# $FreeBSD$

# This advanced ppp configuration file explains how to implement
# the following:
#
#    -------------       -------------       -------------
#    |   host1   |       |   host2   |       |   host3   |
#    -------------       -------------       -------------
#          |                       |               |
#     |---------------------- LAN ----------------------|
#                          |
#                        -------------
#                        |  Gateway  |
#                        -------------
#                              |
#             -----------------------------------
#             |          |           |          |
#            isp1       isp2       isp3       ispN
#             |          |           |          |
#             -----------------------------------
#                              |
#                         ------------
#                         | Receiver |
#                         ------------
#                              |
#                          Internet
#
# The connection is implemented so that any ISP connection can go down
# without loss of connectivity between the LAN and the Internet.  It is
# of course also possible to shut down any link manually.
#
# There is a working example in ppp.*.span-isp.working that can be tested
# on a single machine!
#
#
# Prerequisites:
#
# o The Receiver machine must be in the outside world and must be willing
#   to accept a multilink ppp connection over UDP, assigning a routable IP
#   number to the Gateway machine.  This probably means that it must be
#   a *BSD box as I know of no other ppp implementations that can use UDP
#   as a transport.
#
# o The Receiver machine must be multi-homed with at least N+1 addresses
#   where N is the maximum number of ISPs that you wish to use
#   simultaneously.  We assume the IP numbers to be RIP1, RIP2 ... RIPN.
#   REAL-LOCAL-IP is the real IP number of the Receiver machine (and must
#   not be the same as any of the RIP* numbers).
#
# o Both the Gateway and the Receiver machines must have several tun
#   interfaces configured into the kernel (see below).
#
# o Both the Gateway and the Receiver machines must have the following
#   entry in /etc/services:
#
#      ppp 6671/udp
#
#   The port number isn't important, but it must be consistent across
#   machines.
#
# o The Receiver machine must have the following entry in
#   /etc/inetd.conf:
#
#      ppp dgram udp wait root /usr/sbin/ppp ppp -direct vpn-in
#
#   Note: Because inetd ``wait''s for ppp to finish, a single ppp
#         invocation receives all incoming packets.  This creates
#         havoc with LQR magic number checks, so LQR *must not* be
#         enabled.
#         Also, -direct invocations of ppp do sendto()s using the
#         address that was last recvfrom()d.  This means that the
#         returning traffic is a bit unbalanced.  Perhaps ppp should
#         be smart enough to automatically clone an existing link
#         when it detects a new incoming address... tricky!
#
# If you use ppp to connect to your ISPs, the isp* profiles should be used,
# resulting in the vpn* profiles being called from ppp.linkup.span-isp.
# These invocations will bond together into an MP ppp invocation.
#
# If the link to your ISP is via another type of interface (cable modem
# etc), simply configure the interface with a netmask of 0xffffffff and
# add a route to RIPN via the interface address (no default).  You can
# then start ppp using the vpn-nic label.
#
# The Receiver machine should have N tun interfaces (where N is the maximum
# number of ISPs that you wish to use simultaneously).  The Gateway machine
# requires N interfaces plus an additional N interfaces (total 2 * N) if
# you're using ppp to talk to the ISPs.

# Using ppp to connect to your ISPs (PPP over UDP over PPP):
#
# When we connect to our ISPs using ppp, we start the MP ppp invocation
# from ppp.linkup (see ppp.linkup.span-isp) for each link.  We also remove
# the link from ppp.linkdown (see ppp.linkdown.span-isp).  This is necessary
# because relying on our LQR strategy (dropping the link after 5 missing
# replies) is just too slow to be practical in this environment.
#
# This works because the MP invocations are smart enough to recognise that
# another process is already running and to pass the link over to that
# running version.
#
# Only the ISP links should be started manually.  When they come up, they'll
# start the MP invocation.
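# The LQR caveat above (inetd ``wait'' plus UDP transports) is easy to lose
# when a label silently inherits ``enable lqr'' from ``default''.  The
# following is an added example, not part of this file or of ppp(8): a
# small Python check that parses ppp.conf label blocks (continuation
# lines included, ``load'' not followed) over a constructed excerpt and
# flags labels that would end up with LQR enabled on a ppp/udp link or
# in the inetd-started vpn-in profile.

```python
# Constructed ppp.conf excerpt (not the page's file); "vpn" inherits LQR.
SAMPLE = r"""default:
  set dial "ABORT BUSY TIMEOUT 4 \
            \"\" ATZ OK"
  enable lqr echo
vpn:
  set device RIP1:ppp/udp
vpn-in:
  enable chap
  disable lqr
"""

def parse_labels(text):
    """Map label -> command word-lists; honours '#' comments and '\\' continuation."""
    labels, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):            # command continues on next line
            pending = line[:-1]
            continue
        pending = ""
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]            # start of a new label block
            labels[current] = []
        elif current is not None:
            labels[current].append(line.split())
    return labels

def lqr_enabled(cmds, inherited):
    """Fold enable/disable commands over the LQR state inherited from "default"."""
    state = inherited
    for words in cmds:
        if words[0] in ("enable", "disable") and "lqr" in words[1:]:
            state = words[0] == "enable"
    return state

def audit_lqr(text):
    """Labels that would run LQR on a ppp/udp transport or in vpn-in (must be off)."""
    labels = parse_labels(text)
    default_state = lqr_enabled(labels.get("default", []), False)
    bad = []
    for name, cmds in labels.items():
        udp = any(w.endswith(":ppp/udp") for words in cmds for w in words)
        if name != "default" and (udp or name == "vpn-in"):
            if lqr_enabled(cmds, default_state):
                bad.append(name)
    return bad
```

# Running audit_lqr(SAMPLE) reports ["vpn"]; adding ``disable lqr'' to that
# label (as the real vpn label above does) clears the finding.
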
default:
  set speed 115200
  set device /dev/cuau0 /dev/cuau1 /dev/cuau2 /dev/cuau3
  set dial "ABORT BUSY ABORT NO\\sCARRIER ABORT NO\\sDIAL\\sTONE TIMEOUT 4 \
            \"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"
  set login
  set redial 3 5
  set timeout 0
  enable lqr echo
  set lqrperiod 15

isp1:
  set phone "1234567"
  set authname "isp1name"
  set authkey "isp1key"
  add! RIP1/32 HISADDR

isp2:
  set phone "2345678"
  set authname "isp2name"
  set authkey "isp2key"
  add! RIP2/32 HISADDR

ispN:
  set phone "3456789"
  set authname "ispNname"
  set authkey "ispNkey"
  add! RIPN/32 HISADDR


# Our MP version of ppp.  vpn is a generic label used by each of the
# other vpn invocations by invoking ppp with both labels (see
# ppp.linkup.span-isp).
# Each ``set device'' command tells ppp to use UDP packets destined for
# the given IP/port as the link (transport).  The routing table will
# ensure that these UDP packets use the correct ISP connection.

vpn:
  set enddisc LABEL
  set speed sync
  set mrru 1500
  set mru 1504			# Room for the MP header
  nat enable yes
  set authname "vpnname"
  set authkey "vpnkey"
  add! default HISADDR
  disable deflate pred1 lqr
  deny deflate pred1

vpn1:
  rename 1
  set device RIP1:ppp/udp

vpn2:
  rename 2
  set device RIP2:ppp/udp

vpnN:
  rename N
  set device RIPN:ppp/udp

vpn-nic:
  load vpn
  clone 1 2 N
  link deflink rm
  link 1 set device RIP1:ppp/udp
  link 2 set device RIP2:ppp/udp
  link N set device RIPN:ppp/udp

# The Receiver profile is a bit more straightforward, as it doesn't need
# to get bogged down with sublinks.  Replace REAL-ASSIGNED-IP with the
# IP number to be assigned to the Gateway machine.  Replace REAL-LOCAL-IP
# with the real IP number of the Receiver machine.
#
# No other entries are required on the Receiver machine, and this entry
# is not required on the Gateway machine.  The Receiver machine also
# requires the contents of ppp.secret.span-isp.
#
# Of course it's simple to assign an IP block to the client with a simple
# ``add'' command, and then have the client use those IP numbers on its
# LAN rather than using ``nat enable yes''.

vpn-in:
  set enddisc label
  set speed sync
  set mrru 1500
  set mru 1504			# Room for the MP header
  enable chap
  disable lqr
  set ifaddr REAL-LOCAL-IP REAL-ASSIGNED-IP
