ppp.conf.sample revision 76363
1################################################################# 2# 3# PPP Sample Configuration File 4# 5# Originally written by Toshiharu OHNO 6# 7# $FreeBSD: head/share/examples/ppp/ppp.conf.sample 76363 2001-05-08 08:58:57Z brian $ 8# 9################################################################# 10 11# This file is separated into sections. Each section is named with 12# a label starting in column 0 and followed directly by a ``:''. The 13# section continues until the next label. Blank lines and characters 14# after a ``#'' are ignored (a literal ``#'' must be escaped with a ``\'' 15# or quoted with ""). All commands inside sections that do not begin 16# with ``!'' (e.g., ``!include'') *must* be indented by at least one 17# space or tab or they will not be recognized! 18# 19# Lines beginning with "!include" will ``include'' another file. You 20# may want to ``!include ~/.ppp.conf'' for backwards compatibility. 21# 22 23# Default setup. Always executed when PPP is invoked. 24# This section is *not* pre-loaded by the ``load'' or ``dial'' commands. 25# 26# This is the best place to specify your modem device, it's DTR rate, 27# your dial script and any logging specification. Logging specs should 28# be done first so that the results of subsequent commands are logged. 29# 30default: 31 set log Phase Chat LCP IPCP CCP tun command 32 set device /dev/cuaa1 33 set speed 115200 34 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \ 35 OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" 36 37# Client side PPP 38# 39# Although the PPP protocol is a peer to peer protocol, we normally 40# consider the side that initiates the connection as the client and 41# the side that receives the connection as the server. Authentication 42# is required by the server either using a unix-style login procedure 43# or by demanding PAP or CHAP authentication from the client. 44# 45 46# An on demand example where we have dynamic IP addresses and wish to 47# use a unix-style login script: 48# 49# If the peer assigns us an arbitrary IP (most ISPs do this) and we 50# can't predict what their IP will be either, take a wild guess at 51# some IPs that you can't currently route to. Ppp can change this 52# when the link comes up. 53# 54# The /0 bit in "set ifaddr" says that we insist on 0 bits of the 55# specified IP actually being correct, therefore, the other side can assign 56# any IP number. 57# 58# The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested 59# IP number, forcing the peer to make the decision. This is necessary 60# when negotiating with some (broken) ppp implementations. 61# 62# This entry also works with static IP numbers or when not in -auto mode. 63# The ``add'' line adds a `sticky' default route that will be updated if 64# and when any of the IP numbers are changed in IPCP negotiations. 65# The "set ifaddr" is required in -auto mode only. 66# It's better to put the ``add'' line in ppp.linkup when not in -auto mode. 67# 68# Finally, the ``enable dns'' line tells ppp to ask the peer for the 69# nameserver addresses that should be used. This isn't always supported 70# by the other side, but if it is, ppp will update /etc/resolv.conf with 71# the correct nameserver values at connection time. 72# 73# The login script shown says that you're expecting ``ogin:''. If you 74# don't receive that, send a ``\n'' and expect ``ogin:'' again. When 75# it's received, send ``ppp'', expect ``word:'' then send ``ppp''. 76# You *MUST* customise this login script according to your local 77# requirements. 78# 79pmdemand: 80 set phone 1234567 81 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 82 set timeout 120 83 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 84 add default HISADDR 85 enable dns 86 87# If you want to use PAP or CHAP instead of using a unix-style login 88# procedure, do the following. Note, the peer suggests whether we 89# should send PAP or CHAP. By default, we send whatever we're asked for. 90# 91# You *MUST* customise ``MyName'' and ``MyKey'' below. 92# 93PAPorCHAPpmdemand: 94 set phone 1234567 95 set login 96 set authname MyName 97 set authkey MyKey 98 set timeout 120 99 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 100 add default HISADDR 101 enable dns 102 103# On demand dialup example with static IP addresses: 104# Here, the local side uses 192.244.185.226 and the remote side 105# uses 192.244.176.44. 106# 107# # ppp -auto ondemand 108# 109# With static IP numbers, our setup is similar to dynamic: 110# Remember, ppp.linkup is searched for a "192.244.176.44" label, then 111# a "ondemand" label, and finally the "MYADDR" label. 112# 113ondemand: 114 set phone 1234567 115 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" 116 set timeout 120 117 set ifaddr 192.244.185.226 192.244.176.44 118 add default HISADDR 119 enable dns 120 121# Example segments 122# 123# The following lines may be included as part of your configuration 124# section and aren't themselves complete. They're provided as examples 125# of how to achieve different things. 126 127examples: 128# Multi-phone example. Numbers separated by a : are used sequentially. 129# Numbers separated by a | are used if the previous dial or login script 130# failed. Usually, you will prefer to use only one of | or :, but both 131# are allowed. 132# 133 set phone 12345678|12345679:12345670|12345671 134# 135# Some phone numbers may include # characters - don't forget to escape 136# (or quote) them: 137# 138 set phone "12345##678" 139# 140# Ppp can accept control instructions from the ``pppctl'' program. 141# First, you must set up your control socket. It's safest to use 142# a UNIX domain socket, and watch the permissions: 143# 144 set server /var/tmp/internet MySecretPassword 0177 145# 146# Although a TCP port may be used if you want to allow control 147# connections from other machines: 148# 149 set server 6670 MySecretpassword 150# 151# If you don't like ppp's builtin chat, use an external one: 152# 153 set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\"" 154# 155# If we have a ``strange'' modem that must be re-initialized when we 156# hangup: 157# 158 set hangup "\"\" AT OK-AT-OK ATZ OK" 159# 160# To adjust logging without blowing away the setting in default: 161# 162 set log -command +tcp/ip 163# 164# To see log messages on the screen in interactive mode: 165# 166 set log local LCP IPCP CCP 167# 168# If you're seeing a lot of magic number problems and failed connections, 169# try this (see the man page): 170# 171 set openmode active 5 172# 173# For noisy lines, we may want to reconnect (up to 20 times) after loss 174# of carrier, with 3 second delays between each attempt: 175# 176 set reconnect 3 20 177# 178# When playing server for M$ clients, tell them who our NetBIOS name 179# servers are: 180# 181 set nbns 10.0.0.1 10.0.0.2 182# 183# Inform the client if they ask for our DNS IP numbers: 184# 185 enable dns 186# 187# If you don't want to tell them what's in your /etc/resolv.conf file 188# with `enable dns', override the values: 189# 190 set dns 10.0.0.1 10.0.0.2 191# 192# Some people like to prioritize DNS packets: 193# 194 set urgent udp +53 195# 196# If we're using the -nat switch, redirect ftp and http to an internal 197# machine: 198# 199 nat port tcp 10.0.0.2:ftp ftp 200 nat port tcp 10.0.0.2:http http 201# 202# or don't trust the outside at all 203# 204 nat deny_incoming yes 205# 206# I trust user brian to run ppp, so this goes in the `default' section: 207# 208 allow user brian 209# 210# But label `internet' contains passwords that even brian can't have, so 211# I empty out the user access list in that section so that only root can 212# have access: 213# 214 allow users 215# 216# I also may wish to set up my ppp login script so that it asks the client 217# for the label they wish to use. I may only want user ``dodgy'' to access 218# their own label in direct mode: 219# 220dodgy: 221 allow user dodgy 222 allow mode direct 223# 224# We don't want certain packets to keep our connection alive 225# 226 set filter alive 0 deny udp src eq 520 # routed 227 set filter alive 1 deny udp dst eq 520 # routed 228 set filter alive 2 deny udp src eq 513 # rwhod 229 set filter alive 3 deny udp src eq 525 # timed 230 set filter alive 4 deny udp src eq 137 # NetBIOS name service 231 set filter alive 5 deny udp src eq 138 # NetBIOS datagram service 232 set filter alive 6 deny udp src eq 139 # NetBIOS session service 233 set filter alive 7 deny udp dst eq 137 # NetBIOS name service 234 set filter alive 8 deny udp dst eq 138 # NetBIOS datagram service 235 set filter alive 9 deny udp dst eq 139 # NetBIOS session service 236 set filter alive 10 deny 0/0 MYADDR icmp # Ping to us from outside 237 set filter alive 11 permit 0/0 0/0 238# 239# And in auto mode, we don't want certain packets to cause a dialup 240# 241 set filter dial 0 deny udp src eq 513 # rwhod 242 set filter dial 1 deny udp src eq 525 # timed 243 set filter dial 2 deny udp src eq 137 # NetBIOS name service 244 set filter dial 3 deny udp src eq 138 # NetBIOS datagram service 245 set filter dial 4 deny udp src eq 139 # NetBIOS session service 246 set filter dial 5 deny udp dst eq 137 # NetBIOS name service 247 set filter dial 6 deny udp dst eq 138 # NetBIOS datagram service 248 set filter dial 7 deny udp dst eq 139 # NetBIOS session service 249 set filter dial 8 deny tcp finrst # Badly closed TCP channels 250 set filter dial 9 permit 0 0 251# 252# Once the line's up, allow these connections 253# 254 set filter in 0 permit tcp dst eq 113 # ident 255 set filter out 0 permit tcp src eq 113 # ident 256 set filter in 1 permit tcp src eq 23 estab # telnet 257 set filter out 1 permit tcp dst eq 23 # telnet 258 set filter in 2 permit tcp src eq 21 estab # ftp 259 set filter out 2 permit tcp dst eq 21 # ftp 260 set filter in 3 permit tcp src eq 20 dst gt 1023 # ftp-data 261 set filter out 3 permit tcp dst eq 20 # ftp-data 262 set filter in 4 permit udp src eq 53 # DNS 263 set filter out 4 permit udp dst eq 53 # DNS 264 set filter in 5 permit 192.244.191.0/24 0/0 # Where I work 265 set filter out 5 permit 0/0 192.244.191.0/24 # Where I work 266 set filter in 6 permit icmp # pings 267 set filter out 6 permit icmp # pings 268 set filter in 7 permit udp dst gt 33433 # traceroute 269 set filter out 7 permit udp dst gt 33433 # traceroute 270 271# 272# ``dodgynet'' is an example intended for an autodial configuration which 273# is connecting a local network to a host on an untrusted network. 274dodgynet: 275 set log Phase # Log link uptime 276 allow mode auto # For autoconnect only 277 set device /dev/cuaa1 # Define modem device and speed 278 set speed 115200 279 deny lqr # Don't support LQR 280 set phone 0W1194 # Remote system phone number, 281 set authname pppLogin # login 282 set authkey MyPassword # and password 283 set dial "ABORT BUSY ABORT NO\\sCARRIER \ # Chat script to dial the peer 284 TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 285 ATE1Q0M0 OK \\dATDT\\T \ 286 TIMEOUT 40 CONNECT" 287 set login "TIMEOUT 10 \"\" \"\" \ # And to login to remote system 288 gin:--gin: \\U word: \\P" 289 290 # Drop the link after 15 minutes of inactivity 291 # Inactivity is defined by the `set filter alive' line below 292 set timeout 900 293 294 # Hard-code remote system to appear within local subnet and use proxy arp 295 # to make this system the gateway for the rest of the local network 296 set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 297 enable proxy 298 299 # Allow any TCP packet to keep the link alive 300 set filter alive 0 permit tcp 301 302 # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or 303 # private TCP ports 24 and 4000 304 set filter dial 0 7 0 0 tcp dst eq http 305 set filter dial 1 7 0 0 tcp dst eq login 306 set filter dial 2 7 0 0 tcp dst eq shell 307 set filter dial 3 7 0 0 tcp dst eq telnet 308 set filter dial 4 7 0 0 tcp dst eq ftp 309 set filter dial 5 7 0 0 tcp dst eq 24 310 set filter dial 6 deny ! 0 0 tcp dst eq 4000 311 312 # From hosts on a couple of local subnets to the remote peer 313 # If the remote host allowed IP forwarding and we wanted to use it, the 314 # following rules could be split into two groups to separately validate 315 # the source and destination addresses. 316 set filter dial 7 permit 172.17.16.0/20 172.17.20.248 317 set filter dial 8 permit 172.17.36.0/22 172.17.20.248 318 set filter dial 9 permit 172.17.118.0/26 172.17.20.248 319 set filter dial 10 permit 10.123.5.0/24 172.17.20.248 320 321 # Once the link's up, limit outgoing access to the specified hosts 322 set filter out 0 4 172.17.16.0/20 172.17.20.248 323 set filter out 1 4 172.17.36.0/22 172.17.20.248 324 set filter out 2 4 172.17.118.0/26 172.17.20.248 325 set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 326 327 # Allow established TCP connections 328 set filter out 4 permit 0 0 tcp estab 329 330 # And new connections to http, rlogin, rsh, telnet, ftp and ports 331 # 24 and 4000 332 set filter out 5 permit 0 0 tcp dst eq http 333 set filter out 6 permit 0 0 tcp dst eq login 334 set filter out 7 permit 0 0 tcp dst eq shell 335 set filter out 8 permit 0 0 tcp dst eq telnet 336 set filter out 9 permit 0 0 tcp dst eq ftp 337 set filter out 10 permit 0 0 tcp dst eq 24 338 set filter out 11 permit 0 0 tcp dst eq 4000 339 340 # And outgoing icmp 341 set filter out 12 permit 0 0 icmp 342 343 # Once the link's up, limit incoming access to the specified hosts 344 set filter in 0 4 172.17.20.248 172.17.16.0/20 345 set filter in 1 4 172.17.20.248 172.17.36.0/22 346 set filter in 2 4 172.17.20.248 172.17.118.0/26 347 set filter in 3 deny ! 172.17.20.248 10.123.5.0/24 348 349 # Established TCP connections and non-PASV FTP 350 set filter in 4 permit 0/0 0/0 tcp estab 351 set filter in 5 permit 0/0 0/0 tcp src eq 20 352 353 # Useful ICMP messages 354 set filter in 6 permit 0/0 0/0 icmp src eq 3 355 set filter in 7 permit 0/0 0/0 icmp src eq 4 356 set filter in 8 permit 0/0 0/0 icmp src eq 11 357 set filter in 9 permit 0/0 0/0 icmp src eq 12 358 359 # Echo reply (local systems can ping the remote host) 360 set filter in 10 permit 0/0 0/0 icmp src eq 0 361 362 # And the remote host can ping the local gateway (only) 363 set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 364 365 366# Server side PPP 367# 368# If you want the remote system to authenticate itself, you must insist 369# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and 370# PAP are disabled by default. You may enable either or both. If both 371# are enabled, CHAP is requested first. If the client doesn't agree, PAP 372# will then be requested. 373# 374# Note: If you use the getty/login process to authenticate users, you 375# don't need to enable CHAP or PAP, but the user that has logged 376# in *MUST* be a member of the ``network'' group (in /etc/group). 377# 378# Note: Chap80 and chap81 are Microsoft variations of standard chap (05). 379# 380# If you wish to allow any user in the passwd database ppp access, you 381# can ``enable passwdauth'', but this will only work with PAP. 382# 383# When the peer authenticates itself, we use ppp.secret for verification 384# (although refer to the ``set radius'' command below for an alternative). 385# 386# Note: We may supply a third field in ppp.secret specifying the IP 387# address for that user, a forth field to specify the 388# ppp.link{up,down} label to use and a fifth field to specify 389# callback characteristics. 390# 391# The easiest way to allow transparent LAN access to your dialin users 392# is to assign them a number from your local LAN and tell ppp to make a 393# ``proxy'' arp entry for them. In this example, we have a local LAN 394# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our 395# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to 396# override the dynamic IP number with a static IP number specified in 397# ppp.secret. 398# 399# Ppp is launched with: 400# # ppp -direct server 401# 402server: 403 enable chap chap80 chap81 pap passwdauth 404 enable proxy 405 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 406 accept dns 407 408# Example of a RADIUS configuration: 409# If there are one or more radius servers available, we can use them 410# instead of the ppp.secret file. Simply put then in a radius 411# configuration file (usually /etc/radius.conf) and give ppp the 412# file name. 413# Ppp will use the FRAMED characteristics supplied by the radius server 414# to configure the link. 415 416radius-server: 417 load server # load in the server config from above 418 set radius /etc/radius.conf 419 420 421# Example to connect using a null-modem cable: 422# The important thing here is to allow the lqr packets on both sides. 423# Without them enabled, we can't tell if the line's dropped - there 424# should always be carrier on a direct connection. 425# Here, the server sends lqr's every 10 seconds and quits if five in a 426# row fail. 427# 428# Make sure you don't have "deny lqr" in your default: on the client ! 429# If the peer denies LQR, we still send ECHO LQR packets at the given 430# lqrperiod interval (ppp-style-pings). 431# 432direct-client: 433 set dial 434 set device /dev/cuaa0 435 set sp 115200 436 set timeout 900 437 set lqrperiod 10 438 set log Phase Chat LQM 439 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO" 440 set ifaddr 10.0.4.2 10.0.4.1 441 enable lqr 442 accept lqr 443 444direct-server: 445 set timeout 0 446 set lqrperiod 10 447 set log Phase LQM 448 set ifaddr 10.0.4.1 10.0.4.2 449 enable lqr 450 accept lqr 451 452 453# Example to connect via compuserve 454# Compuserve insists on 7 bits even parity during the chat phase. Modem 455# parity is always reset to ``none'' after the link has been established. 456# 457compuserve: 458 set phone 1234567 459 set parity even 460 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \ 461 word: XXXXXXXX PPP" 462 set timeout 300 463 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 464 delete ALL 465 add default HISADDR 466 467 468# Example for PPP over TCP. 469# We assume that inetd on tcpsrv.mynet has been 470# configured to run "ppp -direct tcp-server" when it gets a connection on 471# port 1234 with an entry something like this in /etc/inetd.conf.: 472# 473# ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server 474# 475# with this in /etc/services: 476# 477# ppp 6671/tcp 478# 479# Read the man page for further details. 480# 481# Note, we assume we're using a binary-clean connection. If something 482# such as `rlogin' is involved, you may need to ``set escape 0xff'' 483# 484tcp-client: 485 set device tcpsrv.mynet:1234 486 set dial 487 set login 488 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 489 490tcp-server: 491 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 492 493 494# Using UDP is also possible with this in /etc/inetd.conf: 495# 496# ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server 497# 498# and this in /etc/services: 499# 500# ppp 6671/tcp 501# 502udp-client: 503 set device udpsrv.mynet:1234/udp 504 set dial 505 set login 506 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 507 508udp-server: 509 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 510 511 512# Example for PPP testing. 513# If you want to test ppp, do it through the loopback interface: 514# 515# Requires a line in /etc/services: 516# ppploop 6671/tcp # loopback ppp daemon 517# 518# and a line in /etc/inetd.conf: 519# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in 520# 521loop: 522 set timeout 0 523 set log phase chat connect lcp ipcp command 524 set device localhost:ppploop 525 set dial 526 set login 527 set ifaddr 127.0.0.2 127.0.0.3 528 set server /var/tmp/loop "" 0177 529 530loop-in: 531 set timeout 0 532 set log phase lcp ipcp command 533 allow mode direct 534 535# Example of a VPN. 536# If you're going to create a tunnel through a public network, your VPN 537# should be set up something like this: 538# 539# You should already have set up ssh using ssh-agent & ssh-add. 540# 541sloop: 542 load loop 543 # Passive mode allows ssh plenty of time to establish the connection 544 set openmode passive 545 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in" 546 547 548# or a better VPN solution (which doesn't run IP over a reliable 549# protocol like tcp) may be: 550# 551vpn-client: 552 set device udpsrv.mynet:1234/udp # PPP over UDP 553 set dial 554 set login 555 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 556 disable deflate pred1 557 deny deflate pred1 558 enable MPPE # With encryption 559 accept MPPE 560 561vpn-server: 562 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 563 disable deflate pred1 564 deny deflate pred1 565 enable MPPE 566 accept MPPE 567 enable chap81 # Required for MPPE 568 569# Example of non-PPP callback. 570# If you wish to connect to a server that will dial back *without* using 571# the ppp callback facility (rfc1570), take advantage of the fact that 572# ppp doesn't look for carrier 'till `set login' is complete: 573# 574# Here, we expect the server to say DIALBACK then disconnect after 575# we've authenticated ourselves. When this has happened, we wait 576# 60 seconds for a RING. 577# 578# Note, it's important that we tell ppp not to expect carrier, otherwise 579# we'll drop out at the ``NO CARRIER'' stage. 580# 581dialback: 582 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 583 ATDT\\T TIMEOUT 60 CONNECT" 584 set cd off 585 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \ 586 \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT" 587 588# Example of PPP callback. 589# Alternatively, if the peer is using the PPP callback protocol, we're 590# happy either with ``auth'' style callback where the server dials us 591# back based on what we authenticate ourselves with, ``cbcp'' style 592# callback (invented by Microsoft but not agreed by the IETF) where 593# we negotiate callback *after* authentication or E.164 callback where 594# we specify only a phone number. I would recommend only ``auth'' and/or 595# ``cbcp'' callback methods. 596# For ``cbcp'', we insist that we choose ``1234567'' as the number that 597# the server must call back. 598# 599callback: 600 load pmdemand # load in the pmdemand config 601 set callback auth cbcp e.164 1234567 602 set cbcp 1234567 603 604# If we're running a ppp server that wants to only call back microsoft 605# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field): 606# 607callback-server: 608 load server 609 set callback cbcp 610 set cbcp 611 set log +cbcp 612 set redial 3 1 613 set device /dev/cuaa0 614 set speed 115200 615 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT" 616 617# Or if we want to allow authenticated clients to specify their own 618# callback number: 619# 620callback-server-client-decides: 621 load callback-server 622 set cbcp * 623 624# Multilink mode is available (rfc1990). 625# To enable multi-link capabilities, you must specify a MRRU. 1500 is 626# a reasonable value. To create new links, use the ``clone'' command 627# to duplicate an existing link. If you already have more than one 628# link, you must specify which link you wish to run the command on via 629# the ``link'' command. 630# 631# It's worth increasing your MTU and MRU slightly in multi-link mode to 632# prevent full packets from being fragmented. 633# 634# See ppp.conf.isdn for an example of how to do multi-link isdn. 635# 636# You can now ``dial'' specific links, or even dial all links at the 637# same time. The `dial' command may also be prefixed with a specific 638# link that should do the dialing. 639# 640mloop: 641 load loop 642 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 # Use any of these devices 643 set mode interactive 644 set mrru 1500 645 set mru 1504 # Room for the MP header 646 clone 1 2 3 647 link deflink remove 648 # dial 649 # link 2 dial 650 # link 3 dial 651 652mloop-in: 653 set timeout 0 # No idle timer 654 set log tun phase 655 allow mode direct 656 set mrru 1500 657 set mru 1504 # Room for the MP header 658 659# User supplied authentication: 660# It's possible to run ppp in the background while specifying a 661# program to use to obtain authentication details on demand. 662# This program would usually be a simple GUI that presents a 663# prompt to a known user. The ``chap-auth'' program is supplied 664# as an example (and requires tcl version 8.0). 665# 666CHAPprompt: 667 load PAPorCHAPpmdemand 668 set authkey !/usr/share/examples/ppp/chap-auth 669 670# It's possible to do the same sort of thing at the login prompt. 671# Here, after sending ``brian'' in response to the ``name'' prompt, 672# we're prompted with ``code:''. A window is then displayed on the 673# ``keep:0.0'' display and the typed response is sent to the peer 674# as the password. We then expect to see ``MTU'' and ``.'' in the 675# servers response. 676# 677loginprompt: 678 load pmdemand 679 set authname brian 680 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \ 681 code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \ 682 AUTHNAME\" MTU \\c ." 683 684# ppp supports ppp over ethernet (PPPoE). Beware, many PPP servers cache 685# the MAC address that connects to them, making it impossible to switch 686# your PPPoE connection between machines. 687# 688# The current implementation requires Netgraph, so it doesn't work with 689# OpenBSD or NetBSD. 690# 691# The client should be something like this: 692# 693pppoe: 694 set device PPPoE:de0:pppoe-in 695 set mru 1492 696 set mtu 1492 697 set speed sync 698 enable lqr 699 set cd 5 700 set dial 701 set login 702 set redial 0 0 703 704# And the server should be running 705# 706# /usr/libexec/pppoed -p pppoe-in fxp0 707# 708# See rc.conf(5) 709# 710pppoe-in: 711 allow mode direct # Only for use on server-side 712 set mru 1492 # Max allowed by the PPPoE spec 713 set mtu 1492 # Max allowed by the PPPoE spec 714 set speed sync # PPPoE is always synchronous 715 enable lqr proxy # Enable LQR and proxy-arp 716 enable chap pap passwdauth # Force client authentication 717 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 # Hand out up to 100 IP numbers 718 accept dns # Allow DNS negotiation 719