ppp.conf.sample revision 69470
1################################################################# 2# 3# PPP Sample Configuration File 4# 5# Originally written by Toshiharu OHNO 6# 7# $FreeBSD: head/share/examples/ppp/ppp.conf.sample 69470 2000-12-01 11:52:22Z brian $ 8# 9################################################################# 10 11# This file is separated into sections. Each section is named with 12# a label starting in column 0 and followed directly by a ``:''. The 13# section continues until the next section. Blank lines and lines 14# beginning with ``#'' are ignored. 15# 16# Lines beginning with "!include" will ``include'' another file. You 17# may want to ``!include ~/.ppp.conf'' for backwards compatibility. 18# 19 20# Default setup. Always executed when PPP is invoked. 21# This section is *not* pre-loaded by the ``load'' or ``dial'' commands. 22# 23# This is the best place to specify your modem device, it's DTR rate, 24# your dial script and any logging specification. Logging specs should 25# be done first so that the results of subsequent commands are logged. 26# 27default: 28 set log Phase Chat LCP IPCP CCP tun command 29 set device /dev/cuaa1 30 set speed 115200 31 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \ 32 OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 33 34# Client side PPP 35# 36# Although the PPP protocol is a peer to peer protocol, we normally 37# consider the side that initiates the connection as the client and 38# the side that receives the connection as the server. Authentication 39# is required by the server either using a unix-style login procedure 40# or by demanding PAP or CHAP authentication from the client. 41# 42 43# An on demand example where we have dynamic IP addresses and wish to 44# use a unix-style login script: 45# 46# If the peer assigns us an arbitrary IP (most ISPs do this) and we 47# can't predict what their IP will be either, take a wild guess at 48# some IPs that you can't currently route to. Ppp can change this 49# when the link comes up. 50# 51# The /0 bit in "set ifaddr" says that we insist on 0 bits of the 52# specified IP actually being correct, therefore, the other side can assign 53# any IP number. 54# 55# The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested 56# IP number, forcing the peer to make the decision. This is necessary 57# when negotiating with some (broken) ppp implementations. 58# 59# This entry also works with static IP numbers or when not in -auto mode. 60# The ``add'' line adds a `sticky' default route that will be updated if 61# and when any of the IP numbers are changed in IPCP negotiations. 62# The "set ifaddr" is required in -auto mode only. 63# It's better to put the ``add'' line in ppp.linkup when not in -auto mode. 64# 65# Finally, the ``enable dns'' line tells ppp to ask the peer for the 66# nameserver addresses that should be used. This isn't always supported 67# by the other side, but if it is, ppp will update /etc/resolv.conf with 68# the correct nameserver values at connection time. 69# 70# The login script shown says that you're expecting ``ogin:''. If you 71# don't receive that, send a ``\n'' and expect ``ogin:'' again. When 72# it's received, send ``ppp'', expect ``word:'' then send ``ppp''. 73# You *MUST* customise this login script according to your local 74# requirements. 75# 76pmdemand: 77 set phone 1234567 78 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 79 set timeout 120 80 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 81 add default HISADDR 82 enable dns 83 84# If you want to use PAP or CHAP instead of using a unix-style login 85# procedure, do the following. Note, the peer suggests whether we 86# should send PAP or CHAP. By default, we send whatever we're asked for. 87# 88# You *MUST* customise ``MyName'' and ``MyKey'' below. 89# 90PAPorCHAPpmdemand: 91 set phone 1234567 92 set login 93 set authname MyName 94 set authkey MyKey 95 set timeout 120 96 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 97 add default HISADDR 98 enable dns 99 100# On demand dialup example with static IP addresses: 101# Here, the local side uses 192.244.185.226 and the remote side 102# uses 192.244.176.44. 103# 104# # ppp -auto ondemand 105# 106# With static IP numbers, our setup is similar to dynamic: 107# Remember, ppp.linkup is searched for a "192.244.176.44" label, then 108# a "ondemand" label, and finally the "MYADDR" label. 109# 110ondemand: 111 set phone 1234567 112 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 113 set timeout 120 114 set ifaddr 192.244.185.226 192.244.176.44 115 add default HISADDR 116 enable dns 117 118# Example segments 119# 120# The following lines may be included as part of your configuration 121# section and aren't themselves complete. They're provided as examples 122# of how to achieve different things. 123 124examples: 125# Multi-phone example. Numbers separated by a : are used sequentially. 126# Numbers separated by a | are used if the previous dial or login script 127# failed. Usually, you will prefer to use only one of | or :, but both 128# are allowed. 129# 130 set phone 12345678|12345679:12345670|12345671 131# 132# Ppp can accept control instructions from the ``pppctl'' program. 133# First, you must set up your control socket. It's safest to use 134# a UNIX domain socket, and watch the permissions: 135# 136 set server /var/tmp/internet MySecretPassword 0177 137# 138# Although a TCP port may be used if you want to allow control 139# connections from other machines: 140# 141 set server 6670 MySecretpassword 142# 143# If you don't like ppp's builtin chat, use an external one: 144# 145 set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\"" 146# 147# If we have a ``strange'' modem that must be re-initialized when we 148# hangup: 149# 150 set hangup "\"\" AT OK-AT-OK ATZ OK" 151# 152# To adjust logging without blowing away the setting in default: 153# 154 set log -command +tcp/ip 155# 156# To see log messages on the screen in interactive mode: 157# 158 set log local LCP IPCP CCP 159# 160# If you're seeing a lot of magic number problems and failed connections, 161# try this (see the man page): 162# 163 set openmode active 5 164# 165# For noisy lines, we may want to reconnect (up to 20 times) after loss 166# of carrier, with 3 second delays between each attempt: 167# 168 set reconnect 3 20 169# 170# When playing server for M$ clients, tell them who our NetBIOS name 171# servers are: 172# 173 set nbns 10.0.0.1 10.0.0.2 174# 175# Inform the client if they ask for our DNS IP numbers: 176# 177 enable dns 178# 179# If you don't want to tell them what's in your /etc/resolv.conf file 180# with `enable dns', override the values: 181# 182 set dns 10.0.0.1 10.0.0.2 183# 184# Some people like to prioritize DNS packets: 185# 186 set urgent udp +53 187# 188# If we're using the -nat switch, redirect ftp and http to an internal 189# machine: 190# 191 nat port tcp 10.0.0.2:ftp ftp 192 nat port tcp 10.0.0.2:http http 193# 194# or don't trust the outside at all 195# 196 nat deny_incoming yes 197# 198# I trust user brian to run ppp, so this goes in the `default' section: 199# 200 allow user brian 201# 202# But label `internet' contains passwords that even brian can't have, so 203# I empty out the user access list in that section so that only root can 204# have access: 205# 206 allow users 207# 208# I also may wish to set up my ppp login script so that it asks the client 209# for the label they wish to use. I may only want user ``dodgy'' to access 210# their own label in direct mode: 211# 212dodgy: 213 allow user dodgy 214 allow mode direct 215# 216# We don't want certain packets to keep our connection alive 217# 218 set filter alive 0 deny udp src eq 520 # routed 219 set filter alive 1 deny udp dst eq 520 # routed 220 set filter alive 2 deny udp src eq 513 # rwhod 221 set filter alive 3 deny udp src eq 525 # timed 222 set filter alive 4 deny udp src eq 137 # NetBIOS name service 223 set filter alive 5 deny udp src eq 138 # NetBIOS datagram service 224 set filter alive 6 deny udp src eq 139 # NetBIOS session service 225 set filter alive 7 deny udp dst eq 137 # NetBIOS name service 226 set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service 227 set filter alive 9 deny udp dst eq 139 # NetBIOS session service 228 set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside 229 set filter alive 11 permit 0/0 0/0 230# 231# And in auto mode, we don't want certain packets to cause a dialup 232# 233 set filter dial 0 deny udp src eq 513 # rwhod 234 set filter dial 1 deny udp src eq 525 # timed 235 set filter dial 2 deny udp src eq 137 # NetBIOS name service 236 set filter dial 3 deny udp src eq 138 # NetBIOS datagram service 237 set filter dial 4 deny udp src eq 139 # NetBIOS session service 238 set filter dial 5 deny udp dst eq 137 # NetBIOS name service 239 set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service 240 set filter dial 7 deny udp dst eq 139 # NetBIOS session service 241 set filter dial 8 deny tcp finrst # Badly closed TCP channels 242 set filter dial 9 permit 0 0 243# 244# Once the line's up, allow these connections 245# 246 set filter in 0 permit tcp dst eq 113 # ident 247 set filter out 0 permit tcp src eq 113 # ident 248 set filter in 1 permit tcp src eq 23 estab # telnet 249 set filter out 1 permit tcp dst eq 23 # telnet 250 set filter in 2 permit tcp src eq 21 estab # ftp 251 set filter out 2 permit tcp dst eq 21 # ftp 252 set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data 253 set filter out 3 permit tcp dst eq 20 # ftp-data 254 set filter in 4 permit udp src eq 53 # DNS 255 set filter out 4 permit udp dst eq 53 # DNS 256 set filter in 5 permit 192.244.191.0/24 0/0 # Where I work 257 set filter out 5 permit 0/0 192.244.191.0/24 # Where I work 258 set filter in 6 permit icmp # pings 259 set filter out 6 permit icmp # pings 260 set filter in 7 permit udp dst gt 33433 # traceroute 261 set filter out 7 permit udp dst gt 33433 # traceroute 262 263# 264# ``dodgynet'' is an example intended for an autodial configuration which 265# is connecting a local network to a host on an untrusted network. 266dodgynet: 267 set log Phase # Log link uptime 268 allow mode auto # For autoconnect only 269 set device /dev/cuaa1 # Define modem device and speed 270 set speed 115200 271 deny lqr # Don't support LQR 272 set phone 0W1194 # Remote system phone number, 273 set authname pppLogin # login 274 set authkey MyPassword # and password 275 set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer 276 TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 277 ATE1Q0M0 OK \\dATDT\\T \ 278 TIMEOUT 40 CONNECT" 279 set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system 280 gin:--gin: \\U word: \\P" 281 282 # Drop the link after 15 minutes of inactivity 283 # Inactivity is defined by the `set filter alive' line below 284 set timeout 900 285 286 # Hard-code remote system to appear within local subnet and use proxy arp 287 # to make this system the gateway for the rest of the local network 288 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 289 enable proxy 290 291 # Allow any TCP packet to keep the link alive 292 set filter alive 0 permit tcp 293 294 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or 295 # private TCP ports 24 and 4000 296 set filter dial 0 7 0 0 tcp dst eq http 297 set filter dial 1 7 0 0 tcp dst eq login 298 set filter dial 2 7 0 0 tcp dst eq shell 299 set filter dial 3 7 0 0 tcp dst eq telnet 300 set filter dial 4 7 0 0 tcp dst eq ftp 301 set filter dial 5 7 0 0 tcp dst eq 24 302 set filter dial 6 deny ! 0 0 tcp dst eq 4000 303 304 # From hosts on a couple of local subnets to the remote peer 305 # If the remote host allowed IP forwarding and we wanted to use it, the 306 # following rules could be split into two groups to separately validate 307 # the source and destination addresses. 308 set filter dial 7 permit 172.17.16.0/20 172.17.20.248 309 set filter dial 8 permit 172.17.36.0/22 172.17.20.248 310 set filter dial 9 permit 172.17.118.0/26 172.17.20.248 311 set filter dial 10 permit 10.123.5.0/24 172.17.20.248 312 313 # Once the link's up, limit outgoing access to the specified hosts 314 set filter out 0 4 172.17.16.0/20 172.17.20.248 315 set filter out 1 4 172.17.36.0/22 172.17.20.248 316 set filter out 2 4 172.17.118.0/26 172.17.20.248 317 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 318 319 # Allow established TCP connections 320 set filter out 4 permit 0 0 tcp estab 321 322 # And new connections to http, rlogin, rsh, telnet, ftp and ports 323 # 24 and 4000 324 set filter out 5 permit 0 0 tcp dst eq http 325 set filter out 6 permit 0 0 tcp dst eq login 326 set filter out 7 permit 0 0 tcp dst eq shell 327 set filter out 8 permit 0 0 tcp dst eq telnet 328 set filter out 9 permit 0 0 tcp dst eq ftp 329 set filter out 10 permit 0 0 tcp dst eq 24 330 set filter out 11 permit 0 0 tcp dst eq 4000 331 332 # And outgoing icmp 333 set filter out 12 permit 0 0 icmp 334 335 # Once the link's up, limit incoming access to the specified hosts 336 set filter in 0 4 172.17.20.248 172.17.16.0/20 337 set filter in 1 4 172.17.20.248 172.17.36.0/22 338 set filter in 2 4 172.17.20.248 172.17.118.0/26 339 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24 340 341 # Established TCP connections and non-PASV FTP 342 set filter in 4 permit 0/0 0/0 tcp estab 343 set filter in 5 permit 0/0 0/0 tcp src eq 20 344 345 # Useful ICMP messages 346 set filter in 6 permit 0/0 0/0 icmp src eq 3 347 set filter in 7 permit 0/0 0/0 icmp src eq 4 348 set filter in 8 permit 0/0 0/0 icmp src eq 11 349 set filter in 9 permit 0/0 0/0 icmp src eq 12 350 351 # Echo reply (local systems can ping the remote host) 352 set filter in 10 permit 0/0 0/0 icmp src eq 0 353 354 # And the remote host can ping the local gateway (only) 355 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 356 357 358# Server side PPP 359# 360# If you want the remote system to authenticate itself, you must insist 361# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and 362# PAP are disabled by default. You may enable either or both. If both 363# are enabled, CHAP is requested first. If the client doesn't agree, PAP 364# will then be requested. 365# 366# Note: If you use the getty/login process to authenticate users, you 367# don't need to enable CHAP or PAP, but the user that has logged 368# in *MUST* be a member of the ``network'' group (in /etc/group). 369# 370# Note: Chap80 and chap81 are Microsoft variations of standard chap (05). 371# 372# If you wish to allow any user in the passwd database ppp access, you 373# can ``enable passwdauth'', but this will only work with PAP. 374# 375# When the peer authenticates itself, we use ppp.secret for verification 376# (although refer to the ``set radius'' command below for an alternative). 377# 378# Note: We may supply a third field in ppp.secret specifying the IP 379# address for that user, a forth field to specify the 380# ppp.link{up,down} label to use and a fifth field to specify 381# callback characteristics. 382# 383# The easiest way to allow transparent LAN access to your dialin users 384# is to assign them a number from your local LAN and tell ppp to make a 385# ``proxy'' arp entry for them. In this example, we have a local LAN 386# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our 387# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to 388# override the dynamic IP number with a static IP number specified in 389# ppp.secret. 390# 391# Ppp is launched with: 392# # ppp -direct server 393# 394server: 395 enable chap chap80 chap81 pap passwdauth 396 enable proxy 397 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 398 accept dns 399 400# Example of a RADIUS configuration: 401# If there are one or more radius servers available, we can use them 402# instead of the ppp.secret file. Simply put then in a radius 403# configuration file (usually /etc/radius.conf) and give ppp the 404# file name. 405# Ppp will use the FRAMED characteristics supplied by the radius server 406# to configure the link. 407 408radius-server: 409 load server # load in the server config from above 410 set radius /etc/radius.conf 411 412 413# Example to connect using a null-modem cable: 414# The important thing here is to allow the lqr packets on both sides. 415# Without them enabled, we can't tell if the line's dropped - there 416# should always be carrier on a direct connection. 417# Here, the server sends lqr's every 10 seconds and quits if five in a 418# row fail. 419# 420# Make sure you don't have "deny lqr" in your default: on the client ! 421# If the peer denies LQR, we still send ECHO LQR packets at the given 422# lqrperiod interval (ppp-style-pings). 423# 424direct-client: 425 set dial 426 set device /dev/cuaa0 427 set sp 115200 428 set timeout 900 429 set lqrperiod 10 430 set log Phase Chat LQM 431 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO" 432 set ifaddr 10.0.4.2 10.0.4.1 433 enable lqr 434 accept lqr 435 436direct-server: 437 set timeout 0 438 set lqrperiod 10 439 set log Phase LQM 440 set ifaddr 10.0.4.1 10.0.4.2 441 enable lqr 442 accept lqr 443 444 445# Example to connect via compuserve 446# Compuserve insists on 7 bits even parity during the chat phase. Modem 447# parity is always reset to ``none'' after the link has been established. 448# 449compuserve: 450 set phone 1234567 451 set parity even 452 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \ 453 word: XXXXXXXX PPP" 454 set timeout 300 455 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 456 delete ALL 457 add default HISADDR 458 459 460# Example for PPP over TCP. 461# We assume that inetd on tcpsrv.mynet has been 462# configured to run "ppp -direct tcp-server" when it gets a connection on 463# port 1234 with an entry something like this in /etc/inetd.conf.: 464# 465# ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server 466# 467# with this in /etc/services: 468# 469# ppp 6671/tcp 470# 471# Read the man page for further details. 472# 473# Note, we assume we're using a binary-clean connection. If something 474# such as `rlogin' is involved, you may need to ``set escape 0xff'' 475# 476tcp-client: 477 set device tcpsrv.mynet:1234 478 set dial 479 set login 480 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 481 482tcp-server: 483 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 484 485 486# Using UDP is also possible with this in /etc/inetd.conf: 487# 488# ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server 489# 490# and this in /etc/services: 491# 492# ppp 6671/tcp 493# 494udp-client: 495 set device udpsrv.mynet:1234/udp 496 set dial 497 set login 498 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 499 500udp-server: 501 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 502 503 504# Example for PPP testing. 505# If you want to test ppp, do it through the loopback interface: 506# 507# Requires a line in /etc/services: 508# ppploop 6671/tcp # loopback ppp daemon 509# 510# and a line in /etc/inetd.conf: 511# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in 512# 513loop: 514 set timeout 0 515 set log phase chat connect lcp ipcp command 516 set device localhost:ppploop 517 set dial 518 set login 519 set ifaddr 127.0.0.2 127.0.0.3 520 set server /var/tmp/loop "" 0177 521 522loop-in: 523 set timeout 0 524 set log phase lcp ipcp command 525 allow mode direct 526 527# Example of a VPN. 528# If you're going to create a tunnel through a public network, your VPN 529# should be set up something like this: 530# 531# You should already have set up ssh using ssh-agent & ssh-add. 532# 533sloop: 534 load loop 535 # Passive mode allows ssh plenty of time to establish the connection 536 set openmode passive 537 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in" 538 539 540# or a better VPN solution (which doesn't run IP over a reliable 541# protocol like tcp) may be: 542# 543vpn-client: 544 set device udpsrv.mynet:1234/udp # PPP over UDP 545 set dial 546 set login 547 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 548 disable deflate pred1 549 deny deflate pred1 550 enable MPPE # With encryption 551 accept MPPE 552 553vpn-server: 554 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 555 disable deflate pred1 556 deny deflate pred1 557 enable MPPE 558 accept MPPE 559 enable chap81 # Required for MPPE 560 561# Example of non-PPP callback. 562# If you wish to connect to a server that will dial back *without* using 563# the ppp callback facility (rfc1570), take advantage of the fact that 564# ppp doesn't look for carrier 'till `set login' is complete: 565# 566# Here, we expect the server to say DIALBACK then disconnect after 567# we've authenticated ourselves. When this has happened, we wait 568# 60 seconds for a RING. 569# 570# Note, it's important that we tell ppp not to expect carrier, otherwise 571# we'll drop out at the ``NO CARRIER'' stage. 572# 573dialback: 574 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 575 ATDT\\T TIMEOUT 60 CONNECT" 576 set cd off 577 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \ 578 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT" 579 580# Example of PPP callback. 581# Alternatively, if the peer is using the PPP callback protocol, we're 582# happy either with ``auth'' style callback where the server dials us 583# back based on what we authenticate ourselves with, ``cbcp'' style 584# callback (invented by Microsoft but not agreed by the IETF) where 585# we negotiate callback *after* authentication or E.164 callback where 586# we specify only a phone number. I would recommend only ``auth'' and/or 587# ``cbcp'' callback methods. 588# For ``cbcp'', we insist that we choose ``1234567'' as the number that 589# the server must call back. 590# 591callback: 592 load pmdemand # load in the pmdemand config 593 set callback auth cbcp e.164 1234567 594 set cbcp 1234567 595 596# If we're running a ppp server that wants to only call back microsoft 597# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field): 598# 599callback-server: 600 load server 601 set callback cbcp 602 set cbcp 603 set log +cbcp 604 set redial 3 1 605 set device /dev/cuaa0 606 set speed 115200 607 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT" 608 609# Or if we want to allow authenticated clients to specify their own 610# callback number: 611# 612callback-server-client-decides: 613 load callback-server 614 set cbcp * 615 616# Multilink mode is available (rfc1990). 617# To enable multi-link capabilities, you must specify a MRRU. 1500 is 618# a reasonable value. To create new links, use the ``clone'' command 619# to duplicate an existing link. If you already have more than one 620# link, you must specify which link you wish to run the command on via 621# the ``link'' command. 622# 623# It's worth increasing your MTU and MRU slightly in multi-link mode to 624# prevent full packets from being fragmented. 625# 626# See ppp.conf.isdn for an example of how to do multi-link isdn. 627# 628# You can now ``dial'' specific links, or even dial all links at the 629# same time. The `dial' command may also be prefixed with a specific 630# link that should do the dialing. 631# 632mloop: 633 load loop 634 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 # Use any of these devices 635 set mode interactive 636 set mrru 1500 637 set mru 1504 # Room for the MP header 638 clone 1 2 3 639 link deflink remove 640 # dial 641 # link 2 dial 642 # link 3 dial 643 644mloop-in: 645 set timeout 0 # No idle timer 646 set log tun phase 647 allow mode direct 648 set mrru 1500 649 set mru 1504 # Room for the MP header 650 651# User supplied authentication: 652# It's possible to run ppp in the background while specifying a 653# program to use to obtain authentication details on demand. 654# This program would usually be a simple GUI that presents a 655# prompt to a known user. The ``chap-auth'' program is supplied 656# as an example (and requires tcl version 8.0). 657# 658CHAPprompt: 659 load PAPorCHAPpmdemand 660 set authkey !/usr/share/examples/ppp/chap-auth 661 662# It's possible to do the same sort of thing at the login prompt. 663# Here, after sending ``brian'' in response to the ``name'' prompt, 664# we're prompted with ``code:''. A window is then displayed on the 665# ``keep:0.0'' display and the typed response is sent to the peer 666# as the password. We then expect to see ``MTU'' and ``.'' in the 667# servers response. 668# 669loginprompt: 670 load pmdemand 671 set authname brian 672 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \ 673 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \ 674 AUTHNAME\" MTU \\c ." 675 676# ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache 677# the MAC address that connects to them, making it impossible to switch 678# your PPPoE connection between machines. 679# 680# The current implementation requires Netgraph, so it doesn't work with 681# OpenBSD or NetBSD. 682# 683# The client should be something like this: 684# 685pppoe: 686 set device PPPoE:de0:pppoe-in 687 set mru 1492 688 set mtu 1492 689 set speed sync 690 enable lqr 691 set cd 5 692 set dial 693 set login 694 set redial 0 0 695 696# And the server should be running 697# 698# /usr/libexec/pppoed -p pppoe-in fxp0 699# 700# See rc.conf(5) 701# 702pppoe-in: 703 allow mode direct # Only for use on server-side 704 set mru 1492 # Max allowed by the PPPoE spec 705 set mtu 1492 # Max allowed by the PPPoE spec 706 set speed sync # PPPoE is always synchronous 707 enable lqr proxy # Enable LQR and proxy-arp 708 enable chap pap passwdauth # Force client authentication 709 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers 710 accept dns # Allow DNS negotiation 711