ppp.conf.sample revision 75207
1#################################################################
2#
3#              PPP  Sample Configuration File
4#
5#           Originally written by Toshiharu OHNO
6#
7# $FreeBSD: head/share/examples/ppp/ppp.conf.sample 75207 2001-04-05 01:25:42Z dd $
8#
9#################################################################
10
11# This file is separated into sections.  Each section is named with
12# a label starting in column 0 and followed directly by a ``:''.  The
13# section continues until the next section.  Blank lines and lines
14# beginning with ``#'' are ignored.  All commands inside sections that do
15# not begin with ``!'' (e.g., ``!include'') *must* be indented by at least
16# one space or tab or they will not be recognized!
17#
18# Lines beginning with "!include" will ``include'' another file.  You
19# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
20#
21
22# Default setup. Always executed when PPP is invoked.
23#  This section is *not* pre-loaded by the ``load'' or ``dial'' commands.
24#
25#  This is the best place to specify your modem device, it's DTR rate,
26#  your dial script and any logging specification.  Logging specs should
27#  be done first so that the results of subsequent commands are logged.
28#
29default:
30 set log Phase Chat LCP IPCP CCP tun command
31 set device /dev/cuaa1
32 set speed 115200
33 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \
34           OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
35
36# Client side PPP
37#
38#  Although the PPP protocol is a peer to peer protocol, we normally
39#  consider the side that initiates the connection as the client and
40#  the side that receives the connection as the server.  Authentication
41#  is required by the server either using a unix-style login procedure
42#  or by demanding PAP or CHAP authentication from the client.
43#
44
45# An on demand example where we have dynamic IP addresses and wish to
46# use a unix-style login script:
47#
48#  If the peer assigns us an arbitrary IP (most ISPs do this) and we
49#  can't predict what their IP will be either, take a wild guess at
50#  some IPs that you can't currently route to.  Ppp can change this
51#  when the link comes up.
52#
53#  The /0 bit in "set ifaddr" says that we insist on 0 bits of the
54#  specified IP actually being correct, therefore, the other side can assign
55#  any IP number.
56#
57#  The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
58#  IP number, forcing the peer to make the decision.  This is necessary
59#  when negotiating with some (broken) ppp implementations.
60#
61#  This entry also works with static IP numbers or when not in -auto mode.
62#  The ``add'' line adds a `sticky' default route that will be updated if
63#  and when any of the IP numbers are changed in IPCP negotiations.
64#  The "set ifaddr" is required in -auto mode only.
65#  It's better to put the ``add'' line in ppp.linkup when not in -auto mode.
66#
67#  Finally, the ``enable dns'' line tells ppp to ask the peer for the
68#  nameserver addresses that should be used.  This isn't always supported
69#  by the other side, but if it is, ppp will update /etc/resolv.conf with
70#  the correct nameserver values at connection time.
71#
72#  The login script shown says that you're expecting ``ogin:''.  If you
73#  don't receive that, send a ``\n'' and expect ``ogin:'' again.  When
74#  it's received, send ``ppp'', expect ``word:'' then send ``ppp''.
75#  You *MUST* customise this login script according to your local
76#  requirements.
77#
78pmdemand:
79 set phone 1234567
80 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
81 set timeout 120
82 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
83 add default HISADDR
84 enable dns
85
86# If you want to use PAP or CHAP instead of using a unix-style login
87# procedure, do the following.  Note, the peer suggests whether we
88# should send PAP or CHAP.  By default, we send whatever we're asked for.
89#
90# You *MUST* customise ``MyName'' and ``MyKey'' below.
91#
92PAPorCHAPpmdemand:
93 set phone 1234567
94 set login
95 set authname MyName
96 set authkey MyKey
97 set timeout 120
98 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
99 add default HISADDR
100 enable dns
101
102# On demand dialup example with static IP addresses:
103#  Here, the local side uses 192.244.185.226 and the remote side
104#  uses 192.244.176.44.
105#
106#  # ppp -auto ondemand
107#
108#  With static IP numbers, our setup is similar to dynamic:
109#  Remember, ppp.linkup is searched for a "192.244.176.44" label, then
110#  a "ondemand" label, and finally the "MYADDR" label.
111#
112ondemand:
113 set phone 1234567
114 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
115 set timeout 120
116 set ifaddr 192.244.185.226 192.244.176.44
117 add default HISADDR
118 enable dns
119
120#                          Example segments
121#
122# The following lines may be included as part of your configuration
123# section and aren't themselves complete.  They're provided as examples
124# of how to achieve different things.
125
126examples:
127# Multi-phone example.  Numbers separated by a : are used sequentially.
128# Numbers separated by a | are used if the previous dial or login script
129# failed.  Usually, you will prefer to use only one of | or :, but both
130# are allowed.
131#
132    set phone 12345678|12345679:12345670|12345671
133#
134# Ppp can accept control instructions from the ``pppctl'' program.
135# First, you must set up your control socket.  It's safest to use
136# a UNIX domain socket, and watch the permissions:
137#
138    set server /var/tmp/internet MySecretPassword 0177
139#
140# Although a TCP port may be used if you want to allow control
141# connections from other machines:
142#
143    set server 6670 MySecretpassword
144#
145# If you don't like ppp's builtin chat, use an external one:
146#
147    set login "\"!chat \\-f /etc/ppp/ppp.dev.chat\""
148#
149# If we have a ``strange'' modem that must be re-initialized when we
150# hangup:
151#
152    set hangup "\"\" AT OK-AT-OK ATZ OK"
153#
154# To adjust logging without blowing away the setting in default:
155#
156    set log -command +tcp/ip
157#
158# To see log messages on the screen in interactive mode:
159#
160    set log local LCP IPCP CCP
161#
162# If you're seeing a lot of magic number problems and failed connections,
163# try this (see the man page):
164#
165    set openmode active 5
166#
167# For noisy lines, we may want to reconnect (up to 20 times) after loss
168# of carrier, with 3 second delays between each attempt:
169#
170    set reconnect 3 20
171#
172# When playing server for M$ clients, tell them who our NetBIOS name
173# servers are:
174#
175    set nbns 10.0.0.1 10.0.0.2
176#
177# Inform the client if they ask for our DNS IP numbers:
178#
179    enable dns
180#
181# If you don't want to tell them what's in your /etc/resolv.conf file
182# with `enable dns', override the values:
183#
184    set dns 10.0.0.1 10.0.0.2
185#
186# Some people like to prioritize DNS packets:
187#
188   set urgent udp +53
189#
190# If we're using the -nat switch, redirect ftp and http to an internal
191# machine:
192#
193    nat port tcp 10.0.0.2:ftp ftp
194    nat port tcp 10.0.0.2:http http
195#
196# or don't trust the outside at all
197#
198    nat deny_incoming yes
199#
200# I trust user brian to run ppp, so this goes in the `default' section:
201#
202    allow user brian
203#
204# But label `internet' contains passwords that even brian can't have, so
205# I empty out the user access list in that section so that only root can
206# have access:
207#
208    allow users
209#
210# I also may wish to set up my ppp login script so that it asks the client
211# for the label they wish to use.  I may only want user ``dodgy'' to access
212# their own label in direct mode:
213#
214dodgy:
215    allow user dodgy
216    allow mode direct
217#
218# We don't want certain packets to keep our connection alive
219#
220    set filter alive 0 deny udp src eq 520         # routed
221    set filter alive 1 deny udp dst eq 520         # routed
222    set filter alive 2 deny udp src eq 513         # rwhod
223    set filter alive 3 deny udp src eq 525         # timed
224    set filter alive 4 deny udp src eq 137         # NetBIOS name service
225    set filter alive 5 deny udp src eq 138         # NetBIOS datagram service
226    set filter alive 6 deny udp src eq 139         # NetBIOS session service
227    set filter alive 7 deny udp dst eq 137         # NetBIOS name service
228    set filter alive 8 deny udp dst eq 138         # NetBIOS datagram service
229    set filter alive 9 deny udp dst eq 139         # NetBIOS session service
230    set filter alive 10 deny 0/0 MYADDR icmp       # Ping to us from outside
231    set filter alive 11 permit 0/0 0/0
232#
233# And in auto mode, we don't want certain packets to cause a dialup
234#
235    set filter dial 0 deny udp src eq 513          # rwhod
236    set filter dial 1 deny udp src eq 525          # timed
237    set filter dial 2 deny udp src eq 137          # NetBIOS name service
238    set filter dial 3 deny udp src eq 138          # NetBIOS datagram service
239    set filter dial 4 deny udp src eq 139          # NetBIOS session service
240    set filter dial 5 deny udp dst eq 137          # NetBIOS name service
241    set filter dial 6 deny udp dst eq 138          # NetBIOS datagram service
242    set filter dial 7 deny udp dst eq 139          # NetBIOS session service
243    set filter dial 8 deny tcp finrst              # Badly closed TCP channels
244    set filter dial 9 permit 0 0
245#
246# Once the line's up, allow these connections
247#
248    set filter in  0 permit tcp dst eq 113            # ident
249    set filter out 0 permit tcp src eq 113            # ident
250    set filter in  1 permit tcp src eq 23 estab       # telnet
251    set filter out 1 permit tcp dst eq 23             # telnet
252    set filter in  2 permit tcp src eq 21 estab       # ftp
253    set filter out 2 permit tcp dst eq 21             # ftp
254    set filter in  3 permit tcp src eq 20 dst gt 1023 # ftp-data
255    set filter out 3 permit tcp dst eq 20             # ftp-data
256    set filter in  4 permit udp src eq 53             # DNS
257    set filter out 4 permit udp dst eq 53             # DNS
258    set filter in  5 permit 192.244.191.0/24 0/0      # Where I work
259    set filter out 5 permit 0/0 192.244.191.0/24      # Where I work
260    set filter in  6 permit icmp                      # pings
261    set filter out 6 permit icmp                      # pings
262    set filter in  7 permit udp dst gt 33433          # traceroute
263    set filter out 7 permit udp dst gt 33433          # traceroute
264
265#
266# ``dodgynet'' is an example intended for an autodial configuration which
267# is connecting a local network to a host on an untrusted network.
268dodgynet:
269    set log Phase                               # Log link uptime
270    allow mode auto                             # For autoconnect only
271    set device /dev/cuaa1                       # Define modem device and speed
272    set speed 115200
273    deny lqr                                    # Don't support LQR
274    set phone 0W1194                            # Remote system phone number,
275    set authname pppLogin                       # login
276    set authkey MyPassword                      # and password
277    set dial "ABORT BUSY ABORT NO\\sCARRIER \   # Chat script to dial the peer
278              TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
279              ATE1Q0M0 OK \\dATDT\\T \
280              TIMEOUT 40 CONNECT"
281    set login "TIMEOUT 10 \"\" \"\" \           # And to login to remote system
282               gin:--gin: \\U word: \\P"
283
284    # Drop the link after 15 minutes of inactivity
285    # Inactivity is defined by the `set filter alive' line below
286    set timeout 900
287
288    # Hard-code remote system to appear within local subnet and use proxy arp
289    # to make this system the gateway for the rest of the local network
290    set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
291    enable proxy
292
293    # Allow any TCP packet to keep the link alive
294    set filter alive 0 permit tcp
295
296    # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
297    # private TCP ports 24 and 4000
298    set filter dial  0 7      0 0 tcp dst eq http
299    set filter dial  1 7      0 0 tcp dst eq login
300    set filter dial  2 7      0 0 tcp dst eq shell
301    set filter dial  3 7      0 0 tcp dst eq telnet
302    set filter dial  4 7      0 0 tcp dst eq ftp
303    set filter dial  5 7      0 0 tcp dst eq 24
304    set filter dial  6 deny ! 0 0 tcp dst eq 4000
305
306    # From hosts on a couple of local subnets to the remote peer
307    # If the remote host allowed IP forwarding and we wanted to use it, the
308    # following rules could be split into two groups to separately validate
309    # the source and destination addresses.
310    set filter dial  7 permit 172.17.16.0/20  172.17.20.248 
311    set filter dial  8 permit 172.17.36.0/22  172.17.20.248 
312    set filter dial  9 permit 172.17.118.0/26 172.17.20.248 
313    set filter dial 10 permit 10.123.5.0/24   172.17.20.248 
314
315    # Once the link's up, limit outgoing access to the specified hosts
316    set filter out  0 4      172.17.16.0/20  172.17.20.248 
317    set filter out  1 4      172.17.36.0/22  172.17.20.248 
318    set filter out  2 4      172.17.118.0/26 172.17.20.248 
319    set filter out  3 deny ! 10.123.5.0/24   172.17.20.248 
320
321    # Allow established TCP connections
322    set filter out  4 permit 0 0 tcp estab
323
324    # And new connections to http, rlogin, rsh, telnet, ftp and ports
325    # 24 and 4000
326    set filter out  5 permit 0 0 tcp dst eq http
327    set filter out  6 permit 0 0 tcp dst eq login
328    set filter out  7 permit 0 0 tcp dst eq shell
329    set filter out  8 permit 0 0 tcp dst eq telnet
330    set filter out  9 permit 0 0 tcp dst eq ftp
331    set filter out 10 permit 0 0 tcp dst eq 24
332    set filter out 11 permit 0 0 tcp dst eq 4000
333
334    # And outgoing icmp
335    set filter out 12 permit 0 0 icmp
336
337    # Once the link's up, limit incoming access to the specified hosts
338    set filter in   0 4      172.17.20.248  172.17.16.0/20
339    set filter in   1 4      172.17.20.248  172.17.36.0/22
340    set filter in   2 4      172.17.20.248  172.17.118.0/26
341    set filter in   3 deny ! 172.17.20.248  10.123.5.0/24
342
343    # Established TCP connections and non-PASV FTP
344    set filter in   4 permit 0/0  0/0  tcp estab
345    set filter in   5 permit 0/0  0/0  tcp src eq 20
346
347    # Useful ICMP messages
348    set filter in   6 permit 0/0  0/0  icmp src eq 3
349    set filter in   7 permit 0/0  0/0  icmp src eq 4
350    set filter in   8 permit 0/0  0/0  icmp src eq 11
351    set filter in   9 permit 0/0  0/0  icmp src eq 12
352
353    # Echo reply (local systems can ping the remote host)
354    set filter in  10 permit 0/0  0/0  icmp src eq 0
355
356    # And the remote host can ping the local gateway (only)
357    set filter in  11 permit 0/0  172.17.20.247 icmp src eq 8
358
359
360# Server side PPP
361#
362#  If you want the remote system to authenticate itself, you must insist
363#  that the peer uses CHAP or PAP with the "enable" keyword.  Both CHAP and
364#  PAP are disabled by default.  You may enable either or both.  If both
365#  are enabled, CHAP is requested first.  If the client doesn't agree, PAP
366#  will then be requested.
367#
368#  Note:  If you use the getty/login process to authenticate users, you
369#         don't need to enable CHAP or PAP, but the user that has logged
370#         in *MUST* be a member of the ``network'' group (in /etc/group).
371#
372#  Note:  Chap80 and chap81 are Microsoft variations of standard chap (05).
373#
374#  If you wish to allow any user in the passwd database ppp access, you
375#  can ``enable passwdauth'', but this will only work with PAP.
376#
377#  When the peer authenticates itself, we use ppp.secret for verification
378#  (although refer to the ``set radius'' command below for an alternative).
379#
380#  Note:  We may supply a third field in ppp.secret specifying the IP
381#         address for that user, a forth field to specify the
382#         ppp.link{up,down} label to use and a fifth field to specify
383#         callback characteristics.
384#
385#  The easiest way to allow transparent LAN access to your dialin users
386#  is to assign them a number from your local LAN and tell ppp to make a
387#  ``proxy'' arp entry for them.  In this example, we have a local LAN
388#  with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our
389#  ppp clients between 10.0.0.100 and 10.0.0.199.  It is possible to
390#  override the dynamic IP number with a static IP number specified in
391#  ppp.secret.
392#
393#  Ppp is launched with:
394#   # ppp -direct server
395#
396server:
397 enable chap chap80 chap81 pap passwdauth
398 enable proxy
399 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
400 accept dns
401
402# Example of a RADIUS configuration:
403#  If there are one or more radius servers available, we can use them
404#  instead of the ppp.secret file.  Simply put then in a radius
405#  configuration file (usually /etc/radius.conf) and give ppp the
406#  file name.
407#  Ppp will use the FRAMED characteristics supplied by the radius server
408#  to configure the link.
409
410radius-server:
411 load server			# load in the server config from above
412 set radius /etc/radius.conf
413
414
415# Example to connect using a null-modem cable:
416#  The important thing here is to allow the lqr packets on both sides.
417#  Without them enabled, we can't tell if the line's dropped - there
418#  should always be carrier on a direct connection.
419#  Here, the server sends lqr's every 10 seconds and quits if five in a
420#  row fail.
421#
422#  Make sure you don't have "deny lqr" in your default: on the client !
423#  If the peer denies LQR, we still send ECHO LQR packets at the given
424#  lqrperiod interval (ppp-style-pings).
425#
426direct-client:
427 set dial
428 set device /dev/cuaa0
429 set sp 115200
430 set timeout 900
431 set lqrperiod 10
432 set log Phase Chat LQM
433 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
434 set ifaddr 10.0.4.2 10.0.4.1
435 enable lqr
436 accept lqr
437 
438direct-server:
439 set timeout 0
440 set lqrperiod 10
441 set log Phase LQM
442 set ifaddr 10.0.4.1 10.0.4.2
443 enable lqr
444 accept lqr
445
446
447# Example to connect via compuserve
448#  Compuserve insists on 7 bits even parity during the chat phase.  Modem
449#  parity is always reset to ``none'' after the link has been established.
450#
451compuserve:
452 set phone 1234567
453 set parity even
454 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
455            word: XXXXXXXX PPP"
456 set timeout 300
457 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
458 delete ALL
459 add default HISADDR
460
461
462# Example for PPP over TCP.
463#  We assume that inetd on tcpsrv.mynet has been
464#  configured to run "ppp -direct tcp-server" when it gets a connection on
465#  port 1234 with an entry something like this in /etc/inetd.conf.:
466#
467#    ppp stream tcp nowait root /usr/sbin/ppp ppp -direct tcp-server
468#
469#  with this in /etc/services:
470#
471#    ppp 6671/tcp
472#
473#  Read the man page for further details.
474#
475#  Note, we assume we're using a binary-clean connection.  If something
476#  such as `rlogin' is involved, you may need to ``set escape 0xff''
477#
478tcp-client:
479 set device tcpsrv.mynet:1234
480 set dial
481 set login
482 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
483
484tcp-server:
485 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
486
487
488# Using UDP is also possible with this in /etc/inetd.conf:
489#
490#   ppp dgram udp wait root /usr/sbin/ppp ppp -direct udp-server
491#
492# and this in /etc/services:
493#
494#    ppp 6671/tcp
495#
496udp-client:
497 set device udpsrv.mynet:1234/udp
498 set dial
499 set login
500 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
501
502udp-server:
503 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
504
505
506# Example for PPP testing.
507#  If you want to test ppp, do it through the loopback interface:
508#
509#  Requires a line in /etc/services:
510#    ppploop 6671/tcp # loopback ppp daemon
511#
512#  and a line in /etc/inetd.conf:
513#    ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
514#
515loop:
516 set timeout 0
517 set log phase chat connect lcp ipcp command
518 set device localhost:ppploop
519 set dial
520 set login
521 set ifaddr 127.0.0.2 127.0.0.3
522 set server /var/tmp/loop "" 0177
523 
524loop-in:
525 set timeout 0
526 set log phase lcp ipcp command
527 allow mode direct
528
529# Example of a VPN.
530#  If you're going to create a tunnel through a public network, your VPN
531#  should be set up something like this:
532#
533#  You should already have set up ssh using ssh-agent & ssh-add.
534#
535sloop:
536 load loop
537 # Passive mode allows ssh plenty of time to establish the connection
538 set openmode passive
539 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in"
540
541
542# or a better VPN solution (which doesn't run IP over a reliable
543# protocol like tcp) may be:
544#
545vpn-client:
546 set device udpsrv.mynet:1234/udp               # PPP over UDP
547 set dial
548 set login
549 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0
550 disable deflate pred1
551 deny deflate pred1
552 enable MPPE                                    # With encryption
553 accept MPPE
554
555vpn-server:
556 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0
557 disable deflate pred1
558 deny deflate pred1
559 enable MPPE
560 accept MPPE
561 enable chap81                                  # Required for MPPE
562
563# Example of non-PPP callback.
564#  If you wish to connect to a server that will dial back *without* using
565#  the ppp callback facility (rfc1570), take advantage of the fact that
566#  ppp doesn't look for carrier 'till `set login' is complete:
567#
568#  Here, we expect the server to say DIALBACK then disconnect after
569#  we've authenticated ourselves.  When this has happened, we wait
570#  60 seconds for a RING.
571#
572#  Note, it's important that we tell ppp not to expect carrier, otherwise
573#  we'll drop out at the ``NO CARRIER'' stage.
574#
575dialback:
576 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
577           ATDT\\T TIMEOUT 60 CONNECT"
578 set cd off
579 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
580           \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"
581
582# Example of PPP callback.
583#  Alternatively, if the peer is using the PPP callback protocol, we're
584#  happy either with ``auth'' style callback where the server dials us
585#  back based on what we authenticate ourselves with, ``cbcp'' style
586#  callback (invented by Microsoft but not agreed by the IETF) where
587#  we negotiate callback *after* authentication or E.164 callback where
588#  we specify only a phone number.  I would recommend only ``auth'' and/or
589#  ``cbcp'' callback methods.
590#  For ``cbcp'', we insist that we choose ``1234567'' as the number that
591#  the server must call back.
592#
593callback:
594 load pmdemand                                    # load in the pmdemand config
595 set callback auth cbcp e.164 1234567
596 set cbcp 1234567
597
598# If we're running a ppp server that wants to only call back microsoft
599# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
600#
601callback-server:
602 load server
603 set callback cbcp
604 set cbcp
605 set log +cbcp
606 set redial 3 1
607 set device /dev/cuaa0
608 set speed 115200
609 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"
610
611# Or if we want to allow authenticated clients to specify their own
612# callback number:
613#
614callback-server-client-decides:
615 load callback-server
616 set cbcp *
617
618# Multilink mode is available (rfc1990).
619#  To enable multi-link capabilities, you must specify a MRRU.  1500 is
620#  a reasonable value.  To create new links, use the ``clone'' command
621#  to duplicate an existing link.  If you already have more than one
622#  link, you must specify which link you wish to run the command on via
623#  the ``link'' command.
624#
625#  It's worth increasing your MTU and MRU slightly in multi-link mode to
626#  prevent full packets from being fragmented.
627#
628#  See ppp.conf.isdn for an example of how to do multi-link isdn.
629#
630#  You can now ``dial'' specific links, or even dial all links at the
631#  same time.  The `dial' command may also be prefixed with a specific
632#  link that should do the dialing.
633#
634mloop:
635 load loop
636 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2   # Use any of these devices
637 set mode interactive
638 set mrru 1500
639 set mru 1504                                  # Room for the MP header
640 clone 1 2 3
641 link deflink remove
642 # dial
643 # link 2 dial 
644 # link 3 dial 
645
646mloop-in:
647 set timeout 0                                 # No idle timer
648 set log tun phase
649 allow mode direct
650 set mrru 1500
651 set mru 1504                                  # Room for the MP header
652
653# User supplied authentication:
654#  It's possible to run ppp in the background while specifying a
655#  program to use to obtain authentication details on demand.
656#  This program would usually be a simple GUI that presents a
657#  prompt to a known user.  The ``chap-auth'' program is supplied
658#  as an example (and requires tcl version 8.0).
659#
660CHAPprompt:
661 load PAPorCHAPpmdemand
662 set authkey !/usr/share/examples/ppp/chap-auth
663
664#  It's possible to do the same sort of thing at the login prompt.
665#  Here, after sending ``brian'' in response to the ``name'' prompt,
666#  we're prompted with ``code:''.  A window is then displayed on the
667#  ``keep:0.0'' display and the typed response is sent to the peer
668#  as the password.  We then expect to see ``MTU'' and ``.'' in the
669#  servers response.
670#
671loginprompt:
672 load pmdemand
673 set authname brian
674 set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \
675            code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \
676                    AUTHNAME\" MTU \\c ."
677
678# ppp supports ppp over ethernet (PPPoE).  Beware, many PPP servers cache
679# the MAC address that connects to them, making it impossible to switch
680# your PPPoE connection between machines.
681#
682# The current implementation requires Netgraph, so it doesn't work with
683# OpenBSD or NetBSD.
684#
685# The client should be something like this:
686#
687pppoe:
688 set device PPPoE:de0:pppoe-in
689 set mru 1492
690 set mtu 1492
691 set speed sync   
692 enable lqr
693 set cd 5
694 set dial
695 set login
696 set redial 0 0
697
698# And the server should be running
699#
700#   /usr/libexec/pppoed -p pppoe-in fxp0
701#
702# See rc.conf(5)
703#
704pppoe-in:
705 allow mode direct				# Only for use on server-side
706 set mru 1492					# Max allowed by the PPPoE spec
707 set mtu 1492					# Max allowed by the PPPoE spec
708 set speed sync					# PPPoE is always synchronous
709 enable lqr proxy				# Enable LQR and proxy-arp
710 enable chap pap passwdauth			# Force client authentication
711 set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199	# Hand out up to 100 IP numbers
712 accept dns					# Allow DNS negotiation
713