ppp.conf.sample revision 75207
1################################################################# 2# 3# PPP Sample Configuration File 4# 5# Originally written by Toshiharu OHNO 6# 7# $FreeBSD: head/share/examples/ppp/ppp.conf.sample 75207 2001-04-05 01:25:42Z dd $ 8# 9################################################################# 10 11# This file is separated into sections. Each section is named with 12# a label starting in column 0 and followed directly by a ``:''. The 13# section continues until the next section. Blank lines and lines 14# beginning with ``#'' are ignored. All commands inside sections that do 15# not begin with ``!'' (e.g., ``!include'') *must* be indented by at least 16# one space or tab or they will not be recognized! 17# 18# Lines beginning with "!include" will ``include'' another file. You 19# may want to ``!include ~/.ppp.conf'' for backwards compatibility. 20# 21 22# Default setup. Always executed when PPP is invoked. 23# This section is *not* pre-loaded by the ``load'' or ``dial'' commands. 24# 25# This is the best place to specify your modem device, it's DTR rate, 26# your dial script and any logging specification. Logging specs should 27# be done first so that the results of subsequent commands are logged. 28# 29default: 30 set log Phase Chat LCP IPCP CCP tun command 31 set device /dev/cuaa1 32 set speed 115200 33 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \ 34 OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 35 36# Client side PPP 37# 38# Although the PPP protocol is a peer to peer protocol, we normally 39# consider the side that initiates the connection as the client and 40# the side that receives the connection as the server. Authentication 41# is required by the server either using a unix-style login procedure 42# or by demanding PAP or CHAP authentication from the client. 43# 44 45# An on demand example where we have dynamic IP addresses and wish to 46# use a unix-style login script: 47# 48# If the peer assigns us an arbitrary IP (most ISPs do this) and we 49# can't predict what their IP will be either, take a wild guess at 50# some IPs that you can't currently route to. Ppp can change this 51# when the link comes up. 52# 53# The /0 bit in "set ifaddr" says that we insist on 0 bits of the 54# specified IP actually being correct, therefore, the other side can assign 55# any IP number. 56# 57# The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested 58# IP number, forcing the peer to make the decision. This is necessary 59# when negotiating with some (broken) ppp implementations. 60# 61# This entry also works with static IP numbers or when not in -auto mode. 62# The ``add'' line adds a `sticky' default route that will be updated if 63# and when any of the IP numbers are changed in IPCP negotiations. 64# The "set ifaddr" is required in -auto mode only. 65# It's better to put the ``add'' line in ppp.linkup when not in -auto mode. 66# 67# Finally, the ``enable dns'' line tells ppp to ask the peer for the 68# nameserver addresses that should be used. This isn't always supported 69# by the other side, but if it is, ppp will update /etc/resolv.conf with 70# the correct nameserver values at connection time. 71# 72# The login script shown says that you're expecting ``ogin:''. If you 73# don't receive that, send a ``\n'' and expect ``ogin:'' again. When 74# it's received, send ``ppp'', expect ``word:'' then send ``ppp''. 75# You *MUST* customise this login script according to your local 76# requirements. 77# 78pmdemand: 79 set phone 1234567 80 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 81 set timeout 120 82 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 83 add default HISADDR 84 enable dns 85 86# If you want to use PAP or CHAP instead of using a unix-style login 87# procedure, do the following. Note, the peer suggests whether we 88# should send PAP or CHAP. By default, we send whatever we're asked for. 89# 90# You *MUST* customise ``MyName'' and ``MyKey'' below. 91# 92PAPorCHAPpmdemand: 93 set phone 1234567 94 set login 95 set authname MyName 96 set authkey MyKey 97 set timeout 120 98 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 99 add default HISADDR 100 enable dns 101 102# On demand dialup example with static IP addresses: 103# Here, the local side uses 192.244.185.226 and the remote side 104# uses 192.244.176.44. 105# 106# # ppp -auto ondemand 107# 108# With static IP numbers, our setup is similar to dynamic: 109# Remember, ppp.linkup is searched for a "192.244.176.44" label, then 110# a "ondemand" label, and finally the "MYADDR" label. 111# 112ondemand: 113 set phone 1234567 114 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 115 set timeout 120 116 set ifaddr 192.244.185.226 192.244.176.44 117 add default HISADDR 118 enable dns 119 120# Example segments 121# 122# The following lines may be included as part of your configuration 123# section and aren't themselves complete. They're provided as examples 124# of how to achieve different things. 125 126examples: 127# Multi-phone example. Numbers separated by a : are used sequentially. 128# Numbers separated by a | are used if the previous dial or login script 129# failed. Usually, you will prefer to use only one of | or :, but both 130# are allowed. 131# 132 set phone 12345678|12345679:12345670|12345671 133# 134# Ppp can accept control instructions from the ``pppctl'' program. 135# First, you must set up your control socket. It's safest to use 136# a UNIX domain socket, and watch the permissions: 137# 138 set server /var/tmp/internet MySecretPassword 0177 139# 140# Although a TCP port may be used if you want to allow control 141# connections from other machines: 142# 143 set server 6670 MySecretpassword 144# 145# If you don't like ppp's builtin chat, use an external one: 146# 147 set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\"" 148# 149# If we have a ``strange'' modem that must be re-initialized when we 150# hangup: 151# 152 set hangup "\"\" AT OK-AT-OK ATZ OK" 153# 154# To adjust logging without blowing away the setting in default: 155# 156 set log -command +tcp/ip 157# 158# To see log messages on the screen in interactive mode: 159# 160 set log local LCP IPCP CCP 161# 162# If you're seeing a lot of magic number problems and failed connections, 163# try this (see the man page): 164# 165 set openmode active 5 166# 167# For noisy lines, we may want to reconnect (up to 20 times) after loss 168# of carrier, with 3 second delays between each attempt: 169# 170 set reconnect 3 20 171# 172# When playing server for M$ clients, tell them who our NetBIOS name 173# servers are: 174# 175 set nbns 10.0.0.1 10.0.0.2 176# 177# Inform the client if they ask for our DNS IP numbers: 178# 179 enable dns 180# 181# If you don't want to tell them what's in your /etc/resolv.conf file 182# with `enable dns', override the values: 183# 184 set dns 10.0.0.1 10.0.0.2 185# 186# Some people like to prioritize DNS packets: 187# 188 set urgent udp +53 189# 190# If we're using the -nat switch, redirect ftp and http to an internal 191# machine: 192# 193 nat port tcp 10.0.0.2:ftp ftp 194 nat port tcp 10.0.0.2:http http 195# 196# or don't trust the outside at all 197# 198 nat deny_incoming yes 199# 200# I trust user brian to run ppp, so this goes in the `default' section: 201# 202 allow user brian 203# 204# But label `internet' contains passwords that even brian can't have, so 205# I empty out the user access list in that section so that only root can 206# have access: 207# 208 allow users 209# 210# I also may wish to set up my ppp login script so that it asks the client 211# for the label they wish to use. I may only want user ``dodgy'' to access 212# their own label in direct mode: 213# 214dodgy: 215 allow user dodgy 216 allow mode direct 217# 218# We don't want certain packets to keep our connection alive 219# 220 set filter alive 0 deny udp src eq 520 # routed 221 set filter alive 1 deny udp dst eq 520 # routed 222 set filter alive 2 deny udp src eq 513 # rwhod 223 set filter alive 3 deny udp src eq 525 # timed 224 set filter alive 4 deny udp src eq 137 # NetBIOS name service 225 set filter alive 5 deny udp src eq 138 # NetBIOS datagram service 226 set filter alive 6 deny udp src eq 139 # NetBIOS session service 227 set filter alive 7 deny udp dst eq 137 # NetBIOS name service 228 set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service 229 set filter alive 9 deny udp dst eq 139 # NetBIOS session service 230 set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside 231 set filter alive 11 permit 0/0 0/0 232# 233# And in auto mode, we don't want certain packets to cause a dialup 234# 235 set filter dial 0 deny udp src eq 513 # rwhod 236 set filter dial 1 deny udp src eq 525 # timed 237 set filter dial 2 deny udp src eq 137 # NetBIOS name service 238 set filter dial 3 deny udp src eq 138 # NetBIOS datagram service 239 set filter dial 4 deny udp src eq 139 # NetBIOS session service 240 set filter dial 5 deny udp dst eq 137 # NetBIOS name service 241 set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service 242 set filter dial 7 deny udp dst eq 139 # NetBIOS session service 243 set filter dial 8 deny tcp finrst # Badly closed TCP channels 244 set filter dial 9 permit 0 0 245# 246# Once the line's up, allow these connections 247# 248 set filter in 0 permit tcp dst eq 113 # ident 249 set filter out 0 permit tcp src eq 113 # ident 250 set filter in 1 permit tcp src eq 23 estab # telnet 251 set filter out 1 permit tcp dst eq 23 # telnet 252 set filter in 2 permit tcp src eq 21 estab # ftp 253 set filter out 2 permit tcp dst eq 21 # ftp 254 set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data 255 set filter out 3 permit tcp dst eq 20 # ftp-data 256 set filter in 4 permit udp src eq 53 # DNS 257 set filter out 4 permit udp dst eq 53 # DNS 258 set filter in 5 permit 192.244.191.0/24 0/0 # Where I work 259 set filter out 5 permit 0/0 192.244.191.0/24 # Where I work 260 set filter in 6 permit icmp # pings 261 set filter out 6 permit icmp # pings 262 set filter in 7 permit udp dst gt 33433 # traceroute 263 set filter out 7 permit udp dst gt 33433 # traceroute 264 265# 266# ``dodgynet'' is an example intended for an autodial configuration which 267# is connecting a local network to a host on an untrusted network. 268dodgynet: 269 set log Phase # Log link uptime 270 allow mode auto # For autoconnect only 271 set device /dev/cuaa1 # Define modem device and speed 272 set speed 115200 273 deny lqr # Don't support LQR 274 set phone 0W1194 # Remote system phone number, 275 set authname pppLogin # login 276 set authkey MyPassword # and password 277 set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer 278 TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 279 ATE1Q0M0 OK \\dATDT\\T \ 280 TIMEOUT 40 CONNECT" 281 set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system 282 gin:--gin: \\U word: \\P" 283 284 # Drop the link after 15 minutes of inactivity 285 # Inactivity is defined by the `set filter alive' line below 286 set timeout 900 287 288 # Hard-code remote system to appear within local subnet and use proxy arp 289 # to make this system the gateway for the rest of the local network 290 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 291 enable proxy 292 293 # Allow any TCP packet to keep the link alive 294 set filter alive 0 permit tcp 295 296 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or 297 # private TCP ports 24 and 4000 298 set filter dial 0 7 0 0 tcp dst eq http 299 set filter dial 1 7 0 0 tcp dst eq login 300 set filter dial 2 7 0 0 tcp dst eq shell 301 set filter dial 3 7 0 0 tcp dst eq telnet 302 set filter dial 4 7 0 0 tcp dst eq ftp 303 set filter dial 5 7 0 0 tcp dst eq 24 304 set filter dial 6 deny ! 0 0 tcp dst eq 4000 305 306 # From hosts on a couple of local subnets to the remote peer 307 # If the remote host allowed IP forwarding and we wanted to use it, the 308 # following rules could be split into two groups to separately validate 309 # the source and destination addresses. 310 set filter dial 7 permit 172.17.16.0/20 172.17.20.248 311 set filter dial 8 permit 172.17.36.0/22 172.17.20.248 312 set filter dial 9 permit 172.17.118.0/26 172.17.20.248 313 set filter dial 10 permit 10.123.5.0/24 172.17.20.248 314 315 # Once the link's up, limit outgoing access to the specified hosts 316 set filter out 0 4 172.17.16.0/20 172.17.20.248 317 set filter out 1 4 172.17.36.0/22 172.17.20.248 318 set filter out 2 4 172.17.118.0/26 172.17.20.248 319 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 320 321 # Allow established TCP connections 322 set filter out 4 permit 0 0 tcp estab 323 324 # And new connections to http, rlogin, rsh, telnet, ftp and ports 325 # 24 and 4000 326 set filter out 5 permit 0 0 tcp dst eq http 327 set filter out 6 permit 0 0 tcp dst eq login 328 set filter out 7 permit 0 0 tcp dst eq shell 329 set filter out 8 permit 0 0 tcp dst eq telnet 330 set filter out 9 permit 0 0 tcp dst eq ftp 331 set filter out 10 permit 0 0 tcp dst eq 24 332 set filter out 11 permit 0 0 tcp dst eq 4000 333 334 # And outgoing icmp 335 set filter out 12 permit 0 0 icmp 336 337 # Once the link's up, limit incoming access to the specified hosts 338 set filter in 0 4 172.17.20.248 172.17.16.0/20 339 set filter in 1 4 172.17.20.248 172.17.36.0/22 340 set filter in 2 4 172.17.20.248 172.17.118.0/26 341 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24 342 343 # Established TCP connections and non-PASV FTP 344 set filter in 4 permit 0/0 0/0 tcp estab 345 set filter in 5 permit 0/0 0/0 tcp src eq 20 346 347 # Useful ICMP messages 348 set filter in 6 permit 0/0 0/0 icmp src eq 3 349 set filter in 7 permit 0/0 0/0 icmp src eq 4 350 set filter in 8 permit 0/0 0/0 icmp src eq 11 351 set filter in 9 permit 0/0 0/0 icmp src eq 12 352 353 # Echo reply (local systems can ping the remote host) 354 set filter in 10 permit 0/0 0/0 icmp src eq 0 355 356 # And the remote host can ping the local gateway (only) 357 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 358 359 360# Server side PPP 361# 362# If you want the remote system to authenticate itself, you must insist 363# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and 364# PAP are disabled by default. You may enable either or both. If both 365# are enabled, CHAP is requested first. If the client doesn't agree, PAP 366# will then be requested. 367# 368# Note: If you use the getty/login process to authenticate users, you 369# don't need to enable CHAP or PAP, but the user that has logged 370# in *MUST* be a member of the ``network'' group (in /etc/group). 371# 372# Note: Chap80 and chap81 are Microsoft variations of standard chap (05). 373# 374# If you wish to allow any user in the passwd database ppp access, you 375# can ``enable passwdauth'', but this will only work with PAP. 376# 377# When the peer authenticates itself, we use ppp.secret for verification 378# (although refer to the ``set radius'' command below for an alternative). 379# 380# Note: We may supply a third field in ppp.secret specifying the IP 381# address for that user, a forth field to specify the 382# ppp.link{up,down} label to use and a fifth field to specify 383# callback characteristics. 384# 385# The easiest way to allow transparent LAN access to your dialin users 386# is to assign them a number from your local LAN and tell ppp to make a 387# ``proxy'' arp entry for them. In this example, we have a local LAN 388# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our 389# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to 390# override the dynamic IP number with a static IP number specified in 391# ppp.secret. 392# 393# Ppp is launched with: 394# # ppp -direct server 395# 396server: 397 enable chap chap80 chap81 pap passwdauth 398 enable proxy 399 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 400 accept dns 401 402# Example of a RADIUS configuration: 403# If there are one or more radius servers available, we can use them 404# instead of the ppp.secret file. Simply put then in a radius 405# configuration file (usually /etc/radius.conf) and give ppp the 406# file name. 407# Ppp will use the FRAMED characteristics supplied by the radius server 408# to configure the link. 409 410radius-server: 411 load server # load in the server config from above 412 set radius /etc/radius.conf 413 414 415# Example to connect using a null-modem cable: 416# The important thing here is to allow the lqr packets on both sides. 417# Without them enabled, we can't tell if the line's dropped - there 418# should always be carrier on a direct connection. 419# Here, the server sends lqr's every 10 seconds and quits if five in a 420# row fail. 421# 422# Make sure you don't have "deny lqr" in your default: on the client ! 423# If the peer denies LQR, we still send ECHO LQR packets at the given 424# lqrperiod interval (ppp-style-pings). 425# 426direct-client: 427 set dial 428 set device /dev/cuaa0 429 set sp 115200 430 set timeout 900 431 set lqrperiod 10 432 set log Phase Chat LQM 433 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO" 434 set ifaddr 10.0.4.2 10.0.4.1 435 enable lqr 436 accept lqr 437 438direct-server: 439 set timeout 0 440 set lqrperiod 10 441 set log Phase LQM 442 set ifaddr 10.0.4.1 10.0.4.2 443 enable lqr 444 accept lqr 445 446 447# Example to connect via compuserve 448# Compuserve insists on 7 bits even parity during the chat phase. Modem 449# parity is always reset to ``none'' after the link has been established. 450# 451compuserve: 452 set phone 1234567 453 set parity even 454 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \ 455 word: XXXXXXXX PPP" 456 set timeout 300 457 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 458 delete ALL 459 add default HISADDR 460 461 462# Example for PPP over TCP. 463# We assume that inetd on tcpsrv.mynet has been 464# configured to run "ppp -direct tcp-server" when it gets a connection on 465# port 1234 with an entry something like this in /etc/inetd.conf.: 466# 467# ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server 468# 469# with this in /etc/services: 470# 471# ppp 6671/tcp 472# 473# Read the man page for further details. 474# 475# Note, we assume we're using a binary-clean connection. If something 476# such as `rlogin' is involved, you may need to ``set escape 0xff'' 477# 478tcp-client: 479 set device tcpsrv.mynet:1234 480 set dial 481 set login 482 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 483 484tcp-server: 485 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 486 487 488# Using UDP is also possible with this in /etc/inetd.conf: 489# 490# ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server 491# 492# and this in /etc/services: 493# 494# ppp 6671/tcp 495# 496udp-client: 497 set device udpsrv.mynet:1234/udp 498 set dial 499 set login 500 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 501 502udp-server: 503 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 504 505 506# Example for PPP testing. 507# If you want to test ppp, do it through the loopback interface: 508# 509# Requires a line in /etc/services: 510# ppploop 6671/tcp # loopback ppp daemon 511# 512# and a line in /etc/inetd.conf: 513# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in 514# 515loop: 516 set timeout 0 517 set log phase chat connect lcp ipcp command 518 set device localhost:ppploop 519 set dial 520 set login 521 set ifaddr 127.0.0.2 127.0.0.3 522 set server /var/tmp/loop "" 0177 523 524loop-in: 525 set timeout 0 526 set log phase lcp ipcp command 527 allow mode direct 528 529# Example of a VPN. 530# If you're going to create a tunnel through a public network, your VPN 531# should be set up something like this: 532# 533# You should already have set up ssh using ssh-agent & ssh-add. 534# 535sloop: 536 load loop 537 # Passive mode allows ssh plenty of time to establish the connection 538 set openmode passive 539 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in" 540 541 542# or a better VPN solution (which doesn't run IP over a reliable 543# protocol like tcp) may be: 544# 545vpn-client: 546 set device udpsrv.mynet:1234/udp # PPP over UDP 547 set dial 548 set login 549 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 550 disable deflate pred1 551 deny deflate pred1 552 enable MPPE # With encryption 553 accept MPPE 554 555vpn-server: 556 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 557 disable deflate pred1 558 deny deflate pred1 559 enable MPPE 560 accept MPPE 561 enable chap81 # Required for MPPE 562 563# Example of non-PPP callback. 564# If you wish to connect to a server that will dial back *without* using 565# the ppp callback facility (rfc1570), take advantage of the fact that 566# ppp doesn't look for carrier 'till `set login' is complete: 567# 568# Here, we expect the server to say DIALBACK then disconnect after 569# we've authenticated ourselves. When this has happened, we wait 570# 60 seconds for a RING. 571# 572# Note, it's important that we tell ppp not to expect carrier, otherwise 573# we'll drop out at the ``NO CARRIER'' stage. 574# 575dialback: 576 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 577 ATDT\\T TIMEOUT 60 CONNECT" 578 set cd off 579 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \ 580 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT" 581 582# Example of PPP callback. 583# Alternatively, if the peer is using the PPP callback protocol, we're 584# happy either with ``auth'' style callback where the server dials us 585# back based on what we authenticate ourselves with, ``cbcp'' style 586# callback (invented by Microsoft but not agreed by the IETF) where 587# we negotiate callback *after* authentication or E.164 callback where 588# we specify only a phone number. I would recommend only ``auth'' and/or 589# ``cbcp'' callback methods. 590# For ``cbcp'', we insist that we choose ``1234567'' as the number that 591# the server must call back. 592# 593callback: 594 load pmdemand # load in the pmdemand config 595 set callback auth cbcp e.164 1234567 596 set cbcp 1234567 597 598# If we're running a ppp server that wants to only call back microsoft 599# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field): 600# 601callback-server: 602 load server 603 set callback cbcp 604 set cbcp 605 set log +cbcp 606 set redial 3 1 607 set device /dev/cuaa0 608 set speed 115200 609 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT" 610 611# Or if we want to allow authenticated clients to specify their own 612# callback number: 613# 614callback-server-client-decides: 615 load callback-server 616 set cbcp * 617 618# Multilink mode is available (rfc1990). 619# To enable multi-link capabilities, you must specify a MRRU. 1500 is 620# a reasonable value. To create new links, use the ``clone'' command 621# to duplicate an existing link. If you already have more than one 622# link, you must specify which link you wish to run the command on via 623# the ``link'' command. 624# 625# It's worth increasing your MTU and MRU slightly in multi-link mode to 626# prevent full packets from being fragmented. 627# 628# See ppp.conf.isdn for an example of how to do multi-link isdn. 629# 630# You can now ``dial'' specific links, or even dial all links at the 631# same time. The `dial' command may also be prefixed with a specific 632# link that should do the dialing. 633# 634mloop: 635 load loop 636 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 # Use any of these devices 637 set mode interactive 638 set mrru 1500 639 set mru 1504 # Room for the MP header 640 clone 1 2 3 641 link deflink remove 642 # dial 643 # link 2 dial 644 # link 3 dial 645 646mloop-in: 647 set timeout 0 # No idle timer 648 set log tun phase 649 allow mode direct 650 set mrru 1500 651 set mru 1504 # Room for the MP header 652 653# User supplied authentication: 654# It's possible to run ppp in the background while specifying a 655# program to use to obtain authentication details on demand. 656# This program would usually be a simple GUI that presents a 657# prompt to a known user. The ``chap-auth'' program is supplied 658# as an example (and requires tcl version 8.0). 659# 660CHAPprompt: 661 load PAPorCHAPpmdemand 662 set authkey !/usr/share/examples/ppp/chap-auth 663 664# It's possible to do the same sort of thing at the login prompt. 665# Here, after sending ``brian'' in response to the ``name'' prompt, 666# we're prompted with ``code:''. A window is then displayed on the 667# ``keep:0.0'' display and the typed response is sent to the peer 668# as the password. We then expect to see ``MTU'' and ``.'' in the 669# servers response. 670# 671loginprompt: 672 load pmdemand 673 set authname brian 674 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \ 675 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \ 676 AUTHNAME\" MTU \\c ." 677 678# ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache 679# the MAC address that connects to them, making it impossible to switch 680# your PPPoE connection between machines. 681# 682# The current implementation requires Netgraph, so it doesn't work with 683# OpenBSD or NetBSD. 684# 685# The client should be something like this: 686# 687pppoe: 688 set device PPPoE:de0:pppoe-in 689 set mru 1492 690 set mtu 1492 691 set speed sync 692 enable lqr 693 set cd 5 694 set dial 695 set login 696 set redial 0 0 697 698# And the server should be running 699# 700# /usr/libexec/pppoed -p pppoe-in fxp0 701# 702# See rc.conf(5) 703# 704pppoe-in: 705 allow mode direct # Only for use on server-side 706 set mru 1492 # Max allowed by the PPPoE spec 707 set mtu 1492 # Max allowed by the PPPoE spec 708 set speed sync # PPPoE is always synchronous 709 enable lqr proxy # Enable LQR and proxy-arp 710 enable chap pap passwdauth # Force client authentication 711 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers 712 accept dns # Allow DNS negotiation 713