Mention various facilities available with the latest ppp

This commit is contained in:
Brian Somers 1998-08-09 23:41:09 +00:00
parent 76058d36da
commit 05f8165aac
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=3309

@ -1,4 +1,4 @@
<!-- $Id: userppp.sgml,v 1.29 1998-04-08 11:52:41 cracauer Exp $ -->
<!-- $Id: userppp.sgml,v 1.30 1998-08-09 23:41:09 brian Exp $ -->
<!-- The FreeBSD Documentation Project -->
<sect>Setting up User PPP<label id="userppp">
@ -37,12 +37,19 @@
software such as pppd. Unless otherwise stated, all commands in this
section should be executed as root.
There are a large number of enhancements in version 2 of ppp. You can
discover what version you have by running ppp with no arguments and
typing <tt>show version</tt> at the prompt. It is a simple matter
to upgrade to the latest version of ppp (under any version of FreeBSD)
by downloading the latest archive via
<url url="http://www.Awfulhak.org/ppp.html" name="www.Awfulhak.org">.
<sect1><heading>Before you start</heading>
<p>This document assumes you are in roughly this position:
You have an account with an Internet Service Provider (ISP) which lets you
use PPP. Further, you have a modem (or other device) connected and
use PPP. Further, you have a modem (or other device) connected and
configured correctly which allows you to connect to your ISP.
You are going to need the following information to hand:
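Review bot: the new paragraph sends readers to an external site (www.Awfulhak.org) to upgrade ppp "under any version of FreeBSD" but does not say which FreeBSD releases already ship version 2, nor how to check the downloaded archive before installing it; suggest naming the first release that includes ppp 2, so most readers can skip the download, and adding a sentence on verifying the archive. The line "use PPP. Further, you have a modem (or other device) connected and" also appears twice in this hunk, which looks like a whitespace-only change; drop it if so.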
@ -54,26 +61,32 @@
unix style login/password pair, or a PPP PAP or CHAP
login/password pair.
<item><p>The IP address of your ISP's gateway. The gateway is the
machine to which you will connect and will
be set up as your <tt>default route</tt>. If your ISP hasn't
given you this number, don't worry. We can make one up and
your ISP's PPP server will tell us when we connect.
<p>This number is known from now on as <tt>HISADDR</tt>.
<item><p>Your ISP's netmask setting. Again, if your ISP hasn't given
you this information, you can safely use a netmask of
255.255.255.0.
<item><p>The IP addresses of one or more nameservers. Normally, you
will be given two IP numbers. You <bf>MUST</bf> have this
information unless you run your own nameserver.
information for ppp version 1.X unless you run your own
nameserver. From version 2 onwards, ppp supports nameserver
address negotiation. If your ISP also supports this, then
using the command <tt>enable dns</tt> in your config file
will tell ppp to set the nameservers up for you.
</itemize>
The following information may have been supplied by your ISP, but
is not strictly necessary:
<itemize>
<item><p>The IP address of your ISP's gateway. The gateway is the
machine to which you will connect and will be set up as your
<tt>default route</tt>. If your ISP hasn't given you this
number, we can make one up and your ISP's PPP server will
tell us the correct value when we connect.
<p>This IP number is referred to as <tt>HISADDR</tt> by ppp.
<item><p>Your ISP's netmask. If your ISP hasn't given you this
information, you can safely use a netmask of 255.255.255.0.
<item><p>If your ISP allocates you a static IP address and hostname
then you will need this information too. If not, you will need
to know from what range of IP addresses your allocated IP address
will belong. If you haven't been given this range, don't worry.
You can configure PPP to accept any IP number (as explained later).
then you can enter this information. Otherwise, we simply
let the peer assign whatever IP number it sees fit.
</itemize>
If you do not have any of the required information, contact your ISP
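Review bot: the "enable dns" sentence in the nameserver item says ppp will "set the nameservers up for you" but does not say that this means writing the peer-supplied addresses into /etc/resolv.conf. Since the item keeps the "unless you run your own nameserver" caveat, suggest adding that readers running a local nameserver should leave dns disabled, otherwise their resolver configuration is replaced by whatever the ISP's server sends. The split into required and "not strictly necessary" lists reads well.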
@ -115,11 +128,14 @@
tun1: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 576
tun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 203.10.100.1 --> 203.10.100.20 netmask 0xffffffff
tun3: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1500
tun3: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
</verb></tscreen>
which in this case shows four tunnel devices, two of which are
currently configured and being used.
currently configured and being used. It should be noted that
the RUNNING flag above indicates that the interface has been
used as some point - it is not an error if your interface does
not show up as RUNNING.
<p>If you have a kernel without the tun device, and you can not
rebuild it for some reason, all is not lost. You should be
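Review bot: typo in the added sentence, "used as some point" should read "used at some point". The explanation of the RUNNING flag is a useful addition and matches the flags=8010 value now shown for tun3.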
@ -162,6 +178,14 @@
$
</verb></tscreen>
The RUNNING flag may not yet be set, in which case you'll see:
<tscreen><verb>
$ ifconfig tun0
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
$
</verb></tscreen>
<sect1><heading>Name Resolution Configuration</heading>
<p>The resolver is the part of the system that turns IP addresses
@ -181,12 +205,13 @@
<sect2><heading>Edit the /etc/host.conf file</heading>
<p>This file should contain the following two lines:
<p>This file should contain the following two lines (in this order):
<tscreen><verb>
hosts
bind
</verb></tscreen>
which instructs the resolver to first look in the file
<tt>/etc/hosts</tt>, and then to consult the DNS if the
name was not found.
@ -195,7 +220,7 @@
<p>This file should contain the IP addresses and names of machines on your
network. At a bare minimum it should contain entries for the machine
which will be running ppp. Assuming that your machine is called
which will be running ppp. Assuming that your machine is called
foo.bar.com with the IP address 10.0.0.1, <tt>/etc/hosts</tt> should
contain:
@ -230,6 +255,12 @@
is probably unnecessary. Refer to the resolv.conf manual page for details
of other possible entries in this file.
<p>If you're running ppp version 2 or greater, the ``enable dns'' command
will tell ppp to request that your ISP confirms the nameserver values.
If your ISP supplies different addresses (or if there are no nameserver
lines in <tt>/etc/resolv.conf</tt>), ppp will rewrite the file with the
ISP-supplied values.
<sect1><heading>PPP Configuration</heading>
<p>Both user ppp and pppd (the kernel level implementation of PPP)
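Review bot: grammar, "request that your ISP confirms" should be "request that your ISP confirm". More importantly, the paragraph should state plainly that with enable dns the peer decides what ends up in /etc/resolv.conf: locally configured nameserver lines are replaced whenever the ISP supplies different addresses, so readers who run their own nameserver or deliberately point at specific resolvers should not enable dns.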
@ -259,12 +290,11 @@
\\dATDT\\T TIMEOUT 40 CONNECT"
5 provider:
6 set phone "(0123) 456 7890"
7 set login "TIMEOUT 10 gin:-BREAK-gin: foo word: bar col: ppp"
7 set login "TIMEOUT 10 \"\" \"\" gin:--gin: foo word: bar col: ppp"
8 set timeout 300
9 deny lqr
10 set ifaddr x.x.x.x y.y.y.y
11 delete ALL
12 add 0 0 HISADDR
9 set ifaddr x.x.x.x y.y.y.y 255.255.255.0 0.0.0.0
10 add default HISADDR
11 enable dns
</verb></tscreen>
Do not include the line numbers, they are just for reference in
this discussion.
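Review bot: the new line 7 login string introduces the tokens \"\" \"\" and gin:--gin: in place of gin:-BREAK-gin:, but nothing in the walkthrough explains what the empty expect/send pair does or why the BREAK was dropped; suggest a sentence on each. Since the example carries the login password ("bar") in ppp.conf in clear text and line 11 now enables dns, it would also help to restate here that ppp.conf must not be readable by other users and that enable dns lets the peer rewrite /etc/resolv.conf.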
@ -307,8 +337,11 @@
</verb></tscreen>
You will need to alter this script to suit your own needs.
If you're using PAP or CHAP, there will be no login at this
point, so your login string can be left blank. See
When you write this script for the first time, you should
enable ``chat'' logging to ensure that the conversation is
going as expected.
<p>If you're using PAP or CHAP, there will be no login at this
point, so your login string should be left blank. See
<ref id="userppp:PAPnCHAP" name="PAP and CHAP authentication">
for further details.
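Review bot: recommending "chat" logging while writing the login script deserves a caveat: the login string on line 7 sends the password to the peer, so the chat log will contain it. Suggest adding that chat logging should be turned off again once the script works and that the log file permissions matter, as the NOTE added later in this commit says for authkey under command logging.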
@ -317,20 +350,7 @@
300 seconds of inactivity. If you never want to timeout,
set this value to zero.
<tag/Line 9:/ Ppp can be configured to exchange Link Quality Report (LQR)
packets. These packets describe how good the physical link
is. Ppp's LQR strategy is to close the connection when a
number of these packets are missed. This is useful when
you have a direct serial link to another machine and the
DSR modem signal is not available to indicate that the line
is up. When data saturates the line, LQR packets are
sometimes ``missed'', causing ppp to close the connection
prematurely. Refusing to negotiate lqr is sometimes prudent
(if you are going through a modem) as it avoids this whole
mess. By default, ppp will not attempt to negotiate LQR,
but will accept LQR negotiation from the peer.
<tag/Line 10:/ Sets the interface addresses. The string x.x.x.x should be
<tag/Line 9:/ Sets the interface addresses. The string x.x.x.x should be
replaced by the IP address that your provider has allocated
to you. The string y.y.y.y should be replaced by the IP
address that your ISP indicated for their gateway (the
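Review bot: removing "deny lqr" from the example also removes the only explanation of LQR and of the default behaviour ("ppp will not attempt to negotiate LQR, but will accept LQR negotiation from the peer"); readers with existing ppp.conf files containing deny lqr are left with no reference. Suggest keeping a short LQR paragraph, or a pointer to the manual page, even though the line is no longer in the example.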
@ -339,18 +359,18 @@
use a ``guessed'' address, make sure that you create an entry
in <tt>/etc/ppp/ppp.linkup</tt> as per the instructions for
<ref id="userppp:dynamicIP" name="PPP and Dynamic IP addresses">.
If this line is omitted, ppp cannot run in <tt>-auto</tt> or
<tt>-dynamic</tt> mode.
If this line is omitted, ppp cannot run in <tt>-auto</tt> mode.
<tag/Line 11:/ Deletes all existing routing table entries for the acquired
tun device. This should not normally be necessary, but will
make sure that PPP is starting with a clean bill of health.
<tag/Line 12:/ Adds a default route to your ISPs gateway. The special
<tag/Line 10:/ Adds a default route to your ISPs gateway. The special
word <tt>HISADDR</tt> is replaced with the gateway address
specified on line 9. It is important that this line appears
after line 9, otherwise <tt>HISADDR</tt> will not yet be
initialized.
<tag/Line 11:/ This line tells ppp to ask your ISP to confirm that your
nameserver addresses are correct. If your ISP supports
this facility, ppp can then update <tt>/etc/resolv.conf</tt>
with the correct nameserver entries.
</descrip>
<p>It is not necessary to add an entry to <tt>ppp.linkup</tt> when you have
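Review bot: "your ISPs gateway" in the renumbered line 10 description should be "your ISP's gateway". The line 9 description was renumbered but not updated for the two arguments this commit adds to line 9 (the 255.255.255.0 netmask and the trailing 0.0.0.0); suggest one sentence here, or a pointer to the dynamic IP section where the 0.0.0.0 argument is explained.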
@ -374,41 +394,35 @@
name="PPP and Static IP addresses">, with the following change:
<tscreen><verb>
10 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0
9 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
</verb></tscreen>
Again, do not include the line numbers, they are just for reference in
this discussion. Indentation of at least one space is required.
<descrip>
<tag/Line 10:/ The number after the ``/'' character is the number of bits of
<tag/Line 9:/ The number after the ``/'' character is the number of bits of
the address that ppp will insist on. You may wish to use
IP numbers more appropriate to your circumstances, but the
above example will almost always work. If it fails, you may
be able to defeat some broken ppp implementations by
supplying an additional <tt>0.0.0.0</tt> argument:
above example will always work.
<tscreen><verb>
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
</verb></tscreen>
This tells ppp to negotiate using address <tt>0.0.0.0</tt>
rather than <tt>10.0.0.1</tt>. Do not use <tt>0.0.0.0/0</tt>
as the first argument to <tt>set ifaddr</tt> as it prevents
ppp from setting up an initial route in <tt>-auto</tt> and
<tt>-ddial</tt> mode.
The last argument (<tt>0.0.0.0</tt>) tells ppp to negotiate
using address <tt>0.0.0.0</tt> rather than <tt>10.0.0.1</tt>.
Do not use <tt>0.0.0.0/0</tt> as the first argument to <tt>set
ifaddr</tt> as it prevents ppp from setting up an initial route
in <tt>-auto</tt> mode.
</descrip>
<p>You will also need to create an entry in <tt>/etc/ppp/ppp.linkup</tt>.
<tt>Ppp.linkup</tt> is used after a connection has been established. At
this point, ppp will know what IP addresses should <bf>really</bf> be
used. The following entry will delete the existing bogus routes, and
create correct ones:
<p>If you are running version 1.X of ppp, you will also need to create an
entry in <tt>/etc/ppp/ppp.linkup</tt>. <tt>Ppp.linkup</tt> is used after
a connection has been established. At this point, ppp will know what IP
addresses should <bf>really</bf> be used. The following entry will delete
the existing bogus routes, and create correct ones:
<tscreen><verb>
1 provider:
2 delete ALL
3 add 0 0 HISADDR
3 add default HISADDR
</verb></tscreen>
<descrip>
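Review bot: "the above example will always work" replaces "will almost always work" and drops the note about broken ppp implementations; an absolute claim in a troubleshooting guide is hard to honour, so suggest keeping the hedge. The version 1.X qualifier on the ppp.linkup entry is good; consider saying explicitly that version 2 users can omit the ppp.linkup entry here rather than leaving that to the sticky routes paragraph.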
@ -431,29 +445,33 @@
<p>See the pmdemand entry in the files <tt>/etc/ppp/ppp.conf.sample</tt> and
<tt>/etc/ppp/ppp.linkup.sample</tt> for a detailed example.
<p>Version 2 of ppp introduces ``sticky routes''. Any <tt>add</tt> or
<tt>delete</tt> lines that contain <tt>MYADDR</tt> or <tt>HISADDR</tt>
will be remembered, and any time the actual values of <tt>MYADDR</tt>
or <tt>HISADDR</tt> change, the routes will be re-applied. This
removes the necessity of repeating these lines in <tt>ppp.linkup</tt>.
<sect2><heading>Receiving incoming calls with PPP</heading>
<p>This section describes setting up ppp in a server role.
<p>When you configure <tt>ppp</tt> to receive incoming calls, you
must decide whether you wish to forward packets for just
<tt>ppp</tt> connections, for all interfaces, or not at all.
To forward for just ppp connections, include the line
<p>When you configure <tt>ppp</tt> to receive incoming calls on a
machine connected to a LAN, you must decide if you wish to forward
packets to the LAN. If you do, you should allocate the peer an IP
number from your LANs subnet, and use the command
<tscreen><verb>
enable proxy
</verb></tscreen>
in your <tt>ppp.conf</tt> file. If you wish to forward packets on all
interfaces, use the
in your <tt>ppp.conf</tt> file. You should also confirm that the
<tt>/etc/rc.conf</tt> file (this file used to be called
<tt>/etc/sysconfig</tt>) contains the following:
<tscreen><verb>
gateway=YES
gateway_enable=YES
</verb></tscreen>
option in <tt>/etc/rc.conf</tt> (this file used to be called
<tt>/etc/sysconfig</tt>).
<sect3><heading>Which getty?</heading>
<p><ref id="dialup" name="Configuring FreeBSD for Dialup Services">
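Review bot: the rewritten forwarding paragraph loses the distinction the old text made between forwarding for ppp connections only, for all interfaces, or not at all: gateway_enable=YES turns on forwarding for every interface on the machine, not just the PPP link, and enable proxy makes the dial-in peer appear as a host on the LAN subnet. Suggest stating both consequences so readers setting up a dial-in server understand what they expose to the peer. Also "your LANs subnet" should be "your LAN's subnet".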
@ -481,6 +499,16 @@
below, that user must be given permission to run ppp by adding them to
the <tt>network</tt> group in <tt>/etc/group</tt>.
<p>You will also need to give them access to one or more sections of the
configuration file using the <tt>allow</tt> command:
<tscreen><verb>
allow users fred mary
</verb></tscreen>
If this command is used in the default section, it gives the specified
users access to everything.
<sect3><heading>Setting up a PPP shell for dynamic-IP users</heading>
<p>Create a file called <tt>/etc/ppp/ppp-shell</tt> containing the
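Review bot: the allow users paragraph should also say what happens when a section has no allow line at all, so readers know whether access is denied or granted by default before putting authkey values into a section. "Gives the specified users access to everything" is worth spelling out: those users may run ppp with any section in the file, including ones holding passwords, so a per-section allow line is the safer choice on a multi-user machine.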
@ -506,7 +534,7 @@
<tt>ppp-dialup</tt> to this script using the following commands:
<tscreen><verb>
# ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-dialup
# ln -s ppp-shell /etc/ppp/ppp-dialup
</verb></tscreen>
<p>You should use this script as the <em>shell</em> for all your dialup
@ -634,24 +662,16 @@
<tscreen><verb>
#!/bin/sh
TTY=`tty`
IDENT=`basename $TTY`
exec /usr/sbin/ppp -direct pap$IDENT
exec /usr/sbin/ppp -direct pap
</verb></tscreen>
<p>For each dialup line enabled in <tt>/etc/ttys</tt> create a corresponding
entry in <tt>/etc/ppp/ppp.conf</tt>. This will happily co-exist with
the definitions we created above.
<p>Now create a single configuration entry in <tt>/etc/ppp/ppp.conf</tt>
that will work for all of your incoming calls:
<tscreen><verb>
papttyd0:
pap:
enable pap
set ifaddr 203.14.100.1 203.14.100.20 255.255.255.255
enable proxy
papttyd1:
enable pap
set ifaddr 203.14.100.1 203.14.100.21 255.255.255.255
set ifaddr 203.14.100.1 203.14.100.20-203.14.100.40
enable proxy
</verb></tscreen>
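Review bot: the address range form "set ifaddr 203.14.100.1 203.14.100.20-203.14.100.40" is one of the version 2 facilities this commit documents, but unlike the dns changes it carries no version note; suggest adding "version 2 and above" here and keeping a sentence that the per-line pap$IDENT layout is still needed with 1.X, since the ppp-shell script no longer derives the section name from the tty.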
@ -663,33 +683,40 @@
</verb></tscreen>
option to authenticate users via pap from the <tt>/etc/password</tt>d
file. (*)
file.
<p>(*) Note this option only available in 2.2-961014-SNAP or later, or by
getting the updated ppp code for 2.1.x. (see MS extensions below for details)
<p>If you wish to assign some users a static IP number, you can specify
the number as the third argument in <tt>/etc/ppp/ppp.secret</tt>. See
<tt>/etc/ppp/ppp.secret.sample</tt> for examples.
<sect4><heading>MS extentions</heading>
<p>From 2.2-961014-SNAP onwards it is possible to allow the automatic
negotiation of DNS and NetBIOS name servers with clients supporting
this feature (namely Win95/NT clients). See RFC1877 for more details
on the protocol.
<p>It is possible to configure ppp to supply DNS and NetBIOS nameserver
addresses on demand.
<p>An example of enabling these extensions in your
<tt>/etc/ppp/ppp.conf</tt> file is illustrated below.
<p>To enable these extensions with ppp version 1.X, the following lines
might be added to the relevant section of <tt>/etc/ppp/ppp.conf</tt>:
<tscreen><verb>
default:
set debug phase lcp chat
set timeout 0
enable msext
set ns 203.14.100.1 203.14.100.2
set nbns 203.14.100.5
</verb></tscreen>
or for ppp version 2 and above:
<tscreen><verb>
accept dns
set dns 203.14.100.1 203.14.100.2
set nbns 203.14.100.5
</verb></tscreen>
<p>This will tell the clients the primary and secondary
name server addresses, and a netbios nameserver host.
<p>In version 2 and above, if the ``set dns'' line is omited, ppp will
use the values found in <tt>/etc/resolv.conf</tt>.
<sect2><heading>PAP and CHAP authentication<label id="userppp:PAPnCHAP">
</heading>
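Review bot: the heading "MS extentions" should read "MS extensions", and "omited" should be "omitted". The rewrite drops the RFC1877 reference the old text gave for DNS and NetBIOS nameserver negotiation; keep it, since it is the only normative pointer for the protocol. The context line "<tt>/etc/password</tt>d" looks like a markup slip for "<tt>/etc/passwd</tt>" and could be fixed while this paragraph is being touched.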
@ -711,8 +738,8 @@
<tscreen><verb>
7 set login
.....
13 set authname MyUserName
14 set authkey MyPassword
12 set authname MyUserName
13 set authkey MyPassword
</verb></tscreen>
As always, do not include the line numbers, they are just for reference
@ -723,9 +750,9 @@
server if you're using PAP or CHAP. You must therefore
disable your "set login" string.
<tag/Line 13:/ This line specifies your PAP/CHAP user name. You will need
<tag/Line 12:/ This line specifies your PAP/CHAP user name. You will need
to insert the correct value for <tt>MyUserName</tt>.
<tag/Line 14:/ This line specifies your PAP/CHAP password. You will need
<tag/Line 13:/ This line specifies your PAP/CHAP password. You will need
to insert the correct value for <tt>MyPassword</tt>.
You may want to add an additional line
<tscreen><verb>
@ -736,40 +763,23 @@
15 accept CHAP
</verb></tscreen>
to make it obvious that this is the intention, but PAP
and CHAP are accepted by default.
and CHAP are both accepted by default.
</descrip>
<p><bf>NOTE:</bf> Your <tt>authkey</tt> will be logged if you have
command logging turned on (<tt>set log +command</tt>). Care should be
taken when deciding the ppp log file permissions.
<sect2><heading>Changing your ppp configuration on the fly</heading>
<p>It is possible to talk to the ppp program while it is running in
the background, but only if a suitable password has been set up.
<p>By default, ppp will listen to a TCP port of 3000 + <tt>tunno</tt>,
where <tt>tunno</tt> is the number of the tun device acquired, however,
if a password for the local machine is not set up in
<tt>/etc/ppp/ppp.secret</tt>, no server connection will be created.
To set your password, put the following line in
<tt>/etc/ppp/ppp.secret</tt>:
the background, but only if a suitable diagnostic port has been
set up. To do this, add the following line to your configuration:
<tscreen><verb>
foo MyPassword
set server /var/run/ppp-tun%d DiagnosticPassword 0177
</verb></tscreen>
where <tt>foo</tt> is your local hostname (run <tt>hostname -s</tt> to
determine the correct name), and <tt>MyPassword</tt> is the unencrypted
password that you wish to use. <tt>/etc/ppp/ppp.secret</tt> should
<bf>NOT</bf> be accessable by anyone without user id 0. This means that
<tt>/</tt>, <tt>/etc</tt> and <tt>/etc/ppp</tt> should not be writable,
and <tt>ppp.secret</tt> should be owned by user id 0 and have permissions
0600.
<p>It is also possible to select a specific port number or to have ppp listen
to a local unix domain socket rather than to a TCP socket. Refer to the
<tt>set socket</tt> command in manual page for further details.
This will tell ppp to listen to the specified unix-domain socket,
asking clients for the specified password before allowing access.
The %d in the name is replaced with the tun device number that is
in use.
<p>Once a socket has been set up, the <tt>pppctl(8)</tt> program may be used
in scripts that wish to manipulate the running program.
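Review bot: the removed paragraph was the only place stating that /etc/ppp/ppp.secret must be owned by user id 0 with permissions 0600 and that /, /etc and /etc/ppp must not be writable; ppp.secret still holds PAP/CHAP secrets and static IP assignments per the earlier section, so that guidance should survive the rewrite. The new "set server /var/run/ppp-tun%d DiagnosticPassword 0177" line also puts the diagnostic password into ppp.conf in clear text, so the same permission advice applies to ppp.conf, and the trailing 0177 argument is not explained. Finally, the earlier renumbering of lines 13/14 to 12/13 leaves the context line "15 accept CHAP" with its old number.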
@ -909,7 +919,7 @@ foo MyPassword
<sect1><heading>Acknowledgments</heading>
<p>This section of the handbook was last updated on Sun Sep 7, 1997
<p>This section of the handbook was last updated on Monday Aug 10, 1998
by &a.brian
<p>Thanks to the following for their input, comments & suggestions: