ppp.8 revision 97061
1changequote({,})dnl 2changecom(,)dnl 3.\" 4.\" Copyright (c) 2001 Brian Somers <brian@Awfulhak.org> 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" $FreeBSD: head/usr.sbin/ppp/ppp.8.m4 97061 2002-05-21 10:54:07Z brian $ 29.\" 30.Dd September 20, 1995 31.Dt PPP 8 32.Os 33.Sh NAME 34.Nm ppp 35.Nd Point to Point Protocol (a.k.a. user-ppp) 36.Sh SYNOPSIS 37.Nm 38.Op Fl Va mode 39.Op Fl nat 40.Op Fl quiet 41.Op Fl unit Ns Ar N 42.Op Ar system ... 43.Sh DESCRIPTION 44This is a user process 45.Em PPP 46software package. 47Normally, 48.Em PPP 49is implemented as a part of the kernel (e.g., as managed by 50.Xr pppd 8 ) 51and it's thus somewhat hard to debug and/or modify its behaviour. 52However, in this implementation 53.Em PPP 54is done as a user process with the help of the 55tunnel device driver (tun). 56.Pp 57The 58.Fl nat 59flag does the equivalent of a 60.Dq nat enable yes , 61enabling 62.Nm Ns No 's 63network address translation features. 64This allows 65.Nm 66to act as a NAT or masquerading engine for all machines on an internal 67LAN. 68ifdef({LOCALNAT},{},{Refer to 69.Xr libalias 3 70for details on the technical side of the NAT engine. 71})dnl 72Refer to the 73.Sx NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 74section of this manual page for details on how to configure NAT in 75.Nm . 76.Pp 77The 78.Fl quiet 79flag tells 80.Nm 81to be silent at startup rather than displaying the mode and interface 82to standard output. 83.Pp 84The 85.Fl unit 86flag tells 87.Nm 88to only attempt to open 89.Pa /dev/tun Ns Ar N . 90Normally, 91.Nm 92will start with a value of 0 for 93.Ar N , 94and keep trying to open a tunnel device by incrementing the value of 95.Ar N 96by one each time until it succeeds. 97If it fails three times in a row 98because the device file is missing, it gives up. 99.Pp 100The following 101.Va mode Ns No s 102are understood by 103.Nm : 104.Bl -tag -width XXX -offset XXX 105.It Fl auto 106.Nm 107opens the tun interface, configures it then goes into the background. 108The link isn't brought up until outgoing data is detected on the tun 109interface at which point 110.Nm 111attempts to bring up the link. 112Packets received (including the first one) while 113.Nm 114is trying to bring the link up will remain queued for a default of 1152 minutes. 116See the 117.Dq set choked 118command below. 119.Pp 120In 121.Fl auto 122mode, at least one 123.Dq system 124must be given on the command line (see below) and a 125.Dq set ifaddr 126must be done in the system profile that specifies a peer IP address to 127use when configuring the interface. 128Something like 129.Dq 10.0.0.1/0 130is usually appropriate. 131See the 132.Dq pmdemand 133system in 134.Pa /usr/share/examples/ppp/ppp.conf.sample 135for an example. 136.It Fl background 137Here, 138.Nm 139attempts to establish a connection with the peer immediately. 140If it succeeds, 141.Nm 142goes into the background and the parent process returns an exit code 143of 0. 144If it fails, 145.Nm 146exits with a non-zero result. 147.It Fl foreground 148In foreground mode, 149.Nm 150attempts to establish a connection with the peer immediately, but never 151becomes a daemon. 152The link is created in background mode. 153This is useful if you wish to control 154.Nm Ns No 's 155invocation from another process. 156.It Fl direct 157This is used for receiving incoming connections. 158.Nm 159ignores the 160.Dq set device 161line and uses descriptor 0 as the link. 162.Pp 163If callback is configured, 164.Nm 165will use the 166.Dq set device 167information when dialing back. 168.It Fl dedicated 169This option is designed for machines connected with a dedicated 170wire. 171.Nm 172will always keep the device open and will never use any configured 173chat scripts. 174.It Fl ddial 175This mode is equivalent to 176.Fl auto 177mode except that 178.Nm 179will bring the link back up any time it's dropped for any reason. 180.It Fl interactive 181This is a no-op, and gives the same behaviour as if none of the above 182modes have been specified. 183.Nm 184loads any sections specified on the command line then provides an 185interactive prompt. 186.El 187.Pp 188One or more configuration entries or systems 189(as specified in 190.Pa /etc/ppp/ppp.conf ) 191may also be specified on the command line. 192.Nm 193will read the 194.Dq default 195system from 196.Pa /etc/ppp/ppp.conf 197at startup, followed by each of the systems specified on the command line. 198.Sh Major Features 199.Bl -diag 200.It Provides an interactive user interface. 201Using its command mode, the user can 202easily enter commands to establish the connection with the remote end, check 203the status of connection and close the connection. 204All functions can also be optionally password protected for security. 205.It Supports both manual and automatic dialing. 206Interactive mode has a 207.Dq term 208command which enables you to talk to the device directly. 209When you are connected to the remote peer and it starts to talk 210.Em PPP , 211.Nm 212detects it and switches to packet mode automatically. 213Once you have 214determined the proper sequence for connecting with the remote host, you 215can write a chat script to {define} the necessary dialing and login 216procedure for later convenience. 217.It Supports on-demand dialup capability. 218By using 219.Fl auto 220mode, 221.Nm 222will act as a daemon and wait for a packet to be sent over the 223.Em PPP 224link. 225When this happens, the daemon automatically dials and establishes the 226connection. 227In almost the same manner 228.Fl ddial 229mode (direct-dial mode) also automatically dials and establishes the 230connection. 231However, it differs in that it will dial the remote site 232any time it detects the link is down, even if there are no packets to be 233sent. 234This mode is useful for full-time connections where we worry less 235about line charges and more about being connected full time. 236A third 237.Fl dedicated 238mode is also available. 239This mode is targeted at a dedicated link between two machines. 240.Nm 241will never voluntarily quit from dedicated mode - you must send it the 242.Dq quit all 243command via its diagnostic socket. 244A 245.Dv SIGHUP 246will force an LCP renegotiation, and a 247.Dv SIGTERM 248will force it to exit. 249.It Supports client callback. 250.Nm 251can use either the standard LCP callback protocol or the Microsoft 252CallBack Control Protocol (ftp://ftp.microsoft.com/developr/rfc/cbcp.txt). 253.It Supports NAT or packet aliasing. 254Packet aliasing (a.k.a. IP masquerading) allows computers on a 255private, unregistered network to access the Internet. 256The 257.Em PPP 258host acts as a masquerading gateway. 259IP addresses as well as TCP and 260UDP port numbers are NAT'd for outgoing packets and de-NAT'd for 261returning packets. 262.It Supports background PPP connections. 263In background mode, if 264.Nm 265successfully establishes the connection, it will become a daemon. 266Otherwise, it will exit with an error. 267This allows the setup of 268scripts that wish to execute certain commands only if the connection 269is successfully established. 270.It Supports server-side PPP connections. 271In direct mode, 272.Nm 273acts as server which accepts incoming 274.Em PPP 275connections on stdin/stdout. 276.It "Supports PAP and CHAP (rfc 1994, 2433 and 2759) authentication. 277With PAP or CHAP, it is possible to skip the Unix style 278.Xr login 1 279procedure, and use the 280.Em PPP 281protocol for authentication instead. 282If the peer requests Microsoft CHAP authentication and 283.Nm 284is compiled with DES support, an appropriate MD4/DES response will be 285made. 286.It Supports RADIUS (rfc 2138 & 2548) authentication. 287An extension to PAP and CHAP, 288.Em \&R Ns No emote 289.Em \&A Ns No ccess 290.Em \&D Ns No ial 291.Em \&I Ns No n 292.Em \&U Ns No ser 293.Em \&S Ns No ervice 294allows authentication information to be stored in a central or 295distributed database along with various per-user framed connection 296characteristics. 297ifdef({LOCALRAD},{},{If 298.Xr libradius 3 299is available at compile time, 300.Nm 301will use it to make 302.Em RADIUS 303requests when configured to do so. 304})dnl 305.It Supports Proxy Arp. 306.Nm 307can be configured to make one or more proxy arp entries on behalf of 308the peer. 309This allows routing from the peer to the LAN without 310configuring each machine on that LAN. 311.It Supports packet filtering. 312User can {define} four kinds of filters: the 313.Em in 314filter for incoming packets, the 315.Em out 316filter for outgoing packets, the 317.Em dial 318filter to {define} a dialing trigger packet and the 319.Em alive 320filter for keeping a connection alive with the trigger packet. 321.It Tunnel driver supports bpf. 322The user can use 323.Xr tcpdump 1 324to check the packet flow over the 325.Em PPP 326link. 327.It Supports PPP over TCP and PPP over UDP. 328If a device name is specified as 329.Em host Ns No : Ns Em port Ns 330.Xo 331.Op / Ns tcp|udp , 332.Xc 333.Nm 334will open a TCP or UDP connection for transporting data rather than using a 335conventional serial device. 336UDP connections force 337.Nm 338into synchronous mode. 339.It Supports PPP over ISDN. 340If 341.Nm 342is given a raw B-channel i4b device to open as a link, it's able to talk 343to the 344.Xr isdnd 8 345daemon to establish an ISDN connection. 346.It Supports PPP over Ethernet (rfc 2516). 347If 348.Nm 349is given a device specification of the format 350.No PPPoE: Ns Ar iface Ns Xo 351.Op \&: Ns Ar provider Ns 352.Xc 353and if 354.Xr netgraph 4 355is available, 356.Nm 357will attempt talk 358.Em PPP 359over Ethernet to 360.Ar provider 361using the 362.Ar iface 363network interface. 364.Pp 365On systems that do not support 366.Xr netgraph 4 , 367an external program such as 368.Xr pppoe 8 369may be used. 370.It "Supports IETF draft Predictor-1 (rfc 1978) and DEFLATE (rfc 1979) compression." 371.Nm 372supports not only VJ-compression but also Predictor-1 and DEFLATE compression. 373Normally, a modem has built-in compression (e.g., v42.bis) and the system 374may receive higher data rates from it as a result of such compression. 375While this is generally a good thing in most other situations, this 376higher speed data imposes a penalty on the system by increasing the 377number of serial interrupts the system has to process in talking to the 378modem and also increases latency. 379Unlike VJ-compression, Predictor-1 and DEFLATE compression pre-compresses 380.Em all 381network traffic flowing through the link, thus reducing overheads to a 382minimum. 383.It Supports Microsoft's IPCP extensions (rfc 1877). 384Name Server Addresses and NetBIOS Name Server Addresses can be negotiated 385with clients using the Microsoft 386.Em PPP 387stack (i.e., Win95, WinNT) 388.It Supports Multi-link PPP (rfc 1990) 389It is possible to configure 390.Nm 391to open more than one physical connection to the peer, combining the 392bandwidth of all links for better throughput. 393.It Supports MPPE (draft-ietf-pppext-mppe) 394MPPE is Microsoft Point to Point Encryption scheme. 395It is possible to configure 396.Nm 397to participate in Microsoft's Windows VPN. 398For now, 399.Nm 400can only get encryption keys from CHAP 81 authentication. 401.Nm 402must be compiled with DES for MPPE to operate. 403.It Supports IPV6CP (rfc 2023). 404An IPv6 connection can be made in addition to or instead of the normal 405IPv4 connection. 406.El 407.Sh PERMISSIONS 408.Nm 409is installed as user 410.Dv root 411and group 412.Dv network , 413with permissions 414.Dv 04554 . 415By default, 416.Nm 417will not run if the invoking user id is not zero. 418This may be overridden by using the 419.Dq allow users 420command in 421.Pa /etc/ppp/ppp.conf . 422When running as a normal user, 423.Nm 424switches to user id 0 in order to alter the system routing table, set up 425system lock files and read the ppp configuration files. 426All external commands (executed via the "shell" or "!bg" commands) are executed 427as the user id that invoked 428.Nm . 429Refer to the 430.Sq ID0 431logging facility if you're interested in what exactly is done as user id 432zero. 433.Sh GETTING STARTED 434When you first run 435.Nm 436you may need to deal with some initial configuration details. 437.Bl -bullet 438.It 439Your kernel must {include} a tunnel device (the GENERIC kernel includes 440one by default). 441If it doesn't, or if you require more than one tun 442interface, you'll need to rebuild your kernel with the following line in 443your kernel configuration file: 444.Pp 445.Dl pseudo-device tun N 446.Pp 447where 448.Ar N 449is the maximum number of 450.Em PPP 451connections you wish to support. 452.It 453Check your 454.Pa /dev 455directory for the tunnel device entries 456.Pa /dev/tunN , 457where 458.Sq N 459represents the number of the tun device, starting at zero. 460If they don't exist, you can create them by running "sh ./MAKEDEV tunN". 461This will create tun devices 0 through 462.Ar N . 463.It 464Make sure that your system has a group named 465.Dq network 466in the 467.Pa /etc/group 468file and that the group contains the names of all users expected to use 469.Nm . 470Refer to the 471.Xr group 5 472manual page for details. 473Each of these users must also be given access using the 474.Dq allow users 475command in 476.Pa /etc/ppp/ppp.conf . 477.It 478Create a log file. 479.Nm 480uses 481.Xr syslog 3 482to log information. 483A common log file name is 484.Pa /var/log/ppp.log . 485To make output go to this file, put the following lines in the 486.Pa /etc/syslog.conf 487file: 488.Bd -literal -offset indent 489!ppp 490*.*<TAB>/var/log/ppp.log 491.Ed 492.Pp 493It is possible to have more than one 494.Em PPP 495log file by creating a link to the 496.Nm 497executable: 498.Pp 499.Dl # cd /usr/sbin 500.Dl # ln ppp ppp0 501.Pp 502and using 503.Bd -literal -offset indent 504!ppp0 505*.*<TAB>/var/log/ppp0.log 506.Ed 507.Pp 508in 509.Pa /etc/syslog.conf . 510Don't forget to send a 511.Dv HUP 512signal to 513.Xr syslogd 8 514after altering 515.Pa /etc/syslog.conf . 516.It 517Although not strictly relevant to 518.Nm Ns No 's 519operation, you should configure your resolver so that it works correctly. 520This can be done by configuring a local DNS 521(using 522.Xr named 8 ) 523or by adding the correct 524.Sq nameserver 525lines to the file 526.Pa /etc/resolv.conf . 527Refer to the 528.Xr resolv.conf 5 529manual page for details. 530.Pp 531Alternatively, if the peer supports it, 532.Nm 533can be configured to ask the peer for the nameserver address(es) and to 534update 535.Pa /etc/resolv.conf 536automatically. 537Refer to the 538.Dq enable dns 539and 540.Dq resolv 541commands below for details. 542.El 543.Sh MANUAL DIALING 544In the following examples, we assume that your machine name is 545.Dv awfulhak . 546when you invoke 547.Nm 548(see 549.Sx PERMISSIONS 550above) with no arguments, you are presented with a prompt: 551.Bd -literal -offset indent 552ppp ON awfulhak> 553.Ed 554.Pp 555The 556.Sq ON 557part of your prompt should always be in upper case. 558If it is in lower case, it means that you must supply a password using the 559.Dq passwd 560command. 561This only ever happens if you connect to a running version of 562.Nm 563and have not authenticated yourself using the correct password. 564.Pp 565You can start by specifying the device name and speed: 566.Bd -literal -offset indent 567ppp ON awfulhak> set device /dev/cuaa0 568ppp ON awfulhak> set speed 38400 569.Ed 570.Pp 571Normally, hardware flow control (CTS/RTS) is used. 572However, under 573certain circumstances (as may happen when you are connected directly 574to certain PPP-capable terminal servers), this may result in 575.Nm 576hanging as soon as it tries to write data to your communications link 577as it is waiting for the CTS (clear to send) signal - which will never 578come. 579Thus, if you have a direct line and can't seem to make a 580connection, try turning CTS/RTS off with 581.Dq set ctsrts off . 582If you need to do this, check the 583.Dq set accmap 584description below too - you'll probably need to 585.Dq set accmap 000a0000 . 586.Pp 587Usually, parity is set to 588.Dq none , 589and this is 590.Nm Ns No 's 591default. 592Parity is a rather archaic error checking mechanism that is no 593longer used because modern modems do their own error checking, and most 594link-layer protocols (that's what 595.Nm 596is) use much more reliable checking mechanisms. 597Parity has a relatively 598huge overhead (a 12.5% increase in traffic) and as a result, it is always 599disabled 600(set to 601.Dq none ) 602when 603.Dv PPP 604is opened. 605However, some ISPs (Internet Service Providers) may use 606specific parity settings at connection time (before 607.Dv PPP 608is opened). 609Notably, Compuserve insist on even parity when logging in: 610.Bd -literal -offset indent 611ppp ON awfulhak> set parity even 612.Ed 613.Pp 614You can now see what your current device settings look like: 615.Bd -literal -offset indent 616ppp ON awfulhak> show physical 617Name: deflink 618 State: closed 619 Device: N/A 620 Link Type: interactive 621 Connect Count: 0 622 Queued Packets: 0 623 Phone Number: N/A 624 625Defaults: 626 Device List: /dev/cuaa0 627 Characteristics: 38400bps, cs8, even parity, CTS/RTS on 628 629Connect time: 0 secs 6300 octets in, 0 octets out 631Overall 0 bytes/sec 632ppp ON awfulhak> 633.Ed 634.Pp 635The term command can now be used to talk directly to the device: 636.Bd -literal -offset indent 637ppp ON awfulhak> term 638at 639OK 640atdt123456 641CONNECT 642login: myispusername 643Password: myisppassword 644Protocol: ppp 645.Ed 646.Pp 647When the peer starts to talk in 648.Em PPP , 649.Nm 650detects this automatically and returns to command mode. 651.Bd -literal -offset indent 652ppp ON awfulhak> # No link has been established 653Ppp ON awfulhak> # We've connected & finished LCP 654PPp ON awfulhak> # We've authenticated 655PPP ON awfulhak> # We've agreed IP numbers 656.Ed 657.Pp 658If it does not, it's probable that the peer is waiting for your end to 659start negotiating. 660To force 661.Nm 662to start sending 663.Em PPP 664configuration packets to the peer, use the 665.Dq ~p 666command to drop out of terminal mode and enter packet mode. 667.Pp 668If you never even receive a login prompt, it is quite likely that the 669peer wants to use PAP or CHAP authentication instead of using Unix-style 670login/password authentication. 671To set things up properly, drop back to 672the prompt and set your authentication name and key, then reconnect: 673.Bd -literal -offset indent 674~. 675ppp ON awfulhak> set authname myispusername 676ppp ON awfulhak> set authkey myisppassword 677ppp ON awfulhak> term 678at 679OK 680atdt123456 681CONNECT 682.Ed 683.Pp 684You may need to tell ppp to initiate negotiations with the peer here too: 685.Bd -literal -offset indent 686~p 687ppp ON awfulhak> # No link has been established 688Ppp ON awfulhak> # We've connected & finished LCP 689PPp ON awfulhak> # We've authenticated 690PPP ON awfulhak> # We've agreed IP numbers 691.Ed 692.Pp 693You are now connected! 694Note that 695.Sq PPP 696in the prompt has changed to capital letters to indicate that you have 697a peer connection. 698If only some of the three Ps go uppercase, wait until 699either everything is uppercase or lowercase. 700If they revert to lowercase, it means that 701.Nm 702couldn't successfully negotiate with the peer. 703A good first step for troubleshooting at this point would be to 704.Bd -literal -offset indent 705ppp ON awfulhak> set log local phase lcp ipcp 706.Ed 707.Pp 708and try again. 709Refer to the 710.Dq set log 711command description below for further details. 712If things fail at this point, 713it is quite important that you turn logging on and try again. 714It is also 715important that you note any prompt changes and report them to anyone trying 716to help you. 717.Pp 718When the link is established, the show command can be used to see how 719things are going: 720.Bd -literal -offset indent 721PPP ON awfulhak> show physical 722* Modem related information is shown here * 723PPP ON awfulhak> show ccp 724* CCP (compression) related information is shown here * 725PPP ON awfulhak> show lcp 726* LCP (line control) related information is shown here * 727PPP ON awfulhak> show ipcp 728* IPCP (IP) related information is shown here * 729PPP ON awfulhak> show ipv6cp 730* IPV6CP (IPv6) related information is shown here * 731PPP ON awfulhak> show link 732* Link (high level) related information is shown here * 733PPP ON awfulhak> show bundle 734* Logical (high level) connection related information is shown here * 735.Ed 736.Pp 737At this point, your machine has a host route to the peer. 738This means 739that you can only make a connection with the host on the other side 740of the link. 741If you want to add a default route entry (telling your 742machine to send all packets without another routing entry to the other 743side of the 744.Em PPP 745link), enter the following command: 746.Bd -literal -offset indent 747PPP ON awfulhak> add default HISADDR 748.Ed 749.Pp 750The string 751.Sq HISADDR 752represents the IP address of the connected peer. 753If the 754.Dq add 755command fails due to an existing route, you can overwrite the existing 756route using 757.Bd -literal -offset indent 758PPP ON awfulhak> add! default HISADDR 759.Ed 760.Pp 761This command can also be executed before actually making the connection. 762If a new IP address is negotiated at connection time, 763.Nm 764will update your default route accordingly. 765.Pp 766You can now use your network applications (ping, telnet, ftp etc.) 767in other windows or terminals on your machine. 768If you wish to reuse the current terminal, you can put 769.Nm 770into the background using your standard shell suspend and background 771commands (usually 772.Dq ^Z 773followed by 774.Dq bg ) . 775.Pp 776Refer to the 777.Sx PPP COMMAND LIST 778section for details on all available commands. 779.Sh AUTOMATIC DIALING 780To use automatic dialing, you must prepare some Dial and Login chat scripts. 781See the example definitions in 782.Pa /usr/share/examples/ppp/ppp.conf.sample 783(the format of 784.Pa /etc/ppp/ppp.conf 785is pretty simple). 786Each line contains one comment, inclusion, label or command: 787.Bl -bullet 788.It 789A line starting with a 790.Pq Dq # 791character is treated as a comment line. 792Leading whitespace are ignored when identifying comment lines. 793.It 794An inclusion is a line beginning with the word 795.Sq {!include} . 796It must have one argument - the file to {include}. 797You may wish to 798.Dq {!include} ~/.ppp.conf 799for compatibility with older versions of 800.Nm . 801.It 802A label name starts in the first column and is followed by 803a colon 804.Pq Dq \&: . 805.It 806A command line must contain a space or tab in the first column. 807.El 808.Pp 809The 810.Pa /etc/ppp/ppp.conf 811file should consist of at least a 812.Dq default 813section. 814This section is always executed. 815It should also contain 816one or more sections, named according to their purpose, for example, 817.Dq MyISP 818would represent your ISP, and 819.Dq ppp-in 820would represent an incoming 821.Nm 822configuration. 823You can now specify the destination label name when you invoke 824.Nm . 825Commands associated with the 826.Dq default 827label are executed, followed by those associated with the destination 828label provided. 829When 830.Nm 831is started with no arguments, the 832.Dq default 833section is still executed. 834The load command can be used to manually load a section from the 835.Pa /etc/ppp/ppp.conf 836file: 837.Bd -literal -offset indent 838ppp ON awfulhak> load MyISP 839.Ed 840.Pp 841Note, no action is taken by 842.Nm 843after a section is loaded, whether it's the result of passing a label on 844the command line or using the 845.Dq load 846command. 847Only the commands specified for that label in the configuration 848file are executed. 849However, when invoking 850.Nm 851with the 852.Fl background , 853.Fl ddial , 854or 855.Fl dedicated 856switches, the link mode tells 857.Nm 858to establish a connection. 859Refer to the 860.Dq set mode 861command below for further details. 862.Pp 863Once the connection is made, the 864.Sq ppp 865portion of the prompt will change to 866.Sq PPP : 867.Bd -literal -offset indent 868# ppp MyISP 869\&... 870ppp ON awfulhak> dial 871Ppp ON awfulhak> 872PPp ON awfulhak> 873PPP ON awfulhak> 874.Ed 875.Pp 876The Ppp prompt indicates that 877.Nm 878has entered the authentication phase. 879The PPp prompt indicates that 880.Nm 881has entered the network phase. 882The PPP prompt indicates that 883.Nm 884has successfully negotiated a network layer protocol and is in 885a usable state. 886.Pp 887If the 888.Pa /etc/ppp/ppp.linkup 889file is available, its contents are executed 890when the 891.Em PPP 892connection is established. 893See the provided 894.Dq pmdemand 895example in 896.Pa /usr/share/examples/ppp/ppp.conf.sample 897which runs a script in the background after the connection is established 898(refer to the 899.Dq shell 900and 901.Dq bg 902commands below for a description of possible substitution strings). 903Similarly, when a connection is closed, the contents of the 904.Pa /etc/ppp/ppp.linkdown 905file are executed. 906Both of these files have the same format as 907.Pa /etc/ppp/ppp.conf . 908.Pp 909In previous versions of 910.Nm , 911it was necessary to re-add routes such as the default route in the 912.Pa ppp.linkup 913file. 914.Nm 915supports 916.Sq sticky routes , 917where all routes that contain the 918.Dv HISADDR , 919.Dv MYADDR , 920.Dv HISADDR6 921or 922.Dv MYADDR6 923literals will automatically be updated when the values of these variables 924change. 925.Sh BACKGROUND DIALING 926If you want to establish a connection using 927.Nm 928non-interactively (such as from a 929.Xr crontab 5 930entry or an 931.Xr at 1 932job) you should use the 933.Fl background 934option. 935When 936.Fl background 937is specified, 938.Nm 939attempts to establish the connection immediately. 940If multiple phone 941numbers are specified, each phone number will be tried once. 942If the attempt fails, 943.Nm 944exits immediately with a non-zero exit code. 945If it succeeds, then 946.Nm 947becomes a daemon, and returns an exit status of zero to its caller. 948The daemon exits automatically if the connection is dropped by the 949remote system, or it receives a 950.Dv TERM 951signal. 952.Sh DIAL ON DEMAND 953Demand dialing is enabled with the 954.Fl auto 955or 956.Fl ddial 957options. 958You must also specify the destination label in 959.Pa /etc/ppp/ppp.conf 960to use. 961It must contain the 962.Dq set ifaddr 963command to {define} the remote peers IP address. 964(refer to 965.Pa /usr/share/examples/ppp/ppp.conf.sample ) 966.Bd -literal -offset indent 967# ppp -auto pmdemand 968.Ed 969.Pp 970When 971.Fl auto 972or 973.Fl ddial 974is specified, 975.Nm 976runs as a daemon but you can still configure or examine its 977configuration by using the 978.Dq set server 979command in 980.Pa /etc/ppp/ppp.conf , 981(for example, 982.Dq Li "set server +3000 mypasswd" ) 983and connecting to the diagnostic port as follows: 984.Bd -literal -offset indent 985# pppctl 3000 (assuming tun0) 986Password: 987PPP ON awfulhak> show who 988tcp (127.0.0.1:1028) * 989.Ed 990.Pp 991The 992.Dq show who 993command lists users that are currently connected to 994.Nm 995itself. 996If the diagnostic socket is closed or changed to a different 997socket, all connections are immediately dropped. 998.Pp 999In 1000.Fl auto 1001mode, when an outgoing packet is detected, 1002.Nm 1003will perform the dialing action (chat script) and try to connect 1004with the peer. 1005In 1006.Fl ddial 1007mode, the dialing action is performed any time the line is found 1008to be down. 1009If the connect fails, the default behaviour is to wait 30 seconds 1010and then attempt to connect when another outgoing packet is detected. 1011This behaviour can be changed using the 1012.Dq set redial 1013command: 1014.Pp 1015.No set redial Ar secs Ns Xo 1016.Oo + Ns Ar inc Ns 1017.Op - Ns Ar max Ns 1018.Oc Ns Op . Ns Ar next 1019.Op Ar attempts 1020.Xc 1021.Pp 1022.Bl -tag -width attempts -compact 1023.It Ar secs 1024is the number of seconds to wait before attempting 1025to connect again. 1026If the argument is the literal string 1027.Sq Li random , 1028the delay period is a random value between 1 and 30 seconds inclusive. 1029.It Ar inc 1030is the number of seconds that 1031.Ar secs 1032should be incremented each time a new dial attempt is made. 1033The timeout reverts to 1034.Ar secs 1035only after a successful connection is established. 1036The default value for 1037.Ar inc 1038is zero. 1039.It Ar max 1040is the maximum number of times 1041.Nm 1042should increment 1043.Ar secs . 1044The default value for 1045.Ar max 1046is 10. 1047.It Ar next 1048is the number of seconds to wait before attempting 1049to dial the next number in a list of numbers (see the 1050.Dq set phone 1051command). 1052The default is 3 seconds. 1053Again, if the argument is the literal string 1054.Sq Li random , 1055the delay period is a random value between 1 and 30 seconds. 1056.It Ar attempts 1057is the maximum number of times to try to connect for each outgoing packet 1058that triggers a dial. 1059The previous value is unchanged if this parameter is omitted. 1060If a value of zero is specified for 1061.Ar attempts , 1062.Nm 1063will keep trying until a connection is made. 1064.El 1065.Pp 1066So, for example: 1067.Bd -literal -offset indent 1068set redial 10.3 4 1069.Ed 1070.Pp 1071will attempt to connect 4 times for each outgoing packet that causes 1072a dial attempt with a 3 second delay between each number and a 10 second 1073delay after all numbers have been tried. 1074If multiple phone numbers 1075are specified, the total number of attempts is still 4 (it does not 1076attempt each number 4 times). 1077.Pp 1078Alternatively, 1079.Pp 1080.Bd -literal -offset indent 1081set redial 10+10-5.3 20 1082.Ed 1083.Pp 1084tells 1085.Nm 1086to attempt to connect 20 times. 1087After the first attempt, 1088.Nm 1089pauses for 10 seconds. 1090After the next attempt it pauses for 20 seconds 1091and so on until after the sixth attempt it pauses for 1 minute. 1092The next 14 pauses will also have a duration of one minute. 1093If 1094.Nm 1095connects, disconnects and fails to connect again, the timeout starts again 1096at 10 seconds. 1097.Pp 1098Modifying the dial delay is very useful when running 1099.Nm 1100in 1101.Fl auto 1102mode on both ends of the link. 1103If each end has the same timeout, 1104both ends wind up calling each other at the same time if the link 1105drops and both ends have packets queued. 1106At some locations, the serial link may not be reliable, and carrier 1107may be lost at inappropriate times. 1108It is possible to have 1109.Nm 1110redial should carrier be unexpectedly lost during a session. 1111.Bd -literal -offset indent 1112set reconnect timeout ntries 1113.Ed 1114.Pp 1115This command tells 1116.Nm 1117to re-establish the connection 1118.Ar ntries 1119times on loss of carrier with a pause of 1120.Ar timeout 1121seconds before each try. 1122For example, 1123.Bd -literal -offset indent 1124set reconnect 3 5 1125.Ed 1126.Pp 1127tells 1128.Nm 1129that on an unexpected loss of carrier, it should wait 1130.Ar 3 1131seconds before attempting to reconnect. 1132This may happen up to 1133.Ar 5 1134times before 1135.Nm 1136gives up. 1137The default value of ntries is zero (no reconnect). 1138Care should be taken with this option. 1139If the local timeout is slightly 1140longer than the remote timeout, the reconnect feature will always be 1141triggered (up to the given number of times) after the remote side 1142times out and hangs up. 1143NOTE: In this context, losing too many LQRs constitutes a loss of 1144carrier and will trigger a reconnect. 1145If the 1146.Fl background 1147flag is specified, all phone numbers are dialed at most once until 1148a connection is made. 1149The next number redial period specified with the 1150.Dq set redial 1151command is honoured, as is the reconnect tries value. 1152If your redial 1153value is less than the number of phone numbers specified, not all 1154the specified numbers will be tried. 1155To terminate the program, type 1156.Bd -literal -offset indent 1157PPP ON awfulhak> close 1158ppp ON awfulhak> quit all 1159.Ed 1160.Pp 1161A simple 1162.Dq quit 1163command will terminate the 1164.Xr pppctl 8 1165or 1166.Xr telnet 1 1167connection but not the 1168.Nm 1169program itself. 1170You must use 1171.Dq quit all 1172to terminate 1173.Nm 1174as well. 1175.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 1) 1176To handle an incoming 1177.Em PPP 1178connection request, follow these steps: 1179.Bl -enum 1180.It 1181Make sure the modem and (optionally) 1182.Pa /etc/rc.serial 1183is configured correctly. 1184.Bl -bullet -compact 1185.It 1186Use Hardware Handshake (CTS/RTS) for flow control. 1187.It 1188Modem should be set to NO echo back (ATE0) and NO results string (ATQ1). 1189.El 1190.Pp 1191.It 1192Edit 1193.Pa /etc/ttys 1194to enable a 1195.Xr getty 8 1196on the port where the modem is attached. 1197For example: 1198.Pp 1199.Dl ttyd1 Qo /usr/libexec/getty std.38400 Qc dialup on secure 1200.Pp 1201Don't forget to send a 1202.Dv HUP 1203signal to the 1204.Xr init 8 1205process to start the 1206.Xr getty 8 : 1207.Pp 1208.Dl # kill -HUP 1 1209.Pp 1210It is usually also necessary to train your modem to the same DTR speed 1211as the getty: 1212.Bd -literal -offset indent 1213# ppp 1214ppp ON awfulhak> set device /dev/cuaa1 1215ppp ON awfulhak> set speed 38400 1216ppp ON awfulhak> term 1217deflink: Entering terminal mode on /dev/cuaa1 1218Type `~?' for help 1219at 1220OK 1221at 1222OK 1223atz 1224OK 1225at 1226OK 1227~. 1228ppp ON awfulhak> quit 1229.Ed 1230.It 1231Create a 1232.Pa /usr/local/bin/ppplogin 1233file with the following contents: 1234.Bd -literal -offset indent 1235#! /bin/sh 1236exec /usr/sbin/ppp -direct incoming 1237.Ed 1238.Pp 1239Direct mode 1240.Pq Fl direct 1241lets 1242.Nm 1243work with stdin and stdout. 1244You can also use 1245.Xr pppctl 8 1246to connect to a configured diagnostic port, in the same manner as with 1247client-side 1248.Nm . 1249.Pp 1250Here, the 1251.Ar incoming 1252section must be set up in 1253.Pa /etc/ppp/ppp.conf . 1254.Pp 1255Make sure that the 1256.Ar incoming 1257section contains the 1258.Dq allow users 1259command as appropriate. 1260.It 1261Prepare an account for the incoming user. 1262.Bd -literal 1263ppp:xxxx:66:66:PPP Login User:/home/ppp:/usr/local/bin/ppplogin 1264.Ed 1265.Pp 1266Refer to the manual entries for 1267.Xr adduser 8 1268and 1269.Xr vipw 8 1270for details. 1271.It 1272Support for IPCP Domain Name Server and NetBIOS Name Server negotiation 1273can be enabled using the 1274.Dq accept dns 1275and 1276.Dq set nbns 1277commands. 1278Refer to their descriptions below. 1279.El 1280.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 2) 1281This method differs in that we use 1282.Nm 1283to authenticate the connection rather than 1284.Xr login 1 : 1285.Bl -enum 1286.It 1287Configure your default section in 1288.Pa /etc/gettytab 1289with automatic ppp recognition by specifying the 1290.Dq pp 1291capability: 1292.Bd -literal 1293default:\\ 1294 :pp=/usr/local/bin/ppplogin:\\ 1295 ..... 1296.Ed 1297.It 1298Configure your serial device(s), enable a 1299.Xr getty 8 1300and create 1301.Pa /usr/local/bin/ppplogin 1302as in the first three steps for method 1 above. 1303.It 1304Add either 1305.Dq enable chap 1306or 1307.Dq enable pap 1308(or both) 1309to 1310.Pa /etc/ppp/ppp.conf 1311under the 1312.Sq incoming 1313label (or whatever label 1314.Pa ppplogin 1315uses). 1316.It 1317Create an entry in 1318.Pa /etc/ppp/ppp.secret 1319for each incoming user: 1320.Bd -literal 1321Pfred<TAB>xxxx 1322Pgeorge<TAB>yyyy 1323.Ed 1324.El 1325.Pp 1326Now, as soon as 1327.Xr getty 8 1328detects a ppp connection (by recognising the HDLC frame headers), it runs 1329.Dq /usr/local/bin/ppplogin . 1330.Pp 1331It is 1332.Em VITAL 1333that either PAP or CHAP are enabled as above. 1334If they are not, you are 1335allowing anybody to establish ppp session with your machine 1336.Em without 1337a password, opening yourself up to all sorts of potential attacks. 1338.Sh AUTHENTICATING INCOMING CONNECTIONS 1339Normally, the receiver of a connection requires that the peer 1340authenticates itself. 1341This may be done using 1342.Xr login 1 , 1343but alternatively, you can use PAP or CHAP. 1344CHAP is the more secure of the two, but some clients may not support it. 1345Once you decide which you wish to use, add the command 1346.Sq enable chap 1347or 1348.Sq enable pap 1349to the relevant section of 1350.Pa ppp.conf . 1351.Pp 1352You must then configure the 1353.Pa /etc/ppp/ppp.secret 1354file. 1355This file contains one line per possible client, each line 1356containing up to five fields: 1357.Pp 1358.Ar name Ar key Oo 1359.Ar hisaddr Op Ar label Op Ar callback-number 1360.Oc 1361.Pp 1362The 1363.Ar name 1364and 1365.Ar key 1366specify the client username and password. 1367If 1368.Ar key 1369is 1370.Dq \&* 1371and PAP is being used, 1372.Nm 1373will look up the password database 1374.Pq Xr passwd 5 1375when authenticating. 1376If the client does not offer a suitable response based on any 1377.Ar name Ns No / Ns Ar key 1378combination in 1379.Pa ppp.secret , 1380authentication fails. 1381.Pp 1382If authentication is successful, 1383.Ar hisaddr 1384(if specified) 1385is used when negotiating IP numbers. 1386See the 1387.Dq set ifaddr 1388command for details. 1389.Pp 1390If authentication is successful and 1391.Ar label 1392is specified, the current system label is changed to match the given 1393.Ar label . 1394This will change the subsequent parsing of the 1395.Pa ppp.linkup 1396and 1397.Pa ppp.linkdown 1398files. 1399.Pp 1400If authentication is successful and 1401.Ar callback-number 1402is specified and 1403.Dq set callback 1404has been used in 1405.Pa ppp.conf , 1406the client will be called back on the given number. 1407If CBCP is being used, 1408.Ar callback-number 1409may also contain a list of numbers or a 1410.Dq \&* , 1411as if passed to the 1412.Dq set cbcp 1413command. 1414The value will be used in 1415.Nm Ns No 's 1416subsequent CBCP phase. 1417.Sh PPP OVER TCP and UDP (a.k.a Tunnelling) 1418Instead of running 1419.Nm 1420over a serial link, it is possible to 1421use a TCP connection instead by specifying the host, port and protocol as the 1422device: 1423.Pp 1424.Dl set device ui-gate:6669/tcp 1425.Pp 1426Instead of opening a serial device, 1427.Nm 1428will open a TCP connection to the given machine on the given 1429socket. 1430It should be noted however that 1431.Nm 1432doesn't use the telnet protocol and will be unable to negotiate 1433with a telnet server. 1434You should set up a port for receiving this 1435.Em PPP 1436connection on the receiving machine (ui-gate). 1437This is done by first updating 1438.Pa /etc/services 1439to name the service: 1440.Pp 1441.Dl ppp-in 6669/tcp # Incoming PPP connections over TCP 1442.Pp 1443and updating 1444.Pa /etc/inetd.conf 1445to tell 1446.Xr inetd 8 1447how to deal with incoming connections on that port: 1448.Pp 1449.Dl ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in 1450.Pp 1451Don't forget to send a 1452.Dv HUP 1453signal to 1454.Xr inetd 8 1455after you've updated 1456.Pa /etc/inetd.conf . 1457Here, we use a label named 1458.Dq ppp-in . 1459The entry in 1460.Pa /etc/ppp/ppp.conf 1461on ui-gate (the receiver) should contain the following: 1462.Bd -literal -offset indent 1463ppp-in: 1464 set timeout 0 1465 set ifaddr 10.0.4.1 10.0.4.2 1466.Ed 1467.Pp 1468and the entry in 1469.Pa /etc/ppp/ppp.linkup 1470should contain: 1471.Bd -literal -offset indent 1472ppp-in: 1473 add 10.0.1.0/24 HISADDR 1474.Ed 1475.Pp 1476It is necessary to put the 1477.Dq add 1478command in 1479.Pa ppp.linkup 1480to ensure that the route is only added after 1481.Nm 1482has negotiated and assigned addresses to its interface. 1483.Pp 1484You may also want to enable PAP or CHAP for security. 1485To enable PAP, add the following line: 1486.Bd -literal -offset indent 1487 enable PAP 1488.Ed 1489.Pp 1490You'll also need to create the following entry in 1491.Pa /etc/ppp/ppp.secret : 1492.Bd -literal -offset indent 1493MyAuthName MyAuthPasswd 1494.Ed 1495.Pp 1496If 1497.Ar MyAuthPasswd 1498is a 1499.Dq * , 1500the password is looked up in the 1501.Xr passwd 5 1502database. 1503.Pp 1504The entry in 1505.Pa /etc/ppp/ppp.conf 1506on awfulhak (the initiator) should contain the following: 1507.Bd -literal -offset indent 1508ui-gate: 1509 set escape 0xff 1510 set device ui-gate:ppp-in/tcp 1511 set dial 1512 set timeout 30 1513 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun 1514 set ifaddr 10.0.4.2 10.0.4.1 1515.Ed 1516.Pp 1517with the route setup in 1518.Pa /etc/ppp/ppp.linkup : 1519.Bd -literal -offset indent 1520ui-gate: 1521 add 10.0.2.0/24 HISADDR 1522.Ed 1523.Pp 1524Again, if you're enabling PAP, you'll also need this in the 1525.Pa /etc/ppp/ppp.conf 1526profile: 1527.Bd -literal -offset indent 1528 set authname MyAuthName 1529 set authkey MyAuthKey 1530.Ed 1531.Pp 1532We're assigning the address of 10.0.4.1 to ui-gate, and the address 153310.0.4.2 to awfulhak. 1534To open the connection, just type 1535.Pp 1536.Dl awfulhak # ppp -background ui-gate 1537.Pp 1538The result will be an additional "route" on awfulhak to the 153910.0.2.0/24 network via the TCP connection, and an additional 1540"route" on ui-gate to the 10.0.1.0/24 network. 1541The networks are effectively bridged - the underlying TCP 1542connection may be across a public network (such as the 1543Internet), and the 1544.Em PPP 1545traffic is conceptually encapsulated 1546(although not packet by packet) inside the TCP stream between 1547the two gateways. 1548.Pp 1549The major disadvantage of this mechanism is that there are two 1550"guaranteed delivery" mechanisms in place - the underlying TCP 1551stream and whatever protocol is used over the 1552.Em PPP 1553link - probably TCP again. 1554If packets are lost, both levels will 1555get in each others way trying to negotiate sending of the missing 1556packet. 1557.Pp 1558To avoid this overhead, it is also possible to do all this using 1559UDP instead of TCP as the transport by simply changing the protocol 1560from "tcp" to "udp". 1561When using UDP as a transport, 1562.Nm 1563will operate in synchronous mode. 1564This is another gain as the incoming 1565data does not have to be rearranged into packets. 1566.Pp 1567Care should be taken when adding a default route through a tunneled 1568setup like this. 1569It is quite common for the default route 1570(added in 1571.Pa /etc/ppp/ppp.linkup ) 1572to end up routing the link's TCP connection through the tunnel, 1573effectively garrotting the connection. 1574To avoid this, make sure you add a static route for the benefit of 1575the link: 1576.Bd -literal -offset indent 1577ui-gate: 1578 set escape 0xff 1579 set device ui-gate:ppp-in/tcp 1580 add ui-gate x.x.x.x 1581 ..... 1582.Ed 1583.Pp 1584where 1585.Dq x.x.x.x 1586is the IP number that your route to 1587.Dq ui-gate 1588would normally use. 1589.Pp 1590When routing your connection accross a public network such as the Internet, 1591it is preferable to encrypt the data. 1592This can be done with the help of the MPPE protocol, although currently this 1593means that you will not be able to also compress the traffic as MPPE is 1594implemented as a compression layer (thank Microsoft for this). 1595To enable MPPE encryption, add the following lines to 1596.Pa /etc/ppp/ppp.conf 1597on the server: 1598.Bd -literal -offset indent 1599 enable MSCHAPv2 1600 disable deflate pred1 1601 deny deflate pred1 1602.Ed 1603.Pp 1604ensuring that you've put the requisite entry in 1605.Pa /etc/ppp/ppp.secret 1606(MSCHAPv2 is challenge based, so 1607.Xr passwd 5 1608cannot be used) 1609.Pp 1610MSCHAPv2 and MPPE are accepted by default, so the client end should work 1611without any additional changes (although ensure you have 1612.Dq set authname 1613and 1614.Dq set authkey 1615in your profile). 1616.Sh NETWORK ADDRESS TRANSLATION (PACKET ALIASING) 1617The 1618.Fl nat 1619command line option enables network address translation (a.k.a. packet 1620aliasing). 1621This allows the 1622.Nm 1623host to act as a masquerading gateway for other computers over 1624a local area network. 1625Outgoing IP packets are NAT'd so that they appear to come from the 1626.Nm 1627host, and incoming packets are de-NAT'd so that they are routed 1628to the correct machine on the local area network. 1629NAT allows computers on private, unregistered subnets to have Internet 1630access, although they are invisible from the outside world. 1631In general, correct 1632.Nm 1633operation should first be verified with network address translation disabled. 1634Then, the 1635.Fl nat 1636option should be switched on, and network applications (web browser, 1637.Xr telnet 1 , 1638.Xr ftp 1 , 1639.Xr ping 8 , 1640.Xr traceroute 8 ) 1641should be checked on the 1642.Nm 1643host. 1644Finally, the same or similar applications should be checked on other 1645computers in the LAN. 1646If network applications work correctly on the 1647.Nm 1648host, but not on other machines in the LAN, then the masquerading 1649software is working properly, but the host is either not forwarding 1650or possibly receiving IP packets. 1651Check that IP forwarding is enabled in 1652.Pa /etc/rc.conf 1653and that other machines have designated the 1654.Nm 1655host as the gateway for the LAN. 1656.Sh PACKET FILTERING 1657This implementation supports packet filtering. 1658There are four kinds of 1659filters: the 1660.Em in 1661filter, the 1662.Em out 1663filter, the 1664.Em dial 1665filter and the 1666.Em alive 1667filter. 1668Here are the basics: 1669.Bl -bullet 1670.It 1671A filter definition has the following syntax: 1672.Pp 1673set filter 1674.Ar name 1675.Ar rule-no 1676.Ar action 1677.Op !\& 1678.Oo 1679.Op host 1680.Ar src_addr Ns Op / Ns Ar width 1681.Op Ar dst_addr Ns Op / Ns Ar width 1682.Oc 1683.Ar [ proto Op src Ar cmp port 1684.Op dst Ar cmp port 1685.Op estab 1686.Op syn 1687.Op finrst 1688.Op timeout Ar secs ] 1689.Bl -enum 1690.It 1691.Ar Name 1692should be one of 1693.Sq in , 1694.Sq out , 1695.Sq dial 1696or 1697.Sq alive . 1698.It 1699.Ar Rule-no 1700is a numeric value between 1701.Sq 0 1702and 1703.Sq 39 1704specifying the rule number. 1705Rules are specified in numeric order according to 1706.Ar rule-no , 1707but only if rule 1708.Sq 0 1709is defined. 1710.It 1711.Ar Action 1712may be specified as 1713.Sq permit 1714or 1715.Sq deny , 1716in which case, if a given packet matches the rule, the associated action 1717is taken immediately. 1718.Ar Action 1719can also be specified as 1720.Sq clear 1721to clear the action associated with that particular rule, or as a new 1722rule number greater than the current rule. 1723In this case, if a given 1724packet matches the current rule, the packet will next be matched against 1725the new rule number (rather than the next rule number). 1726.Pp 1727The 1728.Ar action 1729may optionally be followed with an exclamation mark 1730.Pq Dq !\& , 1731telling 1732.Nm 1733to reverse the sense of the following match. 1734.It 1735.Op Ar src_addr Ns Op / Ns Ar width 1736and 1737.Op Ar dst_addr Ns Op / Ns Ar width 1738are the source and destination IP number specifications. 1739If 1740.Op / Ns Ar width 1741is specified, it gives the number of relevant netmask bits, 1742allowing the specification of an address range. 1743.Pp 1744Either 1745.Ar src_addr 1746or 1747.Ar dst_addr 1748may be given the values 1749.Dv MYADDR , 1750.Dv HISADDR , 1751.Dv MYADDR6 1752or 1753.Dv HISADDR6 1754(refer to the description of the 1755.Dq bg 1756command for a description of these values). 1757When these values are used, 1758the filters will be updated any time the values change. 1759This is similar to the behaviour of the 1760.Dq add 1761command below. 1762.It 1763.Ar Proto 1764may be any protocol from 1765.Xr protocols 5 . 1766.It 1767.Ar Cmp 1768is one of 1769.Sq \< , 1770.Sq \&eq 1771or 1772.Sq \> , 1773meaning less-than, equal and greater-than respectively. 1774.Ar Port 1775can be specified as a numeric port or by service name from 1776.Pa /etc/services . 1777.It 1778The 1779.Sq estab , 1780.Sq syn , 1781and 1782.Sq finrst 1783flags are only allowed when 1784.Ar proto 1785is set to 1786.Sq tcp , 1787and represent the TH_ACK, TH_SYN and TH_FIN or TH_RST TCP flags respectively. 1788.It 1789The timeout value adjusts the current idle timeout to at least 1790.Ar secs 1791seconds. 1792If a timeout is given in the alive filter as well as in the in/out 1793filter, the in/out value is used. 1794If no timeout is given, the default timeout (set using 1795.Ic set timeout 1796and defaulting to 180 seconds) is used. 1797.El 1798.Pp 1799.It 1800Each filter can hold up to 40 rules, starting from rule 0. 1801The entire rule set is not effective until rule 0 is defined, 1802i.e., the default is to allow everything through. 1803.It 1804If no rule in a defined set of rules matches a packet, that packet will 1805be discarded (blocked). 1806If there are no rules in a given filter, the packet will be permitted. 1807.It 1808It's possible to filter based on the payload of UDP frames where those 1809frames contain a 1810.Em PROTO_IP 1811.Em PPP 1812frame header. 1813See the 1814.Ar filter-decapsulation 1815option below for further details. 1816.It 1817Use 1818.Dq set filter Ar name No -1 1819to flush all rules. 1820.El 1821.Pp 1822See 1823.Pa /usr/share/examples/ppp/ppp.conf.sample . 1824.Sh SETTING THE IDLE TIMER 1825To check/set the idle timer, use the 1826.Dq show bundle 1827and 1828.Dq set timeout 1829commands: 1830.Bd -literal -offset indent 1831ppp ON awfulhak> set timeout 600 1832.Ed 1833.Pp 1834The timeout period is measured in seconds, the default value for which 1835is 180 seconds 1836(or 3 min). 1837To disable the idle timer function, use the command 1838.Bd -literal -offset indent 1839ppp ON awfulhak> set timeout 0 1840.Ed 1841.Pp 1842In 1843.Fl ddial 1844and 1845.Fl dedicated 1846modes, the idle timeout is ignored. 1847In 1848.Fl auto 1849mode, when the idle timeout causes the 1850.Em PPP 1851session to be 1852closed, the 1853.Nm 1854program itself remains running. 1855Another trigger packet will cause it to attempt to re-establish the link. 1856.Sh PREDICTOR-1 and DEFLATE COMPRESSION 1857.Nm 1858supports both Predictor type 1 and deflate compression. 1859By default, 1860.Nm 1861will attempt to use (or be willing to accept) both compression protocols 1862when the peer agrees 1863(or requests them). 1864The deflate protocol is preferred by 1865.Nm . 1866Refer to the 1867.Dq disable 1868and 1869.Dq deny 1870commands if you wish to disable this functionality. 1871.Pp 1872It is possible to use a different compression algorithm in each direction 1873by using only one of 1874.Dq disable deflate 1875and 1876.Dq deny deflate 1877(assuming that the peer supports both algorithms). 1878.Pp 1879By default, when negotiating DEFLATE, 1880.Nm 1881will use a window size of 15. 1882Refer to the 1883.Dq set deflate 1884command if you wish to change this behaviour. 1885.Pp 1886A special algorithm called DEFLATE24 is also available, and is disabled 1887and denied by default. 1888This is exactly the same as DEFLATE except that 1889it uses CCP ID 24 to negotiate. 1890This allows 1891.Nm 1892to successfully negotiate DEFLATE with 1893.Nm pppd 1894version 2.3.*. 1895.Sh CONTROLLING IP ADDRESS 1896For IPv4, 1897.Nm 1898uses IPCP to negotiate IP addresses. 1899Each side of the connection 1900specifies the IP address that it's willing to use, and if the requested 1901IP address is acceptable then 1902.Nm 1903returns an ACK to the requester. 1904Otherwise, 1905.Nm 1906returns NAK to suggest that the peer use a different IP address. 1907When 1908both sides of the connection agree to accept the received request (and 1909send an ACK), IPCP is set to the open state and a network level connection 1910is established. 1911To control this IPCP behaviour, this implementation has the 1912.Dq set ifaddr 1913command for defining the local and remote IP address: 1914.Bd -ragged -offset indent 1915.No set ifaddr Oo Ar src_addr Ns 1916.Op / Ns Ar \&nn 1917.Oo Ar dst_addr Ns Op / Ns Ar \&nn 1918.Oo Ar netmask 1919.Op Ar trigger_addr 1920.Oc 1921.Oc 1922.Oc 1923.Ed 1924.Pp 1925where, 1926.Sq src_addr 1927is the IP address that the local side is willing to use, 1928.Sq dst_addr 1929is the IP address which the remote side should use and 1930.Sq netmask 1931is the netmask that should be used. 1932.Sq Src_addr 1933defaults to the current 1934.Xr hostname 1 , 1935.Sq dst_addr 1936defaults to 0.0.0.0, and 1937.Sq netmask 1938defaults to whatever mask is appropriate for 1939.Sq src_addr . 1940It is only possible to make 1941.Sq netmask 1942smaller than the default. 1943The usual value is 255.255.255.255, as 1944most kernels ignore the netmask of a POINTOPOINT interface. 1945.Pp 1946Some incorrect 1947.Em PPP 1948implementations require that the peer negotiates a specific IP 1949address instead of 1950.Sq src_addr . 1951If this is the case, 1952.Sq trigger_addr 1953may be used to specify this IP number. 1954This will not affect the 1955routing table unless the other side agrees with this proposed number. 1956.Bd -literal -offset indent 1957set ifaddr 192.244.177.38 192.244.177.2 255.255.255.255 0.0.0.0 1958.Ed 1959.Pp 1960The above specification means: 1961.Pp 1962.Bl -bullet -compact 1963.It 1964I will first suggest that my IP address should be 0.0.0.0, but I 1965will only accept an address of 192.244.177.38. 1966.It 1967I strongly insist that the peer uses 192.244.177.2 as his own 1968address and won't permit the use of any IP address but 192.244.177.2. 1969When the peer requests another IP address, I will always suggest that 1970it uses 192.244.177.2. 1971.It 1972The routing table entry will have a netmask of 0xffffffff. 1973.El 1974.Pp 1975This is all fine when each side has a pre-determined IP address, however 1976it is often the case that one side is acting as a server which controls 1977all IP addresses and the other side should go along with it. 1978In order to allow more flexible behaviour, the 1979.Dq set ifaddr 1980command allows the user to specify IP addresses more loosely: 1981.Pp 1982.Dl set ifaddr 192.244.177.38/24 192.244.177.2/20 1983.Pp 1984A number followed by a slash 1985.Pq Dq / 1986represents the number of bits significant in the IP address. 1987The above example means: 1988.Pp 1989.Bl -bullet -compact 1990.It 1991I'd like to use 192.244.177.38 as my address if it is possible, but I'll 1992also accept any IP address between 192.244.177.0 and 192.244.177.255. 1993.It 1994I'd like to make him use 192.244.177.2 as his own address, but I'll also 1995permit him to use any IP address between 192.244.176.0 and 1996192.244.191.255. 1997.It 1998As you may have already noticed, 192.244.177.2 is equivalent to saying 1999192.244.177.2/32. 2000.It 2001As an exception, 0 is equivalent to 0.0.0.0/0, meaning that I have no 2002preferred IP address and will obey the remote peers selection. 2003When using zero, no routing table entries will be made until a connection 2004is established. 2005.It 2006192.244.177.2/0 means that I'll accept/permit any IP address but I'll 2007suggest that 192.244.177.2 be used first. 2008.El 2009.Pp 2010When negotiating IPv6 addresses, no control is given to the user. 2011IPV6CP negotiation is fully automatic. 2012.Sh CONNECTING WITH YOUR INTERNET SERVICE PROVIDER 2013The following steps should be taken when connecting to your ISP: 2014.Bl -enum 2015.It 2016Describe your providers phone number(s) in the dial script using the 2017.Dq set phone 2018command. 2019This command allows you to set multiple phone numbers for 2020dialing and redialing separated by either a pipe 2021.Pq Dq \&| 2022or a colon 2023.Pq Dq \&: : 2024.Bd -ragged -offset indent 2025.No set phone Ar telno Ns Xo 2026.Oo \&| Ns Ar backupnumber 2027.Oc Ns ... Ns Oo : Ns Ar nextnumber 2028.Oc Ns ... 2029.Xc 2030.Ed 2031.Pp 2032Numbers after the first in a pipe-separated list are only used if the 2033previous number was used in a failed dial or login script. 2034Numbers 2035separated by a colon are used sequentially, irrespective of what happened 2036as a result of using the previous number. 2037For example: 2038.Bd -literal -offset indent 2039set phone "1234567|2345678:3456789|4567890" 2040.Ed 2041.Pp 2042Here, the 1234567 number is attempted. 2043If the dial or login script fails, 2044the 2345678 number is used next time, but *only* if the dial or login script 2045fails. 2046On the dial after this, the 3456789 number is used. 2047The 4567890 2048number is only used if the dial or login script using the 3456789 fails. 2049If the login script of the 2345678 number fails, the next number is still the 20503456789 number. 2051As many pipes and colons can be used as are necessary 2052(although a given site would usually prefer to use either the pipe or the 2053colon, but not both). 2054The next number redial timeout is used between all numbers. 2055When the end of the list is reached, the normal redial period is 2056used before starting at the beginning again. 2057The selected phone number is substituted for the \\\\T string in the 2058.Dq set dial 2059command (see below). 2060.It 2061Set up your redial requirements using 2062.Dq set redial . 2063For example, if you have a bad telephone line or your provider is 2064usually engaged (not so common these days), you may want to specify 2065the following: 2066.Bd -literal -offset indent 2067set redial 10 4 2068.Ed 2069.Pp 2070This says that up to 4 phone calls should be attempted with a pause of 10 2071seconds before dialing the first number again. 2072.It 2073Describe your login procedure using the 2074.Dq set dial 2075and 2076.Dq set login 2077commands. 2078The 2079.Dq set dial 2080command is used to talk to your modem and establish a link with your 2081ISP, for example: 2082.Bd -literal -offset indent 2083set dial "ABORT BUSY ABORT NO\\\\sCARRIER TIMEOUT 4 \\"\\" \e 2084 ATZ OK-ATZ-OK ATDT\\\\T TIMEOUT 60 CONNECT" 2085.Ed 2086.Pp 2087This modem "chat" string means: 2088.Bl -bullet 2089.It 2090Abort if the string "BUSY" or "NO CARRIER" are received. 2091.It 2092Set the timeout to 4 seconds. 2093.It 2094Expect nothing. 2095.It 2096Send ATZ. 2097.It 2098Expect OK. 2099If that's not received within the 4 second timeout, send ATZ 2100and expect OK. 2101.It 2102Send ATDTxxxxxxx where xxxxxxx is the next number in the phone list from 2103above. 2104.It 2105Set the timeout to 60. 2106.It 2107Wait for the CONNECT string. 2108.El 2109.Pp 2110Once the connection is established, the login script is executed. 2111This script is written in the same style as the dial script, but care should 2112be taken to avoid having your password logged: 2113.Bd -literal -offset indent 2114set authkey MySecret 2115set login "TIMEOUT 15 login:-\\\\r-login: awfulhak \e 2116 word: \\\\P ocol: PPP HELLO" 2117.Ed 2118.Pp 2119This login "chat" string means: 2120.Bl -bullet 2121.It 2122Set the timeout to 15 seconds. 2123.It 2124Expect "login:". 2125If it's not received, send a carriage return and expect 2126"login:" again. 2127.It 2128Send "awfulhak" 2129.It 2130Expect "word:" (the tail end of a "Password:" prompt). 2131.It 2132Send whatever our current 2133.Ar authkey 2134value is set to. 2135.It 2136Expect "ocol:" (the tail end of a "Protocol:" prompt). 2137.It 2138Send "PPP". 2139.It 2140Expect "HELLO". 2141.El 2142.Pp 2143The 2144.Dq set authkey 2145command is logged specially. 2146When 2147.Ar command 2148or 2149.Ar chat 2150logging is enabled, the actual password is not logged; 2151.Sq ******** 2152is logged instead. 2153.Pp 2154Login scripts vary greatly between ISPs. 2155If you're setting one up for the first time, 2156.Em ENABLE CHAT LOGGING 2157so that you can see if your script is behaving as you expect. 2158.It 2159Use 2160.Dq set device 2161and 2162.Dq set speed 2163to specify your serial line and speed, for example: 2164.Bd -literal -offset indent 2165set device /dev/cuaa0 2166set speed 115200 2167.Ed 2168.Pp 2169Cuaa0 is the first serial port on 2170.Fx . 2171If you're running 2172.Nm 2173on 2174.Ox , 2175cua00 is the first. 2176A speed of 115200 should be specified 2177if you have a modem capable of bit rates of 28800 or more. 2178In general, the serial speed should be about four times the modem speed. 2179.It 2180Use the 2181.Dq set ifaddr 2182command to {define} the IP address. 2183.Bl -bullet 2184.It 2185If you know what IP address your provider uses, then use it as the remote 2186address (dst_addr), otherwise choose something like 10.0.0.2/0 (see below). 2187.It 2188If your provider has assigned a particular IP address to you, then use 2189it as your address (src_addr). 2190.It 2191If your provider assigns your address dynamically, choose a suitably 2192unobtrusive and unspecific IP number as your address. 219310.0.0.1/0 would be appropriate. 2194The bit after the / specifies how many bits of the 2195address you consider to be important, so if you wanted to insist on 2196something in the class C network 1.2.3.0, you could specify 1.2.3.1/24. 2197.It 2198If you find that your ISP accepts the first IP number that you suggest, 2199specify third and forth arguments of 2200.Dq 0.0.0.0 . 2201This will force your ISP to assign a number. 2202(The third argument will 2203be ignored as it is less restrictive than the default mask for your 2204.Sq src_addr ) . 2205.El 2206.Pp 2207An example for a connection where you don't know your IP number or your 2208ISPs IP number would be: 2209.Bd -literal -offset indent 2210set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2211.Ed 2212.Pp 2213.It 2214In most cases, your ISP will also be your default router. 2215If this is the case, add the line 2216.Bd -literal -offset indent 2217add default HISADDR 2218.Ed 2219.Pp 2220to 2221.Pa /etc/ppp/ppp.conf 2222(or to 2223.Pa /etc/ppp/ppp.linkup 2224for setups that don't use 2225.Fl auto 2226mode). 2227.Pp 2228This tells 2229.Nm 2230to add a default route to whatever the peer address is 2231(10.0.0.2 in this example). 2232This route is 2233.Sq sticky , 2234meaning that should the value of 2235.Dv HISADDR 2236change, the route will be updated accordingly. 2237.It 2238If your provider requests that you use PAP/CHAP authentication methods, add 2239the next lines to your 2240.Pa /etc/ppp/ppp.conf 2241file: 2242.Bd -literal -offset indent 2243set authname MyName 2244set authkey MyPassword 2245.Ed 2246.Pp 2247Both are accepted by default, so 2248.Nm 2249will provide whatever your ISP requires. 2250.Pp 2251It should be noted that a login script is rarely (if ever) required 2252when PAP or CHAP are in use. 2253.It 2254Ask your ISP to authenticate your nameserver address(es) with the line 2255.Bd -literal -offset indent 2256enable dns 2257.Ed 2258.Pp 2259Do 2260.Em NOT 2261do this if you are running a local DNS unless you also either use 2262.Dq resolv readonly 2263or have 2264.Dq resolv restore 2265in 2266.Pa /etc/ppp/ppp.linkdown , 2267as 2268.Nm 2269will simply circumvent its use by entering some nameserver lines in 2270.Pa /etc/resolv.conf . 2271.El 2272.Pp 2273Please refer to 2274.Pa /usr/share/examples/ppp/ppp.conf.sample 2275and 2276.Pa /usr/share/examples/ppp/ppp.linkup.sample 2277for some real examples. 2278The pmdemand label should be appropriate for most ISPs. 2279.Sh LOGGING FACILITY 2280.Nm 2281is able to generate the following log info either via 2282.Xr syslog 3 2283or directly to the screen: 2284.Pp 2285.Bl -tag -width XXXXXXXXX -offset XXX -compact 2286.It Li All 2287Enable all logging facilities. 2288This generates a lot of log. 2289The most common use of 'all' is as a basis, where you remove some facilities 2290after enabling 'all' ('debug' and 'timer' are usually best disabled.) 2291.It Li Async 2292Dump async level packet in hex. 2293.It Li CBCP 2294Generate CBCP (CallBack Control Protocol) logs. 2295.It Li CCP 2296Generate a CCP packet trace. 2297.It Li Chat 2298Generate 2299.Sq dial , 2300.Sq login , 2301.Sq logout 2302and 2303.Sq hangup 2304chat script trace logs. 2305.It Li Command 2306Log commands executed either from the command line or any of the configuration 2307files. 2308.It Li Connect 2309Log Chat lines containing the string "CONNECT". 2310.It Li Debug 2311Log debug information. 2312.It Li DNS 2313Log DNS QUERY packets. 2314.It Li Filter 2315Log packets permitted by the dial filter and denied by any filter. 2316.It Li HDLC 2317Dump HDLC packet in hex. 2318.It Li ID0 2319Log all function calls specifically made as user id 0. 2320.It Li IPCP 2321Generate an IPCP packet trace. 2322.It Li LCP 2323Generate an LCP packet trace. 2324.It Li LQM 2325Generate LQR reports. 2326.It Li Phase 2327Phase transition log output. 2328.It Li Physical 2329Dump physical level packet in hex. 2330.It Li Sync 2331Dump sync level packet in hex. 2332.It Li TCP/IP 2333Dump all TCP/IP packets. 2334.It Li Timer 2335Log timer manipulation. 2336.It Li TUN 2337Include the tun device on each log line. 2338.It Li Warning 2339Output to the terminal device. 2340If there is currently no terminal, 2341output is sent to the log file using syslogs 2342.Dv LOG_WARNING . 2343.It Li Error 2344Output to both the terminal device 2345and the log file using syslogs 2346.Dv LOG_ERROR . 2347.It Li Alert 2348Output to the log file using 2349.Dv LOG_ALERT . 2350.El 2351.Pp 2352The 2353.Dq set log 2354command allows you to set the logging output level. 2355Multiple levels can be specified on a single command line. 2356The default is equivalent to 2357.Dq set log Phase . 2358.Pp 2359It is also possible to log directly to the screen. 2360The syntax is the same except that the word 2361.Dq local 2362should immediately follow 2363.Dq set log . 2364The default is 2365.Dq set log local 2366(i.e., only the un-maskable warning, error and alert output). 2367.Pp 2368If The first argument to 2369.Dq set log Op local 2370begins with a 2371.Sq + 2372or a 2373.Sq - 2374character, the current log levels are 2375not cleared, for example: 2376.Bd -literal -offset indent 2377PPP ON awfulhak> set log phase 2378PPP ON awfulhak> show log 2379Log: Phase Warning Error Alert 2380Local: Warning Error Alert 2381PPP ON awfulhak> set log +tcp/ip -warning 2382PPP ON awfulhak> set log local +command 2383PPP ON awfulhak> show log 2384Log: Phase TCP/IP Warning Error Alert 2385Local: Command Warning Error Alert 2386.Ed 2387.Pp 2388Log messages of level Warning, Error and Alert are not controllable 2389using 2390.Dq set log Op local . 2391.Pp 2392The 2393.Ar Warning 2394level is special in that it will not be logged if it can be displayed 2395locally. 2396.Sh SIGNAL HANDLING 2397.Nm 2398deals with the following signals: 2399.Bl -tag -width "USR2" 2400.It INT 2401Receipt of this signal causes the termination of the current connection 2402(if any). 2403This will cause 2404.Nm 2405to exit unless it is in 2406.Fl auto 2407or 2408.Fl ddial 2409mode. 2410.It HUP, TERM & QUIT 2411These signals tell 2412.Nm 2413to exit. 2414.It USR1 2415This signal, tells 2416.Nm 2417to re-open any existing server socket, dropping all existing diagnostic 2418connections. 2419Sockets that couldn't previously be opened will be retried. 2420.It USR2 2421This signal, tells 2422.Nm 2423to close any existing server socket, dropping all existing diagnostic 2424connections. 2425.Dv SIGUSR1 2426can still be used to re-open the socket. 2427.El 2428.Sh MULTI-LINK PPP 2429If you wish to use more than one physical link to connect to a 2430.Em PPP 2431peer, that peer must also understand the 2432.Em MULTI-LINK PPP 2433protocol. 2434Refer to RFC 1990 for specification details. 2435.Pp 2436The peer is identified using a combination of his 2437.Dq endpoint discriminator 2438and his 2439.Dq authentication id . 2440Either or both of these may be specified. 2441It is recommended that 2442at least one is specified, otherwise there is no way of ensuring that 2443all links are actually connected to the same peer program, and some 2444confusing lock-ups may result. 2445Locally, these identification variables are specified using the 2446.Dq set enddisc 2447and 2448.Dq set authname 2449commands. 2450The 2451.Sq authname 2452(and 2453.Sq authkey ) 2454must be agreed in advance with the peer. 2455.Pp 2456Multi-link capabilities are enabled using the 2457.Dq set mrru 2458command (set maximum reconstructed receive unit). 2459Once multi-link is enabled, 2460.Nm 2461will attempt to negotiate a multi-link connection with the peer. 2462.Pp 2463By default, only one 2464.Sq link 2465is available 2466(called 2467.Sq deflink ) . 2468To create more links, the 2469.Dq clone 2470command is used. 2471This command will clone existing links, where all 2472characteristics are the same except: 2473.Bl -enum 2474.It 2475The new link has its own name as specified on the 2476.Dq clone 2477command line. 2478.It 2479The new link is an 2480.Sq interactive 2481link. 2482Its mode may subsequently be changed using the 2483.Dq set mode 2484command. 2485.It 2486The new link is in a 2487.Sq closed 2488state. 2489.El 2490.Pp 2491A summary of all available links can be seen using the 2492.Dq show links 2493command. 2494.Pp 2495Once a new link has been created, command usage varies. 2496All link specific commands must be prefixed with the 2497.Dq link Ar name 2498command, specifying on which link the command is to be applied. 2499When only a single link is available, 2500.Nm 2501is smart enough not to require the 2502.Dq link Ar name 2503prefix. 2504.Pp 2505Some commands can still be used without specifying a link - resulting 2506in an operation at the 2507.Sq bundle 2508level. 2509For example, once two or more links are available, the command 2510.Dq show ccp 2511will show CCP configuration and statistics at the multi-link level, and 2512.Dq link deflink show ccp 2513will show the same information at the 2514.Dq deflink 2515link level. 2516.Pp 2517Armed with this information, the following configuration might be used: 2518.Pp 2519.Bd -literal -offset indent 2520mp: 2521 set timeout 0 2522 set log phase chat 2523 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 2524 set phone "123456789" 2525 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\"\\" ATZ \e 2526 OK-AT-OK \\\\dATDT\\\\T TIMEOUT 45 CONNECT" 2527 set login 2528 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0 2529 set authname ppp 2530 set authkey ppppassword 2531 2532 set mrru 1500 2533 clone 1,2,3 # Create 3 new links - duplicates of the default 2534 link deflink remove # Delete the default link (called ``deflink'') 2535.Ed 2536.Pp 2537Note how all cloning is done at the end of the configuration. 2538Usually, the link will be configured first, then cloned. 2539If you wish all links 2540to be up all the time, you can add the following line to the end of your 2541configuration. 2542.Pp 2543.Bd -literal -offset indent 2544 link 1,2,3 set mode ddial 2545.Ed 2546.Pp 2547If you want the links to dial on demand, this command could be used: 2548.Pp 2549.Bd -literal -offset indent 2550 link * set mode auto 2551.Ed 2552.Pp 2553Links may be tied to specific names by removing the 2554.Dq set device 2555line above, and specifying the following after the 2556.Dq clone 2557command: 2558.Pp 2559.Bd -literal -offset indent 2560 link 1 set device /dev/cuaa0 2561 link 2 set device /dev/cuaa1 2562 link 3 set device /dev/cuaa2 2563.Ed 2564.Pp 2565Use the 2566.Dq help 2567command to see which commands require context (using the 2568.Dq link 2569command), which have optional 2570context and which should not have any context. 2571.Pp 2572When 2573.Nm 2574has negotiated 2575.Em MULTI-LINK 2576mode with the peer, it creates a local domain socket in the 2577.Pa /var/run 2578directory. 2579This socket is used to pass link information (including 2580the actual link file descriptor) between different 2581.Nm 2582invocations. 2583This facilitates 2584.Nm Ns No 's 2585ability to be run from a 2586.Xr getty 8 2587or directly from 2588.Pa /etc/gettydefs 2589(using the 2590.Sq pp= 2591capability), without needing to have initial control of the serial 2592line. 2593Once 2594.Nm 2595negotiates multi-link mode, it will pass its open link to any 2596already running process. 2597If there is no already running process, 2598.Nm 2599will act as the master, creating the socket and listening for new 2600connections. 2601.Sh PPP COMMAND LIST 2602This section lists the available commands and their effect. 2603They are usable either from an interactive 2604.Nm 2605session, from a configuration file or from a 2606.Xr pppctl 8 2607or 2608.Xr telnet 1 2609session. 2610.Bl -tag -width 2n 2611.It accept|deny|enable|disable Ar option.... 2612These directives tell 2613.Nm 2614how to negotiate the initial connection with the peer. 2615Each 2616.Dq option 2617has a default of either accept or deny and enable or disable. 2618.Dq Accept 2619means that the option will be ACK'd if the peer asks for it. 2620.Dq Deny 2621means that the option will be NAK'd if the peer asks for it. 2622.Dq Enable 2623means that the option will be requested by us. 2624.Dq Disable 2625means that the option will not be requested by us. 2626.Pp 2627.Dq Option 2628may be one of the following: 2629.Bl -tag -width 2n 2630.It acfcomp 2631Default: Enabled and Accepted. 2632ACFComp stands for Address and Control Field Compression. 2633Non LCP packets will usually have an address 2634field of 0xff (the All-Stations address) and a control field of 26350x03 (the Unnumbered Information command). 2636If this option is 2637negotiated, these two bytes are simply not sent, thus minimising 2638traffic. 2639.Pp 2640See 2641.Pa rfc1662 2642for details. 2643.It chap Ns Op \&05 2644Default: Disabled and Accepted. 2645CHAP stands for Challenge Handshake Authentication Protocol. 2646Only one of CHAP and PAP (below) may be negotiated. 2647With CHAP, the authenticator sends a "challenge" message to its peer. 2648The peer uses a one-way hash function to encrypt the 2649challenge and sends the result back. 2650The authenticator does the same, and compares the results. 2651The advantage of this mechanism is that no 2652passwords are sent across the connection. 2653A challenge is made when the connection is first made. 2654Subsequent challenges may occur. 2655If you want to have your peer authenticate itself, you must 2656.Dq enable chap . 2657in 2658.Pa /etc/ppp/ppp.conf , 2659and have an entry in 2660.Pa /etc/ppp/ppp.secret 2661for the peer. 2662.Pp 2663When using CHAP as the client, you need only specify 2664.Dq AuthName 2665and 2666.Dq AuthKey 2667in 2668.Pa /etc/ppp/ppp.conf . 2669CHAP is accepted by default. 2670Some 2671.Em PPP 2672implementations use "MS-CHAP" rather than MD5 when encrypting the 2673challenge. 2674MS-CHAP is a combination of MD4 and DES. 2675If 2676.Nm 2677was built on a machine with DES libraries available, it will respond 2678to MS-CHAP authentication requests, but will never request them. 2679.It deflate 2680Default: Enabled and Accepted. 2681This option decides if deflate 2682compression will be used by the Compression Control Protocol (CCP). 2683This is the same algorithm as used by the 2684.Xr gzip 1 2685program. 2686Note: There is a problem negotiating 2687.Ar deflate 2688capabilities with 2689.Xr pppd 8 2690- a 2691.Em PPP 2692implementation available under many operating systems. 2693.Nm pppd 2694(version 2.3.1) incorrectly attempts to negotiate 2695.Ar deflate 2696compression using type 2697.Em 24 2698as the CCP configuration type rather than type 2699.Em 26 2700as specified in 2701.Pa rfc1979 . 2702Type 2703.Ar 24 2704is actually specified as 2705.Dq PPP Magna-link Variable Resource Compression 2706in 2707.Pa rfc1975 Ns ! 2708.Nm 2709is capable of negotiating with 2710.Nm pppd , 2711but only if 2712.Dq deflate24 2713is 2714.Ar enable Ns No d 2715and 2716.Ar accept Ns No ed . 2717.It deflate24 2718Default: Disabled and Denied. 2719This is a variance of the 2720.Ar deflate 2721option, allowing negotiation with the 2722.Xr pppd 8 2723program. 2724Refer to the 2725.Ar deflate 2726section above for details. 2727It is disabled by default as it violates 2728.Pa rfc1975 . 2729.It dns 2730Default: Disabled and Denied. 2731This option allows DNS negotiation. 2732.Pp 2733If 2734.Dq enable Ns No d, 2735.Nm 2736will request that the peer confirms the entries in 2737.Pa /etc/resolv.conf . 2738If the peer NAKs our request (suggesting new IP numbers), 2739.Pa /etc/resolv.conf 2740is updated and another request is sent to confirm the new entries. 2741.Pp 2742If 2743.Dq accept Ns No ed, 2744.Nm 2745will answer any DNS queries requested by the peer rather than rejecting 2746them. 2747The answer is taken from 2748.Pa /etc/resolv.conf 2749unless the 2750.Dq set dns 2751command is used as an override. 2752.It enddisc 2753Default: Enabled and Accepted. 2754This option allows control over whether we 2755negotiate an endpoint discriminator. 2756We only send our discriminator if 2757.Dq set enddisc 2758is used and 2759.Ar enddisc 2760is enabled. 2761We reject the peers discriminator if 2762.Ar enddisc 2763is denied. 2764.It LANMan|chap80lm 2765Default: Disabled and Accepted. 2766The use of this authentication protocol 2767is discouraged as it partially violates the authentication protocol by 2768implementing two different mechanisms (LANMan & NT) under the guise of 2769a single CHAP type (0x80). 2770.Dq LANMan 2771uses a simple DES encryption mechanism and is the least secure of the 2772CHAP alternatives (although is still more secure than PAP). 2773.Pp 2774Refer to the 2775.Dq MSChap 2776description below for more details. 2777.It lqr 2778Default: Disabled and Accepted. 2779This option decides if Link Quality Requests will be sent or accepted. 2780LQR is a protocol that allows 2781.Nm 2782to determine that the link is down without relying on the modems 2783carrier detect. 2784When LQR is enabled, 2785.Nm 2786sends the 2787.Em QUALPROTO 2788option (see 2789.Dq set lqrperiod 2790below) as part of the LCP request. 2791If the peer agrees, both sides will 2792exchange LQR packets at the agreed frequency, allowing detailed link 2793quality monitoring by enabling LQM logging. 2794If the peer doesn't agree, 2795.Nm 2796will send ECHO LQR requests instead. 2797These packets pass no information of interest, but they 2798.Em MUST 2799be replied to by the peer. 2800.Pp 2801Whether using LQR or ECHO LQR, 2802.Nm 2803will abruptly drop the connection if 5 unacknowledged packets have been 2804sent rather than sending a 6th. 2805A message is logged at the 2806.Em PHASE 2807level, and any appropriate 2808.Dq reconnect 2809values are honoured as if the peer were responsible for dropping the 2810connection. 2811.It mppe 2812Default: Enabled and Accepted. 2813This is Microsoft Point to Point Encryption scheme. 2814MPPE key size can be 281540-, 56- and 128-bits. 2816Refer to 2817.Dq set mppe 2818command. 2819.It MSChapV2|chap81 2820Default: Disabled and Accepted. 2821It is very similar to standard CHAP (type 0x05) 2822except that it issues challenges of a fixed 16 bytes in length and uses a 2823combination of MD4, SHA-1 and DES to encrypt the challenge rather than using the 2824standard MD5 mechanism. 2825.It MSChap|chap80nt 2826Default: Disabled and Accepted. 2827The use of this authentication protocol 2828is discouraged as it partially violates the authentication protocol by 2829implementing two different mechanisms (LANMan & NT) under the guise of 2830a single CHAP type (0x80). 2831It is very similar to standard CHAP (type 0x05) 2832except that it issues challenges of a fixed 8 bytes in length and uses a 2833combination of MD4 and DES to encrypt the challenge rather than using the 2834standard MD5 mechanism. 2835CHAP type 0x80 for LANMan is also supported - see 2836.Dq enable LANMan 2837for details. 2838.Pp 2839Because both 2840.Dq LANMan 2841and 2842.Dq NT 2843use CHAP type 0x80, when acting as authenticator with both 2844.Dq enable Ns No d , 2845.Nm 2846will rechallenge the peer up to three times if it responds using the wrong 2847one of the two protocols. 2848This gives the peer a chance to attempt using both protocols. 2849.Pp 2850Conversely, when 2851.Nm 2852acts as the authenticatee with both protocols 2853.Dq accept Ns No ed , 2854the protocols are used alternately in response to challenges. 2855.Pp 2856Note: If only LANMan is enabled, 2857.Xr pppd 8 2858(version 2.3.5) misbehaves when acting as authenticatee. 2859It provides both 2860the NT and the LANMan answers, but also suggests that only the NT answer 2861should be used. 2862.It pap 2863Default: Disabled and Accepted. 2864PAP stands for Password Authentication Protocol. 2865Only one of PAP and CHAP (above) may be negotiated. 2866With PAP, the ID and Password are sent repeatedly to the peer until 2867authentication is acknowledged or the connection is terminated. 2868This is a rather poor security mechanism. 2869It is only performed when the connection is first established. 2870If you want to have your peer authenticate itself, you must 2871.Dq enable pap . 2872in 2873.Pa /etc/ppp/ppp.conf , 2874and have an entry in 2875.Pa /etc/ppp/ppp.secret 2876for the peer (although see the 2877.Dq passwdauth 2878and 2879.Dq set radius 2880options below). 2881.Pp 2882When using PAP as the client, you need only specify 2883.Dq AuthName 2884and 2885.Dq AuthKey 2886in 2887.Pa /etc/ppp/ppp.conf . 2888PAP is accepted by default. 2889.It pred1 2890Default: Enabled and Accepted. 2891This option decides if Predictor 1 2892compression will be used by the Compression Control Protocol (CCP). 2893.It protocomp 2894Default: Enabled and Accepted. 2895This option is used to negotiate 2896PFC (Protocol Field Compression), a mechanism where the protocol 2897field number is reduced to one octet rather than two. 2898.It shortseq 2899Default: Enabled and Accepted. 2900This option determines if 2901.Nm 2902will request and accept requests for short 2903(12 bit) 2904sequence numbers when negotiating multi-link mode. 2905This is only applicable if our MRRU is set (thus enabling multi-link). 2906.It vjcomp 2907Default: Enabled and Accepted. 2908This option determines if Van Jacobson header compression will be used. 2909.El 2910.Pp 2911The following options are not actually negotiated with the peer. 2912Therefore, accepting or denying them makes no sense. 2913.Bl -tag -width 2n 2914.It filter-decapsulation 2915Default: Disabled. 2916When this option is enabled, 2917.Nm 2918will examine UDP frames to see if they actually contain a 2919.Em PPP 2920frame as their payload. 2921If this is the case, all filters will operate on the payload rather 2922than the actual packet. 2923.Pp 2924This is useful if you want to send PPPoUDP traffic over a 2925.Em PPP 2926link, but want that link to do smart things with the real data rather than 2927the UDP wrapper. 2928.Pp 2929The UDP frame payload must not be compressed in any way, otherwise 2930.Nm 2931will not be able to interpret it. 2932It's therefore recommended that you 2933.Ic disable vj pred1 deflate 2934and 2935.Ic deny vj pred1 deflate 2936in the configuration for the 2937.Nm 2938invocation with the udp link. 2939.It idcheck 2940Default: Enabled. 2941When 2942.Nm 2943exchanges low-level LCP, CCP and IPCP configuration traffic, the 2944.Em Identifier 2945field of any replies is expected to be the same as that of the request. 2946By default, 2947.Nm 2948drops any reply packets that do not contain the expected identifier 2949field, reporting the fact at the respective log level. 2950If 2951.Ar idcheck 2952is disabled, 2953.Nm 2954will ignore the identifier field. 2955.It iface-alias 2956Default: Enabled if 2957.Fl nat 2958is specified. 2959This option simply tells 2960.Nm 2961to add new interface addresses to the interface rather than replacing them. 2962The option can only be enabled if network address translation is enabled 2963.Pq Dq nat enable yes . 2964.Pp 2965With this option enabled, 2966.Nm 2967will pass traffic for old interface addresses through the NAT 2968ifdef({LOCALNAT},{engine,},{engine 2969(see 2970.Xr libalias 3 ) ,}) 2971resulting in the ability (in 2972.Fl auto 2973mode) to properly connect the process that caused the PPP link to 2974come up in the first place. 2975.Pp 2976Disabling NAT with 2977.Dq nat enable no 2978will also disable 2979.Sq iface-alias . 2980.It ipcp 2981Default: Enabled. 2982This option allows 2983.Nm 2984to attempt to negotiate IP control protocol capabilities and if 2985successful to exchange IP datagrams with the peer. 2986.It ipv6cp 2987Default: Enabled. 2988This option allows 2989.Nm 2990to attempt to negotiate IPv6 control protocol capabilities and if 2991successful to exchange IPv6 datagrams with the peer. 2992.It keep-session 2993Default: Disabled. 2994When 2995.Nm 2996runs as a Multi-link server, a different 2997.Nm 2998instance initially receives each connection. 2999After determining that 3000the link belongs to an already existing bundle (controlled by another 3001.Nm 3002invocation), 3003.Nm 3004will transfer the link to that process. 3005.Pp 3006If the link is a tty device or if this option is enabled, 3007.Nm 3008will not exit, but will change its process name to 3009.Dq session owner 3010and wait for the controlling 3011.Nm 3012to finish with the link and deliver a signal back to the idle process. 3013This prevents the confusion that results from 3014.Nm Ns No 's 3015parent considering the link resource available again. 3016.Pp 3017For tty devices that have entries in 3018.Pa /etc/ttys , 3019this is necessary to prevent another 3020.Xr getty 8 3021from being started, and for program links such as 3022.Xr sshd 8 , 3023it prevents 3024.Xr sshd 8 3025from exiting due to the death of its child. 3026As 3027.Nm 3028cannot determine its parents requirements (except for the tty case), this 3029option must be enabled manually depending on the circumstances. 3030.It loopback 3031Default: Enabled. 3032When 3033.Ar loopback 3034is enabled, 3035.Nm 3036will automatically loop back packets being sent 3037out with a destination address equal to that of the 3038.Em PPP 3039interface. 3040If disabled, 3041.Nm 3042will send the packet, probably resulting in an ICMP redirect from 3043the other end. 3044It is convenient to have this option enabled when 3045the interface is also the default route as it avoids the necessity 3046of a loopback route. 3047.It passwdauth 3048Default: Disabled. 3049Enabling this option will tell the PAP authentication 3050code to use the password database (see 3051.Xr passwd 5 ) 3052to authenticate the caller if they cannot be found in the 3053.Pa /etc/ppp/ppp.secret 3054file. 3055.Pa /etc/ppp/ppp.secret 3056is always checked first. 3057If you wish to use passwords from 3058.Xr passwd 5 , 3059but also to specify an IP number or label for a given client, use 3060.Dq \&* 3061as the client password in 3062.Pa /etc/ppp/ppp.secret . 3063.It proxy 3064Default: Disabled. 3065Enabling this option will tell 3066.Nm 3067to proxy ARP for the peer. 3068This means that 3069.Nm 3070will make an entry in the ARP table using 3071.Dv HISADDR 3072and the 3073.Dv MAC 3074address of the local network in which 3075.Dv HISADDR 3076appears. 3077This allows other machines connecteed to the LAN to talk to 3078the peer as if the peer itself was connected to the LAN. 3079The proxy entry cannot be made unless 3080.Dv HISADDR 3081is an address from a LAN. 3082.It proxyall 3083Default: Disabled. 3084Enabling this will tell 3085.Nm 3086to add proxy arp entries for every IP address in all class C or 3087smaller subnets routed via the tun interface. 3088.Pp 3089Proxy arp entries are only made for sticky routes that are added 3090using the 3091.Dq add 3092command. 3093No proxy arp entries are made for the interface address itself 3094(as created by the 3095.Dq set ifaddr 3096command). 3097.It sroutes 3098Default: Enabled. 3099When the 3100.Dq add 3101command is used with the 3102.Dv HISADDR , 3103.Dv MYADDR , 3104.Dv HISADDR6 3105or 3106.Dv MYADDR6 3107values, entries are stored in the 3108.Sq sticky route 3109list. 3110Each time these variables change, this list is re-applied to the routing table. 3111.Pp 3112Disabling this option will prevent the re-application of sticky routes, 3113although the 3114.Sq stick route 3115list will still be maintained. 3116.It Op tcp Ns Xo 3117.No mssfixup 3118.Xc 3119Default: Enabled. 3120This option tells 3121.Nm 3122to adjust TCP SYN packets so that the maximum receive segment 3123size is not greater than the amount allowed by the interface MTU. 3124.It throughput 3125Default: Enabled. 3126This option tells 3127.Nm 3128to gather throughput statistics. 3129Input and output is sampled over 3130a rolling 5 second window, and current, best and total figures are retained. 3131This data is output when the relevant 3132.Em PPP 3133layer shuts down, and is also available using the 3134.Dq show 3135command. 3136Throughput statistics are available at the 3137.Dq IPCP 3138and 3139.Dq physical 3140levels. 3141.It utmp 3142Default: Enabled. 3143Normally, when a user is authenticated using PAP or CHAP, and when 3144.Nm 3145is running in 3146.Fl direct 3147mode, an entry is made in the utmp and wtmp files for that user. 3148Disabling this option will tell 3149.Nm 3150not to make any utmp or wtmp entries. 3151This is usually only necessary if 3152you require the user to both login and authenticate themselves. 3153.El 3154.Pp 3155.It add Ns Xo 3156.Op !\& 3157.Ar dest Ns Op / Ns Ar nn 3158.Op Ar mask 3159.Op Ar gateway 3160.Xc 3161.Ar Dest 3162is the destination IP address. 3163The netmask is specified either as a number of bits with 3164.Ar /nn 3165or as an IP number using 3166.Ar mask . 3167.Ar 0 0 3168or simply 3169.Ar 0 3170with no mask refers to the default route. 3171It is also possible to use the literal name 3172.Sq default 3173instead of 3174.Ar 0 . 3175.Ar Gateway 3176is the next hop gateway to get to the given 3177.Ar dest 3178machine/network. 3179Refer to the 3180.Xr route 8 3181command for further details. 3182.Pp 3183It is possible to use the symbolic names 3184.Sq MYADDR , 3185.Sq HISADDR , 3186.Sq MYADDR6 3187or 3188.Sq HISADDR6 3189as the destination, and 3190.Sq HISADDR 3191or 3192.Sq HISADDR6 3193as the 3194.Ar gateway . 3195.Sq MYADDR 3196is replaced with the interface IP address, 3197.Sq HISADDR 3198is replaced with the interface IP destination (peer) address, 3199.Sq MYADDR6 3200is replaced with the interface IPv6 address, and 3201.Sq HISADDR6 3202is replaced with the interface IPv6 destination address, 3203.Pp 3204If the 3205.Ar add!\& 3206command is used 3207(note the trailing 3208.Dq !\& ) , 3209then if the route already exists, it will be updated as with the 3210.Sq route change 3211command (see 3212.Xr route 8 3213for further details). 3214.Pp 3215Routes that contain the 3216.Dq HISADDR , 3217.Dq MYADDR , 3218.Dq HISADDR6 , 3219.Dq MYADDR6 , 3220.Dq DNS0 , 3221or 3222.Dq DNS1 3223constants are considered 3224.Sq sticky . 3225They are stored in a list (use 3226.Dq show ncp 3227to see the list), and each time the value of one of these variables 3228changes, the appropriate routing table entries are updated. 3229This facility may be disabled using 3230.Dq disable sroutes . 3231.It allow Ar command Op Ar args 3232This command controls access to 3233.Nm 3234and its configuration files. 3235It is possible to allow user-level access, 3236depending on the configuration file label and on the mode that 3237.Nm 3238is being run in. 3239For example, you may wish to configure 3240.Nm 3241so that only user 3242.Sq fred 3243may access label 3244.Sq fredlabel 3245in 3246.Fl background 3247mode. 3248.Pp 3249User id 0 is immune to these commands. 3250.Bl -tag -width 2n 3251.It allow user Ns Xo 3252.Op s 3253.Ar logname Ns No ... 3254.Xc 3255By default, only user id 0 is allowed access to 3256.Nm . 3257If this command is used, all of the listed users are allowed access to 3258the section in which the 3259.Dq allow users 3260command is found. 3261The 3262.Sq default 3263section is always checked first (even though it is only ever automatically 3264loaded at startup). 3265.Dq allow users 3266commands are cumulative in a given section, but users allowed in any given 3267section override users allowed in the default section, so it's possible to 3268allow users access to everything except a given label by specifying default 3269users in the 3270.Sq default 3271section, and then specifying a new user list for that label. 3272.Pp 3273If user 3274.Sq * 3275is specified, access is allowed to all users. 3276.It allow mode Ns Xo 3277.Op s 3278.Ar mode Ns No ... 3279.Xc 3280By default, access using any 3281.Nm 3282mode is possible. 3283If this command is used, it restricts the access 3284.Ar modes 3285allowed to load the label under which this command is specified. 3286Again, as with the 3287.Dq allow users 3288command, each 3289.Dq allow modes 3290command overrides any previous settings, and the 3291.Sq default 3292section is always checked first. 3293.Pp 3294Possible modes are: 3295.Sq interactive , 3296.Sq auto , 3297.Sq direct , 3298.Sq dedicated , 3299.Sq ddial , 3300.Sq background 3301and 3302.Sq * . 3303.Pp 3304When running in multi-link mode, a section can be loaded if it allows 3305.Em any 3306of the currently existing line modes. 3307.El 3308.Pp 3309.It nat Ar command Op Ar args 3310This command allows the control of the network address translation (also 3311known as masquerading or IP aliasing) facilities that are built into 3312.Nm . 3313NAT is done on the external interface only, and is unlikely to make sense 3314if used with the 3315.Fl direct 3316flag. 3317.Pp 3318If nat is enabled on your system (it may be omitted at compile time), 3319the following commands are possible: 3320.Bl -tag -width 2n 3321.It nat enable yes|no 3322This command either switches network address translation on or turns it off. 3323The 3324.Fl nat 3325command line flag is synonymous with 3326.Dq nat enable yes . 3327.It nat addr Op Ar addr_local addr_alias 3328This command allows data for 3329.Ar addr_alias 3330to be redirected to 3331.Ar addr_local . 3332It is useful if you own a small number of real IP numbers that 3333you wish to map to specific machines behind your gateway. 3334.It nat deny_incoming yes|no 3335If set to yes, this command will refuse all incoming packets where an 3336aliasing link doesn't already exist. 3337ifdef({LOCALNAT},{},{Refer to the 3338.Sx CONCEPTUAL BACKGROUND 3339section of 3340.Xr libalias 3 3341for a description of what an 3342.Dq aliasing link 3343is. 3344})dnl 3345.Pp 3346It should be noted under what circumstances an aliasing link is 3347ifdef({LOCALNAT},{created.},{created by 3348.Xr libalias 3 .}) 3349It may be necessary to further protect your network from outside 3350connections using the 3351.Dq set filter 3352or 3353.Dq nat target 3354commands. 3355.It nat help|? 3356This command gives a summary of available nat commands. 3357.It nat log yes|no 3358This option causes various NAT statistics and information to 3359be logged to the file 3360.Pa /var/log/alias.log . 3361.It nat port Ar proto Ar targetIP Ns Xo 3362.No : Ns Ar targetPort Ns 3363.Oo 3364.No - Ns Ar targetPort 3365.Oc Ar aliasPort Ns 3366.Oo 3367.No - Ns Ar aliasPort 3368.Oc Oo Ar remoteIP : Ns 3369.Ar remotePort Ns 3370.Oo 3371.No - Ns Ar remotePort 3372.Oc Ns 3373.Oc 3374.Xc 3375This command causes incoming 3376.Ar proto 3377connections to 3378.Ar aliasPort 3379to be redirected to 3380.Ar targetPort 3381on 3382.Ar targetIP . 3383.Ar proto 3384is either 3385.Dq tcp 3386or 3387.Dq udp . 3388.Pp 3389A range of port numbers may be specified as shown above. 3390The ranges must be of the same size. 3391.Pp 3392If 3393.Ar remoteIP 3394is specified, only data coming from that IP number is redirected. 3395.Ar remotePort 3396must either be 3397.Dq 0 3398(indicating any source port) 3399or a range of ports the same size as the other ranges. 3400.Pp 3401This option is useful if you wish to run things like Internet phone on 3402machines behind your gateway, but is limited in that connections to only 3403one interior machine per source machine and target port are possible. 3404.It nat proto Ar proto localIP Oo 3405.Ar publicIP Op Ar remoteIP 3406.Oc 3407This command tells 3408.Nm 3409to redirect packets of protocol type 3410.Ar proto 3411(see 3412.Xr protocols 5 ) 3413to the internal address 3414.Ar localIP . 3415.Pp 3416If 3417.Ar publicIP 3418is specified, only packets destined for that address are matched, 3419otherwise the default alias address is used. 3420.Pp 3421If 3422.Ar remoteIP 3423is specified, only packets matching that source address are matched, 3424.Pp 3425This command is useful for redirecting tunnel endpoints to an internal machine, 3426for example: 3427.Pp 3428.Dl nat proto ipencap 10.0.0.1 3429.It "nat proxy cmd" Ar arg Ns No ... 3430This command tells 3431.Nm 3432to proxy certain connections, redirecting them to a given server. 3433ifdef({LOCALNAT},{},{Refer to the description of 3434.Fn PacketAliasProxyRule 3435in 3436.Xr libalias 3 3437for details of the available commands. 3438})dnl 3439.It nat punch_fw Op Ar base count 3440This command tells 3441.Nm 3442to punch holes in the firewall for FTP or IRC DCC connections. 3443This is done dynamically by installing termporary firewall rules which 3444allow a particular connection (and only that connection) to go through 3445the firewall. 3446The rules are removed once the corresponding connection terminates. 3447.Pp 3448A maximum of 3449.Ar count 3450rules starting from rule number 3451.Ar base 3452will be used for punching firewall holes. 3453The range will be cleared when the 3454.Dq nat punch_fw 3455command is run. 3456.Pp 3457If no arguments are given, firewall punching is disabled. 3458.It nat same_ports yes|no 3459When enabled, this command will tell the network address translation engine to 3460attempt to avoid changing the port number on outgoing packets. 3461This is useful 3462if you want to support protocols such as RPC and LPD which require 3463connections to come from a well known port. 3464.It nat target Op Ar address 3465Set the given target address or clear it if no address is given. 3466The target address is used 3467ifdef({LOCALNAT},{},{by libalias })dnl 3468to specify how to NAT incoming packets by default. 3469If a target address is not set or if 3470.Dq default 3471is given, packets are not altered and are allowed to route to the internal 3472network. 3473.Pp 3474The target address may be set to 3475.Dq MYADDR , 3476in which case 3477ifdef({LOCALNAT},{all packets will be redirected}, 3478{libalias will redirect all packets}) 3479to the interface address. 3480.It nat use_sockets yes|no 3481When enabled, this option tells the network address translation engine to 3482create a socket so that it can guarantee a correct incoming ftp data or 3483IRC connection. 3484.It nat unregistered_only yes|no 3485Only alter outgoing packets with an unregistered source address. 3486According to RFC 1918, unregistered source addresses 3487are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. 3488.El 3489.Pp 3490These commands are also discussed in the file 3491.Pa README.nat 3492which comes with the source distribution. 3493.Pp 3494.It Op !\& Ns Xo 3495.No bg Ar command 3496.Xc 3497The given 3498.Ar command 3499is executed in the background with the following words replaced: 3500.Bl -tag -width COMPILATIONDATE 3501.It Li AUTHNAME 3502This is replaced with the local 3503.Ar authname 3504value. 3505See the 3506.Dq set authname 3507command below. 3508.It Li COMPILATIONDATE 3509This is replaced with the date on which 3510.Nm 3511was compiled. 3512.It Li DNS0 & DNS1 3513These are replaced with the primary and secondary nameserver IP numbers. 3514If nameservers are negotiated by IPCP, the values of these macros will change. 3515.It Li ENDDISC 3516This is replaced with the local endpoint discriminator value. 3517See the 3518.Dq set enddisc 3519command below. 3520.It Li HISADDR 3521This is replaced with the peers IP number. 3522.It Li HISADDR6 3523This is replaced with the peers IPv6 number. 3524.It Li INTERFACE 3525This is replaced with the name of the interface that's in use. 3526.It Li IPOCTETSIN 3527This is replaced with the number of IP bytes received since the connection 3528was established. 3529.It Li IPOCTETSOUT 3530This is replaced with the number of IP bytes sent since the connection 3531was established. 3532.It Li IPPACKETSIN 3533This is replaced with the number of IP packets received since the connection 3534was established. 3535.It Li IPPACKETSOUT 3536This is replaced with the number of IP packets sent since the connection 3537was established. 3538.It Li IPV6OCTETSIN 3539This is replaced with the number of IPv6 bytes received since the connection 3540was established. 3541.It Li IPV6OCTETSOUT 3542This is replaced with the number of IPv6 bytes sent since the connection 3543was established. 3544.It Li IPV6PACKETSIN 3545This is replaced with the number of IPv6 packets received since the connection 3546was established. 3547.It Li IPV6PACKETSOUT 3548This is replaced with the number of IPv6 packets sent since the connection 3549was established. 3550.It Li LABEL 3551This is replaced with the last label name used. 3552A label may be specified on the 3553.Nm 3554command line, via the 3555.Dq load 3556or 3557.Dq dial 3558commands and in the 3559.Pa ppp.secret 3560file. 3561.It Li MYADDR 3562This is replaced with the IP number assigned to the local interface. 3563.It Li MYADDR6 3564This is replaced with the IPv6 number assigned to the local interface. 3565.It Li OCTETSIN 3566This is replaced with the number of bytes received since the connection 3567was established. 3568.It Li OCTETSOUT 3569This is replaced with the number of bytes sent since the connection 3570was established. 3571.It Li PACKETSIN 3572This is replaced with the number of packets received since the connection 3573was established. 3574.It Li PACKETSOUT 3575This is replaced with the number of packets sent since the connection 3576was established. 3577.It Li PEER_ENDDISC 3578This is replaced with the value of the peers endpoint discriminator. 3579.It Li PROCESSID 3580This is replaced with the current process id. 3581.It Li SOCKNAME 3582This is replaced with the name of the diagnostic socket. 3583.It Li UPTIME 3584This is replaced with the bundle uptime in HH:MM:SS format. 3585.It Li USER 3586This is replaced with the username that has been authenticated with PAP or 3587CHAP. 3588Normally, this variable is assigned only in -direct mode. 3589This value is available irrespective of whether utmp logging is enabled. 3590.It Li VERSION 3591This is replaced with the current version number of 3592.Nm . 3593.El 3594.Pp 3595These substitutions are also done by the 3596.Dq set proctitle , 3597.Dq ident 3598and 3599.Dq log 3600commands. 3601.Pp 3602If you wish to pause 3603.Nm 3604while the command executes, use the 3605.Dq shell 3606command instead. 3607.It clear physical|ipcp|ipv6 Op current|overall|peak... 3608Clear the specified throughput values at either the 3609.Dq physical , 3610.Dq ipcp 3611or 3612.Dq ipv6cp 3613level. 3614If 3615.Dq physical 3616is specified, context must be given (see the 3617.Dq link 3618command below). 3619If no second argument is given, all values are cleared. 3620.It clone Ar name Ns Xo 3621.Op \&, Ns Ar name Ns 3622.No ... 3623.Xc 3624Clone the specified link, creating one or more new links according to the 3625.Ar name 3626argument(s). 3627This command must be used from the 3628.Dq link 3629command below unless you've only got a single link (in which case that 3630link becomes the default). 3631Links may be removed using the 3632.Dq remove 3633command below. 3634.Pp 3635The default link name is 3636.Dq deflink . 3637.It close Op lcp|ccp Ns Op !\& 3638If no arguments are given, the relevant protocol layers will be brought 3639down and the link will be closed. 3640If 3641.Dq lcp 3642is specified, the LCP layer is brought down, but 3643.Nm 3644will not bring the link offline. 3645It is subsequently possible to use 3646.Dq term 3647(see below) 3648to talk to the peer machine if, for example, something like 3649.Dq slirp 3650is being used. 3651If 3652.Dq ccp 3653is specified, only the relevant compression layer is closed. 3654If the 3655.Dq !\& 3656is used, the compression layer will remain in the closed state, otherwise 3657it will re-enter the STOPPED state, waiting for the peer to initiate 3658further CCP negotiation. 3659In any event, this command does not disconnect the user from 3660.Nm 3661or exit 3662.Nm . 3663See the 3664.Dq quit 3665command below. 3666.It delete Ns Xo 3667.Op !\& 3668.Ar dest 3669.Xc 3670This command deletes the route with the given 3671.Ar dest 3672IP address. 3673If 3674.Ar dest 3675is specified as 3676.Sq ALL , 3677all non-direct entries in the routing table for the current interface, 3678and all 3679.Sq sticky route 3680entries are deleted. 3681If 3682.Ar dest 3683is specified as 3684.Sq default , 3685the default route is deleted. 3686.Pp 3687If the 3688.Ar delete!\& 3689command is used 3690(note the trailing 3691.Dq !\& ) , 3692.Nm 3693will not complain if the route does not already exist. 3694.It dial|call Op Ar label Ns Xo 3695.No ... 3696.Xc 3697This command is the equivalent of 3698.Dq load label 3699followed by 3700.Dq open , 3701and is provided for backwards compatibility. 3702.It down Op Ar lcp|ccp 3703Bring the relevant layer down ungracefully, as if the underlying layer 3704had become unavailable. 3705It's not considered polite to use this command on 3706a Finite State Machine that's in the OPEN state. 3707If no arguments are 3708supplied, the entire link is closed (or if no context is given, all links 3709are terminated). 3710If 3711.Sq lcp 3712is specified, the 3713.Em LCP 3714layer is terminated but the device is not brought offline and the link 3715is not closed. 3716If 3717.Sq ccp 3718is specified, only the relevant compression layer(s) are terminated. 3719.It help|? Op Ar command 3720Show a list of available commands. 3721If 3722.Ar command 3723is specified, show the usage string for that command. 3724.It ident Op Ar text Ns No ... 3725Identify the link to the peer using 3726.Ar text . 3727If 3728.Ar text 3729is empty, link identification is disabled. 3730It is possible to use any of the words described for the 3731.Ic bg 3732command above. 3733Refer to the 3734.Ic sendident 3735command for details of when 3736.Nm 3737identifies itself to the peer. 3738.It iface Ar command Op args 3739This command is used to control the interface used by 3740.Nm . 3741.Ar Command 3742may be one of the following: 3743.Bl -tag -width 2n 3744.It iface add Ns Xo 3745.Op !\& 3746.Ar addr Ns Op / Ns Ar bits 3747.Op Ar peer 3748.Xc 3749.It iface add Ns Xo 3750.Op !\& 3751.Ar addr 3752.Ar mask 3753.Ar peer 3754.Xc 3755Add the given 3756.Ar addr mask peer 3757combination to the interface. 3758Instead of specifying 3759.Ar mask , 3760.Ar /bits 3761can be used 3762(with no space between it and 3763.Ar addr ) . 3764If the given address already exists, the command fails unless the 3765.Dq !\& 3766is used - in which case the previous interface address entry is overwritten 3767with the new one, allowing a change of netmask or peer address. 3768.Pp 3769If only 3770.Ar addr 3771is specified, 3772.Ar bits 3773defaults to 3774.Dq 32 3775and 3776.Ar peer 3777defaults to 3778.Dq 255.255.255.255 . 3779This address (the broadcast address) is the only duplicate peer address that 3780.Nm 3781allows. 3782.It iface clear Op INET | INET6 3783If this command is used while 3784.Nm 3785is in the OPENED state or while in 3786.Fl auto 3787mode, all addresses except for the NCP negotiated address are deleted 3788from the interface. 3789If 3790.Nm 3791is not in the OPENED state and is not in 3792.Fl auto 3793mode, all interface addresses are deleted. 3794.Pp 3795If the INET or INET6 arguments are used, only addresses for that address 3796family are cleared. 3797.Pp 3798.It iface delete Ns Xo 3799.Op !\& Ns 3800.No |rm Ns Op !\& 3801.Ar addr 3802.Xc 3803This command deletes the given 3804.Ar addr 3805from the interface. 3806If the 3807.Dq !\& 3808is used, no error is given if the address isn't currently assigned to 3809the interface (and no deletion takes place). 3810.It iface show 3811Shows the current state and current addresses for the interface. 3812It is much the same as running 3813.Dq ifconfig INTERFACE . 3814.It iface help Op Ar sub-command 3815This command, when invoked without 3816.Ar sub-command , 3817will show a list of possible 3818.Dq iface 3819sub-commands and a brief synopsis for each. 3820When invoked with 3821.Ar sub-command , 3822only the synopsis for the given sub-command is shown. 3823.El 3824.It Op data Ns Xo 3825.No link 3826.Ar name Ns Op , Ns Ar name Ns 3827.No ... Ar command Op Ar args 3828.Xc 3829This command may prefix any other command if the user wishes to 3830specify which link the command should affect. 3831This is only applicable after multiple links have been created in Multi-link 3832mode using the 3833.Dq clone 3834command. 3835.Pp 3836.Ar Name 3837specifies the name of an existing link. 3838If 3839.Ar name 3840is a comma separated list, 3841.Ar command 3842is executed on each link. 3843If 3844.Ar name 3845is 3846.Dq * , 3847.Ar command 3848is executed on all links. 3849.It load Op Ar label Ns Xo 3850.No ... 3851.Xc 3852Load the given 3853.Ar label Ns No (s) 3854from the 3855.Pa ppp.conf 3856file. 3857If 3858.Ar label 3859is not given, the 3860.Ar default 3861label is used. 3862.Pp 3863Unless the 3864.Ar label 3865section uses the 3866.Dq set mode , 3867.Dq open 3868or 3869.Dq dial 3870commands, 3871.Nm 3872will not attempt to make an immediate connection. 3873.It log Ar word Ns No ... 3874Send the given word(s) to the log file with the prefix 3875.Dq LOG: . 3876Word substitutions are done as explained under the 3877.Dq !bg 3878command above. 3879.It open Op lcp|ccp|ipcp 3880This is the opposite of the 3881.Dq close 3882command. 3883All closed links are immediately brought up apart from second and subsequent 3884.Ar demand-dial 3885links - these will come up based on the 3886.Dq set autoload 3887command that has been used. 3888.Pp 3889If the 3890.Dq lcp 3891argument is used while the LCP layer is already open, LCP will be 3892renegotiated. 3893This allows various LCP options to be changed, after which 3894.Dq open lcp 3895can be used to put them into effect. 3896After renegotiating LCP, 3897any agreed authentication will also take place. 3898.Pp 3899If the 3900.Dq ccp 3901argument is used, the relevant compression layer is opened. 3902Again, if it is already open, it will be renegotiated. 3903.Pp 3904If the 3905.Dq ipcp 3906argument is used, the link will be brought up as normal, but if 3907IPCP is already open, it will be renegotiated and the network 3908interface will be reconfigured. 3909.Pp 3910It is probably not good practice to re-open the PPP state machines 3911like this as it's possible that the peer will not behave correctly. 3912It 3913.Em is 3914however useful as a way of forcing the CCP or VJ dictionaries to be reset. 3915.It passwd Ar pass 3916Specify the password required for access to the full 3917.Nm 3918command set. 3919This password is required when connecting to the diagnostic port (see the 3920.Dq set server 3921command). 3922.Ar Pass 3923is specified on the 3924.Dq set server 3925command line. 3926The value of 3927.Ar pass 3928is not logged when 3929.Ar command 3930logging is active, instead, the literal string 3931.Sq ******** 3932is logged. 3933.It quit|bye Op all 3934If 3935.Dq quit 3936is executed from the controlling connection or from a command file, 3937ppp will exit after closing all connections. 3938Otherwise, if the user 3939is connected to a diagnostic socket, the connection is simply dropped. 3940.Pp 3941If the 3942.Ar all 3943argument is given, 3944.Nm 3945will exit despite the source of the command after closing all existing 3946connections. 3947.It remove|rm 3948This command removes the given link. 3949It is only really useful in multi-link mode. 3950A link must be in the 3951.Dv CLOSED 3952state before it is removed. 3953.It rename|mv Ar name 3954This command renames the given link to 3955.Ar name . 3956It will fail if 3957.Ar name 3958is already used by another link. 3959.Pp 3960The default link name is 3961.Sq deflink . 3962Renaming it to 3963.Sq modem , 3964.Sq cuaa0 3965or 3966.Sq USR 3967may make the log file more readable. 3968.It resolv Ar command 3969This command controls 3970.Nm Ns No 's 3971manipulation of the 3972.Xr resolv.conf 5 3973file. 3974When 3975.Nm 3976starts up, it loads the contents of this file into memory and retains this 3977image for future use. 3978.Ar command 3979is one of the following: 3980.Bl -tag -width readonly 3981.It Em readonly 3982Treat 3983.Pa /etc/resolv.conf 3984as read only. 3985If 3986.Dq dns 3987is enabled, 3988.Nm 3989will still attempt to negotiate nameservers with the peer, making the results 3990available via the 3991.Dv DNS0 3992and 3993.Dv DNS1 3994macros. 3995This is the opposite of the 3996.Dq resolv writable 3997command. 3998.It Em reload 3999Reload 4000.Pa /etc/resolv.conf 4001into memory. 4002This may be necessary if for example a DHCP client overwrote 4003.Pa /etc/resolv.conf . 4004.It Em restore 4005Replace 4006.Pa /etc/resolv.conf 4007with the version originally read at startup or with the last 4008.Dq resolv reload 4009command. 4010This is sometimes a useful command to put in the 4011.Pa /etc/ppp/ppp.linkdown 4012file. 4013.It Em rewrite 4014Rewrite the 4015.Pa /etc/resolv.conf 4016file. 4017This command will work even if the 4018.Dq resolv readonly 4019command has been used. 4020It may be useful as a command in the 4021.Pa /etc/ppp/ppp.linkup 4022file if you wish to defer updating 4023.Pa /etc/resolv.conf 4024until after other commands have finished. 4025.It Em writable 4026Allow 4027.Nm 4028to update 4029.Pa /etc/resolv.conf 4030if 4031.Dq dns 4032is enabled and 4033.Nm 4034successfully negotiates a DNS. 4035This is the opposite of the 4036.Dq resolv readonly 4037command. 4038.El 4039.It save 4040This option is not (yet) implemented. 4041.It sendident 4042This command tells 4043.Nm 4044to identify itself to the peer. 4045The link must be in LCP state or higher. 4046If no identity has been set (via the 4047.Ic ident 4048command), 4049.Ic sendident 4050will fail. 4051.Pp 4052When an identity has been set, 4053.Nm 4054will automatically identify itself when it sends or receives a configure 4055reject, when negotiation fails or when LCP reaches the opened state. 4056.Pp 4057Received identification packets are logged to the LCP log (see 4058.Ic set log 4059for details) and are never responded to. 4060.It set Ns Xo 4061.Op up 4062.Ar var value 4063.Xc 4064This option allows the setting of any of the following variables: 4065.Bl -tag -width 2n 4066.It set accmap Ar hex-value 4067ACCMap stands for Asynchronous Control Character Map. 4068This is always 4069negotiated with the peer, and defaults to a value of 00000000 in hex. 4070This protocol is required to defeat hardware that depends on passing 4071certain characters from end to end (such as XON/XOFF etc). 4072.Pp 4073For the XON/XOFF scenario, use 4074.Dq set accmap 000a0000 . 4075.It set Op auth Ns Xo 4076.No key Ar value 4077.Xc 4078This sets the authentication key (or password) used in client mode 4079PAP or CHAP negotiation to the given value. 4080It also specifies the 4081password to be used in the dial or login scripts in place of the 4082.Sq \eP 4083sequence, preventing the actual password from being logged. 4084If 4085.Ar command 4086or 4087.Ar chat 4088logging is in effect, 4089.Ar value 4090is logged as 4091.Sq ******** 4092for security reasons. 4093.Pp 4094If the first character of 4095.Ar value 4096is an exclamation mark 4097.Pq Dq !\& , 4098.Nm 4099treats the remainder of the string as a program that must be executed 4100to determine the 4101.Dq authname 4102and 4103.Dq authkey 4104values. 4105.Pp 4106If the 4107.Dq !\& 4108is doubled up 4109(to 4110.Dq !! ) , 4111it is treated as a single literal 4112.Dq !\& , 4113otherwise, ignoring the 4114.Dq !\& , 4115.Ar value 4116is parsed as a program to execute in the same was as the 4117.Dq !bg 4118command above, substituting special names in the same manner. 4119Once executed, 4120.Nm 4121will feed the program three lines of input, each terminated by a newline 4122character: 4123.Bl -bullet 4124.It 4125The host name as sent in the CHAP challenge. 4126.It 4127The challenge string as sent in the CHAP challenge. 4128.It 4129The locally defined 4130.Dq authname . 4131.El 4132.Pp 4133Two lines of output are expected: 4134.Bl -bullet 4135.It 4136The 4137.Dq authname 4138to be sent with the CHAP response. 4139.It 4140The 4141.Dq authkey , 4142which is encrypted with the challenge and request id, the answer being sent 4143in the CHAP response packet. 4144.El 4145.Pp 4146When configuring 4147.Nm 4148in this manner, it's expected that the host challenge is a series of ASCII 4149digits or characters. 4150An encryption device or Secure ID card is usually 4151required to calculate the secret appropriate for the given challenge. 4152.It set authname Ar id 4153This sets the authentication id used in client mode PAP or CHAP negotiation. 4154.Pp 4155If used in 4156.Fl direct 4157mode with CHAP enabled, 4158.Ar id 4159is used in the initial authentication challenge and should normally be set to 4160the local machine name. 4161.It set autoload Xo 4162.Ar min-percent max-percent period 4163.Xc 4164These settings apply only in multi-link mode and default to zero, zero and 4165five respectively. 4166When more than one 4167.Ar demand-dial 4168(also known as 4169.Fl auto ) 4170mode link is available, only the first link is made active when 4171.Nm 4172first reads data from the tun device. 4173The next 4174.Ar demand-dial 4175link will be opened only when the current bundle throughput is at least 4176.Ar max-percent 4177percent of the total bundle bandwidth for 4178.Ar period 4179seconds. 4180When the current bundle throughput decreases to 4181.Ar min-percent 4182percent or less of the total bundle bandwidth for 4183.Ar period 4184seconds, a 4185.Ar demand-dial 4186link will be brought down as long as it's not the last active link. 4187.Pp 4188Bundle throughput is measured as the maximum of inbound and outbound 4189traffic. 4190.Pp 4191The default values cause 4192.Ar demand-dial 4193links to simply come up one at a time. 4194.Pp 4195Certain devices cannot determine their physical bandwidth, so it 4196is sometimes necessary to use the 4197.Dq set bandwidth 4198command (described below) to make 4199.Dq set autoload 4200work correctly. 4201.It set bandwidth Ar value 4202This command sets the connection bandwidth in bits per second. 4203.Ar value 4204must be greater than zero. 4205It is currently only used by the 4206.Dq set autoload 4207command above. 4208.It set callback Ar option Ns No ... 4209If no arguments are given, callback is disabled, otherwise, 4210.Nm 4211will request (or in 4212.Fl direct 4213mode, will accept) one of the given 4214.Ar option Ns No s . 4215In client mode, if an 4216.Ar option 4217is NAK'd 4218.Nm 4219will request a different 4220.Ar option , 4221until no options remain at which point 4222.Nm 4223will terminate negotiations (unless 4224.Dq none 4225is one of the specified 4226.Ar option ) . 4227In server mode, 4228.Nm 4229will accept any of the given protocols - but the client 4230.Em must 4231request one of them. 4232If you wish callback to be optional, you must {include} 4233.Ar none 4234as an option. 4235.Pp 4236The 4237.Ar option Ns No s 4238are as follows (in this order of preference): 4239.Pp 4240.Bl -tag -width Ds 4241.It auth 4242The callee is expected to decide the callback number based on 4243authentication. 4244If 4245.Nm 4246is the callee, the number should be specified as the fifth field of 4247the peers entry in 4248.Pa /etc/ppp/ppp.secret . 4249.It cbcp 4250Microsoft's callback control protocol is used. 4251See 4252.Dq set cbcp 4253below. 4254.Pp 4255If you wish to negotiate 4256.Ar cbcp 4257in client mode but also wish to allow the server to request no callback at 4258CBCP negotiation time, you must specify both 4259.Ar cbcp 4260and 4261.Ar none 4262as callback options. 4263.It E.164 *| Ns Xo 4264.Ar number Ns Op , Ns Ar number Ns 4265.No ... 4266.Xc 4267The caller specifies the 4268.Ar number . 4269If 4270.Nm 4271is the callee, 4272.Ar number 4273should be either a comma separated list of allowable numbers or a 4274.Dq \&* , 4275meaning any number is permitted. 4276If 4277.Nm 4278is the caller, only a single number should be specified. 4279.Pp 4280Note, this option is very unsafe when used with a 4281.Dq \&* 4282as a malicious caller can tell 4283.Nm 4284to call any (possibly international) number without first authenticating 4285themselves. 4286.It none 4287If the peer does not wish to do callback at all, 4288.Nm 4289will accept the fact and continue without callback rather than terminating 4290the connection. 4291This is required (in addition to one or more other callback 4292options) if you wish callback to be optional. 4293.El 4294.Pp 4295.It set cbcp Oo 4296.No *| Ns Ar number Ns Oo 4297.No , Ns Ar number Ns ...\& Oc 4298.Op Ar delay Op Ar retry 4299.Oc 4300If no arguments are given, CBCP (Microsoft's CallBack Control Protocol) 4301is disabled - ie, configuring CBCP in the 4302.Dq set callback 4303command will result in 4304.Nm 4305requesting no callback in the CBCP phase. 4306Otherwise, 4307.Nm 4308attempts to use the given phone 4309.Ar number Ns No (s). 4310.Pp 4311In server mode 4312.Pq Fl direct , 4313.Nm 4314will insist that the client uses one of these numbers, unless 4315.Dq \&* 4316is used in which case the client is expected to specify the number. 4317.Pp 4318In client mode, 4319.Nm 4320will attempt to use one of the given numbers (whichever it finds to 4321be agreeable with the peer), or if 4322.Dq \&* 4323is specified, 4324.Nm 4325will expect the peer to specify the number. 4326.It set cd Oo 4327.No off| Ns Ar seconds Ns Op !\& 4328.Oc 4329Normally, 4330.Nm 4331checks for the existence of carrier depending on the type of device 4332that has been opened: 4333.Bl -tag -width XXX -offset XXX 4334.It Terminal Devices 4335Carrier is checked one second after the login script is complete. 4336If it's not set, 4337.Nm 4338assumes that this is because the device doesn't support carrier (which 4339is true for most 4340.Dq laplink 4341NULL-modem cables), logs the fact and stops checking 4342for carrier. 4343.Pp 4344As ptys don't support the TIOCMGET ioctl, the tty device will switch all 4345carrier detection off when it detects that the device is a pty. 4346.It ISDN (i4b) Devices 4347Carrier is checked once per second for 6 seconds. 4348If it's not set after 4349the sixth second, the connection attempt is considered to have failed and 4350the device is closed. 4351Carrier is always required for i4b devices. 4352.It PPPoE (netgraph) Devices 4353Carrier is checked once per second for 5 seconds. 4354If it's not set after 4355the fifth second, the connection attempt is considered to have failed and 4356the device is closed. 4357Carrier is always required for PPPoE devices. 4358.El 4359.Pp 4360All other device types don't support carrier. 4361Setting a carrier value will 4362result in a warning when the device is opened. 4363.Pp 4364Some modems take more than one second after connecting to assert the carrier 4365signal. 4366If this delay isn't increased, this will result in 4367.Nm Ns No 's 4368inability to detect when the link is dropped, as 4369.Nm 4370assumes that the device isn't asserting carrier. 4371.Pp 4372The 4373.Dq set cd 4374command overrides the default carrier behaviour. 4375.Ar seconds 4376specifies the maximum number of seconds that 4377.Nm 4378should wait after the dial script has finished before deciding if 4379carrier is available or not. 4380.Pp 4381If 4382.Dq off 4383is specified, 4384.Nm 4385will not check for carrier on the device, otherwise 4386.Nm 4387will not proceed to the login script until either carrier is detected 4388or until 4389.Ar seconds 4390has elapsed, at which point 4391.Nm 4392assumes that the device will not set carrier. 4393.Pp 4394If no arguments are given, carrier settings will go back to their default 4395values. 4396.Pp 4397If 4398.Ar seconds 4399is followed immediately by an exclamation mark 4400.Pq Dq !\& , 4401.Nm 4402will 4403.Em require 4404carrier. 4405If carrier is not detected after 4406.Ar seconds 4407seconds, the link will be disconnected. 4408.It set choked Op Ar timeout 4409This sets the number of seconds that 4410.Nm 4411will keep a choked output queue before dropping all pending output packets. 4412If 4413.Ar timeout 4414is less than or equal to zero or if 4415.Ar timeout 4416isn't specified, it is set to the default value of 4417.Em 120 seconds . 4418.Pp 4419A choked output queue occurs when 4420.Nm 4421has read a certain number of packets from the local network for transmission, 4422but cannot send the data due to link failure (the peer is busy etc.). 4423.Nm 4424will not read packets indefinitely. 4425Instead, it reads up to 4426.Em 30 4427packets (or 4428.Em 30 No + 4429.Em nlinks No * 4430.Em 2 4431packets in multi-link mode), then stops reading the network interface 4432until either 4433.Ar timeout 4434seconds have passed or at least one packet has been sent. 4435.Pp 4436If 4437.Ar timeout 4438seconds pass, all pending output packets are dropped. 4439.It set ctsrts|crtscts on|off 4440This sets hardware flow control. 4441Hardware flow control is 4442.Ar on 4443by default. 4444.It set deflate Ar out-winsize Op Ar in-winsize 4445This sets the DEFLATE algorithms default outgoing and incoming window 4446sizes. 4447Both 4448.Ar out-winsize 4449and 4450.Ar in-winsize 4451must be values between 4452.Em 8 4453and 4454.Em 15 . 4455If 4456.Ar in-winsize 4457is specified, 4458.Nm 4459will insist that this window size is used and will not accept any other 4460values from the peer. 4461.It set dns Op Ar primary Op Ar secondary 4462This command specifies DNS overrides for the 4463.Dq accept dns 4464command. 4465Refer to the 4466.Dq accept 4467command description above for details. 4468This command does not affect the IP numbers requested using 4469.Dq enable dns . 4470.It set device|line Xo 4471.Ar value Ns No ... 4472.Xc 4473This sets the device(s) to which 4474.Nm 4475will talk to the given 4476.Dq value . 4477.Pp 4478All ISDN and serial device names are expected to begin with 4479.Pa /dev/ . 4480ISDN devices are usually called 4481.Pa i4brbchX 4482and serial devices are usually called 4483.Pa cuaXX . 4484.Pp 4485If 4486.Dq value 4487does not begin with 4488.Pa /dev/ , 4489it must either begin with an exclamation mark 4490.Pq Dq !\& , 4491be of the format 4492.No PPPoE: Ns Ar iface Ns Xo 4493.Op \&: Ns Ar provider Ns 4494.Xc 4495(on 4496.Xr netgraph 4 4497enabled systems), or be of the format 4498.Sm off 4499.Ar host : port Op /tcp|udp . 4500.Sm on 4501.Pp 4502If it begins with an exclamation mark, the rest of the device name is 4503treated as a program name, and that program is executed when the device 4504is opened. 4505Standard input, output and error are fed back to 4506.Nm 4507and are read and written as if they were a regular device. 4508.Pp 4509If a 4510.No PPPoE: Ns Ar iface Ns Xo 4511.Op \&: Ns Ar provider Ns 4512.Xc 4513specification is given, 4514.Nm 4515will attempt to create a 4516.Em PPP 4517over Ethernet connection using the given 4518.Ar iface 4519interface by using 4520.Xr netgraph 4 . 4521If 4522.Xr netgraph 4 4523is not available, 4524.Nm 4525will attempt to load it using 4526.Xr kldload 2 . 4527If this fails, an external program must be used such as the 4528.Xr pppoe 8 4529program available under 4530.Ox . 4531The given 4532.Ar provider 4533is passed as the service name in the PPPoE Discovery Initiation (PADI) 4534packet. 4535If no provider is given, an empty value will be used. 4536.Pp 4537When a PPPoE connection is established, 4538.Nm 4539will place the name of the Access Concentrator in the environment variable 4540.Ev ACNAME . 4541.Pp 4542Refer to 4543.Xr netgraph 4 4544and 4545.Xr ng_pppoe 4 4546for further details. 4547.Pp 4548If a 4549.Ar host Ns No : Ns Ar port Ns Oo 4550.No /tcp|udp 4551.Oc 4552specification is given, 4553.Nm 4554will attempt to connect to the given 4555.Ar host 4556on the given 4557.Ar port . 4558If a 4559.Dq /tcp 4560or 4561.Dq /udp 4562suffix is not provided, the default is 4563.Dq /tcp . 4564Refer to the section on 4565.Em PPP OVER TCP and UDP 4566above for further details. 4567.Pp 4568If multiple 4569.Dq values 4570are specified, 4571.Nm 4572will attempt to open each one in turn until it succeeds or runs out of 4573devices. 4574.It set dial Ar chat-script 4575This specifies the chat script that will be used to dial the other 4576side. 4577See also the 4578.Dq set login 4579command below. 4580Refer to 4581.Xr chat 8 4582and to the example configuration files for details of the chat script 4583format. 4584It is possible to specify some special 4585.Sq values 4586in your chat script as follows: 4587.Bl -tag -width 2n 4588.It Li \ec 4589When used as the last character in a 4590.Sq send 4591string, this indicates that a newline should not be appended. 4592.It Li \ed 4593When the chat script encounters this sequence, it delays two seconds. 4594.It Li \ep 4595When the chat script encounters this sequence, it delays for one quarter of 4596a second. 4597.It Li \en 4598This is replaced with a newline character. 4599.It Li \er 4600This is replaced with a carriage return character. 4601.It Li \es 4602This is replaced with a space character. 4603.It Li \et 4604This is replaced with a tab character. 4605.It Li \eT 4606This is replaced by the current phone number (see 4607.Dq set phone 4608below). 4609.It Li \eP 4610This is replaced by the current 4611.Ar authkey 4612value (see 4613.Dq set authkey 4614above). 4615.It Li \eU 4616This is replaced by the current 4617.Ar authname 4618value (see 4619.Dq set authname 4620above). 4621.El 4622.Pp 4623Note that two parsers will examine these escape sequences, so in order to 4624have the 4625.Sq chat parser 4626see the escape character, it is necessary to escape it from the 4627.Sq command parser . 4628This means that in practice you should use two escapes, for example: 4629.Bd -literal -offset indent 4630set dial "... ATDT\\\\T CONNECT" 4631.Ed 4632.Pp 4633It is also possible to execute external commands from the chat script. 4634To do this, the first character of the expect or send string is an 4635exclamation mark 4636.Pq Dq !\& . 4637If a literal exclamation mark is required, double it up to 4638.Dq !!\& 4639and it will be treated as a single literal 4640.Dq !\& . 4641When the command is executed, standard input and standard output are 4642directed to the open device (see the 4643.Dq set device 4644command), and standard error is read by 4645.Nm 4646and substituted as the expect or send string. 4647If 4648.Nm 4649is running in interactive mode, file descriptor 3 is attached to 4650.Pa /dev/tty . 4651.Pp 4652For example (wrapped for readability): 4653.Bd -literal -offset indent 4654set login "TIMEOUT 5 \\"\\" \\"\\" login:--login: ppp \e 4655word: ppp \\"!sh \\\\-c \\\\\\"echo \\\\-n label: >&2\\\\\\"\\" \e 4656\\"!/bin/echo in\\" HELLO" 4657.Ed 4658.Pp 4659would result in the following chat sequence (output using the 4660.Sq set log local chat 4661command before dialing): 4662.Bd -literal -offset indent 4663Dial attempt 1 of 1 4664dial OK! 4665Chat: Expecting: 4666Chat: Sending: 4667Chat: Expecting: login:--login: 4668Chat: Wait for (5): login: 4669Chat: Sending: ppp 4670Chat: Expecting: word: 4671Chat: Wait for (5): word: 4672Chat: Sending: ppp 4673Chat: Expecting: !sh \\-c "echo \\-n label: >&2" 4674Chat: Exec: sh -c "echo -n label: >&2" 4675Chat: Wait for (5): !sh \\-c "echo \\-n label: >&2" --> label: 4676Chat: Exec: /bin/echo in 4677Chat: Sending: 4678Chat: Expecting: HELLO 4679Chat: Wait for (5): HELLO 4680login OK! 4681.Ed 4682.Pp 4683Note (again) the use of the escape character, allowing many levels of 4684nesting. 4685Here, there are four parsers at work. 4686The first parses the original line, reading it as three arguments. 4687The second parses the third argument, reading it as 11 arguments. 4688At this point, it is 4689important that the 4690.Dq \&- 4691signs are escaped, otherwise this parser will see them as constituting 4692an expect-send-expect sequence. 4693When the 4694.Dq !\& 4695character is seen, the execution parser reads the first command as three 4696arguments, and then 4697.Xr sh 1 4698itself expands the argument after the 4699.Fl c . 4700As we wish to send the output back to the modem, in the first example 4701we redirect our output to file descriptor 2 (stderr) so that 4702.Nm 4703itself sends and logs it, and in the second example, we just output to stdout, 4704which is attached directly to the modem. 4705.Pp 4706This, of course means that it is possible to execute an entirely external 4707.Dq chat 4708command rather than using the internal one. 4709See 4710.Xr chat 8 4711for a good alternative. 4712.Pp 4713The external command that is executed is subjected to the same special 4714word expansions as the 4715.Dq !bg 4716command. 4717.It set enddisc Op label|IP|MAC|magic|psn value 4718This command sets our local endpoint discriminator. 4719If set prior to LCP negotiation, and if no 4720.Dq disable enddisc 4721command has been used, 4722.Nm 4723will send the information to the peer using the LCP endpoint discriminator 4724option. 4725The following discriminators may be set: 4726.Bl -tag -width indent 4727.It Li label 4728The current label is used. 4729.It Li IP 4730Our local IP number is used. 4731As LCP is negotiated prior to IPCP, it is 4732possible that the IPCP layer will subsequently change this value. 4733If 4734it does, the endpoint discriminator stays at the old value unless manually 4735reset. 4736.It Li MAC 4737This is similar to the 4738.Ar IP 4739option above, except that the MAC address associated with the local IP 4740number is used. 4741If the local IP number is not resident on any Ethernet 4742interface, the command will fail. 4743.Pp 4744As the local IP number defaults to whatever the machine host name is, 4745.Dq set enddisc mac 4746is usually done prior to any 4747.Dq set ifaddr 4748commands. 4749.It Li magic 4750A 20 digit random number is used. 4751Care should be taken when using magic numbers as restarting 4752.Nm 4753or creating a link using a different 4754.Nm 4755invocation will also use a different magic number and will therefore not 4756be recognised by the peer as belonging to the same bundle. 4757This makes it unsuitable for 4758.Fl direct 4759connections. 4760.It Li psn Ar value 4761The given 4762.Ar value 4763is used. 4764.Ar Value 4765should be set to an absolute public switched network number with the 4766country code first. 4767.El 4768.Pp 4769If no arguments are given, the endpoint discriminator is reset. 4770.It set escape Ar value... 4771This option is similar to the 4772.Dq set accmap 4773option above. 4774It allows the user to specify a set of characters that will be 4775.Sq escaped 4776as they travel across the link. 4777.It set filter dial|alive|in|out Ar rule-no Xo 4778.No permit|deny|clear| Ns Ar rule-no 4779.Op !\& 4780.Oo Op host 4781.Ar src_addr Ns Op / Ns Ar width 4782.Op Ar dst_addr Ns Op / Ns Ar width 4783.Oc [ Ns Ar proto 4784.Op src lt|eq|gt Ar port 4785.Op dst lt|eq|gt Ar port 4786.Op estab 4787.Op syn 4788.Op finrst 4789.Op timeout Ar secs ] 4790.Xc 4791.Nm 4792supports four filter sets. 4793The 4794.Em alive 4795filter specifies packets that keep the connection alive - resetting the 4796idle timer. 4797The 4798.Em dial 4799filter specifies packets that cause 4800.Nm 4801to dial when in 4802.Fl auto 4803mode. 4804The 4805.Em in 4806filter specifies packets that are allowed to travel 4807into the machine and the 4808.Em out 4809filter specifies packets that are allowed out of the machine. 4810.Pp 4811Filtering is done prior to any IP alterations that might be done by the 4812NAT engine on outgoing packets and after any IP alterations that might 4813be done by the NAT engine on incoming packets. 4814By default all empty filter sets allow all packets to pass. 4815Rules are processed in order according to 4816.Ar rule-no 4817(unless skipped by specifying a rule number as the 4818.Ar action ) . 4819Up to 40 rules may be given for each set. 4820If a packet doesn't match 4821any of the rules in a given set, it is discarded. 4822In the case of 4823.Em in 4824and 4825.Em out 4826filters, this means that the packet is dropped. 4827In the case of 4828.Em alive 4829filters it means that the packet will not reset the idle timer (even if 4830the 4831.Ar in Ns No / Ns Ar out 4832filter has a 4833.Dq timeout 4834value) and in the case of 4835.Em dial 4836filters it means that the packet will not trigger a dial. 4837A packet failing to trigger a dial will be dropped rather than queued. 4838Refer to the 4839section on 4840.Sx PACKET FILTERING 4841above for further details. 4842.It set hangup Ar chat-script 4843This specifies the chat script that will be used to reset the device 4844before it is closed. 4845It should not normally be necessary, but can 4846be used for devices that fail to reset themselves properly on close. 4847.It set help|? Op Ar command 4848This command gives a summary of available set commands, or if 4849.Ar command 4850is specified, the command usage is shown. 4851.It set ifaddr Oo Ar myaddr Ns 4852.Op / Ns Ar \&nn 4853.Oo Ar hisaddr Ns Op / Ns Ar \&nn 4854.Oo Ar netmask 4855.Op Ar triggeraddr 4856.Oc Oc 4857.Oc 4858This command specifies the IP addresses that will be used during 4859IPCP negotiation. 4860Addresses are specified using the format 4861.Pp 4862.Dl a.b.c.d/nn 4863.Pp 4864Where 4865.Dq a.b.c.d 4866is the preferred IP, but 4867.Ar nn 4868specifies how many bits of the address we will insist on. 4869If 4870.No / Ns Ar nn 4871is omitted, it defaults to 4872.Dq /32 4873unless the IP address is 0.0.0.0 in which case it defaults to 4874.Dq /0 . 4875.Pp 4876If you wish to assign a dynamic IP number to the peer, 4877.Ar hisaddr 4878may also be specified as a range of IP numbers in the format 4879.Bd -ragged -offset indent 4880.Ar \&IP Ns Oo \&- Ns Ar \&IP Ns Xo 4881.Oc Ns Oo , Ns Ar \&IP Ns 4882.Op \&- Ns Ar \&IP Ns 4883.Oc Ns ... 4884.Xc 4885.Ed 4886.Pp 4887for example: 4888.Pp 4889.Dl set ifaddr 10.0.0.1 10.0.1.2-10.0.1.10,10.0.1.20 4890.Pp 4891will only negotiate 4892.Dq 10.0.0.1 4893as the local IP number, but may assign any of the given 10 IP 4894numbers to the peer. 4895If the peer requests one of these numbers, 4896and that number is not already in use, 4897.Nm 4898will grant the peers request. 4899This is useful if the peer wants 4900to re-establish a link using the same IP number as was previously 4901allocated (thus maintaining any existing tcp or udp connections). 4902.Pp 4903If the peer requests an IP number that's either outside 4904of this range or is already in use, 4905.Nm 4906will suggest a random unused IP number from the range. 4907.Pp 4908If 4909.Ar triggeraddr 4910is specified, it is used in place of 4911.Ar myaddr 4912in the initial IPCP negotiation. 4913However, only an address in the 4914.Ar myaddr 4915range will be accepted. 4916This is useful when negotiating with some 4917.Dv PPP 4918implementations that will not assign an IP number unless their peer 4919requests 4920.Dq 0.0.0.0 . 4921.Pp 4922It should be noted that in 4923.Fl auto 4924mode, 4925.Nm 4926will configure the interface immediately upon reading the 4927.Dq set ifaddr 4928line in the config file. 4929In any other mode, these values are just 4930used for IPCP negotiations, and the interface isn't configured 4931until the IPCP layer is up. 4932.Pp 4933Note that the 4934.Ar HISADDR 4935argument may be overridden by the third field in the 4936.Pa ppp.secret 4937file once the client has authenticated itself 4938(if PAP or CHAP are 4939.Dq enabled ) . 4940Refer to the 4941.Sx AUTHENTICATING INCOMING CONNECTIONS 4942section for details. 4943.Pp 4944In all cases, if the interface is already configured, 4945.Nm 4946will try to maintain the interface IP numbers so that any existing 4947bound sockets will remain valid. 4948.It set ifqueue Ar packets 4949Set the maximum number of packets that 4950.Nm 4951will read from the tunnel interface while data cannot be sent to any of 4952the available links. 4953This queue limit is necessary to flow control outgoing data as the tunnel 4954interface is likely to be far faster than the combined links available to 4955.Nm . 4956.Pp 4957If 4958.Ar packets 4959is set to a value less than the number of links, 4960.Nm 4961will read up to that value regardless. 4962This prevents any possible latency problems. 4963.Pp 4964The default value for 4965.Ar packets 4966is 4967.Dq 30 . 4968.It set ccpretry|ccpretries Oo Ar timeout 4969.Op Ar reqtries Op Ar trmtries 4970.Oc 4971.It set chapretry|chapretries Oo Ar timeout 4972.Op Ar reqtries 4973.Oc 4974.It set ipcpretry|ipcpretries Oo Ar timeout 4975.Op Ar reqtries Op Ar trmtries 4976.Oc 4977.It set lcpretry|lcpretries Oo Ar timeout 4978.Op Ar reqtries Op Ar trmtries 4979.Oc 4980.It set papretry|papretries Oo Ar timeout 4981.Op Ar reqtries 4982.Oc 4983These commands set the number of seconds that 4984.Nm 4985will wait before resending Finite State Machine (FSM) Request packets. 4986The default 4987.Ar timeout 4988for all FSMs is 3 seconds (which should suffice in most cases). 4989.Pp 4990If 4991.Ar reqtries 4992is specified, it tells 4993.Nm 4994how many configuration request attempts it should make while receiving 4995no reply from the peer before giving up. 4996The default is 5 attempts for 4997CCP, LCP and IPCP and 3 attempts for PAP and CHAP. 4998.Pp 4999If 5000.Ar trmtries 5001is specified, it tells 5002.Nm 5003how many terminate requests should be sent before giving up waiting for the 5004peers response. 5005The default is 3 attempts. 5006Authentication protocols are 5007not terminated and it is therefore invalid to specify 5008.Ar trmtries 5009for PAP or CHAP. 5010.Pp 5011In order to avoid negotiations with the peer that will never converge, 5012.Nm 5013will only send at most 3 times the configured number of 5014.Ar reqtries 5015in any given negotiation session before giving up and closing that layer. 5016.It set log Xo 5017.Op local 5018.Op +|- Ns 5019.Ar value Ns No ... 5020.Xc 5021This command allows the adjustment of the current log level. 5022Refer to the Logging Facility section for further details. 5023.It set login Ar chat-script 5024This 5025.Ar chat-script 5026compliments the dial-script. 5027If both are specified, the login 5028script will be executed after the dial script. 5029Escape sequences available in the dial script are also available here. 5030.It set logout Ar chat-script 5031This specifies the chat script that will be used to logout 5032before the hangup script is called. 5033It should not normally be necessary. 5034.It set lqrperiod Ar frequency 5035This command sets the 5036.Ar frequency 5037in seconds at which 5038.Em LQR 5039or 5040.Em ECHO LQR 5041packets are sent. 5042The default is 30 seconds. 5043You must also use the 5044.Dq enable lqr 5045command if you wish to send LQR requests to the peer. 5046.It set mode Ar interactive|auto|ddial|background 5047This command allows you to change the 5048.Sq mode 5049of the specified link. 5050This is normally only useful in multi-link mode, 5051but may also be used in uni-link mode. 5052.Pp 5053It is not possible to change a link that is 5054.Sq direct 5055or 5056.Sq dedicated . 5057.Pp 5058Note: If you issue the command 5059.Dq set mode auto , 5060and have network address translation enabled, it may be useful to 5061.Dq enable iface-alias 5062afterwards. 5063This will allow 5064.Nm 5065to do the necessary address translations to enable the process that 5066triggers the connection to connect once the link is up despite the 5067peer assigning us a new (dynamic) IP address. 5068.It set mppe Op 40|56|128|* Op stateless|stateful|* 5069This option selects the encryption parameters used when negotiation 5070MPPE. 5071MPPE can be disabled entirely with the 5072.Dq disable mppe 5073command. 5074If no arguments are given, 5075.Nm 5076will attempt to negotiate a stateful link with a 128 bit key, but 5077will agree to whatever the peer requests (including no encryption 5078at all). 5079.Pp 5080If any arguments are given, 5081.Nm 5082will 5083.Em insist 5084on using MPPE and will close the link if it's rejected by the peer. 5085.Pp 5086The first argument specifies the number of bits that 5087.Nm 5088should insist on during negotiations and the second specifies whether 5089.Nm 5090should insist on stateful or stateless mode. 5091In stateless mode, the 5092encryption dictionary is re-initialised with every packet according to 5093an encryption key that is changed with every packet. 5094In stateful mode, 5095the encryption dictionary is re-initialised every 256 packets or after 5096the loss of any data and the key is changed every 256 packets. 5097Stateless mode is less efficient but is better for unreliable transport 5098layers. 5099.It set mrru Op Ar value 5100Setting this option enables Multi-link PPP negotiations, also known as 5101Multi-link Protocol or MP. 5102There is no default MRRU (Maximum Reconstructed Receive Unit) value. 5103If no argument is given, multi-link mode is disabled. 5104.It set mru Xo 5105.Op max Ns Op imum 5106.Op Ar value 5107.Xc 5108The default MRU (Maximum Receive Unit) is 1500. 5109If it is increased, the other side *may* increase its MTU. 5110In theory there is no point in decreasing the MRU to below the default as the 5111.Em PPP 5112protocol says implementations *must* be able to accept packets of at 5113least 1500 octets. 5114.Pp 5115If the 5116.Dq maximum 5117keyword is used, 5118.Nm 5119will refuse to negotiate a higher value. 5120The maximum MRU can be set to 2048 at most. 5121Setting a maximum of less than 1500 violates the 5122.Em PPP 5123rfc, but may sometimes be necessary. 5124For example, 5125.Em PPPoE 5126imposes a maximum of 1492 due to hardware limitations. 5127.Pp 5128If no argument is given, 1500 is assumed. 5129A value must be given when 5130.Dq maximum 5131is specified. 5132.It set mtu Xo 5133.Op max Ns Op imum 5134.Op Ar value 5135.Xc 5136The default MTU is 1500. 5137At negotiation time, 5138.Nm 5139will accept whatever MRU the peer requests (assuming it's 5140not less than 296 bytes or greater than the assigned maximum). 5141If the MTU is set, 5142.Nm 5143will not accept MRU values less than 5144.Ar value . 5145When negotiations are complete, the MTU is used when writing to the 5146interface, even if the peer requested a higher value MRU. 5147This can be useful for 5148limiting your packet size (giving better bandwidth sharing at the expense 5149of more header data). 5150.Pp 5151If the 5152.Dq maximum 5153keyword is used, 5154.Nm 5155will refuse to negotiate a higher value. 5156The maximum MTU can be set to 2048 at most. 5157.Pp 5158If no 5159.Ar value 5160is given, 1500, or whatever the peer asks for is used. 5161A value must be given when 5162.Dq maximum 5163is specified. 5164.It set nbns Op Ar x.x.x.x Op Ar y.y.y.y 5165This option allows the setting of the Microsoft NetBIOS name server 5166values to be returned at the peers request. 5167If no values are given, 5168.Nm 5169will reject any such requests. 5170.It set openmode active|passive Op Ar delay 5171By default, 5172.Ar openmode 5173is always 5174.Ar active 5175with a one second 5176.Ar delay . 5177That is, 5178.Nm 5179will always initiate LCP/IPCP/CCP negotiation one second after the line 5180comes up. 5181If you want to wait for the peer to initiate negotiations, you 5182can use the value 5183.Ar passive . 5184If you want to initiate negotiations immediately or after more than one 5185second, the appropriate 5186.Ar delay 5187may be specified here in seconds. 5188.It set parity odd|even|none|mark 5189This allows the line parity to be set. 5190The default value is 5191.Ar none . 5192.It set phone Ar telno Ns Xo 5193.Oo \&| Ns Ar backupnumber 5194.Oc Ns ... Ns Oo : Ns Ar nextnumber 5195.Oc Ns ... 5196.Xc 5197This allows the specification of the phone number to be used in 5198place of the \\\\T string in the dial and login chat scripts. 5199Multiple phone numbers may be given separated either by a pipe 5200.Pq Dq \&| 5201or a colon 5202.Pq Dq \&: . 5203.Pp 5204Numbers after the pipe are only dialed if the dial or login 5205script for the previous number failed. 5206.Pp 5207Numbers after the colon are tried sequentially, irrespective of 5208the reason the line was dropped. 5209.Pp 5210If multiple numbers are given, 5211.Nm 5212will dial them according to these rules until a connection is made, retrying 5213the maximum number of times specified by 5214.Dq set redial 5215below. 5216In 5217.Fl background 5218mode, each number is attempted at most once. 5219.It set Op proc Ns Xo 5220.No title Op Ar value 5221.Xc 5222The current process title as displayed by 5223.Xr ps 1 5224is changed according to 5225.Ar value . 5226If 5227.Ar value 5228is not specified, the original process title is restored. 5229All the 5230word replacements done by the shell commands (see the 5231.Dq bg 5232command above) are done here too. 5233.Pp 5234Note, if USER is required in the process title, the 5235.Dq set proctitle 5236command must appear in 5237.Pa ppp.linkup , 5238as it is not known when the commands in 5239.Pa ppp.conf 5240are executed. 5241.It set radius Op Ar config-file 5242This command enables RADIUS support (if it's compiled in). 5243.Ar config-file 5244refers to the radius client configuration file as described in 5245.Xr radius.conf 5 . 5246If PAP or CHAP are 5247.Dq enable Ns No d , 5248.Nm 5249behaves as a 5250.Em \&N Ns No etwork 5251.Em \&A Ns No ccess 5252.Em \&S Ns No erver 5253and uses the configured RADIUS server to authenticate rather than 5254authenticating from the 5255.Pa ppp.secret 5256file or from the passwd database. 5257.Pp 5258If neither PAP or CHAP are enabled, 5259.Dq set radius 5260will do nothing. 5261.Pp 5262.Nm 5263uses the following attributes from the RADIUS reply: 5264.Bl -tag -width XXX -offset XXX 5265.It RAD_FRAMED_IP_ADDRESS 5266The peer IP address is set to the given value. 5267.It RAD_FRAMED_IP_NETMASK 5268The tun interface netmask is set to the given value. 5269.It RAD_FRAMED_MTU 5270If the given MTU is less than the peers MRU as agreed during LCP 5271negotiation, *and* it is less that any configured MTU (see the 5272.Dq set mru 5273command), the tun interface MTU is set to the given value. 5274.It RAD_FRAMED_COMPRESSION 5275If the received compression type is 5276.Dq 1 , 5277.Nm 5278will request VJ compression during IPCP negotiations despite any 5279.Dq disable vj 5280configuration command. 5281.It RAD_FILTER_ID 5282This attribute is stored but not yet used. 5283.It RAD_FRAMED_ROUTE 5284The received string is expected to be in the format 5285.Ar dest Ns Op / Ns Ar bits 5286.Ar gw 5287.Op Ar metrics . 5288Any specified metrics are ignored. 5289.Dv MYADDR 5290and 5291.Dv HISADDR 5292are understood as valid values for 5293.Ar dest 5294and 5295.Ar gw , 5296.Dq default 5297can be used for 5298.Ar dest 5299to sepcify the default route, and 5300.Dq 0.0.0.0 5301is understood to be the same as 5302.Dq default 5303for 5304.Ar dest 5305and 5306.Dv HISADDR 5307for 5308.Ar gw . 5309.Pp 5310For example, a returned value of 5311.Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400 5312would result in a routing table entry to the 1.2.3.0/24 network via 5313.Dv HISADDR 5314and a returned value of 5315.Dq 0.0.0.0 0.0.0.0 5316or 5317.Dq default HISADDR 5318would result in a default route to 5319.Dv HISADDR . 5320.Pp 5321All RADIUS routes are applied after any sticky routes are applied, making 5322RADIUS routes override configured routes. 5323This also applies for RADIUS routes that don't {include} the 5324.Dv MYADDR 5325or 5326.Dv HISADDR 5327keywords. 5328.Pp 5329.It RAD_SESSION_TIMEOUT 5330If supplied, the client connection is closed after the given number of 5331seconds. 5332.It RAD_REPLY_MESSAGE 5333If supplied, this message is passed back to the peer as the authentication 5334SUCCESS text. 5335.It RAD_MICROSOFT_MS_CHAP_ERROR 5336If this 5337.Dv RAD_VENDOR_MICROSOFT 5338vendor specific attribute is supplied, it is passed back to the peer as the 5339authentication FAILURE text. 5340.It RAD_MICROSOFT_MS_CHAP2_SUCCESS 5341If this 5342.Dv RAD_VENDOR_MICROSOFT 5343vendor specific attribute is supplied and if MS-CHAPv2 authentication is 5344being used, it is passed back to the peer as the authentication SUCCESS text. 5345.El 5346Values received from the RADIUS server may be viewed using 5347.Dq show bundle . 5348.It set reconnect Ar timeout ntries 5349Should the line drop unexpectedly (due to loss of CD or LQR 5350failure), a connection will be re-established after the given 5351.Ar timeout . 5352The line will be re-connected at most 5353.Ar ntries 5354times. 5355.Ar Ntries 5356defaults to zero. 5357A value of 5358.Ar random 5359for 5360.Ar timeout 5361will result in a variable pause, somewhere between 1 and 30 seconds. 5362.It set recvpipe Op Ar value 5363This sets the routing table RECVPIPE value. 5364The optimum value is just over twice the MTU value. 5365If 5366.Ar value 5367is unspecified or zero, the default kernel controlled value is used. 5368.It set redial Ar secs Ns Xo 5369.Oo + Ns Ar inc Ns 5370.Op - Ns Ar max Ns 5371.Oc Ns Op . Ns Ar next 5372.Op Ar attempts 5373.Xc 5374.Nm 5375can be instructed to attempt to redial 5376.Ar attempts 5377times. 5378If more than one phone number is specified (see 5379.Dq set phone 5380above), a pause of 5381.Ar next 5382is taken before dialing each number. 5383A pause of 5384.Ar secs 5385is taken before starting at the first number again. 5386A literal value of 5387.Dq Li random 5388may be used here in place of 5389.Ar secs 5390and 5391.Ar next , 5392causing a random delay of between 1 and 30 seconds. 5393.Pp 5394If 5395.Ar inc 5396is specified, its value is added onto 5397.Ar secs 5398each time 5399.Nm 5400tries a new number. 5401.Ar secs 5402will only be incremented at most 5403.Ar max 5404times. 5405.Ar max 5406defaults to 10. 5407.Pp 5408Note, the 5409.Ar secs 5410delay will be effective, even after 5411.Ar attempts 5412has been exceeded, so an immediate manual dial may appear to have 5413done nothing. 5414If an immediate dial is required, a 5415.Dq !\& 5416should immediately follow the 5417.Dq open 5418keyword. 5419See the 5420.Dq open 5421description above for further details. 5422.It set sendpipe Op Ar value 5423This sets the routing table SENDPIPE value. 5424The optimum value is just over twice the MTU value. 5425If 5426.Ar value 5427is unspecified or zero, the default kernel controlled value is used. 5428.It "set server|socket" Ar TcpPort Ns No \&| Ns Xo 5429.Ar LocalName Ns No |none|open|closed 5430.Op password Op Ar mask 5431.Xc 5432This command tells 5433.Nm 5434to listen on the given socket or 5435.Sq diagnostic port 5436for incoming command connections. 5437.Pp 5438The word 5439.Dq none 5440instructs 5441.Nm 5442to close any existing socket and clear the socket configuration. 5443The word 5444.Dq open 5445instructs 5446.Nm 5447to attempt to re-open the port. 5448The word 5449.Dq closed 5450instructs 5451.Nm 5452to close the open port. 5453.Pp 5454If you wish to specify a local domain socket, 5455.Ar LocalName 5456must be specified as an absolute file name, otherwise it is assumed 5457to be the name or number of a TCP port. 5458You may specify the octal umask to be used with a local domain socket. 5459Refer to 5460.Xr umask 2 5461for umask details. 5462Refer to 5463.Xr services 5 5464for details of how to translate TCP port names. 5465.Pp 5466You must also specify the password that must be entered by the client 5467(using the 5468.Dq passwd 5469variable above) when connecting to this socket. 5470If the password is 5471specified as an empty string, no password is required for connecting clients. 5472.Pp 5473When specifying a local domain socket, the first 5474.Dq %d 5475sequence found in the socket name will be replaced with the current 5476interface unit number. 5477This is useful when you wish to use the same 5478profile for more than one connection. 5479.Pp 5480In a similar manner TCP sockets may be prefixed with the 5481.Dq + 5482character, in which case the current interface unit number is added to 5483the port number. 5484.Pp 5485When using 5486.Nm 5487with a server socket, the 5488.Xr pppctl 8 5489command is the preferred mechanism of communications. 5490Currently, 5491.Xr telnet 1 5492can also be used, but link encryption may be implemented in the future, so 5493.Xr telnet 1 5494should be avoided. 5495.Pp 5496Note; 5497.Dv SIGUSR1 5498and 5499.Dv SIGUSR2 5500interact with the diagnostic socket. 5501.It set speed Ar value 5502This sets the speed of the serial device. 5503If speed is specified as 5504.Dq sync , 5505.Nm 5506treats the device as a synchronous device. 5507.Pp 5508Certain device types will know whether they should be specified as 5509synchronous or asynchronous. 5510These devices will override incorrect 5511settings and log a warning to this effect. 5512.It set stopped Op Ar LCPseconds Op Ar CCPseconds 5513If this option is set, 5514.Nm 5515will time out after the given FSM (Finite State Machine) has been in 5516the stopped state for the given number of 5517.Dq seconds . 5518This option may be useful if the peer sends a terminate request, 5519but never actually closes the connection despite our sending a terminate 5520acknowledgement. 5521This is also useful if you wish to 5522.Dq set openmode passive 5523and time out if the peer doesn't send a Configure Request within the 5524given time. 5525Use 5526.Dq set log +lcp +ccp 5527to make 5528.Nm 5529log the appropriate state transitions. 5530.Pp 5531The default value is zero, where 5532.Nm 5533doesn't time out in the stopped state. 5534.Pp 5535This value should not be set to less than the openmode delay (see 5536.Dq set openmode 5537above). 5538.It set timeout Ar idleseconds Op Ar mintimeout 5539This command allows the setting of the idle timer. 5540Refer to the section titled 5541.Sx SETTING THE IDLE TIMER 5542for further details. 5543.Pp 5544If 5545.Ar mintimeout 5546is specified, 5547.Nm 5548will never idle out before the link has been up for at least that number 5549of seconds. 5550.It set urgent Xo 5551.Op tcp|udp|none 5552.Oo Op +|- Ns 5553.Ar port 5554.Oc No ... 5555.Xc 5556This command controls the ports that 5557.Nm 5558prioritizes when transmitting data. 5559The default priority TCP ports 5560are ports 21 (ftp control), 22 (ssh), 23 (telnet), 513 (login), 514 (shell), 5561543 (klogin) and 544 (kshell). 5562There are no priority UDP ports by default. 5563See 5564.Xr services 5 5565for details. 5566.Pp 5567If neither 5568.Dq tcp 5569or 5570.Dq udp 5571are specified, 5572.Dq tcp 5573is assumed. 5574.Pp 5575If no 5576.Ar port Ns No s 5577are given, the priority port lists are cleared (although if 5578.Dq tcp 5579or 5580.Dq udp 5581is specified, only that list is cleared). 5582If the first 5583.Ar port 5584argument is prefixed with a plus 5585.Pq Dq \&+ 5586or a minus 5587.Pq Dq \&- , 5588the current list is adjusted, otherwise the list is reassigned. 5589.Ar port Ns No s 5590prefixed with a plus or not prefixed at all are added to the list and 5591.Ar port Ns No s 5592prefixed with a minus are removed from the list. 5593.Pp 5594If 5595.Dq none 5596is specified, all priority port lists are disabled and even 5597.Dv IPTOS_LOWDELAY 5598packets are not prioritised. 5599.It set vj slotcomp on|off 5600This command tells 5601.Nm 5602whether it should attempt to negotiate VJ slot compression. 5603By default, slot compression is turned 5604.Ar on . 5605.It set vj slots Ar nslots 5606This command sets the initial number of slots that 5607.Nm 5608will try to negotiate with the peer when VJ compression is enabled (see the 5609.Sq enable 5610command above). 5611It defaults to a value of 16. 5612.Ar Nslots 5613must be between 5614.Ar 4 5615and 5616.Ar 16 5617inclusive. 5618.El 5619.Pp 5620.It shell|! Op Ar command 5621If 5622.Ar command 5623is not specified a shell is invoked according to the 5624.Dv SHELL 5625environment variable. 5626Otherwise, the given 5627.Ar command 5628is executed. 5629Word replacement is done in the same way as for the 5630.Dq !bg 5631command as described above. 5632.Pp 5633Use of the ! character 5634requires a following space as with any of the other commands. 5635You should note that this command is executed in the foreground; 5636.Nm 5637will not continue running until this process has exited. 5638Use the 5639.Dv bg 5640command if you wish processing to happen in the background. 5641.It show Ar var 5642This command allows the user to examine the following: 5643.Bl -tag -width 2n 5644.It show bundle 5645Show the current bundle settings. 5646.It show ccp 5647Show the current CCP compression statistics. 5648.It show compress 5649Show the current VJ compression statistics. 5650.It show escape 5651Show the current escape characters. 5652.It show filter Op Ar name 5653List the current rules for the given filter. 5654If 5655.Ar name 5656is not specified, all filters are shown. 5657.It show hdlc 5658Show the current HDLC statistics. 5659.It show help|? 5660Give a summary of available show commands. 5661.It show iface 5662Show the current interface information 5663(the same as 5664.Dq iface show ) . 5665.It show ipcp 5666Show the current IPCP statistics. 5667.It show layers 5668Show the protocol layers currently in use. 5669.It show lcp 5670Show the current LCP statistics. 5671.It show Op data Ns Xo 5672.No link 5673.Xc 5674Show high level link information. 5675.It show links 5676Show a list of available logical links. 5677.It show log 5678Show the current log values. 5679.It show mem 5680Show current memory statistics. 5681.It show ncp 5682Show the current NCP statistics. 5683.It show physical 5684Show low level link information. 5685.It show mp 5686Show Multi-link information. 5687.It show proto 5688Show current protocol totals. 5689.It show route 5690Show the current routing tables. 5691.It show stopped 5692Show the current stopped timeouts. 5693.It show timer 5694Show the active alarm timers. 5695.It show version 5696Show the current version number of 5697.Nm . 5698.El 5699.Pp 5700.It term 5701Go into terminal mode. 5702Characters typed at the keyboard are sent to the device. 5703Characters read from the device are displayed on the screen. 5704When a remote 5705.Em PPP 5706peer is detected, 5707.Nm 5708automatically enables Packet Mode and goes back into command mode. 5709.El 5710.Sh MORE DETAILS 5711.Bl -bullet 5712.It 5713Read the example configuration files. 5714They are a good source of information. 5715.It 5716Use 5717.Dq help , 5718.Dq nat \&? , 5719.Dq enable \&? , 5720.Dq set ?\& 5721and 5722.Dq show ?\& 5723to get online information about what's available. 5724.It 5725The following URLs contain useful information: 5726.Bl -bullet -compact 5727.It 5728http://www.FreeBSD.org/FAQ/userppp.html 5729.It 5730http://www.FreeBSD.org/handbook/userppp.html 5731.El 5732.Pp 5733.El 5734.Sh FILES 5735.Nm 5736refers to four files: 5737.Pa ppp.conf , 5738.Pa ppp.linkup , 5739.Pa ppp.linkdown 5740and 5741.Pa ppp.secret . 5742These files are placed in the 5743.Pa /etc/ppp 5744directory. 5745.Bl -tag -width 2n 5746.It Pa /etc/ppp/ppp.conf 5747System default configuration file. 5748.It Pa /etc/ppp/ppp.secret 5749An authorisation file for each system. 5750.It Pa /etc/ppp/ppp.linkup 5751A file to check when 5752.Nm 5753establishes a network level connection. 5754.It Pa /etc/ppp/ppp.linkdown 5755A file to check when 5756.Nm 5757closes a network level connection. 5758.It Pa /var/log/ppp.log 5759Logging and debugging information file. 5760Note, this name is specified in 5761.Pa /etc/syslog.conf . 5762See 5763.Xr syslog.conf 5 5764for further details. 5765.It Pa /var/spool/lock/LCK..* 5766tty port locking file. 5767Refer to 5768.Xr uucplock 3 5769for further details. 5770.It Pa /var/run/tunN.pid 5771The process id (pid) of the 5772.Nm 5773program connected to the tunN device, where 5774.Sq N 5775is the number of the device. 5776.It Pa /var/run/ttyXX.if 5777The tun interface used by this port. 5778Again, this file is only created in 5779.Fl background , 5780.Fl auto 5781and 5782.Fl ddial 5783modes. 5784.It Pa /etc/services 5785Get port number if port number is using service name. 5786.It Pa /var/run/ppp-authname-class-value 5787In multi-link mode, local domain sockets are created using the peer 5788authentication name 5789.Pq Sq authname , 5790the peer endpoint discriminator class 5791.Pq Sq class 5792and the peer endpoint discriminator value 5793.Pq Sq value . 5794As the endpoint discriminator value may be a binary value, it is turned 5795to HEX to determine the actual file name. 5796.Pp 5797This socket is used to pass links between different instances of 5798.Nm . 5799.El 5800.Sh SEE ALSO 5801.Xr at 1 , 5802.Xr ftp 1 , 5803.Xr gzip 1 , 5804.Xr hostname 1 , 5805.Xr login 1 , 5806.Xr tcpdump 1 , 5807.Xr telnet 1 , 5808.Xr kldload 2 , 5809ifdef({LOCALNAT},{},{.Xr libalias 3 , 5810})dnl 5811ifdef({LOCALRAD},{},{.Xr libradius 3 , 5812})dnl 5813.Xr syslog 3 , 5814.Xr uucplock 3 , 5815.Xr netgraph 4 , 5816.Xr ng_pppoe 4 , 5817.Xr crontab 5 , 5818.Xr group 5 , 5819.Xr passwd 5 , 5820.Xr protocols 5 , 5821.Xr radius.conf 5 , 5822.Xr resolv.conf 5 , 5823.Xr syslog.conf 5 , 5824.Xr adduser 8 , 5825.Xr chat 8 , 5826.Xr getty 8 , 5827.Xr inetd 8 , 5828.Xr init 8 , 5829.Xr isdn 8 , 5830.Xr named 8 , 5831.Xr ping 8 , 5832.Xr pppctl 8 , 5833.Xr pppd 8 , 5834.Xr pppoe 8 , 5835.Xr route 8 , 5836.Xr sshd 8 , 5837.Xr syslogd 8 , 5838.Xr traceroute 8 , 5839.Xr vipw 8 5840.Sh HISTORY 5841This program was originally written by 5842.An Toshiharu OHNO Aq tony-o@iij.ad.jp , 5843and was submitted to 5844.Fx 2.0.5 5845by 5846.An Atsushi Murai Aq amurai@spec.co.jp . 5847.Pp 5848It was substantially modified during 1997 by 5849.An Brian Somers Aq brian@Awfulhak.org , 5850and was ported to 5851.Ox 5852in November that year 5853(just after the 2.2 release). 5854.Pp 5855Most of the code was rewritten by 5856.An Brian Somers 5857in early 1998 when multi-link ppp support was added. 5858