ppp.conf.sample revision 64783 
1#################################################################
2#
3#              PPP  Sample Configuration File
4#
5#           Originally written by Toshiharu OHNO
6#
7# $FreeBSD: head/share/examples/ppp/ppp.conf.sample 64783 2000-08-17 14:40:42Z brian $
8#
9#################################################################
10
11# This file is separated into sections.  Each section is named with
12# a label starting in column 0 and followed directly by a ``:''.  The
13# section continues until the next section.  Blank lines and lines
14# beginning with ``#'' are ignored.
15#
16# Lines beginning with "!include" will ``include'' another file.  You
17# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
18#
19
20# Default setup. Always executed when PPP is invoked.
21#  This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
22#
23#  This is the best place to specify your modem device, it's DTR rate,
24#  your dial script and any logging specification.  Logging specs should
25#  be done first so that the results of subsequent commands are logged.
26#
27default:
28 set log Phase Chat LCP IPCP CCP tun command
29 set device /dev/cuaa1
30 set speed 115200
31 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
32           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
33
34# Client side PPP
35#
36#  Although the PPP protocol is a peer to peer protocol, we normally
37#  consider the side that initiates the connection as the client and
38#  the side that receives the connection as the server.  Authentication
39#  is required by the server either using a unix-style login procedure
40#  or by demanding PAP or CHAP authentication from the client.
41#
42
43# An on demand example where we have dynamic IP addresses and wish to
44# use a unix-style login script:
45#
46#  If the peer assigns us an arbitrary IP (most ISPs do this) and we
47#  can't predict what their IP will be either, take a wild guess at
48#  some IPs that you can't currently route to.  Ppp can change this
49#  when the link comes up.
50#
51#  The /0 bit in "set ifaddr" says that we insist on 0 bits of the
52#  specified IP actually being correct, therefore, the other side can assign
53#  any IP number.
54#
55#  The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
56#  IP number, forcing the peer to make the decision.  This is necessary
57#  when negotiating with some (broken) ppp implementations.
58#
59#  This entry also works with static IP numbers or when not in -auto mode.
60#  The ``add'' line adds a `sticky' default route that will be updated if
61#  and when any of the IP numbers are changed in IPCP negotiations.
62#  The "set ifaddr" is required in -auto mode.
63#
64#  Finally, the ``enable dns'' line tells ppp to ask the peer for the
65#  nameserver addresses that should be used.  This isn't always supported
66#  by the other side, but if it is, ppp will update /etc/resolv.conf with
67#  the correct nameserver values at connection time.
68#
69#  The login script shown says that you're expecting ``ogin:''.  If you
70#  don't receive that, send a ``\n'' and expect ``ogin:'' again.  When
71#  it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
72#  You *MUST* customise this login script according to your local
73#  requirements.
74#
75pmdemand:
76 set phone 1234567
77 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
78 set timeout 120
79 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
80 add default HISADDR
81 enable dns
82
83# If you want to use PAP or CHAP instead of using a unix-style login
84# procedure, do the following.  Note, the peer suggests whether we
85# should send PAP or CHAP.  By default, we send whatever we're asked for.
86#
87# You *MUST* customise ``MyName'' and ``MyKey'' below.
88#
89PAPorCHAPpmdemand:
90 set phone 1234567
91 set login
92 set authname MyName
93 set authkey MyKey
94 set timeout 120
95 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
96 add default HISADDR
97 enable dns
98
99# On demand dialup example with static IP addresses:
100#  Here, the local side uses 192.244.185.226 and the remote side
101#  uses 192.244.176.44.
102#
103#  # ppp -auto ondemand
104#
105#  With static IP numbers, our setup is similar to dynamic:
106#  Remember, ppp.linkup is searched for a "192.244.176.44" label, then
107#  a "ondemand" label, and finally the "MYADDR" label.
108#
109ondemand:
110 set phone 1234567
111 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
112 set timeout 120
113 set ifaddr 192.244.185.226 192.244.176.44
114 add default HISADDR
115 enable dns
116
117#                          Example segments
118#
119# The following lines may be included as part of your configuration
120# section and aren't themselves complete.  They're provided as examples
121# of how to achieve different things.
122
123examples:
124# Multi-phone example.  Numbers separated by a : are used sequentially.
125# Numbers separated by a | are used if the previous dial or login script
126# failed.  Usually, you will prefer to use only one of | or :, but both
127# are allowed.
128#
129    set phone 12345678|12345679:12345670|12345671
130#
131# Ppp can accept control instructions from the ``pppctl'' program.
132# First, you must set up your control socket.  It's safest to use
133# a UNIX domain socket, and watch the permissions:
134#
135    set server /var/tmp/internet MySecretPassword 0177
136#
137# Although a TCP port may be used if you want to allow control
138# connections from other machines:
139#
140    set server 6670 MySecretpassword
141#
142# If you don't like ppp's builtin chat, use an external one:
143#
144    set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\""
145#
146# If we have a ``strange'' modem that must be re-initialized when we
147# hangup:
148#
149    set hangup "\"\" AT OK-AT-OK ATZ OK"
150#
151# To adjust logging withouth blasting the setting in default:
152#
153    set log -command +tcp/ip
154#
155# To see log messages on the screen in interactive mode:
156#
157    set log local LCP IPCP CCP
158#
159# If you're seeing a lot of magic number problems and failed connections,
160# try this (see the man page):
161#
162    set openmode active 5
163#
164# For noisy lines, we may want to reconnect (up to 20 times) after loss
165# of carrier, with 3 second delays between each attempt:
166#
167    set reconnect 3 20
168#
169# When playing server for M$ clients, tell them who our NetBIOS name
170# servers are:
171#
172    set nbns 10.0.0.1 10.0.0.2
173#
174# Inform the client if they ask for our DNS IP numbers:
175#
176    enable dns
177#
178# If you don't want to tell them what's in your /etc/resolv.conf file
179# with `enable dns', override the values:
180#
181    set dns 10.0.0.1 10.0.0.2
182#
183# Some people like to prioritize DNS packets:
184#
185   set urgent udp +53
186#
187# If we're using the -nat switch, redirect ftp and http to an internal
188# machine:
189#
190    nat port tcp 10.0.0.2:ftp ftp
191    nat port tcp 10.0.0.2:http http
192#
193# or don't trust the outside at all
194#
195    nat deny_incoming yes
196#
197# I trust user brian to run ppp, so this goes in the `default' section:
198#
199    allow user brian
200#
201# But label `internet' contains passwords that even brian can't have, so
202# I empty out the user access list in that section so that only root can
203# have access:
204#
205    allow users
206#
207# I also may wish to set up my ppp login script so that it asks the client
208# for the label they wish to use.  I may only want user ``dodgy'' to access
209# their own label in direct mode:
210#
211dodgy:
212    allow user dodgy
213    allow mode direct
214#
215# We don't want certain packets to keep our connection alive
216#
217    set filter alive 0 deny udp src eq 520         # routed
218    set filter alive 1 deny udp dst eq 520         # routed
219    set filter alive 2 deny udp src eq 513         # rwhod
220    set filter alive 3 deny udp src eq 525         # timed
221    set filter alive 4 deny udp src eq 137         # NetBIOS name service
222    set filter alive 5 deny udp src eq 138         # NetBIOS datagram service
223    set filter alive 6 deny udp src eq 139         # NetBIOS session service
224    set filter alive 7 deny udp dst eq 137         # NetBIOS name service
225    set filter alive 8 deny udp dst eq 138         # NetBIOS datagram service
226    set filter alive 9 deny udp dst eq 139         # NetBIOS session service
227    set filter alive 10 deny 0/0 MYADDR icmp       # Ping to us from outside
228    set filter alive 11 permit 0/0 0/0
229#
230# And in auto mode, we don't want certain packets to cause a dialup
231#
232    set filter dial 0 deny udp src eq 513          # rwhod
233    set filter dial 1 deny udp src eq 525          # timed
234    set filter dial 2 deny udp src eq 137          # NetBIOS name service
235    set filter dial 3 deny udp src eq 138          # NetBIOS datagram service
236    set filter dial 4 deny udp src eq 139          # NetBIOS session service
237    set filter dial 5 deny udp dst eq 137          # NetBIOS name service
238    set filter dial 6 deny udp dst eq 138          # NetBIOS datagram service
239    set filter dial 7 deny udp dst eq 139          # NetBIOS session service
240    set filter dial 8 deny tcp finrst              # Badly closed TCP channels
241    set filter dial 9 permit 0 0
242#
243# Once the line's up, allow these connections
244#
245    set filter in  0 permit tcp dst eq 113            # ident
246    set filter out 0 permit tcp src eq 113            # ident
247    set filter in  1 permit tcp src eq 23 estab       # telnet
248    set filter out 1 permit tcp dst eq 23             # telnet
249    set filter in  2 permit tcp src eq 21 estab       # ftp
250    set filter out 2 permit tcp dst eq 21             # ftp
251    set filter in  3 permit tcp src eq 20 dst gt 1023 # ftp-data
252    set filter out 3 permit tcp dst eq 20             # ftp-data
253    set filter in  4 permit udp src eq 53             # DNS
254    set filter out 4 permit udp dst eq 53             # DNS
255    set filter in  5 permit 192.244.191.0/24 0/0      # Where I work
256    set filter out 5 permit 0/0 192.244.191.0/24      # Where I work
257    set filter in  6 permit icmp                      # pings
258    set filter out 6 permit icmp                      # pings
259    set filter in  7 permit udp dst gt 33433          # traceroute
260    set filter out 7 permit udp dst gt 33433          # traceroute
261
262#
263# ``dodgynet'' is an example intended for an autodial configuration which
264# is connecting a local network to a host on an untrusted network.
265dodgynet:
266    # Log link uptime
267    set log Phase
268    # For autoconnect only
269    allow modes auto
270    # Define modem device and speed
271    set device /dev/cuaa1
272    set speed 115200
273    # Don't support LQR
274    deny lqr
275    # Remote system phone number, login and password
276    set phone 0W1194
277    set authname pppLogin
278    set authkey MyPassword
279    # Chat script to dial remote system
280    set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
281              ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
282    # Chat script to login to remote Unix system
283    set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P"
284    # Drop the link after 15 minutes of inactivity
285    # Inactivity is defined by the `set filter alive' line below
286    set timeout 900
287    # Hard-code remote system to appear within local subnet and use proxy arp
288    # to make this system the gateway
289    set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
290    enable proxy
291
292    # Allow any TCP packet to keep the link alive
293    set filter alive 0 permit tcp
294
295    # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
296    # private TCP ports 24 and 4000
297    set filter dial  0 7      0 0 tcp dst eq http
298    set filter dial  1 7      0 0 tcp dst eq login
299    set filter dial  2 7      0 0 tcp dst eq shell
300    set filter dial  3 7      0 0 tcp dst eq telnet
301    set filter dial  4 7      0 0 tcp dst eq ftp
302    set filter dial  5 7      0 0 tcp dst eq 24
303    set filter dial  6 deny ! 0 0 tcp dst eq 4000
304    # From hosts on a couple of local subnets to the remote peer
305    # If the remote host allowed IP forwarding and we wanted to use it, the
306    # following rules could be split into two groups to separately validate
307    # the source and destination addresses.
308    set filter dial  7 permit 172.17.16.0/20  172.17.20.248 
309    set filter dial  8 permit 172.17.36.0/22  172.17.20.248 
310    set filter dial  9 permit 172.17.118.0/26 172.17.20.248 
311    set filter dial 10 permit 10.123.5.0/24   172.17.20.248 
312
313    # Once the link's up, limit outgoing access to the specified hosts
314    set filter out  0 4      172.17.16.0/20  172.17.20.248 
315    set filter out  1 4      172.17.36.0/22  172.17.20.248 
316    set filter out  2 4      172.17.118.0/26 172.17.20.248 
317    set filter out  3 deny ! 10.123.5.0/24   172.17.20.248 
318    # Allow established TCP connections
319    set filter out  4 permit 0 0 tcp estab
320    # And new connections to http, rlogin, rsh, telnet, ftp and ports
321    # 24 and 4000
322    set filter out  5 permit 0 0 tcp dst eq http
323    set filter out  6 permit 0 0 tcp dst eq login
324    set filter out  7 permit 0 0 tcp dst eq shell
325    set filter out  8 permit 0 0 tcp dst eq telnet
326    set filter out  9 permit 0 0 tcp dst eq ftp
327    set filter out 10 permit 0 0 tcp dst eq 24
328    set filter out 11 permit 0 0 tcp dst eq 4000
329    # And outgoing icmp
330    set filter out 12 permit 0 0 icmp
331
332    # Once the link's up, limit incoming access to the specified hosts
333    set filter in   0 4      172.17.20.248  172.17.16.0/20
334    set filter in   1 4      172.17.20.248  172.17.36.0/22
335    set filter in   2 4      172.17.20.248  172.17.118.0/26
336    set filter in   3 deny ! 172.17.20.248  10.123.5.0/24
337    # Established TCP connections and non-PASV FTP
338    set filter in   4 permit 0/0  0/0  tcp estab
339    set filter in   5 permit 0/0  0/0  tcp src eq 20
340    # Useful ICMP messages
341    set filter in   6 permit 0/0  0/0  icmp src eq 3
342    set filter in   7 permit 0/0  0/0  icmp src eq 4
343    set filter in   8 permit 0/0  0/0  icmp src eq 11
344    set filter in   9 permit 0/0  0/0  icmp src eq 12
345    # Echo reply (local systems can ping the remote host)
346    set filter in  10 permit 0/0  0/0  icmp src eq 0
347    # And the remote host can ping the local gateway (only)
348    set filter in  11 permit 0/0  172.17.20.247 icmp src eq 8
349
350
351# Server side PPP
352#
353#  If you want the remote system to authenticate itself, you must insist
354#  that the peer uses CHAP or PAP with the "enable" keyword.  Both CHAP and
355#  PAP are disabled by default.  You may enable either or both.  If both
356#  are enabled, CHAP is requested first.  If the client doesn't agree, PAP
357#  will then be requested.
358#
359#  Note:  If you use the getty/login process to authenticate users, you
360#         don't need to enable CHAP or PAP, but the user that has logged
361#         in *MUST* be a member of the ``network'' group (in /etc/group).
362#
363#  If you wish to allow any user in the passwd database ppp access, you
364#  can ``enable passwdauth''.
365#
366#  When the peer authenticates itself, we use ppp.secret for verification
367#  (although refer to the ``set radius'' command below for an alternative).
368#
369#  Note:  We may supply a third field in ppp.secret specifying the IP
370#         address for that user, a forth field to specify the
371#         ppp.link{up,down} label to use and a fifth field to specify
372#         callback characteristics.
373#
374#  The easiest way to allow transparent LAN access to your dialin users
375#  is to assign them a number from your local LAN and tell ppp to make a
376#  ``proxy'' arp entry for them.  In this example, we have a local LAN
377#  with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
378#  ppp clients between 10.0.0.100 and 10.0.0.199.  It is possible to
379#  override the dynamic IP number with a static IP number specified in
380#  ppp.secret.
381#
382#  Ppp is launched with:
383#   # ppp -direct server
384#
385server:
386 enable chap
387 enable pap
388 enable passwdauth
389 enable proxy
390 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
391 accept dns
392
393# Example of a RADIUS configuration:
394#  If there are one or more radius servers available, we can use them
395#  instead of the ppp.secret file.  Simply put then in a radius
396#  configuration file (usually /etc/radius.conf) and give ppp the
397#  file name.
398#  Ppp will use the FRAMED characteristics supplied by the radius server
399#  to configure the link.
400
401radius-server:
402 load server
403 set radius /etc/radius.conf
404
405
406# Example to connect using a null-modem cable:
407#  The important thing here is to allow the lqr packets on both sides.
408#  Without them enabled, we can't tell if the line's dropped - there
409#  should always be carrier on a direct connection.
410#  Here, the server sends lqr's every 10 seconds and quits if five in a
411#  row fail.
412#
413#  Make sure you don't have "deny lqr" in your default: on the client !
414#  If the peer denies LQR, we still send ECHO LQR packets at the given
415#  lqrperiod interval (ppp-style-pings).
416#
417direct-client:
418 set dial ""
419 set device /dev/cuaa0
420 set sp 115200
421 set timeout 900
422 set lqrperiod 10
423 set log Phase Chat LQM
424 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
425 set ifaddr 10.0.4.2 10.0.4.1
426 enable lqr
427 accept lqr
428 
429direct-server:
430 set timeout 0
431 set lqrperiod 10
432 set log Phase LQM
433 set ifaddr 10.0.4.1 10.0.4.2
434 enable lqr
435 accept lqr
436
437
438# Example to connect via compuserve
439#  Compuserve insists on 7 bits even parity during the chat phase.  Modem
440#  parity is always reset to ``none'' after the link has been established.
441#
442compuserve:
443 set phone 1234567
444 set parity even
445 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
446            word: XXXXXXXX PPP"
447 set timeout 300
448 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
449 delete ALL
450 add default HISADDR
451
452
453# Example for PPP over TCP.
454#  We assume that inetd on tcpsrv.mynet has been
455#  configured to run "ppp -direct tcp-server" when it gets a connection on
456#  port 1234.  Read the man page for further details
457#
458#  Note, we assume we're using a binary-clean connection.  If something
459#  such as `rlogin' is involved, you may need to ``set escape 0xff''
460#
461tcp-client:
462 set device tcpsrv.mynet:1234
463 set dial
464 set login
465 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
466
467tcp-server:
468 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
469
470# Example for PPP testing.
471#  If you want to test ppp, do it through the loopback interface:
472#
473#  Requires a line in /etc/services:
474#    ppploop 6671/tcp # loopback ppp daemon
475#
476#  and a line in /etc/inetd.conf:
477#    ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
478#
479loop:
480 set timeout 0
481 set log phase chat connect lcp ipcp command
482 set device localhost:ppploop
483 set dial
484 set login
485 set ifaddr 127.0.0.2 127.0.0.3
486 set server /var/tmp/loop "" 0177
487 
488loop-in:
489 set timeout 0
490 set log phase lcp ipcp command
491 allow mode direct
492
493# Example of a VPN.
494#  If you're going to create a tunnel through a public network, your VPN
495#  should be set up something like this:
496#
497#  You should already have set up ssh using ssh-agent & ssh-add.
498#
499sloop:
500 load loop
501 # Passive mode allows ssh plenty of time to establish the connection
502 set openmode passive
503 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in"
504
505# Example of non-PPP callback.
506#  If you wish to connect to a server that will dial back *without* using
507#  the ppp callback facility (rfc1570), take advantage of the fact that
508#  ppp doesn't look for carrier 'till `set login' is complete:
509#
510#  Here, we expect the server to say DIALBACK then disconnect after
511#  we've authenticated ourselves.  When this has happened, we wait
512#  60 seconds for a RING.
513#
514#  Note, it's important that we tell ppp not to expect carrier, otherwise
515#  we'll drop out at the ``NO CARRIER'' stage.
516#
517dialback:
518 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
519           ATDT\\T TIMEOUT 60 CONNECT"
520 set cd off
521 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
522           \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
523
524# Example of PPP callback.
525#  Alternatively, if the peer is using the PPP callback protocol, we're
526#  happy either with ``auth'' style callback where the server dials us
527#  back based on what we authenticate ourselves with, ``cbcp'' style
528#  callback (invented by Microsoft but not agreed by the IETF) where
529#  we negotiate callback *after* authentication or E.164 callback where
530#  we specify only a phone number.  I would recommend only ``auth'' and/or
531#  ``cbcp'' callback methods.
532#  For ``cbcp'', we insist that we choose ``1234567'' as the number that
533#  the server must call back.
534#
535callback:
536 load pmdemand
537 set callback auth cbcp e.164 1234567
538 set cbcp 1234567
539
540# If we're running a ppp server that wants to only call back microsoft
541# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
542#
543callback-server:
544 load server
545 set callback cbcp
546 set cbcp
547 set log +cbcp
548 set redial 3 1
549 set device /dev/cuaa0
550 set speed 115200
551 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
552
553# Or if we want to allow authenticated clients to specify their own
554# callback number:
555#
556callback-server-client-decides:
557 load callback-server
558 set cbcp *
559
560# Multilink mode is available (rfc1990).
561# To enable multilink capabilities, you must specify a MRRU.  1500 is
562# a reasonable value.  To create new links, use the ``clone'' command
563# to duplicate an existing link.  If you already have more than one
564# link, you must specify which link you wish to run the command on via
565# the ``link'' command.
566#
567# You can now ``dial'' specific links, or even dial all links at the
568# same time.  The `dial' command may also be prefixed with a specific
569# link that should do the dialing.
570#
571mloop:
572 load loop
573 set mode interactive
574 set mrru 1500
575 set mru 1504			# Room for the MP header
576 clone 1 2 3
577 link deflink remove
578 # dial
579 # link 2 dial 
580 # link 3 dial 
581
582mloop-in:
583 set timeout 0
584 set log tun phase
585 allow mode direct
586 set mrru 1500
587 set mru 1504			# Room for the MP header
588
589# User supplied authentication:
590#  It's possible to run ppp in the background while specifying a
591#  program to use to obtain authentication details on demand.
592#  This program would usually be a simple GUI that presents a
593#  prompt to a known user.  The ``chap-auth'' program is supplied
594#  as an example (and requires tcl version 8.0).
595#
596CHAPprompt:
597 load PAPorCHAPpmdemand
598 set authkey !/usr/share/examples/ppp/chap-auth
599
600#  It's possible to do the same sort of thing at the login prompt.
601#  Here, after sending ``brian'' in response to the ``name'' prompt,
602#  we're prompted with ``code:''.  A window is then displayed on the
603#  ``keep:0.0'' display and the typed response is sent to the peer
604#  as the password.  We then expect to see ``MTU'' and ``.'' in the
605#  servers response.
606#
607loginprompt:
608 load pmdemand
609 set authname brian
610 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
611            code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
612                    AUTHNAME\" MTU \\c ."
613
614# ppp supports ppp over ethernet (PPPoE).  Beware, many PPP servers cache
615# the MAC address that connects to them, making it impossible to switch
616# your PPPoE connection between machines.
617#
618# The client should be something like:
619#
620pppoe:
621 set device PPPoE:de0:pppoe-in
622 set mru 1492
623 set mtu 1492
624 set speed sync   
625 enable lqr
626 set cd 5
627 set dial
628 set login
629 set redial 0 0
630
631# And the server should be running
632#
633#   /usr/libexec/pppoed -p pppoe-in fxp0
634#
635# See rc.conf(5)
636#
637pppoe-in:
638 allow mode direct				# Only for use on server-side
639 set mru 1492					# Max allowed by the PPPoE spec
640 set mtu 1492					# Max allowed by the PPPoE spec
641 set speed sync					# PPPoE is always synchronous
642 enable lqr proxy				# Enable LQR and proxy-arp
643 enable chap pap passwdauth			# Force client authentication
644 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199	# Hand out up to 100 IP numbers
645 accept dns					# Allow DNS negotiation
646