider assigns your address dynamically, choose a suitably 2200unobtrusive and unspecific IP number as your address. 220110.0.0.1/0 would be appropriate. 2202The bit after the / specifies how many bits of the 2203address you consider to be important, so if you wanted to insist on 2204something in the class C network 1.2.3.0, you could specify 1.2.3.1/24. 2205.It 2206If you find that your ISP accepts the first IP number that you suggest, 2207specify third and forth arguments of 2208.Dq 0.0.0.0 . 2209This will force your ISP to assign a number. 2210(The third argument will 2211be ignored as it is less restrictive than the default mask for your 2212.Sq src_addr ) . 2213.El 2214.Pp 2215An example for a connection where you don't know your IP number or your 2216ISPs IP number would be: 2217.Bd -literal -offset indent 2218set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2219.Ed 2220.Pp 2221.It 2222In most cases, your ISP will also be your default router. 2223If this is the case, add the line 2224.Bd -literal -offset indent 2225add default HISADDR 2226.Ed 2227.Pp 2228to 2229.Pa /etc/ppp/ppp.conf 2230(or to 2231.Pa /etc/ppp/ppp.linkup 2232for setups that don't use 2233.Fl auto 2234mode). 2235.Pp 2236This tells 2237.Nm 2238to add a default route to whatever the peer address is 2239(10.0.0.2 in this example). 2240This route is 2241.Sq sticky , 2242meaning that should the value of 2243.Dv HISADDR 2244change, the route will be updated accordingly. 2245.It 2246If your provider requests that you use PAP/CHAP authentication methods, add 2247the next lines to your 2248.Pa /etc/ppp/ppp.conf 2249file: 2250.Bd -literal -offset indent 2251set authname MyName 2252set authkey MyPassword 2253.Ed 2254.Pp 2255Both are accepted by default, so 2256.Nm 2257will provide whatever your ISP requires. 2258.Pp 2259It should be noted that a login script is rarely (if ever) required 2260when PAP or CHAP are in use. 2261.It 2262Ask your ISP to authenticate your nameserver address(es) with the line 2263.Bd -literal -offset indent 2264enable dns 2265.Ed 2266.Pp 2267Do 2268.Em NOT 2269do this if you are running a local DNS unless you also either use 2270.Dq resolv readonly 2271or have 2272.Dq resolv restore 2273in 2274.Pa /etc/ppp/ppp.linkdown , 2275as 2276.Nm 2277will simply circumvent its use by entering some nameserver lines in 2278.Pa /etc/resolv.conf . 2279.El 2280.Pp 2281Please refer to 2282.Pa /usr/share/examples/ppp/ppp.conf.sample 2283and 2284.Pa /usr/share/examples/ppp/ppp.linkup.sample 2285for some real examples. 2286The pmdemand label should be appropriate for most ISPs. 2287.Sh LOGGING FACILITY 2288.Nm 2289is able to generate the following log info either via 2290.Xr syslog 3 2291or directly to the screen: 2292.Pp 2293.Bl -tag -width XXXXXXXXX -offset XXX -compact 2294.It Li All 2295Enable all logging facilities. 2296This generates a lot of log. 2297The most common use of 'all' is as a basis, where you remove some facilities 2298after enabling 'all' ('debug' and 'timer' are usually best disabled.) 2299.It Li Async 2300Dump async level packet in hex. 2301.It Li CBCP 2302Generate CBCP (CallBack Control Protocol) logs. 2303.It Li CCP 2304Generate a CCP packet trace. 2305.It Li Chat 2306Generate 2307.Sq dial , 2308.Sq login , 2309.Sq logout 2310and 2311.Sq hangup 2312chat script trace logs. 2313.It Li Command 2314Log commands executed either from the command line or any of the configuration 2315files. 2316.It Li Connect 2317Log Chat lines containing the string "CONNECT". 2318.It Li Debug 2319Log debug information. 2320.It Li DNS 2321Log DNS QUERY packets. 2322.It Li Filter 2323Log packets permitted by the dial filter and denied by any filter. 2324.It Li HDLC 2325Dump HDLC packet in hex. 2326.It Li ID0 2327Log all function calls specifically made as user id 0. 2328.It Li IPCP 2329Generate an IPCP packet trace. 2330.It Li LCP 2331Generate an LCP packet trace. 2332.It Li LQM 2333Generate LQR reports. 2334.It Li Phase 2335Phase transition log output. 2336.It Li Physical 2337Dump physical level packet in hex. 2338.It Li Radius 2339Dump RADIUS information. 2340RADIUS information resulting from the link coming up or down is logged at 2341.Dq Phase 2342level unless 2343.Dq Radius 2344logging is enabled. 2345This log level is most useful for monitoring RADIUS alive information. 2346.It Li Sync 2347Dump sync level packet in hex. 2348.It Li TCP/IP 2349Dump all TCP/IP packets. 2350.It Li Timer 2351Log timer manipulation. 2352.It Li TUN 2353Include the tun device on each log line. 2354.It Li Warning 2355Output to the terminal device. 2356If there is currently no terminal, 2357output is sent to the log file using syslogs 2358.Dv LOG_WARNING . 2359.It Li Error 2360Output to both the terminal device 2361and the log file using syslogs 2362.Dv LOG_ERROR . 2363.It Li Alert 2364Output to the log file using 2365.Dv LOG_ALERT . 2366.El 2367.Pp 2368The 2369.Dq set log 2370command allows you to set the logging output level. 2371Multiple levels can be specified on a single command line. 2372The default is equivalent to 2373.Dq set log Phase . 2374.Pp 2375It is also possible to log directly to the screen. 2376The syntax is the same except that the word 2377.Dq local 2378should immediately follow 2379.Dq set log . 2380The default is 2381.Dq set log local 2382(i.e., only the un-maskable warning, error and alert output). 2383.Pp 2384If The first argument to 2385.Dq set log Op local 2386begins with a 2387.Sq + 2388or a 2389.Sq - 2390character, the current log levels are 2391not cleared, for example: 2392.Bd -literal -offset indent 2393PPP ON awfulhak> set log phase 2394PPP ON awfulhak> show log 2395Log: Phase Warning Error Alert 2396Local: Warning Error Alert 2397PPP ON awfulhak> set log +tcp/ip -warning 2398PPP ON awfulhak> set log local +command 2399PPP ON awfulhak> show log 2400Log: Phase TCP/IP Warning Error Alert 2401Local: Command Warning Error Alert 2402.Ed 2403.Pp 2404Log messages of level Warning, Error and Alert are not controllable 2405using 2406.Dq set log Op local . 2407.Pp 2408The 2409.Ar Warning 2410level is special in that it will not be logged if it can be displayed 2411locally. 2412.Sh SIGNAL HANDLING 2413.Nm 2414deals with the following signals: 2415.Bl -tag -width "USR2" 2416.It INT 2417Receipt of this signal causes the termination of the current connection 2418(if any). 2419This will cause 2420.Nm 2421to exit unless it is in 2422.Fl auto 2423or 2424.Fl ddial 2425mode. 2426.It HUP, TERM & QUIT 2427These signals tell 2428.Nm 2429to exit. 2430.It USR1 2431This signal, tells 2432.Nm 2433to re-open any existing server socket, dropping all existing diagnostic 2434connections. 2435Sockets that couldn't previously be opened will be retried. 2436.It USR2 2437This signal, tells 2438.Nm 2439to close any existing server socket, dropping all existing diagnostic 2440connections. 2441.Dv SIGUSR1 2442can still be used to re-open the socket. 2443.El 2444.Sh MULTI-LINK PPP 2445If you wish to use more than one physical link to connect to a 2446.Em PPP 2447peer, that peer must also understand the 2448.Em MULTI-LINK PPP 2449protocol. 2450Refer to RFC 1990 for specification details. 2451.Pp 2452The peer is identified using a combination of his 2453.Dq endpoint discriminator 2454and his 2455.Dq authentication id . 2456Either or both of these may be specified. 2457It is recommended that 2458at least one is specified, otherwise there is no way of ensuring that 2459all links are actually connected to the same peer program, and some 2460confusing lock-ups may result. 2461Locally, these identification variables are specified using the 2462.Dq set enddisc 2463and 2464.Dq set authname 2465commands. 2466The 2467.Sq authname 2468(and 2469.Sq authkey ) 2470must be agreed in advance with the peer. 2471.Pp 2472Multi-link capabilities are enabled using the 2473.Dq set mrru 2474command (set maximum reconstructed receive unit). 2475Once multi-link is enabled, 2476.Nm 2477will attempt to negotiate a multi-link connection with the peer. 2478.Pp 2479By default, only one 2480.Sq link 2481is available 2482(called 2483.Sq deflink ) . 2484To create more links, the 2485.Dq clone 2486command is used. 2487This command will clone existing links, where all 2488characteristics are the same except: 2489.Bl -enum 2490.It 2491The new link has its own name as specified on the 2492.Dq clone 2493command line. 2494.It 2495The new link is an 2496.Sq interactive 2497link. 2498Its mode may subsequently be changed using the 2499.Dq set mode 2500command. 2501.It 2502The new link is in a 2503.Sq closed 2504state. 2505.El 2506.Pp 2507A summary of all available links can be seen using the 2508.Dq show links 2509command. 2510.Pp 2511Once a new link has been created, command usage varies. 2512All link specific commands must be prefixed with the 2513.Dq link Ar name 2514command, specifying on which link the command is to be applied. 2515When only a single link is available, 2516.Nm 2517is smart enough not to require the 2518.Dq link Ar name 2519prefix. 2520.Pp 2521Some commands can still be used without specifying a link - resulting 2522in an operation at the 2523.Sq bundle 2524level. 2525For example, once two or more links are available, the command 2526.Dq show ccp 2527will show CCP configuration and statistics at the multi-link level, and 2528.Dq link deflink show ccp 2529will show the same information at the 2530.Dq deflink 2531link level. 2532.Pp 2533Armed with this information, the following configuration might be used: 2534.Pp 2535.Bd -literal -offset indent 2536mp: 2537 set timeout 0 2538 set log phase chat 2539 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 2540 set phone "123456789" 2541 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\"\\" ATZ \e 2542 OK-AT-OK \\\\dATDT\\\\T TIMEOUT 45 CONNECT" 2543 set login 2544 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2545 set authname ppp 2546 set authkey ppppassword 2547 2548 set mrru 1500 2549 clone 1,2,3 # Create 3 new links - duplicates of the default 2550 link deflink remove # Delete the default link (called ``deflink'') 2551.Ed 2552.Pp 2553Note how all cloning is done at the end of the configuration. 2554Usually, the link will be configured first, then cloned. 2555If you wish all links 2556to be up all the time, you can add the following line to the end of your 2557configuration. 2558.Pp 2559.Bd -literal -offset indent 2560 link 1,2,3 set mode ddial 2561.Ed 2562.Pp 2563If you want the links to dial on demand, this command could be used: 2564.Pp 2565.Bd -literal -offset indent 2566 link * set mode auto 2567.Ed 2568.Pp 2569Links may be tied to specific names by removing the 2570.Dq set device 2571line above, and specifying the following after the 2572.Dq clone 2573command: 2574.Pp 2575.Bd -literal -offset indent 2576 link 1 set device /dev/cuaa0 2577 link 2 set device /dev/cuaa1 2578 link 3 set device /dev/cuaa2 2579.Ed 2580.Pp 2581Use the 2582.Dq help 2583command to see which commands require context (using the 2584.Dq link 2585command), which have optional 2586context and which should not have any context. 2587.Pp 2588When 2589.Nm 2590has negotiated 2591.Em MULTI-LINK 2592mode with the peer, it creates a local domain socket in the 2593.Pa /var/run 2594directory. 2595This socket is used to pass link information (including 2596the actual link file descriptor) between different 2597.Nm 2598invocations. 2599This facilitates 2600.Nm Ns No 's 2601ability to be run from a 2602.Xr getty 8 2603or directly from 2604.Pa /etc/gettydefs 2605(using the 2606.Sq pp= 2607capability), without needing to have initial control of the serial 2608line. 2609Once 2610.Nm 2611negotiates multi-link mode, it will pass its open link to any 2612already running process. 2613If there is no already running process, 2614.Nm 2615will act as the master, creating the socket and listening for new 2616connections. 2617.Sh PPP COMMAND LIST 2618This section lists the available commands and their effect. 2619They are usable either from an interactive 2620.Nm 2621session, from a configuration file or from a 2622.Xr pppctl 8 2623or 2624.Xr telnet 1 2625session. 2626.Bl -tag -width 2n 2627.It accept|deny|enable|disable Ar option.... 2628These directives tell 2629.Nm 2630how to negotiate the initial connection with the peer. 2631Each 2632.Dq option 2633has a default of either accept or deny and enable or disable. 2634.Dq Accept 2635means that the option will be ACK'd if the peer asks for it. 2636.Dq Deny 2637means that the option will be NAK'd if the peer asks for it. 2638.Dq Enable 2639means that the option will be requested by us. 2640.Dq Disable 2641means that the option will not be requested by us. 2642.Pp 2643.Dq Option 2644may be one of the following: 2645.Bl -tag -width 2n 2646.It acfcomp 2647Default: Enabled and Accepted. 2648ACFComp stands for Address and Control Field Compression. 2649Non LCP packets will usually have an address 2650field of 0xff (the All-Stations address) and a control field of 26510x03 (the Unnumbered Information command). 2652If this option is 2653negotiated, these two bytes are simply not sent, thus minimising 2654traffic. 2655.Pp 2656See 2657.Pa rfc1662 2658for details. 2659.It chap Ns Op \&05 2660Default: Disabled and Accepted. 2661CHAP stands for Challenge Handshake Authentication Protocol. 2662Only one of CHAP and PAP (below) may be negotiated. 2663With CHAP, the authenticator sends a "challenge" message to its peer. 2664The peer uses a one-way hash function to encrypt the 2665challenge and sends the result back. 2666The authenticator does the same, and compares the results. 2667The advantage of this mechanism is that no 2668passwords are sent across the connection. 2669A challenge is made when the connection is first made. 2670Subsequent challenges may occur. 2671If you want to have your peer authenticate itself, you must 2672.Dq enable chap . 2673in 2674.Pa /etc/ppp/ppp.conf , 2675and have an entry in 2676.Pa /etc/ppp/ppp.secret 2677for the peer. 2678.Pp 2679When using CHAP as the client, you need only specify 2680.Dq AuthName 2681and 2682.Dq AuthKey 2683in 2684.Pa /etc/ppp/ppp.conf . 2685CHAP is accepted by default. 2686Some 2687.Em PPP 2688implementations use "MS-CHAP" rather than MD5 when encrypting the 2689challenge. 2690MS-CHAP is a combination of MD4 and DES. 2691If 2692.Nm 2693was built on a machine with DES libraries available, it will respond 2694to MS-CHAP authentication requests, but will never request them. 2695.It deflate 2696Default: Enabled and Accepted. 2697This option decides if deflate 2698compression will be used by the Compression Control Protocol (CCP). 2699This is the same algorithm as used by the 2700.Xr gzip 1 2701program. 2702Note: There is a problem negotiating 2703.Ar deflate 2704capabilities with 2705.Xr pppd 8 2706- a 2707.Em PPP 2708implementation available under many operating systems. 2709.Nm pppd 2710(version 2.3.1) incorrectly attempts to negotiate 2711.Ar deflate 2712compression using type 2713.Em 24 2714as the CCP configuration type rather than type 2715.Em 26 2716as specified in 2717.Pa rfc1979 . 2718Type 2719.Ar 24 2720is actually specified as 2721.Dq PPP Magna-link Variable Resource Compression 2722in 2723.Pa rfc1975 ! 2724.Nm 2725is capable of negotiating with 2726.Nm pppd , 2727but only if 2728.Dq deflate24 2729is 2730.Ar enable Ns No d 2731and 2732.Ar accept Ns No ed . 2733.It deflate24 2734Default: Disabled and Denied. 2735This is a variance of the 2736.Ar deflate 2737option, allowing negotiation with the 2738.Xr pppd 8 2739program. 2740Refer to the 2741.Ar deflate 2742section above for details. 2743It is disabled by default as it violates 2744.Pa rfc1975 . 2745.It dns 2746Default: Disabled and Denied. 2747This option allows DNS negotiation. 2748.Pp 2749If 2750.Dq enable Ns No d, 2751.Nm 2752will request that the peer confirms the entries in 2753.Pa /etc/resolv.conf . 2754If the peer NAKs our request (suggesting new IP numbers), 2755.Pa /etc/resolv.conf 2756is updated and another request is sent to confirm the new entries. 2757.Pp 2758If 2759.Dq accept Ns No ed, 2760.Nm 2761will answer any DNS queries requested by the peer rather than rejecting 2762them. 2763The answer is taken from 2764.Pa /etc/resolv.conf 2765unless the 2766.Dq set dns 2767command is used as an override. 2768.It enddisc 2769Default: Enabled and Accepted. 2770This option allows control over whether we 2771negotiate an endpoint discriminator. 2772We only send our discriminator if 2773.Dq set enddisc 2774is used and 2775.Ar enddisc 2776is enabled. 2777We reject the peers discriminator if 2778.Ar enddisc 2779is denied. 2780.It LANMan|chap80lm 2781Default: Disabled and Accepted. 2782The use of this authentication protocol 2783is discouraged as it partially violates the authentication protocol by 2784implementing two different mechanisms (LANMan & NT) under the guise of 2785a single CHAP type (0x80). 2786.Dq LANMan 2787uses a simple DES encryption mechanism and is the least secure of the 2788CHAP alternatives (although is still more secure than PAP). 2789.Pp 2790Refer to the 2791.Dq MSChap 2792description below for more details. 2793.It lqr 2794Default: Disabled and Accepted. 2795This option decides if Link Quality Requests will be sent or accepted. 2796LQR is a protocol that allows 2797.Nm 2798to determine that the link is down without relying on the modems 2799carrier detect. 2800When LQR is enabled, 2801.Nm 2802sends the 2803.Em QUALPROTO 2804option (see 2805.Dq set lqrperiod 2806below) as part of the LCP request. 2807If the peer agrees, both sides will 2808exchange LQR packets at the agreed frequency, allowing detailed link 2809quality monitoring by enabling LQM logging. 2810If the peer doesn't agree, 2811.Nm 2812will send ECHO LQR requests instead. 2813These packets pass no information of interest, but they 2814.Em MUST 2815be replied to by the peer. 2816.Pp 2817Whether using LQR or ECHO LQR, 2818.Nm 2819will abruptly drop the connection if 5 unacknowledged packets have been 2820sent rather than sending a 6th. 2821A message is logged at the 2822.Em PHASE 2823level, and any appropriate 2824.Dq reconnect 2825values are honoured as if the peer were responsible for dropping the 2826connection. 2827.It mppe 2828Default: Enabled and Accepted. 2829This is Microsoft Point to Point Encryption scheme. 2830MPPE key size can be 283140-, 56- and 128-bits. 2832Refer to 2833.Dq set mppe 2834command. 2835.It MSChapV2|chap81 2836Default: Disabled and Accepted. 2837It is very similar to standard CHAP (type 0x05) 2838except that it issues challenges of a fixed 16 bytes in length and uses a 2839combination of MD4, SHA-1 and DES to encrypt the challenge rather than using the 2840standard MD5 mechanism. 2841.It MSChap|chap80nt 2842Default: Disabled and Accepted. 2843The use of this authentication protocol 2844is discouraged as it partially violates the authentication protocol by 2845implementing two different mechanisms (LANMan & NT) under the guise of 2846a single CHAP type (0x80). 2847It is very similar to standard CHAP (type 0x05) 2848except that it issues challenges of a fixed 8 bytes in length and uses a 2849combination of MD4 and DES to encrypt the challenge rather than using the 2850standard MD5 mechanism. 2851CHAP type 0x80 for LANMan is also supported - see 2852.Dq enable LANMan 2853for details. 2854.Pp 2855Because both 2856.Dq LANMan 2857and 2858.Dq NT 2859use CHAP type 0x80, when acting as authenticator with both 2860.Dq enable Ns No d , 2861.Nm 2862will rechallenge the peer up to three times if it responds using the wrong 2863one of the two protocols. 2864This gives the peer a chance to attempt using both protocols. 2865.Pp 2866Conversely, when 2867.Nm 2868acts as the authenticatee with both protocols 2869.Dq accept Ns No ed , 2870the protocols are used alternately in response to challenges. 2871.Pp 2872Note: If only LANMan is enabled, 2873.Xr pppd 8 2874(version 2.3.5) misbehaves when acting as authenticatee. 2875It provides both 2876the NT and the LANMan answers, but also suggests that only the NT answer 2877should be used. 2878.It pap 2879Default: Disabled and Accepted. 2880PAP stands for Password Authentication Protocol. 2881Only one of PAP and CHAP (above) may be negotiated. 2882With PAP, the ID and Password are sent repeatedly to the peer until 2883authentication is acknowledged or the connection is terminated. 2884This is a rather poor security mechanism. 2885It is only performed when the connection is first established. 2886If you want to have your peer authenticate itself, you must 2887.Dq enable pap . 2888in 2889.Pa /etc/ppp/ppp.conf , 2890and have an entry in 2891.Pa /etc/ppp/ppp.secret 2892for the peer (although see the 2893.Dq passwdauth 2894and 2895.Dq set radius 2896options below). 2897.Pp 2898When using PAP as the client, you need only specify 2899.Dq AuthName 2900and 2901.Dq AuthKey 2902in 2903.Pa /etc/ppp/ppp.conf . 2904PAP is accepted by default. 2905.It pred1 2906Default: Enabled and Accepted. 2907This option decides if Predictor 1 2908compression will be used by the Compression Control Protocol (CCP). 2909.It protocomp 2910Default: Enabled and Accepted. 2911This option is used to negotiate 2912PFC (Protocol Field Compression), a mechanism where the protocol 2913field number is reduced to one octet rather than two. 2914.It shortseq 2915Default: Enabled and Accepted. 2916This option determines if 2917.Nm 2918will request and accept requests for short 2919(12 bit) 2920sequence numbers when negotiating multi-link mode. 2921This is only applicable if our MRRU is set (thus enabling multi-link). 2922.It vjcomp 2923Default: Enabled and Accepted. 2924This option determines if Van Jacobson header compression will be used. 2925.El 2926.Pp 2927The following options are not actually negotiated with the peer. 2928Therefore, accepting or denying them makes no sense. 2929.Bl -tag -width 2n 2930.It filter-decapsulation 2931Default: Disabled. 2932When this option is enabled, 2933.Nm 2934will examine UDP frames to see if they actually contain a 2935.Em PPP 2936frame as their payload. 2937If this is the case, all filters will operate on the payload rather 2938than the actual packet. 2939.Pp 2940This is useful if you want to send PPPoUDP traffic over a 2941.Em PPP 2942link, but want that link to do smart things with the real data rather than 2943the UDP wrapper. 2944.Pp 2945The UDP frame payload must not be compressed in any way, otherwise 2946.Nm 2947will not be able to interpret it. 2948It's therefore recommended that you 2949.Ic disable vj pred1 deflate 2950and 2951.Ic deny vj pred1 deflate 2952in the configuration for the 2953.Nm 2954invocation with the udp link. 2955.It force-scripts 2956Default: Disabled. 2957Forces execution of the configured chat scripts in 2958.Dv direct 2959and 2960.Dv dedicated 2961modes. 2962.It idcheck 2963Default: Enabled. 2964When 2965.Nm 2966exchanges low-level LCP, CCP and IPCP configuration traffic, the 2967.Em Identifier 2968field of any replies is expected to be the same as that of the request. 2969By default, 2970.Nm 2971drops any reply packets that do not contain the expected identifier 2972field, reporting the fact at the respective log level. 2973If 2974.Ar idcheck 2975is disabled, 2976.Nm 2977will ignore the identifier field. 2978.It iface-alias 2979Default: Enabled if 2980.Fl nat 2981is specified. 2982This option simply tells 2983.Nm 2984to add new interface addresses to the interface rather than replacing them. 2985The option can only be enabled if network address translation is enabled 2986.Pq Dq nat enable yes . 2987.Pp 2988With this option enabled, 2989.Nm 2990will pass traffic for old interface addresses through the NAT 2991ifdef({LOCALNAT},{engine,},{engine 2992(see 2993.Xr libalias 3 ) ,}) 2994resulting in the ability (in 2995.Fl auto 2996mode) to properly connect the process that caused the PPP link to 2997come up in the first place. 2998.Pp 2999Disabling NAT with 3000.Dq nat enable no 3001will also disable 3002.Sq iface-alias . 3003.It ipcp 3004Default: Enabled. 3005This option allows 3006.Nm 3007to attempt to negotiate IP control protocol capabilities and if 3008successful to exchange IP datagrams with the peer. 3009.It ipv6cp 3010Default: Enabled. 3011This option allows 3012.Nm 3013to attempt to negotiate IPv6 control protocol capabilities and if 3014successful to exchange IPv6 datagrams with the peer. 3015.It keep-session 3016Default: Disabled. 3017When 3018.Nm 3019runs as a Multi-link server, a different 3020.Nm 3021instance initially receives each connection. 3022After determining that 3023the link belongs to an already existing bundle (controlled by another 3024.Nm 3025invocation), 3026.Nm 3027will transfer the link to that process. 3028.Pp 3029If the link is a tty device or if this option is enabled, 3030.Nm 3031will not exit, but will change its process name to 3032.Dq session owner 3033and wait for the controlling 3034.Nm 3035to finish with the link and deliver a signal back to the idle process. 3036This prevents the confusion that results from 3037.Nm Ns No 's 3038parent considering the link resource available again. 3039.Pp 3040For tty devices that have entries in 3041.Pa /etc/ttys , 3042this is necessary to prevent another 3043.Xr getty 8 3044from being started, and for program links such as 3045.Xr sshd 8 , 3046it prevents 3047.Xr sshd 8 3048from exiting due to the death of its child. 3049As 3050.Nm 3051cannot determine its parents requirements (except for the tty case), this 3052option must be enabled manually depending on the circumstances. 3053.It loopback 3054Default: Enabled. 3055When 3056.Ar loopback 3057is enabled, 3058.Nm 3059will automatically loop back packets being sent 3060out with a destination address equal to that of the 3061.Em PPP 3062interface. 3063If disabled, 3064.Nm 3065will send the packet, probably resulting in an ICMP redirect from 3066the other end. 3067It is convenient to have this option enabled when 3068the interface is also the default route as it avoids the necessity 3069of a loopback route. 3070.It passwdauth 3071Default: Disabled. 3072Enabling this option will tell the PAP authentication 3073code to use the password database (see 3074.Xr passwd 5 ) 3075to authenticate the caller if they cannot be found in the 3076.Pa /etc/ppp/ppp.secret 3077file. 3078.Pa /etc/ppp/ppp.secret 3079is always checked first. 3080If you wish to use passwords from 3081.Xr passwd 5 , 3082but also to specify an IP number or label for a given client, use 3083.Dq \&* 3084as the client password in 3085.Pa /etc/ppp/ppp.secret . 3086.It proxy 3087Default: Disabled. 3088Enabling this option will tell 3089.Nm 3090to proxy ARP for the peer. 3091This means that 3092.Nm 3093will make an entry in the ARP table using 3094.Dv HISADDR 3095and the 3096.Dv MAC 3097address of the local network in which 3098.Dv HISADDR 3099appears. 3100This allows other machines connecteed to the LAN to talk to 3101the peer as if the peer itself was connected to the LAN. 3102The proxy entry cannot be made unless 3103.Dv HISADDR 3104is an address from a LAN. 3105.It proxyall 3106Default: Disabled. 3107Enabling this will tell 3108.Nm 3109to add proxy arp entries for every IP address in all class C or 3110smaller subnets routed via the tun interface. 3111.Pp 3112Proxy arp entries are only made for sticky routes that are added 3113using the 3114.Dq add 3115command. 3116No proxy arp entries are made for the interface address itself 3117(as created by the 3118.Dq set ifaddr 3119command). 3120.It sroutes 3121Default: Enabled. 3122When the 3123.Dq add 3124command is used with the 3125.Dv HISADDR , 3126.Dv MYADDR , 3127.Dv HISADDR6 3128or 3129.Dv MYADDR6 3130values, entries are stored in the 3131.Sq sticky route 3132list. 3133Each time these variables change, this list is re-applied to the routing table. 3134.Pp 3135Disabling this option will prevent the re-application of sticky routes, 3136although the 3137.Sq stick route 3138list will still be maintained. 3139.It Op tcp Ns Xo 3140.No mssfixup 3141.Xc 3142Default: Enabled. 3143This option tells 3144.Nm 3145to adjust TCP SYN packets so that the maximum receive segment 3146size is not greater than the amount allowed by the interface MTU. 3147.It throughput 3148Default: Enabled. 3149This option tells 3150.Nm 3151to gather throughput statistics. 3152Input and output is sampled over 3153a rolling 5 second window, and current, best and total figures are retained. 3154This data is output when the relevant 3155.Em PPP 3156layer shuts down, and is also available using the 3157.Dq show 3158command. 3159Throughput statistics are available at the 3160.Dq IPCP 3161and 3162.Dq physical 3163levels. 3164.It utmp 3165Default: Enabled. 3166Normally, when a user is authenticated using PAP or CHAP, and when 3167.Nm 3168is running in 3169.Fl direct 3170mode, an entry is made in the utmp and wtmp files for that user. 3171Disabling this option will tell 3172.Nm 3173not to make any utmp or wtmp entries. 3174This is usually only necessary if 3175you require the user to both login and authenticate themselves. 3176.El 3177.Pp 3178.It add Ns Xo 3179.Op !\& 3180.Ar dest Ns Op / Ns Ar nn 3181.Op Ar mask 3182.Op Ar gateway 3183.Xc 3184.Ar Dest 3185is the destination IP address. 3186The netmask is specified either as a number of bits with 3187.Ar /nn 3188or as an IP number using 3189.Ar mask . 3190.Ar 0 0 3191or simply 3192.Ar 0 3193with no mask refers to the default route. 3194It is also possible to use the literal name 3195.Sq default 3196instead of 3197.Ar 0 . 3198.Ar Gateway 3199is the next hop gateway to get to the given 3200.Ar dest 3201machine/network. 3202Refer to the 3203.Xr route 8 3204command for further details. 3205.Pp 3206It is possible to use the symbolic names 3207.Sq MYADDR , 3208.Sq HISADDR , 3209.Sq MYADDR6 3210or 3211.Sq HISADDR6 3212as the destination, and 3213.Sq HISADDR 3214or 3215.Sq HISADDR6 3216as the 3217.Ar gateway . 3218.Sq MYADDR 3219is replaced with the interface IP address, 3220.Sq HISADDR 3221is replaced with the interface IP destination (peer) address, 3222.Sq MYADDR6 3223is replaced with the interface IPv6 address, and 3224.Sq HISADDR6 3225is replaced with the interface IPv6 destination address, 3226.Pp 3227If the 3228.Ar add!\& 3229command is used 3230(note the trailing 3231.Dq !\& ) , 3232then if the route already exists, it will be updated as with the 3233.Sq route change 3234command (see 3235.Xr route 8 3236for further details). 3237.Pp 3238Routes that contain the 3239.Dq HISADDR , 3240.Dq MYADDR , 3241.Dq HISADDR6 , 3242.Dq MYADDR6 , 3243.Dq DNS0 , 3244or 3245.Dq DNS1 3246constants are considered 3247.Sq sticky . 3248They are stored in a list (use 3249.Dq show ncp 3250to see the list), and each time the value of one of these variables 3251changes, the appropriate routing table entries are updated. 3252This facility may be disabled using 3253.Dq disable sroutes . 3254.It allow Ar command Op Ar args 3255This command controls access to 3256.Nm 3257and its configuration files. 3258It is possible to allow user-level access, 3259depending on the configuration file label and on the mode that 3260.Nm 3261is being run in. 3262For example, you may wish to configure 3263.Nm 3264so that only user 3265.Sq fred 3266may access label 3267.Sq fredlabel 3268in 3269.Fl background 3270mode. 3271.Pp 3272User id 0 is immune to these commands. 3273.Bl -tag -width 2n 3274.It allow user Ns Xo 3275.Op s 3276.Ar logname Ns No ... 3277.Xc 3278By default, only user id 0 is allowed access to 3279.Nm . 3280If this command is used, all of the listed users are allowed access to 3281the section in which the 3282.Dq allow users 3283command is found. 3284The 3285.Sq default 3286section is always checked first (even though it is only ever automatically 3287loaded at startup). 3288.Dq allow users 3289commands are cumulative in a given section, but users allowed in any given 3290section override users allowed in the default section, so it's possible to 3291allow users access to everything except a given label by specifying default 3292users in the 3293.Sq default 3294section, and then specifying a new user list for that label. 3295.Pp 3296If user 3297.Sq * 3298is specified, access is allowed to all users. 3299.It allow mode Ns Xo 3300.Op s 3301.Ar mode Ns No ... 3302.Xc 3303By default, access using any 3304.Nm 3305mode is possible. 3306If this command is used, it restricts the access 3307.Ar modes 3308allowed to load the label under which this command is specified. 3309Again, as with the 3310.Dq allow users 3311command, each 3312.Dq allow modes 3313command overrides any previous settings, and the 3314.Sq default 3315section is always checked first. 3316.Pp 3317Possible modes are: 3318.Sq interactive , 3319.Sq auto , 3320.Sq direct , 3321.Sq dedicated , 3322.Sq ddial , 3323.Sq background 3324and 3325.Sq * . 3326.Pp 3327When running in multi-link mode, a section can be loaded if it allows 3328.Em any 3329of the currently existing line modes. 3330.El 3331.Pp 3332.It nat Ar command Op Ar args 3333This command allows the control of the network address translation (also 3334known as masquerading or IP aliasing) facilities that are built into 3335.Nm . 3336NAT is done on the external interface only, and is unlikely to make sense 3337if used with the 3338.Fl direct 3339flag. 3340.Pp 3341If nat is enabled on your system (it may be omitted at compile time), 3342the following commands are possible: 3343.Bl -tag -width 2n 3344.It nat enable yes|no 3345This command either switches network address translation on or turns it off. 3346The 3347.Fl nat 3348command line flag is synonymous with 3349.Dq nat enable yes . 3350.It nat addr Op Ar addr_local addr_alias 3351This command allows data for 3352.Ar addr_alias 3353to be redirected to 3354.Ar addr_local . 3355It is useful if you own a small number of real IP numbers that 3356you wish to map to specific machines behind your gateway. 3357.It nat deny_incoming yes|no 3358If set to yes, this command will refuse all incoming packets where an 3359aliasing link doesn't already exist. 3360ifdef({LOCALNAT},{},{Refer to the 3361.Sx CONCEPTUAL BACKGROUND 3362section of 3363.Xr libalias 3 3364for a description of what an 3365.Dq aliasing link 3366is. 3367})dnl 3368.Pp 3369It should be noted under what circumstances an aliasing link is 3370ifdef({LOCALNAT},{created.},{created by 3371.Xr libalias 3 .}) 3372It may be necessary to further protect your network from outside 3373connections using the 3374.Dq set filter 3375or 3376.Dq nat target 3377commands. 3378.It nat help|? 3379This command gives a summary of available nat commands. 3380.It nat log yes|no 3381This option causes various NAT statistics and information to 3382be logged to the file 3383.Pa /var/log/alias.log . 3384.It nat port Ar proto Ar targetIP Ns Xo 3385.No : Ns Ar targetPort Ns 3386.Oo 3387.No - Ns Ar targetPort 3388.Oc Ar aliasPort Ns 3389.Oo 3390.No - Ns Ar aliasPort 3391.Oc Oo Ar remoteIP : Ns 3392.Ar remotePort Ns 3393.Oo 3394.No - Ns Ar remotePort 3395.Oc Ns 3396.Oc 3397.Xc 3398This command causes incoming 3399.Ar proto 3400connections to 3401.Ar aliasPort 3402to be redirected to 3403.Ar targetPort 3404on 3405.Ar targetIP . 3406.Ar proto 3407is either 3408.Dq tcp 3409or 3410.Dq udp . 3411.Pp 3412A range of port numbers may be specified as shown above. 3413The ranges must be of the same size. 3414.Pp 3415If 3416.Ar remoteIP 3417is specified, only data coming from that IP number is redirected. 3418.Ar remotePort 3419must either be 3420.Dq 0 3421(indicating any source port) 3422or a range of ports the same size as the other ranges. 3423.Pp 3424This option is useful if you wish to run things like Internet phone on 3425machines behind your gateway, but is limited in that connections to only 3426one interior machine per source machine and target port are possible. 3427.It nat proto Ar proto localIP Oo 3428.Ar publicIP Op Ar remoteIP 3429.Oc 3430This command tells 3431.Nm 3432to redirect packets of protocol type 3433.Ar proto 3434(see 3435.Xr protocols 5 ) 3436to the internal address 3437.Ar localIP . 3438.Pp 3439If 3440.Ar publicIP 3441is specified, only packets destined for that address are matched, 3442otherwise the default alias address is used. 3443.Pp 3444If 3445.Ar remoteIP 3446is specified, only packets matching that source address are matched, 3447.Pp 3448This command is useful for redirecting tunnel endpoints to an internal machine, 3449for example: 3450.Pp 3451.Dl nat proto ipencap 10.0.0.1 3452.It "nat proxy cmd" Ar arg Ns No ... 3453This command tells 3454.Nm 3455to proxy certain connections, redirecting them to a given server. 3456ifdef({LOCALNAT},{},{Refer to the description of 3457.Fn PacketAliasProxyRule 3458in 3459.Xr libalias 3 3460for details of the available commands. 3461})dnl 3462.It nat punch_fw Op Ar base count 3463This command tells 3464.Nm 3465to punch holes in the firewall for FTP or IRC DCC connections. 3466This is done dynamically by installing termporary firewall rules which 3467allow a particular connection (and only that connection) to go through 3468the firewall. 3469The rules are removed once the corresponding connection terminates. 3470.Pp 3471A maximum of 3472.Ar count 3473rules starting from rule number 3474.Ar base 3475will be used for punching firewall holes. 3476The range will be cleared when the 3477.Dq nat punch_fw 3478command is run. 3479.Pp 3480If no arguments are given, firewall punching is disabled. 3481.It nat skinny_port Op Ar port 3482This command tells 3483.Nm 3484which TCP port is used by the Skinny Station protocol. 3485Skinny is used by 3486Cisco IP phones to communicate with Cisco Call Managers to setup voice 3487over IP calls. 3488The typical port used by Skinny is 2000. 3489.Pp 3490If no argument is given, skinny aliasing is disabled. 3491.It nat same_ports yes|no 3492When enabled, this command will tell the network address translation engine to 3493attempt to avoid changing the port number on outgoing packets. 3494This is useful 3495if you want to support protocols such as RPC and LPD which require 3496connections to come from a well known port. 3497.It nat target Op Ar address 3498Set the given target address or clear it if no address is given. 3499The target address is used 3500ifdef({LOCALNAT},{},{by libalias })dnl 3501to specify how to NAT incoming packets by default. 3502If a target address is not set or if 3503.Dq default 3504is given, packets are not altered and are allowed to route to the internal 3505network. 3506.Pp 3507The target address may be set to 3508.Dq MYADDR , 3509in which case 3510ifdef({LOCALNAT},{all packets will be redirected}, 3511{libalias will redirect all packets}) 3512to the interface address. 3513.It nat use_sockets yes|no 3514When enabled, this option tells the network address translation engine to 3515create a socket so that it can guarantee a correct incoming ftp data or 3516IRC connection. 3517.It nat unregistered_only yes|no 3518Only alter outgoing packets with an unregistered source address. 3519According to RFC 1918, unregistered source addresses 3520are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. 3521.El 3522.Pp 3523These commands are also discussed in the file 3524.Pa README.nat 3525which comes with the source distribution. 3526.Pp 3527.It Op !\& Ns Xo 3528.No bg Ar command 3529.Xc 3530The given 3531.Ar command 3532is executed in the background with the following words replaced: 3533.Bl -tag -width COMPILATIONDATE 3534.It Li AUTHNAME 3535This is replaced with the local 3536.Ar authname 3537value. 3538See the 3539.Dq set authname 3540command below. 3541.It Li COMPILATIONDATE 3542This is replaced with the date on which 3543.Nm 3544was compiled. 3545.It Li DNS0 & DNS1 3546These are replaced with the primary and secondary nameserver IP numbers. 3547If nameservers are negotiated by IPCP, the values of these macros will change. 3548.It Li ENDDISC 3549This is replaced with the local endpoint discriminator value. 3550See the 3551.Dq set enddisc 3552command below. 3553.It Li HISADDR 3554This is replaced with the peers IP number. 3555.It Li HISADDR6 3556This is replaced with the peers IPv6 number. 3557.It Li INTERFACE 3558This is replaced with the name of the interface that's in use. 3559.It Li IPOCTETSIN 3560This is replaced with the number of IP bytes received since the connection 3561was established. 3562.It Li IPOCTETSOUT 3563This is replaced with the number of IP bytes sent since the connection 3564was established. 3565.It Li IPPACKETSIN 3566This is replaced with the number of IP packets received since the connection 3567was established. 3568.It Li IPPACKETSOUT 3569This is replaced with the number of IP packets sent since the connection 3570was established. 3571.It Li IPV6OCTETSIN 3572This is replaced with the number of IPv6 bytes received since the connection 3573was established. 3574.It Li IPV6OCTETSOUT 3575This is replaced with the number of IPv6 bytes sent since the connection 3576was established. 3577.It Li IPV6PACKETSIN 3578This is replaced with the number of IPv6 packets received since the connection 3579was established. 3580.It Li IPV6PACKETSOUT 3581This is replaced with the number of IPv6 packets sent since the connection 3582was established. 3583.It Li LABEL 3584This is replaced with the last label name used. 3585A label may be specified on the 3586.Nm 3587command line, via the 3588.Dq load 3589or 3590.Dq dial 3591commands and in the 3592.Pa ppp.secret 3593file. 3594.It Li MYADDR 3595This is replaced with the IP number assigned to the local interface. 3596.It Li MYADDR6 3597This is replaced with the IPv6 number assigned to the local interface. 3598.It Li OCTETSIN 3599This is replaced with the number of bytes received since the connection 3600was established. 3601.It Li OCTETSOUT 3602This is replaced with the number of bytes sent since the connection 3603was established. 3604.It Li PACKETSIN 3605This is replaced with the number of packets received since the connection 3606was established. 3607.It Li PACKETSOUT 3608This is replaced with the number of packets sent since the connection 3609was established. 3610.It Li PEER_ENDDISC 3611This is replaced with the value of the peers endpoint discriminator. 3612.It Li PROCESSID 3613This is replaced with the current process id. 3614.It Li SOCKNAME 3615This is replaced with the name of the diagnostic socket. 3616.It Li UPTIME 3617This is replaced with the bundle uptime in HH:MM:SS format. 3618.It Li USER 3619This is replaced with the username that has been authenticated with PAP or 3620CHAP. 3621Normally, this variable is assigned only in -direct mode. 3622This value is available irrespective of whether utmp logging is enabled. 3623.It Li VERSION 3624This is replaced with the current version number of 3625.Nm . 3626.El 3627.Pp 3628These substitutions are also done by the 3629.Dq set proctitle , 3630.Dq ident 3631and 3632.Dq log 3633commands. 3634.Pp 3635If you wish to pause 3636.Nm 3637while the command executes, use the 3638.Dq shell 3639command instead. 3640.It clear physical|ipcp|ipv6 Op current|overall|peak... 3641Clear the specified throughput values at either the 3642.Dq physical , 3643.Dq ipcp 3644or 3645.Dq ipv6cp 3646level. 3647If 3648.Dq physical 3649is specified, context must be given (see the 3650.Dq link 3651command below). 3652If no second argument is given, all values are cleared. 3653.It clone Ar name Ns Xo 3654.Op \&, Ns Ar name Ns 3655.No ... 3656.Xc 3657Clone the specified link, creating one or more new links according to the 3658.Ar name 3659argument(s). 3660This command must be used from the 3661.Dq link 3662command below unless you've only got a single link (in which case that 3663link becomes the default). 3664Links may be removed using the 3665.Dq remove 3666command below. 3667.Pp 3668The default link name is 3669.Dq deflink . 3670.It close Op lcp|ccp Ns Op !\& 3671If no arguments are given, the relevant protocol layers will be brought 3672down and the link will be closed. 3673If 3674.Dq lcp 3675is specified, the LCP layer is brought down, but 3676.Nm 3677will not bring the link offline. 3678It is subsequently possible to use 3679.Dq term 3680(see below) 3681to talk to the peer machine if, for example, something like 3682.Dq slirp 3683is being used. 3684If 3685.Dq ccp 3686is specified, only the relevant compression layer is closed. 3687If the 3688.Dq !\& 3689is used, the compression layer will remain in the closed state, otherwise 3690it will re-enter the STOPPED state, waiting for the peer to initiate 3691further CCP negotiation. 3692In any event, this command does not disconnect the user from 3693.Nm 3694or exit 3695.Nm . 3696See the 3697.Dq quit 3698command below. 3699.It delete Ns Xo 3700.Op !\& 3701.Ar dest 3702.Xc 3703This command deletes the route with the given 3704.Ar dest 3705IP address. 3706If 3707.Ar dest 3708is specified as 3709.Sq ALL , 3710all non-direct entries in the routing table for the current interface, 3711and all 3712.Sq sticky route 3713entries are deleted. 3714If 3715.Ar dest 3716is specified as 3717.Sq default , 3718the default route is deleted. 3719.Pp 3720If the 3721.Ar delete!\& 3722command is used 3723(note the trailing 3724.Dq !\& ) , 3725.Nm 3726will not complain if the route does not already exist. 3727.It dial|call Op Ar label Ns Xo 3728.No ... 3729.Xc 3730This command is the equivalent of 3731.Dq load label 3732followed by 3733.Dq open , 3734and is provided for backwards compatibility. 3735.It down Op Ar lcp|ccp 3736Bring the relevant layer down ungracefully, as if the underlying layer 3737had become unavailable. 3738It's not considered polite to use this command on 3739a Finite State Machine that's in the OPEN state. 3740If no arguments are 3741supplied, the entire link is closed (or if no context is given, all links 3742are terminated). 3743If 3744.Sq lcp 3745is specified, the 3746.Em LCP 3747layer is terminated but the device is not brought offline and the link 3748is not closed. 3749If 3750.Sq ccp 3751is specified, only the relevant compression layer(s) are terminated. 3752.It help|? Op Ar command 3753Show a list of available commands. 3754If 3755.Ar command 3756is specified, show the usage string for that command. 3757.It ident Op Ar text Ns No ... 3758Identify the link to the peer using 3759.Ar text . 3760If 3761.Ar text 3762is empty, link identification is disabled. 3763It is possible to use any of the words described for the 3764.Ic bg 3765command above. 3766Refer to the 3767.Ic sendident 3768command for details of when 3769.Nm 3770identifies itself to the peer. 3771.It iface Ar command Op args 3772This command is used to control the interface used by 3773.Nm . 3774.Ar Command 3775may be one of the following: 3776.Bl -tag -width 2n 3777.It iface add Ns Xo 3778.Op !\& 3779.Ar addr Ns Op / Ns Ar bits 3780.Op Ar peer 3781.Xc 3782.It iface add Ns Xo 3783.Op !\& 3784.Ar addr 3785.Ar mask 3786.Ar peer 3787.Xc 3788Add the given 3789.Ar addr mask peer 3790combination to the interface. 3791Instead of specifying 3792.Ar mask , 3793.Ar /bits 3794can be used 3795(with no space between it and 3796.Ar addr ) . 3797If the given address already exists, the command fails unless the 3798.Dq !\& 3799is used - in which case the previous interface address entry is overwritten 3800with the new one, allowing a change of netmask or peer address. 3801.Pp 3802If only 3803.Ar addr 3804is specified, 3805.Ar bits 3806defaults to 3807.Dq 32 3808and 3809.Ar peer 3810defaults to 3811.Dq 255.255.255.255 . 3812This address (the broadcast address) is the only duplicate peer address that 3813.Nm 3814allows. 3815.It iface clear Op INET | INET6 3816If this command is used while 3817.Nm 3818is in the OPENED state or while in 3819.Fl auto 3820mode, all addresses except for the NCP negotiated address are deleted 3821from the interface. 3822If 3823.Nm 3824is not in the OPENED state and is not in 3825.Fl auto 3826mode, all interface addresses are deleted. 3827.Pp 3828If the INET or INET6 arguments are used, only addresses for that address 3829family are cleared. 3830.Pp 3831.It iface delete Ns Xo 3832.Op !\& Ns 3833.No |rm Ns Op !\& 3834.Ar addr 3835.Xc 3836This command deletes the given 3837.Ar addr 3838from the interface. 3839If the 3840.Dq !\& 3841is used, no error is given if the address isn't currently assigned to 3842the interface (and no deletion takes place). 3843.It iface show 3844Shows the current state and current addresses for the interface. 3845It is much the same as running 3846.Dq ifconfig INTERFACE . 3847.It iface help Op Ar sub-command 3848This command, when invoked without 3849.Ar sub-command , 3850will show a list of possible 3851.Dq iface 3852sub-commands and a brief synopsis for each. 3853When invoked with 3854.Ar sub-command , 3855only the synopsis for the given sub-command is shown. 3856.El 3857.It Op data Ns Xo 3858.No link 3859.Ar name Ns Op , Ns Ar name Ns 3860.No ... Ar command Op Ar args 3861.Xc 3862This command may prefix any other command if the user wishes to 3863specify which link the command should affect. 3864This is only applicable after multiple links have been created in Multi-link 3865mode using the 3866.Dq clone 3867command. 3868.Pp 3869.Ar Name 3870specifies the name of an existing link. 3871If 3872.Ar name 3873is a comma separated list, 3874.Ar command 3875is executed on each link. 3876If 3877.Ar name 3878is 3879.Dq * , 3880.Ar command 3881is executed on all links. 3882.It load Op Ar label Ns Xo 3883.No ... 3884.Xc 3885Load the given 3886.Ar label Ns No (s) 3887from the 3888.Pa ppp.conf 3889file. 3890If 3891.Ar label 3892is not given, the 3893.Ar default 3894label is used. 3895.Pp 3896Unless the 3897.Ar label 3898section uses the 3899.Dq set mode , 3900.Dq open 3901or 3902.Dq dial 3903commands, 3904.Nm 3905will not attempt to make an immediate connection. 3906.It log Ar word Ns No ... 3907Send the given word(s) to the log file with the prefix 3908.Dq LOG: . 3909Word substitutions are done as explained under the 3910.Dq !bg 3911command above. 3912.It open Op lcp|ccp|ipcp 3913This is the opposite of the 3914.Dq close 3915command. 3916All closed links are immediately brought up apart from second and subsequent 3917.Ar demand-dial 3918links - these will come up based on the 3919.Dq set autoload 3920command that has been used. 3921.Pp 3922If the 3923.Dq lcp 3924argument is used while the LCP layer is already open, LCP will be 3925renegotiated. 3926This allows various LCP options to be changed, after which 3927.Dq open lcp 3928can be used to put them into effect. 3929After renegotiating LCP, 3930any agreed authentication will also take place. 3931.Pp 3932If the 3933.Dq ccp 3934argument is used, the relevant compression layer is opened. 3935Again, if it is already open, it will be renegotiated. 3936.Pp 3937If the 3938.Dq ipcp 3939argument is used, the link will be brought up as normal, but if 3940IPCP is already open, it will be renegotiated and the network 3941interface will be reconfigured. 3942.Pp 3943It is probably not good practice to re-open the PPP state machines 3944like this as it's possible that the peer will not behave correctly. 3945It 3946.Em is 3947however useful as a way of forcing the CCP or VJ dictionaries to be reset. 3948.It passwd Ar pass 3949Specify the password required for access to the full 3950.Nm 3951command set. 3952This password is required when connecting to the diagnostic port (see the 3953.Dq set server 3954command). 3955.Ar Pass 3956is specified on the 3957.Dq set server 3958command line. 3959The value of 3960.Ar pass 3961is not logged when 3962.Ar command 3963logging is active, instead, the literal string 3964.Sq ******** 3965is logged. 3966.It quit|bye Op all 3967If 3968.Dq quit 3969is executed from the controlling connection or from a command file, 3970ppp will exit after closing all connections. 3971Otherwise, if the user 3972is connected to a diagnostic socket, the connection is simply dropped. 3973.Pp 3974If the 3975.Ar all 3976argument is given, 3977.Nm 3978will exit despite the source of the command after closing all existing 3979connections. 3980.It remove|rm 3981This command removes the given link. 3982It is only really useful in multi-link mode. 3983A link must be in the 3984.Dv CLOSED 3985state before it is removed. 3986.It rename|mv Ar name 3987This command renames the given link to 3988.Ar name . 3989It will fail if 3990.Ar name 3991is already used by another link. 3992.Pp 3993The default link name is 3994.Sq deflink . 3995Renaming it to 3996.Sq modem , 3997.Sq cuaa0 3998or 3999.Sq USR 4000may make the log file more readable. 4001.It resolv Ar command 4002This command controls 4003.Nm Ns No 's 4004manipulation of the 4005.Xr resolv.conf 5 4006file. 4007When 4008.Nm 4009starts up, it loads the contents of this file into memory and retains this 4010image for future use. 4011.Ar command 4012is one of the following: 4013.Bl -tag -width readonly 4014.It Em readonly 4015Treat 4016.Pa /etc/resolv.conf 4017as read only. 4018If 4019.Dq dns 4020is enabled, 4021.Nm 4022will still attempt to negotiate nameservers with the peer, making the results 4023available via the 4024.Dv DNS0 4025and 4026.Dv DNS1 4027macros. 4028This is the opposite of the 4029.Dq resolv writable 4030command. 4031.It Em reload 4032Reload 4033.Pa /etc/resolv.conf 4034into memory. 4035This may be necessary if for example a DHCP client overwrote 4036.Pa /etc/resolv.conf . 4037.It Em restore 4038Replace 4039.Pa /etc/resolv.conf 4040with the version originally read at startup or with the last 4041.Dq resolv reload 4042command. 4043This is sometimes a useful command to put in the 4044.Pa /etc/ppp/ppp.linkdown 4045file. 4046.It Em rewrite 4047Rewrite the 4048.Pa /etc/resolv.conf 4049file. 4050This command will work even if the 4051.Dq resolv readonly 4052command has been used. 4053It may be useful as a command in the 4054.Pa /etc/ppp/ppp.linkup 4055file if you wish to defer updating 4056.Pa /etc/resolv.conf 4057until after other commands have finished. 4058.It Em writable 4059Allow 4060.Nm 4061to update 4062.Pa /etc/resolv.conf 4063if 4064.Dq dns 4065is enabled and 4066.Nm 4067successfully negotiates a DNS. 4068This is the opposite of the 4069.Dq resolv readonly 4070command. 4071.El 4072.It save 4073This option is not (yet) implemented. 4074.It sendident 4075This command tells 4076.Nm 4077to identify itself to the peer. 4078The link must be in LCP state or higher. 4079If no identity has been set (via the 4080.Ic ident 4081command), 4082.Ic sendident 4083will fail. 4084.Pp 4085When an identity has been set, 4086.Nm 4087will automatically identify itself when it sends or receives a configure 4088reject, when negotiation fails or when LCP reaches the opened state. 4089.Pp 4090Received identification packets are logged to the LCP log (see 4091.Ic set log 4092for details) and are never responded to. 4093.It set Ns Xo 4094.Op up 4095.Ar var value 4096.Xc 4097This option allows the setting of any of the following variables: 4098.Bl -tag -width 2n 4099.It set accmap Ar hex-value 4100ACCMap stands for Asynchronous Control Character Map. 4101This is always 4102negotiated with the peer, and defaults to a value of 00000000 in hex. 4103This protocol is required to defeat hardware that depends on passing 4104certain characters from end to end (such as XON/XOFF etc). 4105.Pp 4106For the XON/XOFF scenario, use 4107.Dq set accmap 000a0000 . 4108.It set Op auth Ns Xo 4109.No key Ar value 4110.Xc 4111This sets the authentication key (or password) used in client mode 4112PAP or CHAP negotiation to the given value. 4113It also specifies the 4114password to be used in the dial or login scripts in place of the 4115.Sq \eP 4116sequence, preventing the actual password from being logged. 4117If 4118.Ar command 4119or 4120.Ar chat 4121logging is in effect, 4122.Ar value 4123is logged as 4124.Sq ******** 4125for security reasons. 4126.Pp 4127If the first character of 4128.Ar value 4129is an exclamation mark 4130.Pq Dq !\& , 4131.Nm 4132treats the remainder of the string as a program that must be executed 4133to determine the 4134.Dq authname 4135and 4136.Dq authkey 4137values. 4138.Pp 4139If the 4140.Dq !\& 4141is doubled up 4142(to 4143.Dq !! ) , 4144it is treated as a single literal 4145.Dq !\& , 4146otherwise, ignoring the 4147.Dq !\& , 4148.Ar value 4149is parsed as a program to execute in the same was as the 4150.Dq !bg 4151command above, substituting special names in the same manner. 4152Once executed, 4153.Nm 4154will feed the program three lines of input, each terminated by a newline 4155character: 4156.Bl -bullet 4157.It 4158The host name as sent in the CHAP challenge. 4159.It 4160The challenge string as sent in the CHAP challenge. 4161.It 4162The locally defined 4163.Dq authname . 4164.El 4165.Pp 4166Two lines of output are expected: 4167.Bl -bullet 4168.It 4169The 4170.Dq authname 4171to be sent with the CHAP response. 4172.It 4173The 4174.Dq authkey , 4175which is encrypted with the challenge and request id, the answer being sent 4176in the CHAP response packet. 4177.El 4178.Pp 4179When configuring 4180.Nm 4181in this manner, it's expected that the host challenge is a series of ASCII 4182digits or characters. 4183An encryption device or Secure ID card is usually 4184required to calculate the secret appropriate for the given challenge. 4185.It set authname Ar id 4186This sets the authentication id used in client mode PAP or CHAP negotiation. 4187.Pp 4188If used in 4189.Fl direct 4190mode with CHAP enabled, 4191.Ar id 4192is used in the initial authentication challenge and should normally be set to 4193the local machine name. 4194.It set autoload Xo 4195.Ar min-percent max-percent period 4196.Xc 4197These settings apply only in multi-link mode and default to zero, zero and 4198five respectively. 4199When more than one 4200.Ar demand-dial 4201(also known as 4202.Fl auto ) 4203mode link is available, only the first link is made active when 4204.Nm 4205first reads data from the tun device. 4206The next 4207.Ar demand-dial 4208link will be opened only when the current bundle throughput is at least 4209.Ar max-percent 4210percent of the total bundle bandwidth for 4211.Ar period 4212seconds. 4213When the current bundle throughput decreases to 4214.Ar min-percent 4215percent or less of the total bundle bandwidth for 4216.Ar period 4217seconds, a 4218.Ar demand-dial 4219link will be brought down as long as it's not the last active link. 4220.Pp 4221Bundle throughput is measured as the maximum of inbound and outbound 4222traffic. 4223.Pp 4224The default values cause 4225.Ar demand-dial 4226links to simply come up one at a time. 4227.Pp 4228Certain devices cannot determine their physical bandwidth, so it 4229is sometimes necessary to use the 4230.Dq set bandwidth 4231command (described below) to make 4232.Dq set autoload 4233work correctly. 4234.It set bandwidth Ar value 4235This command sets the connection bandwidth in bits per second. 4236.Ar value 4237must be greater than zero. 4238It is currently only used by the 4239.Dq set autoload 4240command above. 4241.It set callback Ar option Ns No ... 4242If no arguments are given, callback is disabled, otherwise, 4243.Nm 4244will request (or in 4245.Fl direct 4246mode, will accept) one of the given 4247.Ar option Ns No s . 4248In client mode, if an 4249.Ar option 4250is NAK'd 4251.Nm 4252will request a different 4253.Ar option , 4254until no options remain at which point 4255.Nm 4256will terminate negotiations (unless 4257.Dq none 4258is one of the specified 4259.Ar option ) . 4260In server mode, 4261.Nm 4262will accept any of the given protocols - but the client 4263.Em must 4264request one of them. 4265If you wish callback to be optional, you must {include} 4266.Ar none 4267as an option. 4268.Pp 4269The 4270.Ar option Ns No s 4271are as follows (in this order of preference): 4272.Pp 4273.Bl -tag -width Ds 4274.It auth 4275The callee is expected to decide the callback number based on 4276authentication. 4277If 4278.Nm 4279is the callee, the number should be specified as the fifth field of 4280the peers entry in 4281.Pa /etc/ppp/ppp.secret . 4282.It cbcp 4283Microsoft's callback control protocol is used. 4284See 4285.Dq set cbcp 4286below. 4287.Pp 4288If you wish to negotiate 4289.Ar cbcp 4290in client mode but also wish to allow the server to request no callback at 4291CBCP negotiation time, you must specify both 4292.Ar cbcp 4293and 4294.Ar none 4295as callback options. 4296.It E.164 *| Ns Xo 4297.Ar number Ns Op , Ns Ar number Ns 4298.No ... 4299.Xc 4300The caller specifies the 4301.Ar number . 4302If 4303.Nm 4304is the callee, 4305.Ar number 4306should be either a comma separated list of allowable numbers or a 4307.Dq \&* , 4308meaning any number is permitted. 4309If 4310.Nm 4311is the caller, only a single number should be specified. 4312.Pp 4313Note, this option is very unsafe when used with a 4314.Dq \&* 4315as a malicious caller can tell 4316.Nm 4317to call any (possibly international) number without first authenticating 4318themselves. 4319.It none 4320If the peer does not wish to do callback at all, 4321.Nm 4322will accept the fact and continue without callback rather than terminating 4323the connection. 4324This is required (in addition to one or more other callback 4325options) if you wish callback to be optional. 4326.El 4327.Pp 4328.It set cbcp Oo 4329.No *| Ns Ar number Ns Oo 4330.No , Ns Ar number Ns ...\& Oc 4331.Op Ar delay Op Ar retry 4332.Oc 4333If no arguments are given, CBCP (Microsoft's CallBack Control Protocol) 4334is disabled - ie, configuring CBCP in the 4335.Dq set callback 4336command will result in 4337.Nm 4338requesting no callback in the CBCP phase. 4339Otherwise, 4340.Nm 4341attempts to use the given phone 4342.Ar number Ns No (s). 4343.Pp 4344In server mode 4345.Pq Fl direct , 4346.Nm 4347will insist that the client uses one of these numbers, unless 4348.Dq \&* 4349is used in which case the client is expected to specify the number. 4350.Pp 4351In client mode, 4352.Nm 4353will attempt to use one of the given numbers (whichever it finds to 4354be agreeable with the peer), or if 4355.Dq \&* 4356is specified, 4357.Nm 4358will expect the peer to specify the number. 4359.It set cd Oo 4360.No off| Ns Ar seconds Ns Op !\& 4361.Oc 4362Normally, 4363.Nm 4364checks for the existence of carrier depending on the type of device 4365that has been opened: 4366.Bl -tag -width XXX -offset XXX 4367.It Terminal Devices 4368Carrier is checked one second after the login script is complete. 4369If it's not set, 4370.Nm 4371assumes that this is because the device doesn't support carrier (which 4372is true for most 4373.Dq laplink 4374NULL-modem cables), logs the fact and stops checking 4375for carrier. 4376.Pp 4377As ptys don't support the TIOCMGET ioctl, the tty device will switch all 4378carrier detection off when it detects that the device is a pty. 4379.It ISDN (i4b) Devices 4380Carrier is checked once per second for 6 seconds. 4381If it's not set after 4382the sixth second, the connection attempt is considered to have failed and 4383the device is closed. 4384Carrier is always required for i4b devices. 4385.It PPPoE (netgraph) Devices 4386Carrier is checked once per second for 5 seconds. 4387If it's not set after 4388the fifth second, the connection attempt is considered to have failed and 4389the device is closed. 4390Carrier is always required for PPPoE devices. 4391.El 4392.Pp 4393All other device types don't support carrier. 4394Setting a carrier value will 4395result in a warning when the device is opened. 4396.Pp 4397Some modems take more than one second after connecting to assert the carrier 4398signal. 4399If this delay isn't increased, this will result in 4400.Nm Ns No 's 4401inability to detect when the link is dropped, as 4402.Nm 4403assumes that the device isn't asserting carrier. 4404.Pp 4405The 4406.Dq set cd 4407command overrides the default carrier behaviour. 4408.Ar seconds 4409specifies the maximum number of seconds that 4410.Nm 4411should wait after the dial script has finished before deciding if 4412carrier is available or not. 4413.Pp 4414If 4415.Dq off 4416is specified, 4417.Nm 4418will not check for carrier on the device, otherwise 4419.Nm 4420will not proceed to the login script until either carrier is detected 4421or until 4422.Ar seconds 4423has elapsed, at which point 4424.Nm 4425assumes that the device will not set carrier. 4426.Pp 4427If no arguments are given, carrier settings will go back to their default 4428values. 4429.Pp 4430If 4431.Ar seconds 4432is followed immediately by an exclamation mark 4433.Pq Dq !\& , 4434.Nm 4435will 4436.Em require 4437carrier. 4438If carrier is not detected after 4439.Ar seconds 4440seconds, the link will be disconnected. 4441.It set choked Op Ar timeout 4442This sets the number of seconds that 4443.Nm 4444will keep a choked output queue before dropping all pending output packets. 4445If 4446.Ar timeout 4447is less than or equal to zero or if 4448.Ar timeout 4449isn't specified, it is set to the default value of 4450.Em 120 seconds . 4451.Pp 4452A choked output queue occurs when 4453.Nm 4454has read a certain number of packets from the local network for transmission, 4455but cannot send the data due to link failure (the peer is busy etc.). 4456.Nm 4457will not read packets indefinitely. 4458Instead, it reads up to 4459.Em 30 4460packets (or 4461.Em 30 No + 4462.Em nlinks No * 4463.Em 2 4464packets in multi-link mode), then stops reading the network interface 4465until either 4466.Ar timeout 4467seconds have passed or at least one packet has been sent. 4468.Pp 4469If 4470.Ar timeout 4471seconds pass, all pending output packets are dropped. 4472.It set ctsrts|crtscts on|off 4473This sets hardware flow control. 4474Hardware flow control is 4475.Ar on 4476by default. 4477.It set deflate Ar out-winsize Op Ar in-winsize 4478This sets the DEFLATE algorithms default outgoing and incoming window 4479sizes. 4480Both 4481.Ar out-winsize 4482and 4483.Ar in-winsize 4484must be values between 4485.Em 8 4486and 4487.Em 15 . 4488If 4489.Ar in-winsize 4490is specified, 4491.Nm 4492will insist that this window size is used and will not accept any other 4493values from the peer. 4494.It set dns Op Ar primary Op Ar secondary 4495This command specifies DNS overrides for the 4496.Dq accept dns 4497command. 4498Refer to the 4499.Dq accept 4500command description above for details. 4501This command does not affect the IP numbers requested using 4502.Dq enable dns . 4503.It set device|line Xo 4504.Ar value Ns No ... 4505.Xc 4506This sets the device(s) to which 4507.Nm 4508will talk to the given 4509.Dq value . 4510.Pp 4511All ISDN and serial device names are expected to begin with 4512.Pa /dev/ . 4513ISDN devices are usually called 4514.Pa i4brbchX 4515and serial devices are usually called 4516.Pa cuaXX . 4517.Pp 4518If 4519.Dq value 4520does not begin with 4521.Pa /dev/ , 4522it must either begin with an exclamation mark 4523.Pq Dq !\& , 4524be of the format 4525.No PPPoE: Ns Ar iface Ns Xo 4526.Op \&: Ns Ar provider Ns 4527.Xc 4528(on 4529.Xr netgraph 4 4530enabled systems), or be of the format 4531.Sm off 4532.Ar host : port Op /tcp|udp . 4533.Sm on 4534.Pp 4535If it begins with an exclamation mark, the rest of the device name is 4536treated as a program name, and that program is executed when the device 4537is opened. 4538Standard input, output and error are fed back to 4539.Nm 4540and are read and written as if they were a regular device. 4541.Pp 4542If a 4543.No PPPoE: Ns Ar iface Ns Xo 4544.Op \&: Ns Ar provider Ns 4545.Xc 4546specification is given, 4547.Nm 4548will attempt to create a 4549.Em PPP 4550over Ethernet connection using the given 4551.Ar iface 4552interface by using 4553.Xr netgraph 4 . 4554If 4555.Xr netgraph 4 4556is not available, 4557.Nm 4558will attempt to load it using 4559.Xr kldload 2 . 4560If this fails, an external program must be used such as the 4561.Xr pppoed 8 4562program available under 4563.Ox . 4564The given 4565.Ar provider 4566is passed as the service name in the PPPoE Discovery Initiation (PADI) 4567packet. 4568If no provider is given, an empty value will be used. 4569.Pp 4570When a PPPoE connection is established, 4571.Nm 4572will place the name of the Access Concentrator in the environment variable 4573.Ev ACNAME . 4574.Pp 4575Refer to 4576.Xr netgraph 4 4577and 4578.Xr ng_pppoe 4 4579for further details. 4580.Pp 4581If a 4582.Ar host Ns No : Ns Ar port Ns Oo 4583.No /tcp|udp 4584.Oc 4585specification is given, 4586.Nm 4587will attempt to connect to the given 4588.Ar host 4589on the given 4590.Ar port . 4591If a 4592.Dq /tcp 4593or 4594.Dq /udp 4595suffix is not provided, the default is 4596.Dq /tcp . 4597Refer to the section on 4598.Em PPP OVER TCP and UDP 4599above for further details. 4600.Pp 4601If multiple 4602.Dq values 4603are specified, 4604.Nm 4605will attempt to open each one in turn until it succeeds or runs out of 4606devices. 4607.It set dial Ar chat-script 4608This specifies the chat script that will be used to dial the other 4609side. 4610See also the 4611.Dq set login 4612command below. 4613Refer to 4614.Xr chat 8 4615and to the example configuration files for details of the chat script 4616format. 4617It is possible to specify some special 4618.Sq values 4619in your chat script as follows: 4620.Bl -tag -width 2n 4621.It Li \ec 4622When used as the last character in a 4623.Sq send 4624string, this indicates that a newline should not be appended. 4625.It Li \ed 4626When the chat script encounters this sequence, it delays two seconds. 4627.It Li \ep 4628When the chat script encounters this sequence, it delays for one quarter of 4629a second. 4630.It Li \en 4631This is replaced with a newline character. 4632.It Li \er 4633This is replaced with a carriage return character. 4634.It Li \es 4635This is replaced with a space character. 4636.It Li \et 4637This is replaced with a tab character. 4638.It Li \eT 4639This is replaced by the current phone number (see 4640.Dq set phone 4641below). 4642.It Li \eP 4643This is replaced by the current 4644.Ar authkey 4645value (see 4646.Dq set authkey 4647above). 4648.It Li \eU 4649This is replaced by the current 4650.Ar authname 4651value (see 4652.Dq set authname 4653above). 4654.El 4655.Pp 4656Note that two parsers will examine these escape sequences, so in order to 4657have the 4658.Sq chat parser 4659see the escape character, it is necessary to escape it from the 4660.Sq command parser . 4661This means that in practice you should use two escapes, for example: 4662.Bd -literal -offset indent 4663set dial "... ATDT\\\\T CONNECT" 4664.Ed 4665.Pp 4666It is also possible to execute external commands from the chat script. 4667To do this, the first character of the expect or send string is an 4668exclamation mark 4669.Pq Dq !\& . 4670If a literal exclamation mark is required, double it up to 4671.Dq !!\& 4672and it will be treated as a single literal 4673.Dq !\& . 4674When the command is executed, standard input and standard output are 4675directed to the open device (see the 4676.Dq set device 4677command), and standard error is read by 4678.Nm 4679and substituted as the expect or send string. 4680If 4681.Nm 4682is running in interactive mode, file descriptor 3 is attached to 4683.Pa /dev/tty . 4684.Pp 4685For example (wrapped for readability): 4686.Bd -literal -offset indent 4687set login "TIMEOUT 5 \\"\\" \\"\\" login:--login: ppp \e 4688word: ppp \\"!sh \\\\-c \\\\\\"echo \\\\-n label: >&2\\\\\\"\\" \e 4689\\"!/bin/echo in\\" HELLO" 4690.Ed 4691.Pp 4692would result in the following chat sequence (output using the 4693.Sq set log local chat 4694command before dialing): 4695.Bd -literal -offset indent 4696Dial attempt 1 of 1 4697dial OK! 4698Chat: Expecting: 4699Chat: Sending: 4700Chat: Expecting: login:--login: 4701Chat: Wait for (5): login: 4702Chat: Sending: ppp 4703Chat: Expecting: word: 4704Chat: Wait for (5): word: 4705Chat: Sending: ppp 4706Chat: Expecting: !sh \\-c "echo \\-n label: >&2" 4707Chat: Exec: sh -c "echo -n label: >&2" 4708Chat: Wait for (5): !sh \\-c "echo \\-n label: >&2" --> label: 4709Chat: Exec: /bin/echo in 4710Chat: Sending: 4711Chat: Expecting: HELLO 4712Chat: Wait for (5): HELLO 4713login OK! 4714.Ed 4715.Pp 4716Note (again) the use of the escape character, allowing many levels of 4717nesting. 4718Here, there are four parsers at work. 4719The first parses the original line, reading it as three arguments. 4720The second parses the third argument, reading it as 11 arguments. 4721At this point, it is 4722important that the 4723.Dq \&- 4724signs are escaped, otherwise this parser will see them as constituting 4725an expect-send-expect sequence. 4726When the 4727.Dq !\& 4728character is seen, the execution parser reads the first command as three 4729arguments, and then 4730.Xr sh 1 4731itself expands the argument after the 4732.Fl c . 4733As we wish to send the output back to the modem, in the first example 4734we redirect our output to file descriptor 2 (stderr) so that 4735.Nm 4736itself sends and logs it, and in the second example, we just output to stdout, 4737which is attached directly to the modem. 4738.Pp 4739This, of course means that it is possible to execute an entirely external 4740.Dq chat 4741command rather than using the internal one. 4742See 4743.Xr chat 8 4744for a good alternative. 4745.Pp 4746The external command that is executed is subjected to the same special 4747word expansions as the 4748.Dq !bg 4749command. 4750.It set enddisc Op label|IP|MAC|magic|psn value 4751This command sets our local endpoint discriminator. 4752If set prior to LCP negotiation, and if no 4753.Dq disable enddisc 4754command has been used, 4755.Nm 4756will send the information to the peer using the LCP endpoint discriminator 4757option. 4758The following discriminators may be set: 4759.Bl -tag -width indent 4760.It Li label 4761The current label is used. 4762.It Li IP 4763Our local IP number is used. 4764As LCP is negotiated prior to IPCP, it is 4765possible that the IPCP layer will subsequently change this value. 4766If 4767it does, the endpoint discriminator stays at the old value unless manually 4768reset. 4769.It Li MAC 4770This is similar to the 4771.Ar IP 4772option above, except that the MAC address associated with the local IP 4773number is used. 4774If the local IP number is not resident on any Ethernet 4775interface, the command will fail. 4776.Pp 4777As the local IP number defaults to whatever the machine host name is, 4778.Dq set enddisc mac 4779is usually done prior to any 4780.Dq set ifaddr 4781commands. 4782.It Li magic 4783A 20 digit random number is used. 4784Care should be taken when using magic numbers as restarting 4785.Nm 4786or creating a link using a different 4787.Nm 4788invocation will also use a different magic number and will therefore not 4789be recognised by the peer as belonging to the same bundle. 4790This makes it unsuitable for 4791.Fl direct 4792connections. 4793.It Li psn Ar value 4794The given 4795.Ar value 4796is used. 4797.Ar Value 4798should be set to an absolute public switched network number with the 4799country code first. 4800.El 4801.Pp 4802If no arguments are given, the endpoint discriminator is reset. 4803.It set escape Ar value... 4804This option is similar to the 4805.Dq set accmap 4806option above. 4807It allows the user to specify a set of characters that will be 4808.Sq escaped 4809as they travel across the link. 4810.It set filter dial|alive|in|out Ar rule-no Xo 4811.No permit|deny|clear| Ns Ar rule-no 4812.Op !\& 4813.Oo Op host 4814.Ar src_addr Ns Op / Ns Ar width 4815.Op Ar dst_addr Ns Op / Ns Ar width 4816.Oc [ Ns Ar proto 4817.Op src lt|eq|gt Ar port 4818.Op dst lt|eq|gt Ar port 4819.Op estab 4820.Op syn 4821.Op finrst 4822.Op timeout Ar secs ] 4823.Xc 4824.Nm 4825supports four filter sets. 4826The 4827.Em alive 4828filter specifies packets that keep the connection alive - resetting the 4829idle timer. 4830The 4831.Em dial 4832filter specifies packets that cause 4833.Nm 4834to dial when in 4835.Fl auto 4836mode. 4837The 4838.Em in 4839filter specifies packets that are allowed to travel 4840into the machine and the 4841.Em out 4842filter specifies packets that are allowed out of the machine. 4843.Pp 4844Filtering is done prior to any IP alterations that might be done by the 4845NAT engine on outgoing packets and after any IP alterations that might 4846be done by the NAT engine on incoming packets. 4847By default all empty filter sets allow all packets to pass. 4848Rules are processed in order according to 4849.Ar rule-no 4850(unless skipped by specifying a rule number as the 4851.Ar action ) . 4852Up to 40 rules may be given for each set. 4853If a packet doesn't match 4854any of the rules in a given set, it is discarded. 4855In the case of 4856.Em in 4857and 4858.Em out 4859filters, this means that the packet is dropped. 4860In the case of 4861.Em alive 4862filters it means that the packet will not reset the idle timer (even if 4863the 4864.Ar in Ns No / Ns Ar out 4865filter has a 4866.Dq timeout 4867value) and in the case of 4868.Em dial 4869filters it means that the packet will not trigger a dial. 4870A packet failing to trigger a dial will be dropped rather than queued. 4871Refer to the 4872section on 4873.Sx PACKET FILTERING 4874above for further details. 4875.It set hangup Ar chat-script 4876This specifies the chat script that will be used to reset the device 4877before it is closed. 4878It should not normally be necessary, but can 4879be used for devices that fail to reset themselves properly on close. 4880.It set help|? Op Ar command 4881This command gives a summary of available set commands, or if 4882.Ar command 4883is specified, the command usage is shown. 4884.It set ifaddr Oo Ar myaddr Ns 4885.Op / Ns Ar \&nn 4886.Oo Ar hisaddr Ns Op / Ns Ar \&nn 4887.Oo Ar netmask 4888.Op Ar triggeraddr 4889.Oc Oc 4890.Oc 4891This command specifies the IP addresses that will be used during 4892IPCP negotiation. 4893Addresses are specified using the format 4894.Pp 4895.Dl a.b.c.d/nn 4896.Pp 4897Where 4898.Dq a.b.c.d 4899is the preferred IP, but 4900.Ar nn 4901specifies how many bits of the address we will insist on. 4902If 4903.No / Ns Ar nn 4904is omitted, it defaults to 4905.Dq /32 4906unless the IP address is 0.0.0.0 in which case it defaults to 4907.Dq /0 . 4908.Pp 4909If you wish to assign a dynamic IP number to the peer, 4910.Ar hisaddr 4911may also be specified as a range of IP numbers in the format 4912.Bd -ragged -offset indent 4913.Ar \&IP Ns Oo \&- Ns Ar \&IP Ns Xo 4914.Oc Ns Oo , Ns Ar \&IP Ns 4915.Op \&- Ns Ar \&IP Ns 4916.Oc Ns ... 4917.Xc 4918.Ed 4919.Pp 4920for example: 4921.Pp 4922.Dl set ifaddr 10.0.0.1 10.0.1.2-10.0.1.10,10.0.1.20 4923.Pp 4924will only negotiate 4925.Dq 10.0.0.1 4926as the local IP number, but may assign any of the given 10 IP 4927numbers to the peer. 4928If the peer requests one of these numbers, 4929and that number is not already in use, 4930.Nm 4931will grant the peers request. 4932This is useful if the peer wants 4933to re-establish a link using the same IP number as was previously 4934allocated (thus maintaining any existing tcp or udp connections). 4935.Pp 4936If the peer requests an IP number that's either outside 4937of this range or is already in use, 4938.Nm 4939will suggest a random unused IP number from the range. 4940.Pp 4941If 4942.Ar triggeraddr 4943is specified, it is used in place of 4944.Ar myaddr 4945in the initial IPCP negotiation. 4946However, only an address in the 4947.Ar myaddr 4948range will be accepted. 4949This is useful when negotiating with some 4950.Dv PPP 4951implementations that will not assign an IP number unless their peer 4952requests 4953.Dq 0.0.0.0 . 4954.Pp 4955It should be noted that in 4956.Fl auto 4957mode, 4958.Nm 4959will configure the interface immediately upon reading the 4960.Dq set ifaddr 4961line in the config file. 4962In any other mode, these values are just 4963used for IPCP negotiations, and the interface isn't configured 4964until the IPCP layer is up. 4965.Pp 4966Note that the 4967.Ar HISADDR 4968argument may be overridden by the third field in the 4969.Pa ppp.secret 4970file once the client has authenticated itself 4971(if PAP or CHAP are 4972.Dq enabled ) . 4973Refer to the 4974.Sx AUTHENTICATING INCOMING CONNECTIONS 4975section for details. 4976.Pp 4977In all cases, if the interface is already configured, 4978.Nm 4979will try to maintain the interface IP numbers so that any existing 4980bound sockets will remain valid. 4981.It set ifqueue Ar packets 4982Set the maximum number of packets that 4983.Nm 4984will read from the tunnel interface while data cannot be sent to any of 4985the available links. 4986This queue limit is necessary to flow control outgoing data as the tunnel 4987interface is likely to be far faster than the combined links available to 4988.Nm . 4989.Pp 4990If 4991.Ar packets 4992is set to a value less than the number of links, 4993.Nm 4994will read up to that value regardless. 4995This prevents any possible latency problems. 4996.Pp 4997The default value for 4998.Ar packets 4999is 5000.Dq 30 . 5001.It set ccpretry|ccpretries Oo Ar timeout 5002.Op Ar reqtries Op Ar trmtries 5003.Oc 5004.It set chapretry|chapretries Oo Ar timeout 5005.Op Ar reqtries 5006.Oc 5007.It set ipcpretry|ipcpretries Oo Ar timeout 5008.Op Ar reqtries Op Ar trmtries 5009.Oc 5010.It set ipv6cpretry|ipv6cpretries Oo Ar timeout 5011.Op Ar reqtries Op Ar trmtries 5012.Oc 5013.It set lcpretry|lcpretries Oo Ar timeout 5014.Op Ar reqtries Op Ar trmtries 5015.Oc 5016.It set papretry|papretries Oo Ar timeout 5017.Op Ar reqtries 5018.Oc 5019These commands set the number of seconds that 5020.Nm 5021will wait before resending Finite State Machine (FSM) Request packets. 5022The default 5023.Ar timeout 5024for all FSMs is 3 seconds (which should suffice in most cases). 5025.Pp 5026If 5027.Ar reqtries 5028is specified, it tells 5029.Nm 5030how many configuration request attempts it should make while receiving 5031no reply from the peer before giving up. 5032The default is 5 attempts for 5033CCP, LCP and IPCP and 3 attempts for PAP and CHAP. 5034.Pp 5035If 5036.Ar trmtries 5037is specified, it tells 5038.Nm 5039how many terminate requests should be sent before giving up waiting for the 5040peers response. 5041The default is 3 attempts. 5042Authentication protocols are 5043not terminated and it is therefore invalid to specify 5044.Ar trmtries 5045for PAP or CHAP. 5046.Pp 5047In order to avoid negotiations with the peer that will never converge, 5048.Nm 5049will only send at most 3 times the configured number of 5050.Ar reqtries 5051in any given negotiation session before giving up and closing that layer. 5052.It set log Xo 5053.Op local 5054.Op +|- Ns 5055.Ar value Ns No ... 5056.Xc 5057This command allows the adjustment of the current log level. 5058Refer to the Logging Facility section for further details. 5059.It set login Ar chat-script 5060This 5061.Ar chat-script 5062compliments the dial-script. 5063If both are specified, the login 5064script will be executed after the dial script. 5065Escape sequences available in the dial script are also available here. 5066.It set logout Ar chat-script 5067This specifies the chat script that will be used to logout 5068before the hangup script is called. 5069It should not normally be necessary. 5070.It set lqrperiod Ar frequency 5071This command sets the 5072.Ar frequency 5073in seconds at which 5074.Em LQR 5075or 5076.Em ECHO LQR 5077packets are sent. 5078The default is 30 seconds. 5079You must also use the 5080.Dq enable lqr 5081command if you wish to send LQR requests to the peer. 5082.It set mode Ar interactive|auto|ddial|background 5083This command allows you to change the 5084.Sq mode 5085of the specified link. 5086This is normally only useful in multi-link mode, 5087but may also be used in uni-link mode. 5088.Pp 5089It is not possible to change a link that is 5090.Sq direct 5091or 5092.Sq dedicated . 5093.Pp 5094Note: If you issue the command 5095.Dq set mode auto , 5096and have network address translation enabled, it may be useful to 5097.Dq enable iface-alias 5098afterwards. 5099This will allow 5100.Nm 5101to do the necessary address translations to enable the process that 5102triggers the connection to connect once the link is up despite the 5103peer assigning us a new (dynamic) IP address. 5104.It set mppe Op 40|56|128|* Op stateless|stateful|* 5105This option selects the encryption parameters used when negotiation 5106MPPE. 5107MPPE can be disabled entirely with the 5108.Dq disable mppe 5109command. 5110If no arguments are given, 5111.Nm 5112will attempt to negotiate a stateful link with a 128 bit key, but 5113will agree to whatever the peer requests (including no encryption 5114at all). 5115.Pp 5116If any arguments are given, 5117.Nm 5118will 5119.Em insist 5120on using MPPE and will close the link if it's rejected by the peer (Note; 5121this behaviour can be overridden by a configured RADIUS server). 5122.Pp 5123The first argument specifies the number of bits that 5124.Nm 5125should insist on during negotiations and the second specifies whether 5126.Nm 5127should insist on stateful or stateless mode. 5128In stateless mode, the 5129encryption dictionary is re-initialised with every packet according to 5130an encryption key that is changed with every packet. 5131In stateful mode, 5132the encryption dictionary is re-initialised every 256 packets or after 5133the loss of any data and the key is changed every 256 packets. 5134Stateless mode is less efficient but is better for unreliable transport 5135layers. 5136.It set mrru Op Ar value 5137Setting this option enables Multi-link PPP negotiations, also known as 5138Multi-link Protocol or MP. 5139There is no default MRRU (Maximum Reconstructed Receive Unit) value. 5140If no argument is given, multi-link mode is disabled. 5141.It set mru Xo 5142.Op max Ns Op imum 5143.Op Ar value 5144.Xc 5145The default MRU (Maximum Receive Unit) is 1500. 5146If it is increased, the other side *may* increase its MTU. 5147In theory there is no point in decreasing the MRU to below the default as the 5148.Em PPP 5149protocol says implementations *must* be able to accept packets of at 5150least 1500 octets. 5151.Pp 5152If the 5153.Dq maximum 5154keyword is used, 5155.Nm 5156will refuse to negotiate a higher value. 5157The maximum MRU can be set to 2048 at most. 5158Setting a maximum of less than 1500 violates the 5159.Em PPP 5160rfc, but may sometimes be necessary. 5161For example, 5162.Em PPPoE 5163imposes a maximum of 1492 due to hardware limitations. 5164.Pp 5165If no argument is given, 1500 is assumed. 5166A value must be given when 5167.Dq maximum 5168is specified. 5169.It set mtu Xo 5170.Op max Ns Op imum 5171.Op Ar value 5172.Xc 5173The default MTU is 1500. 5174At negotiation time, 5175.Nm 5176will accept whatever MRU the peer requests (assuming it's 5177not less than 296 bytes or greater than the assigned maximum). 5178If the MTU is set, 5179.Nm 5180will not accept MRU values less than 5181.Ar value . 5182When negotiations are complete, the MTU is used when writing to the 5183interface, even if the peer requested a higher value MRU. 5184This can be useful for 5185limiting your packet size (giving better bandwidth sharing at the expense 5186of more header data). 5187.Pp 5188If the 5189.Dq maximum 5190keyword is used, 5191.Nm 5192will refuse to negotiate a higher value. 5193The maximum MTU can be set to 2048 at most. 5194Note, it is necessary to use the 5195.Dq maximum 5196keyword to limit the MTU when using PPPoE. 5197.Pp 5198If no 5199.Ar value 5200is given, 1500, or whatever the peer asks for is used. 5201A value must be given when 5202.Dq maximum 5203is specified. 5204.It set nbns Op Ar x.x.x.x Op Ar y.y.y.y 5205This option allows the setting of the Microsoft NetBIOS name server 5206values to be returned at the peers request. 5207If no values are given, 5208.Nm 5209will reject any such requests. 5210.It set openmode active|passive Op Ar delay 5211By default, 5212.Ar openmode 5213is always 5214.Ar active 5215with a one second 5216.Ar delay . 5217That is, 5218.Nm 5219will always initiate LCP/IPCP/CCP negotiation one second after the line 5220comes up. 5221If you want to wait for the peer to initiate negotiations, you 5222can use the value 5223.Ar passive . 5224If you want to initiate negotiations immediately or after more than one 5225second, the appropriate 5226.Ar delay 5227may be specified here in seconds. 5228.It set parity odd|even|none|mark 5229This allows the line parity to be set. 5230The default value is 5231.Ar none . 5232.It set phone Ar telno Ns Xo 5233.Oo \&| Ns Ar backupnumber 5234.Oc Ns ... Ns Oo : Ns Ar nextnumber 5235.Oc Ns ... 5236.Xc 5237This allows the specification of the phone number to be used in 5238place of the \\\\T string in the dial and login chat scripts. 5239Multiple phone numbers may be given separated either by a pipe 5240.Pq Dq \&| 5241or a colon 5242.Pq Dq \&: . 5243.Pp 5244Numbers after the pipe are only dialed if the dial or login 5245script for the previous number failed. 5246.Pp 5247Numbers after the colon are tried sequentially, irrespective of 5248the reason the line was dropped. 5249.Pp 5250If multiple numbers are given, 5251.Nm 5252will dial them according to these rules until a connection is made, retrying 5253the maximum number of times specified by 5254.Dq set redial 5255below. 5256In 5257.Fl background 5258mode, each number is attempted at most once. 5259.It set Op proc Ns Xo 5260.No title Op Ar value 5261.Xc 5262The current process title as displayed by 5263.Xr ps 1 5264is changed according to 5265.Ar value . 5266If 5267.Ar value 5268is not specified, the original process title is restored. 5269All the 5270word replacements done by the shell commands (see the 5271.Dq bg 5272command above) are done here too. 5273.Pp 5274Note, if USER is required in the process title, the 5275.Dq set proctitle 5276command must appear in 5277.Pa ppp.linkup , 5278as it is not known when the commands in 5279.Pa ppp.conf 5280are executed. 5281.It set radius Op Ar config-file 5282This command enables RADIUS support (if it's compiled in). 5283.Ar config-file 5284refers to the radius client configuration file as described in 5285.Xr radius.conf 5 . 5286If PAP, CHAP, MSCHAP or MSCHAPv2 are 5287.Dq enable Ns No d , 5288.Nm 5289behaves as a 5290.Em \&N Ns No etwork 5291.Em \&A Ns No ccess 5292.Em \&S Ns No erver 5293and uses the configured RADIUS server to authenticate rather than 5294authenticating from the 5295.Pa ppp.secret 5296file or from the passwd database. 5297.Pp 5298If none of PAP, CHAP, MSCHAP or MSCHAPv2 are enabled, 5299.Dq set radius 5300will do nothing. 5301.Pp 5302.Nm 5303uses the following attributes from the RADIUS reply: 5304.Bl -tag -width XXX -offset XXX 5305.It RAD_FRAMED_IP_ADDRESS 5306The peer IP address is set to the given value. 5307.It RAD_FRAMED_IP_NETMASK 5308The tun interface netmask is set to the given value. 5309.It RAD_FRAMED_MTU 5310If the given MTU is less than the peers MRU as agreed during LCP 5311negotiation, *and* it is less that any configured MTU (see the 5312.Dq set mru 5313command), the tun interface MTU is set to the given value. 5314.It RAD_FRAMED_COMPRESSION 5315If the received compression type is 5316.Dq 1 , 5317.Nm 5318will request VJ compression during IPCP negotiations despite any 5319.Dq disable vj 5320configuration command. 5321.It RAD_FILTER_ID 5322If this attribute is supplied, 5323.Nm 5324will attempt to use it as an additional label to load from the 5325.Pa ppp.linkup 5326and 5327.Pa ppp.linkdown 5328files. 5329The load will be attempted before (and in addition to) the normal 5330label search. 5331If the label doesn't exist, no action is taken and 5332.Nm 5333proceeds to the normal load using the current label. 5334.It RAD_FRAMED_ROUTE 5335The received string is expected to be in the format 5336.Ar dest Ns Op / Ns Ar bits 5337.Ar gw 5338.Op Ar metrics . 5339Any specified metrics are ignored. 5340.Dv MYADDR 5341and 5342.Dv HISADDR 5343are understood as valid values for 5344.Ar dest 5345and 5346.Ar gw , 5347.Dq default 5348can be used for 5349.Ar dest 5350to sepcify the default route, and 5351.Dq 0.0.0.0 5352is understood to be the same as 5353.Dq default 5354for 5355.Ar dest 5356and 5357.Dv HISADDR 5358for 5359.Ar gw . 5360.Pp 5361For example, a returned value of 5362.Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400 5363would result in a routing table entry to the 1.2.3.0/24 network via 5364.Dv HISADDR 5365and a returned value of 5366.Dq 0.0.0.0 0.0.0.0 5367or 5368.Dq default HISADDR 5369would result in a default route to 5370.Dv HISADDR . 5371.Pp 5372All RADIUS routes are applied after any sticky routes are applied, making 5373RADIUS routes override configured routes. 5374This also applies for RADIUS routes that don't {include} the 5375.Dv MYADDR 5376or 5377.Dv HISADDR 5378keywords. 5379.Pp 5380.It RAD_FRAMED_IPV6_PREFIX 5381If this attribute is supplied, the value is substituted for IPV6PREFIX 5382in a command. 5383You may pass it to such as DHCPv6 for delegating an 5384IPv6 prefix to a peer. 5385.It RAD_FRAMED_IPV6_ROUTE 5386The received string is expected to be in the format 5387.Ar dest Ns Op / Ns Ar bits 5388.Ar gw 5389.Op Ar metrics . 5390Any specified metrics are ignored. 5391.Dv MYADDR6 5392and 5393.Dv HISADDR6 5394are understood as valid values for 5395.Ar dest 5396and 5397.Ar gw , 5398.Dq default 5399can be used for 5400.Ar dest 5401to sepcify the default route, and 5402.Dq :: 5403is understood to be the same as 5404.Dq default 5405for 5406.Ar dest 5407and 5408.Dv HISADDR6 5409for 5410.Ar gw . 5411.Pp 5412For example, a returned value of 5413.Dq 3ffe:505:abcd::/48 :: 5414would result in a routing table entry to the 3ffe:505:abcd::/48 network via 5415.Dv HISADDR6 5416and a returned value of 5417.Dq :: :: 5418or 5419.Dq default HISADDR6 5420would result in a default route to 5421.Dv HISADDR6 . 5422.Pp 5423All RADIUS IPv6 routes are applied after any sticky routes are 5424applied, making RADIUS IPv6 routes override configured routes. 5425This 5426also applies for RADIUS IPv6 routes that don't {include} the 5427.Dv MYADDR6 5428or 5429.Dv HISADDR6 5430keywords. 5431.Pp 5432.It RAD_SESSION_TIMEOUT 5433If supplied, the client connection is closed after the given number of 5434seconds. 5435.It RAD_REPLY_MESSAGE 5436If supplied, this message is passed back to the peer as the authentication 5437SUCCESS text. 5438.It RAD_MICROSOFT_MS_CHAP_ERROR 5439If this 5440.Dv RAD_VENDOR_MICROSOFT 5441vendor specific attribute is supplied, it is passed back to the peer as the 5442authentication FAILURE text. 5443.It RAD_MICROSOFT_MS_CHAP2_SUCCESS 5444If this 5445.Dv RAD_VENDOR_MICROSOFT 5446vendor specific attribute is supplied and if MS-CHAPv2 authentication is 5447being used, it is passed back to the peer as the authentication SUCCESS text. 5448.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY 5449If this 5450.Dv RAD_VENDOR_MICROSOFT 5451vendor specific attribute is supplied and has a value of 2 (Required), 5452.Nm 5453will insist that MPPE encryption is used (even if no 5454.Dq set mppe 5455configuration command has been given with arguments). 5456If it is supplied with a value of 1 (Allowed), encryption is made optional 5457(despite any 5458.Dq set mppe 5459configuration commands with arguments). 5460.It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES 5461If this 5462.Dv RAD_VENDOR_MICROSOFT 5463vendor specific attribute is supplied, bits 1 and 2 are examined. 5464If either or both are set, 40 bit and/or 128 bit (respectively) encryption 5465options are set, overriding any given first argument to the 5466.Dq set mppe 5467command. 5468Note, it is not currently possible for the RADIUS server to specify 56 bit 5469encryption. 5470.It RAD_MICROSOFT_MS_MPPE_RECV_KEY 5471If this 5472.Dv RAD_VENDOR_MICROSOFT 5473vendor specific attribute is supplied, it's value is used as the master 5474key for decryption of incoming data. 5475When clients are authenticated using 5476MSCHAPv2, the RADIUS server MUST provide this attribute if inbound MPPE is 5477to function. 5478.It RAD_MICROSOFT_MS_MPPE_SEND_KEY 5479If this 5480.Dv RAD_VENDOR_MICROSOFT 5481vendor specific attribute is supplied, it's value is used as the master 5482key for encryption of outgoing data. 5483When clients are authenticated using 5484MSCHAPv2, the RADIUS server MUST provide this attribute if outbound MPPE is 5485to function. 5486.El 5487.Pp 5488Values received from the RADIUS server may be viewed using 5489.Dq show bundle . 5490.It set rad_alive Ar timeout 5491When RADIUS is configured, setting 5492.Dq rad_alive 5493to a non-zero 5494.Ar timeout 5495value will tell 5496.Nm 5497to sent RADIUS accounting information to the RADIUS server every 5498.Ar timeout 5499seconds. 5500.It set reconnect Ar timeout ntries 5501Should the line drop unexpectedly (due to loss of CD or LQR 5502failure), a connection will be re-established after the given 5503.Ar timeout . 5504The line will be re-connected at most 5505.Ar ntries 5506times. 5507.Ar Ntries 5508defaults to zero. 5509A value of 5510.Ar random 5511for 5512.Ar timeout 5513will result in a variable pause, somewhere between 1 and 30 seconds. 5514.It set recvpipe Op Ar value 5515This sets the routing table RECVPIPE value. 5516The optimum value is just over twice the MTU value. 5517If 5518.Ar value 5519is unspecified or zero, the default kernel controlled value is used. 5520.It set redial Ar secs Ns Xo 5521.Oo + Ns Ar inc Ns 5522.Op - Ns Ar max Ns 5523.Oc Ns Op . Ns Ar next 5524.Op Ar attempts 5525.Xc 5526.Nm 5527can be instructed to attempt to redial 5528.Ar attempts 5529times. 5530If more than one phone number is specified (see 5531.Dq set phone 5532above), a pause of 5533.Ar next 5534is taken before dialing each number. 5535A pause of 5536.Ar secs 5537is taken before starting at the first number again. 5538A literal value of 5539.Dq Li random 5540may be used here in place of 5541.Ar secs 5542and 5543.Ar next , 5544causing a random delay of between 1 and 30 seconds. 5545.Pp 5546If 5547.Ar inc 5548is specified, its value is added onto 5549.Ar secs 5550each time 5551.Nm 5552tries a new number. 5553.Ar secs 5554will only be incremented at most 5555.Ar max 5556times. 5557.Ar max 5558defaults to 10. 5559.Pp 5560Note, the 5561.Ar secs 5562delay will be effective, even after 5563.Ar attempts 5564has been exceeded, so an immediate manual dial may appear to have 5565done nothing. 5566If an immediate dial is required, a 5567.Dq !\& 5568should immediately follow the 5569.Dq open 5570keyword. 5571See the 5572.Dq open 5573description above for further details. 5574.It set sendpipe Op Ar value 5575This sets the routing table SENDPIPE value. 5576The optimum value is just over twice the MTU value. 5577If 5578.Ar value 5579is unspecified or zero, the default kernel controlled value is used. 5580.It "set server|socket" Ar TcpPort Ns No \&| Ns Xo 5581.Ar LocalName Ns No |none|open|closed 5582.Op password Op Ar mask 5583.Xc 5584This command tells 5585.Nm 5586to listen on the given socket or 5587.Sq diagnostic port 5588for incoming command connections. 5589.Pp 5590The word 5591.Dq none 5592instructs 5593.Nm 5594to close any existing socket and clear the socket configuration. 5595The word 5596.Dq open 5597instructs 5598.Nm 5599to attempt to re-open the port. 5600The word 5601.Dq closed 5602instructs 5603.Nm 5604to close the open port. 5605.Pp 5606If you wish to specify a local domain socket, 5607.Ar LocalName 5608must be specified as an absolute file name, otherwise it is assumed 5609to be the name or number of a TCP port. 5610You may specify the octal umask to be used with a local domain socket. 5611Refer to 5612.Xr umask 2 5613for umask details. 5614Refer to 5615.Xr services 5 5616for details of how to translate TCP port names. 5617.Pp 5618You must also specify the password that must be entered by the client 5619(using the 5620.Dq passwd 5621variable above) when connecting to this socket. 5622If the password is 5623specified as an empty string, no password is required for connecting clients. 5624.Pp 5625When specifying a local domain socket, the first 5626.Dq %d 5627sequence found in the socket name will be replaced with the current 5628interface unit number. 5629This is useful when you wish to use the same 5630profile for more than one connection. 5631.Pp 5632In a similar manner TCP sockets may be prefixed with the 5633.Dq + 5634character, in which case the current interface unit number is added to 5635the port number. 5636.Pp 5637When using 5638.Nm 5639with a server socket, the 5640.Xr pppctl 8 5641command is the preferred mechanism of communications. 5642Currently, 5643.Xr telnet 1 5644can also be used, but link encryption may be implemented in the future, so 5645.Xr telnet 1 5646should be avoided. 5647.Pp 5648Note; 5649.Dv SIGUSR1 5650and 5651.Dv SIGUSR2 5652interact with the diagnostic socket. 5653.It set speed Ar value 5654This sets the speed of the serial device. 5655If speed is specified as 5656.Dq sync , 5657.Nm 5658treats the device as a synchronous device. 5659.Pp 5660Certain device types will know whether they should be specified as 5661synchronous or asynchronous. 5662These devices will override incorrect 5663settings and log a warning to this effect. 5664.It set stopped Op Ar LCPseconds Op Ar CCPseconds 5665If this option is set, 5666.Nm 5667will time out after the given FSM (Finite State Machine) has been in 5668the stopped state for the given number of 5669.Dq seconds . 5670This option may be useful if the peer sends a terminate request, 5671but never actually closes the connection despite our sending a terminate 5672acknowledgement. 5673This is also useful if you wish to 5674.Dq set openmode passive 5675and time out if the peer doesn't send a Configure Request within the 5676given time. 5677Use 5678.Dq set log +lcp +ccp 5679to make 5680.Nm 5681log the appropriate state transitions. 5682.Pp 5683The default value is zero, where 5684.Nm 5685doesn't time out in the stopped state. 5686.Pp 5687This value should not be set to less than the openmode delay (see 5688.Dq set openmode 5689above). 5690.It set timeout Ar idleseconds Op Ar mintimeout 5691This command allows the setting of the idle timer. 5692Refer to the section titled 5693.Sx SETTING THE IDLE TIMER 5694for further details. 5695.Pp 5696If 5697.Ar mintimeout 5698is specified, 5699.Nm 5700will never idle out before the link has been up for at least that number 5701of seconds. 5702.It set urgent Xo 5703.Op tcp|udp|none 5704.Oo Op +|- Ns 5705.Ar port 5706.Oc No ... 5707.Xc 5708This command controls the ports that 5709.Nm 5710prioritizes when transmitting data. 5711The default priority TCP ports 5712are ports 21 (ftp control), 22 (ssh), 23 (telnet), 513 (login), 514 (shell), 5713543 (klogin) and 544 (kshell). 5714There are no priority UDP ports by default. 5715See 5716.Xr services 5 5717for details. 5718.Pp 5719If neither 5720.Dq tcp 5721or 5722.Dq udp 5723are specified, 5724.Dq tcp 5725is assumed. 5726.Pp 5727If no 5728.Ar port Ns No s 5729are given, the priority port lists are cleared (although if 5730.Dq tcp 5731or 5732.Dq udp 5733is specified, only that list is cleared). 5734If the first 5735.Ar port 5736argument is prefixed with a plus 5737.Pq Dq \&+ 5738or a minus 5739.Pq Dq \&- , 5740the current list is adjusted, otherwise the list is reassigned. 5741.Ar port Ns No s 5742prefixed with a plus or not prefixed at all are added to the list and 5743.Ar port Ns No s 5744prefixed with a minus are removed from the list. 5745.Pp 5746If 5747.Dq none 5748is specified, all priority port lists are disabled and even 5749.Dv IPTOS_LOWDELAY 5750packets are not prioritised. 5751.It set vj slotcomp on|off 5752This command tells 5753.Nm 5754whether it should attempt to negotiate VJ slot compression. 5755By default, slot compression is turned 5756.Ar on . 5757.It set vj slots Ar nslots 5758This command sets the initial number of slots that 5759.Nm 5760will try to negotiate with the peer when VJ compression is enabled (see the 5761.Sq enable 5762command above). 5763It defaults to a value of 16. 5764.Ar Nslots 5765must be between 5766.Ar 4 5767and 5768.Ar 16 5769inclusive. 5770.El 5771.Pp 5772.It shell|! Op Ar command 5773If 5774.Ar command 5775is not specified a shell is invoked according to the 5776.Dv SHELL 5777environment variable. 5778Otherwise, the given 5779.Ar command 5780is executed. 5781Word replacement is done in the same way as for the 5782.Dq !bg 5783command as described above. 5784.Pp 5785Use of the !\& character 5786requires a following space as with any of the other commands. 5787You should note that this command is executed in the foreground; 5788.Nm 5789will not continue running until this process has exited. 5790Use the 5791.Dv bg 5792command if you wish processing to happen in the background. 5793.It show Ar var 5794This command allows the user to examine the following: 5795.Bl -tag -width 2n 5796.It show bundle 5797Show the current bundle settings. 5798.It show ccp 5799Show the current CCP compression statistics. 5800.It show compress 5801Show the current VJ compression statistics. 5802.It show escape 5803Show the current escape characters. 5804.It show filter Op Ar name 5805List the current rules for the given filter. 5806If 5807.Ar name 5808is not specified, all filters are shown. 5809.It show hdlc 5810Show the current HDLC statistics. 5811.It show help|? 5812Give a summary of available show commands. 5813.It show iface 5814Show the current interface information 5815(the same as 5816.Dq iface show ) . 5817.It show ipcp 5818Show the current IPCP statistics. 5819.It show layers 5820Show the protocol layers currently in use. 5821.It show lcp 5822Show the current LCP statistics. 5823.It show Op data Ns Xo 5824.No link 5825.Xc 5826Show high level link information. 5827.It show links 5828Show a list of available logical links. 5829.It show log 5830Show the current log values. 5831.It show mem 5832Show current memory statistics. 5833.It show ncp 5834Show the current NCP statistics. 5835.It show physical 5836Show low level link information. 5837.It show mp 5838Show Multi-link information. 5839.It show proto 5840Show current protocol totals. 5841.It show route 5842Show the current routing tables. 5843.It show stopped 5844Show the current stopped timeouts. 5845.It show timer 5846Show the active alarm timers. 5847.It show version 5848Show the current version number of 5849.Nm . 5850.El 5851.Pp 5852.It term 5853Go into terminal mode. 5854Characters typed at the keyboard are sent to the device. 5855Characters read from the device are displayed on the screen. 5856When a remote 5857.Em PPP 5858peer is detected, 5859.Nm 5860automatically enables Packet Mode and goes back into command mode. 5861.El 5862.Sh MORE DETAILS 5863.Bl -bullet 5864.It 5865Read the example configuration files. 5866They are a good source of information. 5867.It 5868Use 5869.Dq help , 5870.Dq nat \&? , 5871.Dq enable \&? , 5872.Dq set ?\& 5873and 5874.Dq show ?\& 5875to get online information about what's available. 5876.It 5877The following URLs contain useful information: 5878.Bl -bullet -compact 5879.It 5880http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/faq/ppp.html 5881.It 5882http://www.FreeBSD.org/doc/handbook/userppp.html 5883.El 5884.Pp 5885.El 5886.Sh FILES 5887.Nm 5888refers to four files: 5889.Pa ppp.conf , 5890.Pa ppp.linkup , 5891.Pa ppp.linkdown 5892and 5893.Pa ppp.secret . 5894These files are placed in the 5895.Pa /etc/ppp 5896directory. 5897.Bl -tag -width 2n 5898.It Pa /etc/ppp/ppp.conf 5899System default configuration file. 5900.It Pa /etc/ppp/ppp.secret 5901An authorisation file for each system. 5902.It Pa /etc/ppp/ppp.linkup 5903A file to check when 5904.Nm 5905establishes a network level connection. 5906.It Pa /etc/ppp/ppp.linkdown 5907A file to check when 5908.Nm 5909closes a network level connection. 5910.It Pa /var/log/ppp.log 5911Logging and debugging information file. 5912Note, this name is specified in 5913.Pa /etc/syslog.conf . 5914See 5915.Xr syslog.conf 5 5916for further details. 5917.It Pa /var/spool/lock/LCK..* 5918tty port locking file. 5919Refer to 5920.Xr uucplock 3 5921for further details. 5922.It Pa /var/run/tunN.pid 5923The process id (pid) of the 5924.Nm 5925program connected to the tunN device, where 5926.Sq N 5927is the number of the device. 5928.It Pa /var/run/ttyXX.if 5929The tun interface used by this port. 5930Again, this file is only created in 5931.Fl background , 5932.Fl auto 5933and 5934.Fl ddial 5935modes. 5936.It Pa /etc/services 5937Get port number if port number is using service name. 5938.It Pa /var/run/ppp-authname-class-value 5939In multi-link mode, local domain sockets are created using the peer 5940authentication name 5941.Pq Sq authname , 5942the peer endpoint discriminator class 5943.Pq Sq class 5944and the peer endpoint discriminator value 5945.Pq Sq value . 5946As the endpoint discriminator value may be a binary value, it is turned 5947to HEX to determine the actual file name. 5948.Pp 5949This socket is used to pass links between different instances of 5950.Nm . 5951.El 5952.Sh SEE ALSO 5953.Xr at 1 , 5954.Xr ftp 1 , 5955.Xr gzip 1 , 5956.Xr hostname 1 , 5957.Xr login 1 , 5958.Xr tcpdump 1 , 5959.Xr telnet 1 , 5960.Xr kldload 2 , 5961ifdef({LOCALNAT},{},{.Xr libalias 3 , 5962})dnl 5963ifdef({LOCALRAD},{},{.Xr libradius 3 , 5964})dnl 5965.Xr syslog 3 , 5966.Xr uucplock 3 , 5967.Xr netgraph 4 , 5968.Xr ng_pppoe 4 , 5969.Xr crontab 5 , 5970.Xr group 5 , 5971.Xr passwd 5 , 5972.Xr protocols 5 , 5973.Xr radius.conf 5 , 5974.Xr resolv.conf 5 , 5975.Xr syslog.conf 5 , 5976.Xr adduser 8 , 5977.Xr chat 8 , 5978.Xr getty 8 , 5979.Xr inetd 8 , 5980.Xr init 8 , 5981.Xr isdn 8 , 5982.Xr named 8 , 5983.Xr ping 8 , 5984.Xr pppctl 8 , 5985.Xr pppd 8 , 5986.Xr pppoed 8 , 5987.Xr route 8 , 5988.Xr sshd 8 , 5989.Xr syslogd 8 , 5990.Xr traceroute 8 , 5991.Xr vipw 8 5992.Sh HISTORY 5993This program was originally written by 5994.An Toshiharu OHNO Aq tony-o@iij.ad.jp , 5995and was submitted to 5996.Fx 2.0.5 5997by 5998.An Atsushi Murai Aq amurai@spec.co.jp . 5999.Pp 6000It was substantially modified during 1997 by 6001.An Brian Somers Aq brian@Awfulhak.org , 6002and was ported to 6003.Ox 6004in November that year 6005(just after the 2.2 release). 6006.Pp 6007Most of the code was rewritten by 6008.An Brian Somers 6009in early 1998 when multi-link ppp support was added. 6010