ppp.conf.span-isp revision 50476 
150476Speter# $FreeBSD: head/share/examples/ppp/ppp.conf.span-isp 50476 1999-08-28 00:22:10Z peter $
247857Sbrian
347857Sbrian# This advanced ppp configuration file explains how to implement
447857Sbrian# the following:
547857Sbrian#
647857Sbrian#    -------------       -------------       -------------
747857Sbrian#    |   host1   |       |   host2   |       |   host3   |
847857Sbrian#    -------------       -------------       -------------
947857Sbrian#          |                       |               |
1047857Sbrian#     |---------------------- LAN ----------------------|
1147857Sbrian#                          |
1247857Sbrian#                        -------------
1347857Sbrian#                        |  Gateway  |
1447857Sbrian#                        -------------
1547857Sbrian#                              |
1647857Sbrian#             -----------------------------------
1747857Sbrian#             |          |           |          |
1847857Sbrian#            isp1       isp2       isp3       ispN
1947857Sbrian#             |          |           |          |
2047857Sbrian#             -----------------------------------
2147857Sbrian#                              |
2247857Sbrian#                         ------------
2347857Sbrian#                         | Receiver |
2447857Sbrian#                         ------------
2547857Sbrian#                              |
2647857Sbrian#                          Internet
2747857Sbrian#
2847857Sbrian# The connection is implemented so that any ISP connection can go down
2947857Sbrian# without loss of connectivity between the LAN and the Internet.  It is
3047857Sbrian# of course also possible to shut down any link manually.
3147857Sbrian#
3247857Sbrian# There is a working example in ppp.*.span-isp.working that can be tested
3347857Sbrian# on a single machine !
3447857Sbrian#
3547857Sbrian#
3647857Sbrian# Prerequisites:
3747857Sbrian#
3847857Sbrian# o The Receiver machine must be in the outside world and must be willing
3947857Sbrian#   to accept a multilink ppp connection over UDP, assigning a routable IP
4047857Sbrian#   number to the Gateway machine.  This probably means that it must be
4147857Sbrian#   a *BSD box as I know of no other ppp implementations that can use UDP
4247857Sbrian#   as a transport.
4347857Sbrian#
4447857Sbrian# o The Receiver machine must be multi-homed with at least N+1 addresses
4547857Sbrian#   where N is the maximun number of ISPs that you wish to use
4647857Sbrian#   simultaneously.  We assume the IP numbers to be RIP1, RIP2 ... RIPN.
4747857Sbrian#   REAL-LOCAL-IP is the real IP number of the Receiver machine (and must
4847857Sbrian#   not be the same as any of the RIP* numbers).
4947857Sbrian#
5047857Sbrian# o Both the Gateway and the Receiver machines must have several tun
5147857Sbrian#   interfaces configured into the kernel (see below).
5247857Sbrian#
5347857Sbrian# o Both the Gateway and the Receiver machines must have the following
5447857Sbrian#   entry in /etc/services:
5547857Sbrian#
5647857Sbrian#      ppp 6671/udp
5747857Sbrian#
5847857Sbrian#   The port number isn't important, but it must be consistent across
5947857Sbrian#   machines.
6047857Sbrian#
6147857Sbrian# o The Receiver machine must have the following entry in
6247857Sbrian#   /etc/inetd.conf:
6347857Sbrian#
6447857Sbrian#      ppp dgram udp wait root /usr/sbin/ppp ppp -direct vpn-in
6547857Sbrian#
6647857Sbrian#   Note: Because inetd ``wait''s for ppp to finish, a single ppp
6747857Sbrian#         invocation receives all incoming packets.  This creates
6847857Sbrian#         havoc with LQR magic number checks, so LQR *must not* be
6947857Sbrian#         enabled.
7047857Sbrian#         Also, -direct invocations of ppp do sendto()s using the
7147857Sbrian#         address that was last recvfrom()d.  This means that the
7247857Sbrian#         returning traffic is a bit unbalanced.  Perhaps ppp should
7347857Sbrian#         be smart enough to automatically clone an existing link
7447857Sbrian#         when it detects a new incoming address.... tricky !
7547857Sbrian#
7647857Sbrian# If you use ppp to connect to your ISPs, the isp* profiles shold be used,
7747857Sbrian# resulting in the vpn* profiles being called from ppp.linkup.span-isp.
7847857Sbrian# These invocations will bond together into a MP ppp invocation.
7947857Sbrian#
8047857Sbrian# If the link to your ISP is via another type of interface (cable modem
8147857Sbrian# etc), simply configure the interface with a netmask of 0xffffffff and
8247857Sbrian# add a route to RIPN via the interface address (no default).  You can
8347857Sbrian# then start ppp using the vpn-nic label.
8447857Sbrian#
8547857Sbrian# The Receiver machine should have N tun interfaces (where N is the maximum
8647857Sbrian# number of ISPs that you wish to use simultaneously).  The Gateway machine
8747857Sbrian# requires N interfaces plus an additional N interfaces (total 2 * N) if
8847857Sbrian# you're using ppp to talk to the ISPs.
8947857Sbrian
9047857Sbrian# Using ppp to connect to your ISPs (PPP over UDP over PPP):
9147857Sbrian#
9247857Sbrian# When we connect to our ISPs using ppp, we start the MP ppp invocation
9347857Sbrian# from ppp.linkup (see ppp.linkup.span-isp) for each link.  We also remove
9447857Sbrian# the link from ppp.linkdown (see ppp.linkdown.span-isp).  This is necessary
9547857Sbrian# because relying on our LQR strategy (dropping the link after 5 missing
9647857Sbrian# replies) is just too slow to be practical in this environment.
9747857Sbrian#
9847857Sbrian# This works because the MP invocations are smart enough to recognise that
9947857Sbrian# another process is already running and to pass the link over to that
10047857Sbrian# running version.
10147857Sbrian#
10247857Sbrian# Only the ISP links should be started manually.  When they come up, they'll
10347857Sbrian# start the MP invocation.
10447857Sbrian
10547857Sbriandefault:
10647857Sbrian  set speed 115200
10747857Sbrian  set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 /dev/cuaa3
10847857Sbrian  set dial "ABORT BUSY ABORT NO\\sCARRIER ABORT NO\\sDIAL\\sTONE TIMEOUT 4 \
10947857Sbrian            \"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"
11047857Sbrian  set login
11147857Sbrian  set redial 3 5
11247857Sbrian  set timeout 0
11347857Sbrian  enable lqr
11447857Sbrian  set lqrperiod 15
11547857Sbrian
11647857Sbrianisp1:
11747857Sbrian  set phone "1234567"
11847857Sbrian  set authname isp1name
11947857Sbrian  set authkey isp1key
12047857Sbrian  add! RIP1/32 HISADDR
12147857Sbrian
12247857Sbrianisp2:
12347857Sbrian  set phone "2345678"
12447857Sbrian  set authname isp2name
12547857Sbrian  set authkey isp2key
12647857Sbrian  add! RIP2/32 HISADDR
12747857Sbrian
12847857SbrianispN:
12947857Sbrian  set phone "3456789"
13047857Sbrian  set authname ispNname
13147857Sbrian  set authkey ispNkey
13247857Sbrian  add! RIPN/32 HISADDR
13347857Sbrian
13447857Sbrian
13547857Sbrian# Our MP version of ppp.  vpn is a generic label used by each of the
13647857Sbrian# other vpn invocations by envoking ppp with both labels (see
13747857Sbrian# ppp.linkup.span-isp).
13847857Sbrian# Each ``set device'' command tells ppp to use UDP packets destined for
13947857Sbrian# the given IP/port as the link (transport).  The routing table will
14047857Sbrian# ensure that these UDP packets use the correct ISP connection.
14147857Sbrian
14247857Sbrianvpn:
14347857Sbrian  set enddisc LABEL
14447857Sbrian  set speed sync
14547857Sbrian  set mrru 1500
14647857Sbrian  alias enable yes
14747857Sbrian  set authname vpnname
14847857Sbrian  set authkey vpnkey
14947857Sbrian  add! default HISADDR
15047857Sbrian  disable deflate pred1 lqr
15147857Sbrian  deny deflate pred1
15247857Sbrian 
15347857Sbrianvpn1:
15447857Sbrian  rename 1
15547857Sbrian  set device RIP1:ppp/udp
15647857Sbrian 
15747857Sbrianvpn2:
15847857Sbrian  rename 2
15947857Sbrian  set device RIP2:ppp/udp
16047857Sbrian 
16147857SbrianvpnN:
16247857Sbrian  rename N
16347857Sbrian  set device RIPN:ppp/udp
16447857Sbrian
16547857Sbrianvpn-nic:
16647857Sbrian  load vpn
16747857Sbrian  clone 1 2 N
16847857Sbrian  link deflink rm
16947857Sbrian  link 1 set device RIP1:ppp/udp
17047857Sbrian  link 2 set device RIP2:ppp/udp
17147857Sbrian  link N set device RIPN:ppp/udp
17247857Sbrian
17347857Sbrian# The Receiver profile is a bit more straight forward, as it doesn't need
17447857Sbrian# to get bogged down with sublinks.  Replace REAL-ASSIGNED-IP with the
17547857Sbrian# IP number to be assigned to the Gateway machine.  Replace REAL-LOCAL-IP
17647857Sbrian# with the real IP number of the Receiver machine.
17747857Sbrian#
17847857Sbrian# No other entries are required on the Receiver machine, and this entry
17947857Sbrian# is not required on the Gateway machine.  The Receiver machine also
18047857Sbrian# requires the contents of ppp.secret.span-isp.
18147857Sbrian#
18247857Sbrian# Of course it's simple to assign an IP block to the client with a simple
18347857Sbrian# ``add'' command, and then have the client use those IP numbers on its
18447857Sbrian# LAN rather than using ``alias enable yes''.
18547857Sbrian
18647857Sbrianvpn-in:
18747857Sbrian  set enddisc label
18847857Sbrian  set speed sync
18947857Sbrian  set mrru 1500
19047857Sbrian  enable chap
19147857Sbrian  disable lqr
19247857Sbrian  set ifaddr REAL-LOCAL-IP REAL-ASSIGNED-IP
193