os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
doc/en/tutorials/ppp/ppp.sgml
Jordan K. Hubbard 87e55266d8 Clean up some punctuation hair I noticed. 
<code> seems to be not-liked by our HTML conversion right now, so I've
switched over to <tscreen><verb> sections which should accomplish the
same effect (and also look consistent with other examples).
1997-01-21 05:49:54 +00:00

1736 lines
61 KiB
Text
Raw Blame History

<!DOCTYPE linuxdoc PUBLIC "-//FreeBSD//DTD linuxdoc//EN">
<!-- $Id: ppp.sgml,v 1.3 1997-01-21 05:49:54 jkh Exp $ -->
<article>
<title>PPP - Pedantic PPP Primer
<author>Maintainer: Steve Sims <tt><htmlurl
url="mailto:SimsS@IBM.NET"
name="&lt;SimsS@IBM.NET&gt;"></tt>
<date>$Date: 1997-01-21 05:49:54 $
<abstract>
This is a step-by-step guide for configuring FreeBSD systems to act as
a dial-up router/gateway in a Local Area Environment. All entries may
be assumed to be relevant to FreeBSD 2.2+, unless otherwise noted.
</abstract>
<toc>
<sect>
<heading>Overview:</heading>
<p>The User-Mode PPP dialer in FreeBSD Version 2.2 (also known as:
<it>"IIJ-PPP"</it> ) now supports Packet Aliasing for dial up
connections to the Internet. This feature, also known as
"<IT/Masquerading/", "<IT/IP Aliasing/", or "<IT/Network Address
Translation/", allows a FreeBSD system to act as a dial- on-demand
router between an Ethernet-based Local Area Network and an Internet
Service Provider. Systems on the LAN can use the FreeBSD system to
forward information between the Internet by means of a single
dial-connection.
<sect1>
<heading>Purpose of this Guide.</heading>
<p>
This guide explains how to:
<itemize>
<item>Configure the FreeBSD system to support dial-out connections,
<item>Share a dial-out connection with other systems in a network,
<item>Configure Windows platforms to use the FreeBSD system as a gateway to the Internet.
</itemize>
<p>
While the focus of this guide is to assist in configuring IP Aliasing,
it also includes specific examples of the configuration steps necessary
to configure and install each individual component; each section stands
alone and may be used to assist in the configuration of various aspects
of FreeBSD internetworking.
</sect>
<sect>
<heading>Building the Local Area Network</heading>
<p> While the ppp program can, and usually is, be configured to provide
services to <em/only/ the local FreeBSD box it can also be used to serve as a
"Gateway" (or "router") between other LAN-connected resources and the Internet or
other Dial-Up service.
<sect1>
<heading>Typical Network Topology</heading>
<p>This guide assumes a typical Local Area Network lashed together as
follows:
<verb>
+---------+ ----&gt; Dial-Up Internet Connection
| FreeBSD | \ (i.e.: NetCom, AOL, AT&amp;T, EarthLink,
etc)
| |--------
| "Curly" |
| |
+----+----+
|
|----+-------------+-------------+----| &lt;-- Ethernet Network
| | |
| | |
+----+----+ +----+----+ +----+----+
| | | | | |
| Win95 | | WFW | | WinNT |
| "Larry" | | "Moe" | | "Shemp" |
| | | | | |
+---------+ +---------+ +---------+
</verb>
<sect1>
<heading>Assumptions about the Local Area Network</heading>
<p>Some specific assumptions about this sample network are:
<p>Three workstations and a Server are connected with Ethernet
cabling:
<itemize>
<item>a FreeBSD Server ("Curly") with an NE-2000 adapter configured as
'ed0'
<item>a Windows-95 workstation ("Larry") with Microsoft's "native"
32-bit TCP/IP drivers
<item>a Windows for Workgroups workstation ("Moe") with Microsoft's
16-bit TCP/IP extensions
<item>a Windows NT workstation ("Shemp") with Microsoft's "native"
32-bit TCP/IP drivers
</itemize>
<p>The IP Addresses on the Ethernet side of this sample LAN have been
taken from the pool of "reserved" addresses proposed in RFC-1597.
IP addresses are assigned as follows:
<verb>Name IP Address
"Curly" 192.168.1.1 # The FreeBSD box
"Larry" 192.168.1.2 # The Win'95 box
"Moe" 192.168.1.3 # The WfW box
"Shemp" 192.168.1.4 # The Windows NT box
</VERB>
<p>This guide assumes that the modem on the FreeBSD box is connected
to the first serial port ('<tt>/dev/cuaa0</tt>' or '<tt>COM1:</tt>' in
DOS-terms).
<p>Finally, we'll also assume that your Internet Service Provider (ISP)
automatically provides the IP addresses of both your PPP/FreeBSD side
as well as the ISP's side. (i.e.: Dynamic IP Addresses on both ends
of the link.) Specific details for configuring the Dial-Out side of
PPP will be addressed in Section 2, "Configuring the FreeBSD System".
</sect>
<sect>
<heading>FreeBSD System Configuration</heading>
<p>There are three basic pieces of information that must be known to
the FreeBSD box before you can proceed with integrating the sample
Local Area Network:
<itemize>
<item>The Host Name of the FreeBSD system; in our example it's "Curly",
<item>The Network configuration,
<item>The <tt>/etc/hosts</tt> file (which lists the names and IP addresses of
the other systems in your network)
</itemize>
<p>If you performed the installation of FreeBSD over a network
connection some of this information may already be configured into
your FreeBSD system.
<p>Even if you believe that the FreeBSD system was properly configured
when it was installed you should at least verify each of these bits of
information to prevent trouble in subsequent steps.
<sect1>
<heading>Verifying the FreeBSD Host Name</heading>
<p>It's possible that the FreeBSD host name was specified and saved
when the system was initially installed. To verify that it was, enter
the following command at a prompt:<p>
<tscreen><verb>
# hostname
</verb></tscreen>
<p>The name of the host FreeBSD system will be displayed on a single
line. If the name looks correct (this is very subjective :-) skip
ahead to Section 3.2, "Verifying the Ethernet Interface
Configuration".
<p>For example, in our sample network, we would see 'curly.my.domain'
as a result of the `hostname` command if the name had been set
correctly during, or after, installation. (At this point, don't worry
too much about the ".my.domain" part, we'll sort this out later. The
important part is the name up to the first dot.)
<p>If a host name wasn't specified when FreeBSD was installed you'll
probably see 'myname.my.domain` as a response. You'll need to edit
<tt>/etc/sysconfig</tt> to set the name of the machine.
<sect2><heading>Configuring the FreeBSD Host Name</heading>
<p><em><bf>Reminder: You must be logged in as 'root' to edit the
system configuration files!</bf></em>
<em><bf>CAUTION: If you mangle the system configuration files,
chances are your system WILL NOT BOOT correctly! Be careful!</bf></em>
<p>The configuration file that specifies the FreeBSD system's host
name when the system boots is in <tt>/etc/sysconfig</tt>. Use the
default text editor ('<tt/ee/') to edit this file.
<p>Logged in as user 'root' load <tt>/etc/sysconfig</tt> into the
editor with the following command:
<tscreen><verb>
# ee /etc/sysconfig
</verb></tscreen>
<p>Using the arrow keys, scroll down until you find the line that
specifies the host name of the FreeBSD system. By default, this
section says:
<tscreen><verb>
---
# Set to the name of your host - this is pretty important!
hostname=myname.my.domain
---
</verb></tscreen>
Change this section to say (in our example):
<tscreen><verb>
---
# Set to the name of your host - this is pretty important!
hostname=curly.my.domain
---
</verb></tscreen>
Once the change to the host name has been made, press the 'Esc' key to
access the command menu. Select "leave editor" and make sure to
specify "save changes" when prompted.
<sect1>
<heading>Verifying the Ethernet Interface Configuration</heading>
<p>To reiterate our basic assumption, this guide assumes that the
Ethernet Interface in the FreeBSD system is named '<tt/ed0/'. This is
the default for NE-1000, NE-2000, WD/SMC models 8003, 8013 and Elite
Ultra (8216) network adapters.
<p>Other models of network adapters may have different device names in
FreeBSD. Check the FAQ for specifics about your network adapter. If
you're not sure of the device name of your adapter, check the FreeBSD
FAQ to determine the device name for the card you have and substitute
that name (i.e.: '<tt/de0/', '<tt/zp0/', or similar) in the following
steps.
<p>As was the case with the host name, the configuration for the
FreeBSD system's Ethernet Interface may have been specified when the
system was installed.
To display the configuration for the interfaces in your
FreeBSD system (Ethernet and others), enter the following command:
<tscreen><verb>
# ifconfig -a
</verb></tscreen>
(In layman's terms: "Show me the <BF/I/nter<BF/F/ace <BF/CONFIG/uration
for my network devices.")
<p>An example:
<tscreen><verb>
# ifconfig -a
ed0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu
1500
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
ether 01:02:03:04:05:06
lp0: flags=8810&lt;POINTOPOINT,SIMPLEX,MULTICAST&gt; mtu 1500
tun0: flags=8050&lt;POINTOPOINT,RUNNING, MULTICAST&gt; mtu 1500
sl0: flags=c010&lt;POINTOPOINT,LINK2,MULTICAST&gt; mtu 552
ppp0: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1500
lo0: flags=8049&lt;UP,LOOPBACK,RUNNING,MULTICAST&gt; mtu 16384
inet 127.0.0.1 netmask 0xff000000
# _
</verb></tscreen>
<p>In this example, the following devices were displayed:<p>
<tt/ed0:/ The Ethernet Interface<p>
<tt/lp0:/ The Parallel Port Interface (ignored in this guide)<p>
<tt/tun0:/ The "tunnel" device; <em/This is the one user-mode ppp uses!/<p>
<tt/sl0:/ The SL/IP device (ignored in this guide)<p>
<tt/ppp0:/ Another PPP device (for kernel ppp; ignored in this guide)<p>
<tt/lo0:/ The "Loopback" device (ignored in this guide)<p>
In this example, the 'ed0' device is up and running. The key
indicators are:
<enum>
<item>Its status is "<tt/UP/",
<item>It has an Internet ("<tt/inet/") address, (in this case, 192.168.1.1)
<item>It has a valid Subnet Mask ("netmask"; 0xffffff00 is the same as
255.255.255.0), and
<item>It has a valid broadcast address (in this case, 192.168.1.255).
</enum>
<p>If the line for the Ethernet card had shown something similar to:
<tscreen><verb>
ed0: flags=8802&lt;BROADCAST,SIMPLEX,MULTICAST&gt; mtu 1500
ether 01:02:03:04:05:06
</verb></tscreen>
then the Ethernet card hasn't been configured yet.
<p>If the configuration for the Ethernet interface is correct you can
skip forward to Section 3.4, "Creating the list of other LAN hosts".
Otherwise, proceed with the next section.
<sect2>
<heading>Configuring your Ethernet Interface</heading>
<p><em><bf>Reminder: You must be logged in as 'root' to edit the
system configuration files!</bf></em>
<em><bf>CAUTION: If you mangle the system configuration files,
chances are your system WILL NOT BOOT correctly! Be careful!</bf></em>
<p>The configuration file that specifies settings for the network
interfaces when the system boots is in <tt>/etc/sysconfig</tt>. Use
the default text editor ('ee') to edit this file.
<p>Logged in as user 'root' load <tt>/etc/sysconfig</tt> into the
editor with the following command:
<p>
<tt> # ee /etc/sysconfig</tt>
<p>
About 100 lines from the top of <tt>/etc/sysconfig</tt> is the section
that describes which network interfaces should be activated when the
system boots. In the default configuration file the specific line
that controls this is:
<tscreen><verb>
network_interfaces="lo0"
</verb></tscreen>
<p>You'll need to amend this line to tell FreeBSD that you want to add
another device, namely the '<tt/ed0/' device. Change this line to
read:
<tscreen><verb>
network_interfaces="lo0 ed0"
</verb></tscreen>
<p>(Note the space between the definition for the loopback device
("lo0")
and the Ethernet device ("<tt/ed0/")!
<p><em><bf> Reminder: If your Ethernet card isn't named '<tt/ed0/', specify
the correct device name here instead.</bf></em>
<p>If you performed the installation of FreeBSD over a network
connection then the '<tt/network_interfaces=/' line may already
include a reference to your Ethernet adapter. If it is, verify that
it is the correct device name.
<p>Specify the Interface Settings for the Ethernet device
('<tt/ed0/'):
<p>Beneath the line that specifies which interfaces should be
activated are the lines that specify the actual settings for each
interface. In the default <tt>/etc/sysconfig</tt> file is a single
line that says:
<tscreen><verb>
ifconfig_lo0="inet localhost"
</verb></tscreen>
<p>You'll need to add another line after that to specify the settings
for your '<tt/ed0/' device.
<p>If you performed the installation of FreeBSD over a network
connection then there may already be an '<tt>ifconfig_ed0=</tt>' line
after the loopback definition. If so, verify that it has the correct
values.
<p>For our sample configuration we'll insert a line immediately after
the loopback device definition that says:
<tscreen><verb>
ifconfig_ed0="inet 192.168.1.1 netmask 255.255.255.0"
</verb></tscreen>
<p>When you've finished editing <tt>/etc/sysconfig</tt> to specify and
configure the network interfaces the section should look really close
to:
<tscreen><verb>
---
network_interfaces="lo0 ed0"
ifconfig_lo0="inet localhost"
ifconfig_ed0="inet 192.168.1.1 netmask 0xffffff00"
---
</verb></tscreen>
<p>Once all of the necessary changes to <tt>/etc/sysconfig</tt> have
been made, press the 'Esc' key to invoke the control menu. Select
"leave editor" and be sure to select "save changes" when prompted.
<sect1>
<heading>Enabling Packet Forwarding</heading>
<p>By default the FreeBSD system will not forward IP packets between
various network interfaces. In other words, routing functions (also
known as gateway functions) are disabled.
<p>If your intent is to use a FreeBSD system as stand-alone Internet
workstation and not as a gateway between LAN nodes and your ISP you
should skip forward to Section 3.4, "Creating the List of Other
LAN Hosts".
<p>If you intend for the PPP program to service the local FreeBSD box
as well as LAN workstations (as a router) you'll need to enable IP
forwarding.
<p>To enable IP Packet forwarding you'll need to edit the
<tt>/etc/sysconfig</tt> file.
Load this file into your editor with the following command:
<tscreen><verb>
# ee /etc/sysconfig
</verb></tscreen>
<p>About 250 lines down from the top of the file will be the
configuration
section which controls IP forwarding, which will look like:
<tscreen><verb>
=====
# If you want this host to be a gateway, set to YES.
gateway=NO
=====
</verb></tscreen>
<p>Change this line to read:
<tscreen><verb>
=====
# If you want this host to be a gateway, set to YES.
gateway=YES
=====
</verb></tscreen>
and exit the editor (saving the changes!).
<p><em><bf>NOTE: This line may already be set to '<tt/gateway=YES/' if IP
forwarding was enabled when the FreeBSD system was installed.</bf></em>
<sect1>
<heading>Creating the List of other LAN Hosts(<tt>/etc/hosts</tt>)</heading>
<p>The final step in configuring the LAN side of the FreeBSD system is
to create a list of the names and TCP/IP addresses of the various
systems that are connected to the Local Area Network. This list is
stored in the '<tt>/etc/hosts</tt>' file.
<p>The default version of this file has only a single host name
listing in it: the name and address of the loopback device ('lo0').
By networking convention, this device is always named "localhost" and
always has an IP address of 127.0.0.1. (See the interface
configuration example in Section 3.2.)
<p>To edit the <tt>/etc/hosts</tt> file enter the following command:
<tscreen><verb> # ee /etc/hosts </verb></tscreen>
<p>Scroll all the way to the bottom of the file (paying attention to
the comments along the way; there's some good information there!) and
enter (assuming our sample network) the following IP addresses and
host names:
<tscreen><verb>
192.168.1.1 curly curly.my.domain # FreeBSD System
192.168.1.2 larry larry.my.domain # Windows '95 System
192.168.1.3 moe moe.my.domain # Windows for Workgroups
System
192.168.1.4 shemp shemp.my.domain # Windows NT System
</verb></tscreen>
<p>(No changes are needed to the line for the '<tt>127.0.0.1
localhost</tt>' entry.)
<p>Once you've entered these lines, press the 'Esc' key to invoke the
control menu. Select "leave editor" and be sure to select "save
changes" when prompted.
<sect1>
<heading>Testing the FreeBSD system</heading>
<p>Congratulations! Once you've made it to this point, the FreeBSD
system is configured as a network-connected UNIX system! If you made
any changes to the <tt>/etc/sysconfig</tt> file you should probably
re-boot your FreeBSD system. This will accomplish two important
objectives:
<itemize>
<item>Allow the changes to the interface configurations to be applied, and
<item>Verify that the system restarts without any glaring configuration errors.
</itemize>
Once the system has been rebooted you should test the network
interfaces.
<p>
<sect2>
<heading>Verifying the operation of the loopback device</heading>
<p>To verify that the loopback device is configured correctly, log in as
'root' and enter:
<tscreen><verb>
# ping localhost
</verb></tscreen>
<p>You should see:
<tscreen><verb>
# ping localhost
PING localhost.my.domain. (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.219 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.287 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=255 time=0.214 m
[...]
</verb></tscreen>
messages scroll by until you hit Ctrl-C to stop the madness.
<sect2>
<heading>Verifying the operation of the Ethernet Device</heading>
<p>To verify that the Ethernet device is configured correctly, enter:
<tscreen><verb>
# ping curly
</verb></tscreen>
You should see:
<tscreen><verb>
# ping curly
PING curly.my.domain. (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.219 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.200 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.187 ms
[...]
</verb></tscreen>
messages.
<p>One important thing to look at in these two examples is that the
names (loopback and curly) correctly correlate to their IP addresses
(127.0.0.1 and 192.168.1.1). This verifies that the
<tt>/etc/hosts</tt> files is correct.
<p>If the IP address for "curly" isn't 192.168.1.1 or the address for
"localhost" isn't 127.0.0.1, return to Section 3.4 and review your
entries in '<tt>/etc/hosts</tt>'.
<p>If the names and addresses are indicated correctly in the result of
the ping command but there are errors displayed then something is
amiss with the interface configuration(s). Return to Section 3.1 and
verify everything again.
<p>If everything here checks out, proceed with the next section.
</sect>
<sect>
<heading>Configuring the PPP Dial-Out Connection</heading>
<p>There are two basic modes of operation of the ppp driver:
"Interactive" and "Automatic".
In Interactive mode you:<p>
<itemize>
<item>Manually establish a connection to your ISP,
<item>Browse, surf, transfer files and mail, etc...,
<item>Manually disconnect from your ISP.
</itemize>
<p>In Automatic mode, the PPP program silently watches what goes on
inside the FreeBSD system and automagically connects and disconnects
with your ISP as required to make the Internet a seamless element of
your network.
<p>In this section we'll address the configuration(s) for both modes
with emphasis on configuring your `ppp` environment to operate in
"Automatic" mode.
<sect1>
<heading>Backing up the original PPP configuration files</heading>
<p>Before making any changes to the files which are used by PPP you
should make a copy of the default files that were created when the
FreeBSD system was installed.
Log in as the 'root' user and perform the following steps:
Change to the '<tt>/etc</tt> directory:
<p><tt># cd /etc</tt>
Make a backup copy the original files in the 'ppp' directory:
<p><tt># cp -R ppp ppp.ORIGINAL</TT>
<p>You should now be able to see both a '<tt>ppp</tt>' and a
'<tt>ppp.ORIGINAL</tt>' subdirectory
in the '<tt>/etc</tt>' directory.
<sect1>
<heading>Create your own PPP configuration files</heading>
<p>By default, the FreeBSD installation process creates a number of
sample configuration files in the /etc/ppp directory. Please take
some time to review these files; they were derived from working
systems and represent the features and capabilities of the PPP
program.
<p>I <em/strongly/ encourage you to learn from these sample files and
apply them to your own configuration as necessary.
<p>For detailed information about the `ppp` program, read the ppp
manpage:
<tscreen><verb>
# man ppp
</verb></tscreen>
<p>For detailed information about the `chat` scripting language used by
the PPP dialer, read the chat manpage:
<tscreen><verb>
# man chat
</verb></tscreen>
<p>The remainder of this section describes the recommended contents of
the PPP configuration files.
<sect2>
<heading>The '<tt>/etc/ppp/ppp.conf</tt>' file</heading>
<p>The '<tt>/etc/ppp/ppp.conf</tt>' file contains the information and
settings required to set up a dial-out PPP connection. More than one
configuration may be contained in this file. The FreeBSD handbook
(XXX URL? XXX) describes the contents and syntax of this file in
detail.
<p>This section will describe only the minimal configuration to get a
dial-out connection working.
<p>Below is the /etc/ppp/ppp.conf file that we'll be using to provide a
dial-out Internet gateway for our example LAN:
<tscreen><verb>
################################################################
# PPP Configuration File ('/etc/ppp/ppp.conf')
#
# Default settings; These are always executed always when PPP
# is invoked and apply to all system configurations.
################################################################
default:
set device /dev/cuaa0
set speed 57600
disable pred1
deny pred1
disable lqr
deny lqr
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0M0
OK-AT-OK\\dATDT\\T TIMEOUT 40 CONNECT"
set redial 3 10
#
#
################################################################
#
# For interactive mode use this configuration:
#
# Invoke with `ppp -alias interactive`
#
################################################################
interactive:
set authname Your_User_ID_On_Remote_System
set authkey Your_Password_On_Remote_System
set phone 1-800-123-4567
set timeout 300
set openmode active
accept chap
#
################################################################
#
# For demand-dial (automatic) mode we'll use this configuration:
#
# Invoke with: 'ppp -auto -alias demand'
#
################################################################
demand:
set authname Your_User_ID_On_Remote_System
set authkey Your_Password_On_Remote_System
set phone 1-800-123-4567
set timeout 300
set openmode active
accept chap
set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0
add 0 0 127.2.2.2
################################################################
# End of /etc/ppp/ppp.conf
</verb></tscreen>
This file, taken verbatim from a working system, has three relevant
configuration sections:
<sect3>
<heading>The "<tt>default</tt>" Section</heading>
<p>The '<tt>default:</tt>' section contains the values and settings
used by every other section in the file. Essentially, this section is
implicitly added to the configuration lines to each other section.
<p>This is a good place to put "global defaults" applicable to all
dial-up sessions; especially modem settings and dialing prefixes which
typically don't change based on which destination system you're
connecting to.
<p>Following are the descriptions of each line in the "default" section
of the sample '<tt>/etc/ppp/ppp.conf</tt>' file:
<tscreen><verb>
set device /dev/cuaa0
</verb></tscreen>
This statement informs the PPP program that it should use the first
serial port.
Under FreeBSD the '<tt>/dev/cuaa0</tt>' device is the same port that's
known as "<tt>COM1:</tt>" under DOS, Windows, Windows 95, etc....
<p>If your modem is on <tt>COM2:</tt> you should specify
'<tt>/dev/cua01</tt>; <tt>COM3:</tt> would be '<tt>/dev/cua02</tt>'.
<tscreen><verb>
set speed 57600
</verb></tscreen>
This line sets the transmit and receive speed for the connection
between the serial port and the modem. While the modem used for this
configuration is only a 28.8 device, setting this value to 57600 lets
the serial link run at a higher rate to accommodate higher throughput
as a result of the data compression built into late-model modems.
If you have trouble communicating with your modem, try setting this
value to 38400 or even as low as 19200.
<tscreen><verb>
disable pred1
deny pred1
</verb></tscreen>
These two lines disable the "CCP/Predictor type 1" compression
features of the PPP program. The current version of `ppp` supports
data compression in accordance with draft Internet standards.
Unfortunately many ISPs use equipment that does not support this
capability. Since most modems try to perform on-the-fly compression
anyway you're probably not losing much performance by disabling this
feature on the FreeBSD side and denying the remote side from forcing
it on you.
<tscreen><verb>
disable lqr
deny lqr
</verb></tscreen>
These two lines control the "Line Quality Reporting" functions which
are part of the complete Point-to-Point (PPP) protocol specification.
(See RFC-1989 for details.)
The first line, "disable lqr", instructs the PPP program to not
attempt to report line quality status to the device on the remote end.
The second line, "deny lqr", instructs the PPP program to deny any
attempts by the remote end to reports line quality.
As most modern dial-up modems have automatic error correction and
detection and LQR reporting is not fully implemented in many vendor's
products it's generally a safe bet to include these two lines in the
default configuration.
<tscreen><verb>
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0M0
OK-AT-OK\\dATDT\\T TIMEOUT 40 CONNECT"
</verb></tscreen>
<em>NOTE: (This statement should appear on a single line; ignore any
line wrapping that may appear in this document.)</em>
This line instructs the PPP program how to dial the modem and
specifies some rudimentary guidelines for doing so:
<itemize>
<item>Attempts to dial should fail if the modem returns a "BUSY" result code,
<item>Attempts to dial should also fail if the modem returns a "NO CARRIER" result code,
<item>The PPP program should expect each of the following events to complete within a
5-second timeout period:
<itemize>
<item>The PPP program will initially expect nothing (specified above
by the \"\" portion of the statement) from the modem <item>The program
will send the modem initialization string "ATE1Q0M0" to the modem and
await a response of "OK". If a response is not received, the program
should send an attention command to the modem ("AT") and look again
for a response of "OK", <item>The program should delay for one second
(specified by the "\\d" part of the statement, and send the dialing
string to the modem. The "ATDT" portion of the statement is the
standard modem prefix to dial using tone-dialing; if you do not have
touch-tone service on your local phone line, replace the "ATDT" with
"ATDP". The "\\T" string is a placeholder for the actual phone number
(which will be automatically inserted as specified by the "set dial
123-4567").
</itemize>
<item>Finally, before a (maximum) timeout of 40 seconds, the PPP
program should expect to see a "CONNECT" result code returned from the
modem.
</itemize>
A failure at any point in this dialog will be interpreted as a dialing
failure and the PPP program will fail to connect.
(For a detailed description of the mini-scripting language used by the
PPP dialer, refer to the "chat" manpage.)
<tscreen><verb>
set redial 3 10
</verb></tscreen>
This line specifies that if a dial connection cannot immediately be made
the PPP program should retry (up to 3 times if necessary) with a delay of 10 seconds
between redialing attempts.
<sect3>
<heading>The "<tt>interactive</tt>" Section</heading>
<p>The '<tt>interactive:</tt>' section contains the values and
settings used to set up an "interactive" PPP session with a specific
remote system. Settings in this section will have the lines included
in the "default" section included automatically.
<p>The example cited in this section of the guide presumes that you'll
be connecting to a remote system that understands how to authenticate
a user without any fancy scripting language. That is, this sample
uses the CHAP protocol to set up the connection.
<p>A good rule of thumb is that if the Windows '95 dialer can set up a
connection by just clicking the "Connect" button this sample
configuration should work OK.
<p>If, on the other hand, when you connect to your ISP using Microsoft
Windows '95 Dial-Up Networking you need to resort to using the "Dial
Up Scripting Tool" from the Microsoft Plus! pack or you have to select
"Bring up a terminal windows after dialing" in the Windows '95
connection options then you'll need to look at the sample PPP
configuration files and the ppp manpage for examples of "expect /
response" scripting to make your ISP connection.
<p>Or even better, find an ISP who knows how to provide PAP or CHAP
authentication!
<p>The configuration examples shown here have been successfully used to
connect to:
<itemize>
<item>Various Shiva LanRovers
<item>The IBM Network (<url url="http://www.ibm.net">)
<item>AT&amp;T WorldNet (<url url="http://att.com/worldnet">)
<item>Erol's (<url url="http://www.erols.com">)
</itemize>
Following are descriptions for each line in the "interactive" section
of the sample '<tt>/etc/ppp/ppp.conf</tt>' file:
<tscreen><verb>
set authname Your_User_ID_On_Remote_System
</verb></tscreen>
This line specifies the name you would use to log in to the remote
system.
<tscreen><verb>
set authkey Your_Password_On_Remote_System
</verb></tscreen>
This is the password you'd use to log in to the remote system.
<tscreen><verb>
set phone 1-800-123-4567
</verb></tscreen>
This is the phone number of the remote system. If you're inside a PBX
you can
prepend '<tt>9, </tt>' to the number here.
<tscreen><verb>
set timeout 300
</verb></tscreen>
This tells the PPP program that it should automatically hang up the
phone if no data has
be exchanged for 300 seconds (5 minutes). You may wish to tailor this
number to your
specific requirements.
<tscreen><verb>
set openmode active
</verb></tscreen>
This tells the PPP program that once the modems are connected it
should immediately attempt to negotiate the connection. Some remote
sites do this automatically, some don't. This instructs your side of
the link to take the initiative and try to set up the connection.
<tscreen><verb>
accept chap
</verb></tscreen>
This tells the PPP program to use the "Challenge-Handshake
Authentication Protocol" to authenticate you. The values exchanged
between the local and remote side for UserID and password are taken
from the 'authname' and 'authkey' entries above.
<sect3>
<heading>The "<tt>demand</tt>" Section</heading>
<p>The "<tt>demand</tt>" section contains the values and settings used
to set up a "Dial-on-demand" PPP session with a specific remote
system. Settings in this section will also have the lines included in
the "default" section included automatically.
<p>Except for the last two lines in this section it is identical to
the configuration section which defines the "interactive"
configuration.
<p>As noted in Paragraph ???, the examples cited in this section of
the guide presume that you'll be connecting to a remote system that
understands how to use the CHAP protocol to set up the connection.
<p>Following are descriptions for each line in the "demand" section of
the sample '<tt>/etc/ppp/ppp.conf</tt>' file:
<tscreen><verb>
set authname Your_User_ID_On_Remote_System
</verb></tscreen>
This line specifies the name you would use to log in to the remote
system.
<tscreen><verb>
set authkey Your_Password_On_Remote_System
</verb></tscreen>
This is the password you'd use to log in to the remote system.
<tscreen><verb>
set phone 1-800-123-4567
</verb></tscreen>
This is the phone number of the remote system.
<tscreen><verb>
set timeout 300
</verb></tscreen>
This tells the PPP program that it should automatically hang up the
phone if no data has be exchanged for 300 seconds (5 minutes). You
may wish to tailor this number to your specific requirements.
<tscreen><verb>
set openmode active
</verb></tscreen>
This tells the PPP program that once the modems are connected it
should immediately attempt to negotiate the connection. Some remote
sites do this automatically, some don't. This instructs your side of
the link to take the initiative and try to set up the connection.
<tscreen><verb>
accept chap
</verb></tscreen>
This tells the PPP program to use the "Challenge-Handshake
Authentication Protocol" to authenticate you. The values exchanged
between the local and remote side for UserID and password are taken
from the 'authname' and 'authkey' entries above.
<tscreen><verb>
set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0
</verb></tscreen>
This command sets up a pair of "fake" IP addresses for the local and
remote sides of the PPP link. It instructs the PPP program to create
an IP address of 127.1.1.1 for the local side of the '<tt/tun0/'
(tunnel) device (refer back to section ?? for a description of this
device) and 127.2.2.2 for the remote side. Appending '<tt>/0</tt>' to
each address tells the PPP program that zero of the bits that make up
these addresses are significant and can (in fact, must!) be negotiated
between the local and remote systems when the link is established.
The 255.255.255.0 string tells the PPP program what Subnet mask to
apply to these pseudo-interfaces.
<p>Remember, we've assumed that your ISP provides the IP addresses for
both ends of the link! If your ISP assigned you a specific IP address
that you should use on your side when configuring your system, enter
that IP address here <em/instead/ of <tt>127.1.1.1</tt>.
Conversly, if your ISP gave you a specific IP address that he uses on
his end you should enter that IP address here <em/instead/ of
<tt>127.2.2.2</tt>.
In both cases, it's probably a good idea to leave the '<tt>/0</tt>' on
the end of each address. This gives the PPP program the opportunity
to change the address(es) of the link if it <em/has/ to.
<tscreen><verb>
add 0 0 127.2.2.2
</verb></tscreen>
This last line tells the PPP program that it should add a default
route for IP traffic that points to the (fake) IP address of the ISP's
system.
<em><bf>Note: If you used an ISP-specified address instead of
<tt>127.2.2.2</tt> on the preceeding line, use the same number here
instead of <tt>127.2.2.2</tt></bf></em>.
<p>By adding this "fake" route for IP traffic, the PPP program can,
while idle:
<itemize>
<item>Accept packets that FreeBSD doesn't already know how to forward,
<item>Establish a connection to the ISP "<em/on-the-fly/",
<item>Reconfigure the IP addresses of the local and remote side of the link,
<item>Forward packets between your workstation and the ISP.
</itemize>
automatically!
<p>Once the number of seconds specified by the timeout value in the
"default" section have elapsed without any TCP/IP traffic the PPP
program will automatically close the dial-up connection and the
process will begin again.
<sect2>
<heading>The '<tt>/etc/ppp/ppp.linkup</tt>' file</heading>
<p>The other file needed to complete the PPP configuration is found in
'<tt>/etc/ppp/ppp.linkup</tt>'. This file contains instructions for
the PPP program on what actions to take after a dial-up link is
established.
In the case of dial-on-demand configurations the PPP program will need
to delete the default route that was created to the fake IP address of
the remote side (127.2.2.2 in our example in the previous section) and
install a new default route that points the actual IP address of the
remote end (discovered during the dial-up connection setup).
A representative '<tt>/etc/ppp/ppp.linkup</tt>' file:
<tscreen><verb>
#########################################################################=
# PPP Link Up File ('/etc/ppp/ppp.linkup')
#
# This file is checked after PPP establishes a network connection.
#
# This file is searched in the following order.
#
# 1) First, the IP address assigned to us is searched and
# the associated command(s) are executed.
#
# 2) If the IP Address is not found, then the label name specified at
# PPP startup time is searched and the associated command(s)
# are executed.
#
# 3) If neither of the above are found then commands under the label
# 'MYADDR:' are executed.
#
#########################################################################=
#
# This section is used for the "demand" configuration in
# /etc/ppp/ppp.conf:
demand:
delete ALL
add 0 0 HISADDR
#
# All other configurations in /etc/ppp/ppp.conf use this:
#
MYADDR:
add 0 0 HISADDR
########################################################################
# End of /etc/ppp/ppp.linkup
</verb></tscreen>
Notice that there is a section in this file named "demand:", identical
to the configuration name used in the '<tt>/etc/ppp/ppp.conf</tt>'
file. This section instructs the PPP program that once a link is
established using this configuration, it must:
<enum>
<item>Remove any IP routing information that the PPP program has created
<item>Add a default route the remote end's actual address.
</enum>
<p>It's critical that those configurations in
'<tt>/etc/ppp/ppp.conf</tt>' which include the '<tt/set ifaddr/' and
'<tt/add 0 0/' statements (i.e.: those configurations used for
Dial-on-Demand configurations) execute the "delete ALL" and "add 0 0
HISADDR" commands in <tt>/etc/ppp/ppp.linkup</tt>.
<p><em><bf>This is the mechanism that controls the actual on-demand
configuration of the link.</bf></em>
<p>All configurations not explicitly named in
<tt>/etc/ppp/ppp.linkup</tt> will use whatever commands are in the
"MYADDR:" section of the file. This is where non-Demand-Dial
configurations (such as our "interactive:" sample) will fall through
to. This section simply adds a default route to the ISP's IP address
(at the remote end).
<sect1>
<heading>IP Aliasing</heading>
<p>All of the configuration steps described thus far are relevant to
any FreeBSD system which will be used to connect to an ISP via dial-up
connection.
<p>If your sole objective in reading this guide is to connect your
FreeBSD box to the Internet using dial-out ppp you can proceed to
Section 6, "Testing the Network".
One very attractive feature of the PPP program in on-demand mode is
its ability to route IP traffic between other systems on the Local
Area Network automatically. This feature is known by various names,
"<em/IP Aliasing/", "<em/Network Address Translation/", "<em/Address
Masquerading/" or "<em/Transparent Proxying/".
<p>Regardless of the terminology used, this mode is not, however,
automatic. If the PPP program is started normally then the program
will not forward packets between LAN interface(s) and the dial-out
connection. In effect, only the FreeBSD system is connected to the
ISP; other workstations cannot "share" the same connection.
For example, if the program is started with either of the following
command lines:
<p><tt># ppp interactive (Interactive mode)</tt><p> or
<p><tt># ppp -auto demand (Dial-on-Demand mode)</tt>
<p>then the system will function as an Internet-connected workstation
<em/only/ for the
FreeBSD box.
To start the PPP program as a gateway between LAN resources and the
Internet, one of the following command lines would be used instead:
<p><tt># ppp -alias interactive (Interactive mode)</tt><p> or
<p><tt># ppp -auto -alias demand (Dial-on-Demand mode)</tt>
<p>Keep this in mind if you intend to proceed with Section 5,
"Configuring Windows Systems".
</sect>
<sect>
<heading>Configuring Windows Systems</heading>
<p>As indicated in Section 1, our example network consists of a
FreeBSD system ("Curly") which acts as a gateway (or router) between a
Local Area Network consisting of two different flavors of Windows
Workstations. In order for the LAN nodes to use Curly as a router
they need to be properly configured. Note that this section does not
explain how to configure the Windows workstations for Dial-Up
networking. If you need a good explanation of that procedure, I
recommend <url url="http://www.aladdin.co.uk/techweb">.
<sect1>
<heading> Configuring Windows 95</heading>
<p>Configuring Windows 95 to act as an attached resource on your LAN
is relatively simple. The Windows 95 network configuration must be
slightly modified to use the FreeBSD system as the default gateway to
the ISP. Perform the following steps:
<p><bf>Create the Windows 95 "hosts" file:</bf>
<p>In order to connect to the other TCP/IP systems on the LAN you'll
need to create an identical copy of the "hosts" file that you
installed on the FreeBSD system in Section 3.4.
<itemize>
<item>Click the "Start" button; select "Run..."; enter "notepad
\WINDOWS\HOSTS" (without the quotes) and click "OK"
<item>In the editor, enter the addresses and system names from the hosts
file shown in Section 3.4.
<item>When finished editing, close the notepad application (making sure
that you save the file!).
</itemize>
<p><bf>Configure the Windows 95 TCP/IP Network Configuation
settings</bf>:
<itemize>
<item>Click the "Start" button on the taskbar; select "Settings" and
"Control Panel".
<item>Double-click the "Network" icon to open it.<p>
The settings for all Network Elements are displayed.
<item>With the "Configuration" tab selected, scroll down the list of
installed components and highlight the "TCP/IP-><em/YourInterfaceType/" line
(where "<em/YourInterfaceType/" is the name or type of Ethernet adapter in your system).
<p>If TCP/IP is not listed in the list of installed network
components, click the "Add" button and install it before proceeding.
<p>(Hint: "Add | Protocol | Microsoft | TCP/IP | OK")
<item>Click on the "Properties" button to display a list of the
settings associated with the TCP component.
</itemize>
<p><bf>Configure the IP Address Information:</bf>
<itemize>
<item>Click the "IP Address" tab
<item>Click the "Specify an IP address" radio button.
<p>(In our example LAN the Windows 95 system is the one we've called "Larry".)
<item>In the "IP Address" field enter "192.168.1.2".
<item>Enter 255.255.255.0 in the "Subnet Mask" field.
</itemize>
<p><bf>Configure the Gateway information:</bf>
<itemize>
<item>Click on the "Gateway" tab
<p>For our example network the FreeBSD box will be acting as our
gateway to the Internet (routing packets between the Ethernet LAN and
the PPP dial-up connection. Enter the IP address of the FreeBSD
Ethernet interface, 192.168.1.1, in the "New gateway" field and click
the "Add" button. If any other gateways are defined in the "Installed
gateways" list you may wish to consider removing them.
</itemize>
<p><bf>Configure the DNS Information:</bf>
<p>This guide assumes that your Internet Service Provider has given
you a list of Domain Name Servers (or "DNS Servers") that you should
use. If you wish to run a DNS server on your local FreeBSD system,
refer to Section 6, "Exercise for the Interested Student" for tips on
setting up DNS on your FreeBSD system.
<itemize>
<item>Click the "DNS Configuration" tab
<item>Make sure that the "Enable DNS" radio button is selected.
<p>(If this button is not selected only the entries that
we put in the host file(s) will be available and your Net-Surfing
will not work as you expect!)
<item>In the "Host" field enter the name of the Windows 95 box, in this
case: "Larry".
<item>In the "Domain" field enter the name of our local network, in this
case: "my.domain"
<item>In the "DNS Server Search Order" section, enter the IP address
of the DNS server(s) that your ISP provided, clicking the "Add" button
after every address is entered. Repeat this step as many times as
necessary to add all of the addresses that your ISP provided.
</itemize>
<p><bf>Other Windows 95 TCP/IP options:</bf>
<p>For our purposes the settings under the "Advanced", "WINS
Configuration" and "Bindings" tabs are not necessary.
<p>If you wish to use the Windows Internet Naming Service ("WINS")
your attention is invited to <url url="http://www.localnet.org"> for
more information about WINS settings, specifically regarding sharing
files transparently across the Internet.
<p><bf>Mopping up:</bf>
<itemize>
<item>Click on the "OK" button to close the TCP/IP Properties window.
<item>Click on the "OK" button to close the Network Control Panel.
<item>Reboot your computer if prompted to do so.
</itemize>
<p> That's it!
<sect1>
<heading>Configuring Windows NT</heading>
<p>Configuring Windows NT to act as a LAN resource is also relatively
straightforward. The procedures for configuring Windows NT are
similar to Windows 95 with minor exceptions in the user interface.
<p>The steps shown here are appropriate for a Windows NT 4.0
Workstation, but the principles are the same for NT 3.5x. You may
wish to refer to the "Configuring Windows for Workgroups" section if
you're configuring Windows NT 3.5<it/x/, since the user interface is
the same for NT 3.5 and WfW.
<p>Perform the following steps:
<p><bf>Create the Windows NT "hosts" file:</bf>
<p>In order to connect to the other TCP/IP systems on the LAN you'll
need to create an identical copy of the "hosts" file that you
installed on the FreeBSD system in Section 3.4
<itemize>
<item>Click the "Start" button; select "Run..."; enter "notepad
\WINDOWS\SYSTEM\DRIVERS\ETC\HOSTS" (without the quotes) and click
"OK"
<item>In the editor, enter the addresses and system names from Section
3.4.
<item>When finished editing, close the notepad application (making sure
that you save the file!).
</itemize>
<p><bf>Configure the Windows NT TCP/IP Network Configuation
settings</bf>:
<itemize>
<item>Click the "Start" button on the taskbar; select "Settings" and
"Control Panel".
<item>Double-click the "Network" icon to open it.
<item>With the "Identification" tab selected, verify the "Computer Name"
and "Workgroup" fields. In this example we'll use "Shemp" for the name
and "Stooges" for the workgroup. Click the "Change" button and amend
these entries as necessary.
<item>Select the "Protocols" tab.
<p>The installed Network Protocols will be displayed. There may be a
number of protocols listed but the one of interest to this guide is
the "TCP/IP Protocol". If "TCP/IP Protocol" is not listed, click the
"Add" button to load it.
<p>(Hint: "Add | TCP/IP Protocol | OK") <item>Highlight "TCP/IP
Protocol" and click the "Properties" button.
<p>Tabs for specifying various settings for TCP/IP will be displayed.
</itemize>
<p><bf>Configuring the IP Address:</bf>
<p>Make sure that the Ethernet Interface is shown in the "Adapter"
box; if not, scroll through the list of adapters until the correct
interface is shown.
<itemize>
<item>Click the "Specify an IP address" radio button to enable the three
text boxes.
<p>In our example LAN the Windows NT system is the one we've called
"Shemp"
<item>In the "IP Address" field enter "192.168.1.4".
<item>Enter 255.255.255.0 in the "Subnet Mask" field.
</itemize>
<p><bf>Configure the Gateway information:</bf>
<p>For our example network the FreeBSD box will be acting as our gateway
to the Internet (routing packets between the Ethernet LAN and the PPP dial-up
connection.
<itemize>
<item>Enter the IP address of the FreeBSD Ethernet interface,
192.168.1.1, in the "New gateway" field and click the "Add" button.
<p>If any other gateways are defined in the "Installed gateways" list
you may wish to consider removing them.
</itemize>
<p><bf>Configuring DNS:</bf>
<p>Again, this guide assumes that your Internet Service Provider has
given you a list of Domain Name Servers (or "DNS Servers") that you
should use.
If you wish to run a DNS server on your local FreeBSD system, refer to
Section 6, "Exercise for the Interested Student" for tips on setting
up DNS on your FreeBSD system.
<itemize>
<item>Click the "DNS" tab
<item>In the "Host Name" field enter the name of the Windows NT box, in
this case: "Shemp".
<item>In the "Domain" field enter the name of our local network, in this
case: "my.domain"
<item>In the "DNS Server Search Order" section, enter the IP address of
the DNS server that your ISP provided, clicking the "Add" button after
every address is entered. Repeat this step as many times as necessary
to add all of the addresses that your ISP provided.
</itemize>
<p><bf>Other Windows NT TCP/IP options:</bf>
<p>For our purposes the settings under the "WINS Address" and
"Routing" tabs are not used.
<p>If you wish to use the Windows Internet Naming Service ("WINS")
your attention is invited to <url url="http://www.localnet.org"> for
more information about WINS settings, specifically regarding sharing
files transparently across the Internet.
<p><bf>Mopping up:</bf>
<itemize>
<item>Click on the "OK" button to close the TCP/IP Properties section.
<item>Click on the "Close" button to close the Network Control Panel.
<item>Restart your computer if prompted to do so.
</itemize>
<p>That's it!
<sect1>
<heading>Configuring Windows for Workgroups</heading>
<p>Configuring Windows for Workgroups to act as a network client
requires that the Microsoft TCP/IP-32 driver diskette has been
installed on the workstation. The TCP/IP drivers are not included
with the WfW CD or diskettes; if you need a copy they're available at
<url url="ftp://ftp.microsoft.com:/peropsys/windows/public/tcpip">.
<p>Once the TCP/IP drivers have been loaded, perform the following
steps:
<p><bf>Create the Windows for Workgroups "hosts" file:</bf>
<p>In order to connect to the other TCP/IP systems on the LAN you'll
need to create an identical copy of the "hosts" file that you
installed on the FreeBSD system in Section 3.4.
<itemize>
<item>In Program Manager, click the "File" button; select "Run"; and
enter: "notepad \WINDOWS\HOSTS" (without the quotes) and click "OK"
<item>In the editor, enter the addresses and system names from the hosts
file shown in Section 3.4.
<item>When finished editing, close the notepad application (making sure
that you save the file!).
</itemize>
<p><bf>Configure the Windows 95 TCP/IP Network Configuation
settings</bf>
<itemize>
<item>In the main window of Program Manager, open the "Network" group by
double-clicking the icon.
<item>Double click on the "Network Setup" icon.
<item>In the "Network Drivers Box" double-click the "Microsoft
TCP/IP-32" entry.
</itemize>
<p><bf>Configure the Windows for Workgroups IP Address:</bf> <p>Ensure
the correct Ethernet Interface is selected in the "Adapter" list. If
not, scroll down until it is displayed and select it by clicking on
it.
<itemize>
<item>Ensure that the "Enable Automatic DHCP Configuration" check box is
blank. If it is checked, click it to remove the "X".
<item>In our example LAN the Windows for Workgroups system is the one
we've called "Moe"; in the "IP Address" field enter "192.168.1.3".
<item>Enter 255.255.255.0 in the "Subnet Mask" field.
</itemize>
<p><bf>Configure the Gateway information:</bf>
<p>For our example network the FreeBSD box will be acting as our
gateway to the Internet (routing packets between the Ethernet LAN and
the PPP dial-up connection).
<itemize>
<item>Enter the IP address of the FreeBSD system, 192.168.1.1, in the
"Default Gateway" field.
</itemize>
<p><bf>Configuring DNS:</bf>
<p>Again, this guide assumes that your Internet Service Provider has
given you a list of Domain Name Servers (or "DNS Servers") that you
should use. If you wish to run a DNS server on your local FreeBSD
system, refer to Section 6, "Exercise for the Interested Student" for
tips on setting up DNS on your FreeBSD system.
<itemize>
<item>Click the "DNS" button.
<item>In the "Host Name" field enter the name of the Windows for
Workgroups box, in this case: "Moe".
<item>In the "Domain" field enter the name of our local network, in this
case: "my.domain"
<item>In the "Domain Name Service (DNS) Search Order" section, enter the
IP address of the DNS server that your ISP provided, clicking the "Add"
button after each address is entered. Repeat this step as many times as
necessary to add all of the addresses that your ISP provided.
<item>Click on the "OK" button to close the DNS Configuration window.
</itemize>
<p><bf>Mopping up:</bf>
<itemize>
<item>Click on the "OK" button to close the TCP/IP Configuration window.
<item>Click on the "OK" button to close the Network Setup window.
<item>Reboot your computer if prompted.
</itemize>
<p>That's it!
<sect>
<heading>Testing the Network</heading>
<p> Once you've completed that appropriate tasks above you should have
a functioning PPP gateway to the Internet.
<sect1>
<heading>Testing the Dial-Up link:</heading>
<p> The first thing to test is that the connection is being made
between your modem and the ISP.
<sect1>
<heading>Testing the Ethernet LAN</heading>
<p> *** TBD ***
</sect>
<sect>
<heading>Exercises for the Interested Student</heading>
<p>
<sect1>
<heading>Creating a mini-DNS system</heading>
<p>While managing a Domain Name Service (DNS) hierarchy can be a black
art, it is possible to set up a Mini-DNS server on the FreeBSD system
that also acts as your gateway to your ISP.
<p>Building on the files in <tt>/etc/namedb</tt> when the FreeBSD
system was installed it's possible to create a name server that is
both authoritative for the example network shown here as well as a
front-door to the Internet DNS architecture.
<p>In this minimal DNS configuration, only three files are necessary:
<tscreen><verb>
/etc/namedb/named.boot
/etc/namedb/named.root
/etc/namedb/mydomain.db
</verb></tscreen>
<p>The <tt>/etc/namedb/named.root</tt> file is automatically installed
as part of the FreeBSD base installation; the other two files must be
created manually.
<sect2>
<heading>The <tt>/etc/namedb/named.boot</tt> file</heading>
<p>The <tt>/etc/namedb/named.boot</tt> file controls the startup
settings of the DNS server.
Esentially, it tells the Name Server:
<enum>
<item>Where to find configuration files,
<item>What "domain names" it's responsible for, and
<item>Where to find other DNS servers.
</enum>
<p>Using the '<tt/ee/' editor, create a
<tt>/etc/namedb/named.boot</tt> with the following contents:
<tscreen><verb>
; boot file for mini-name server
directory /etc/namedb
; type domain source host/file backup file
cache . named.root
primary my.domain. mydomain.db
</verb></tscreen>
<p>Lines that begin with a semi-colon are comments. The significant
lines in this file are:
<itemize>
<item><tt>directory /etc/namedb</tt>
<p>Tells the Name Server where to find the configuration files
referenced in the remaining sections of the
'<tt>/etc/namedb/named.boot</tt>' file.
<item><tt>cache . named.root</tt>
<p>Tells the Name Server that the list of "Top-Level" DNS servers for
the Internet can be found in a file called '<tt>named.root</tt>'.
(This file is included in the base installation and its
contents are not described in this document.)
<item><tt>primary my.domain. mydomain.db</tt>
<p>Tells the Name Server that it will be "authoritative" for a DNS
domain called "my.domain" and that a list of names and IP addresses
for the systems in "my.domain" (the local network)
can be found in a file named '<tt>mydomain.db</tt>'.
</itemize>
<p>Once the <tt>/etc/namedb/named.boot</tt> file has been created and
saved, proceed to the next section to create the
<tt>/etc/namedb/mydomain.db</tt> file.
<sect2>
<heading>The <tt>/etc/namedb/mydomain.db</tt> file</heading>
<p>The <tt>/etc/namedb/mydomain.db</tt> file lists the names and IP
addresses of <em/every/ system in the Local Area Network.
<p><em>For a detailed description of the statements used in this file,
refer to the <tt/named/ manpage.</em>
<p>The <tt>/etc/namedb/mydomain.db</tt> file for our minimal DNS
server has the following contents:
<tscreen><verb>
@ IN SOA my.domain. root.my.domain. (
961230 ; Serial
3600 ; Refresh
300 ; Retry
3600000 ; Expire
3600 ) ; Minimum
IN NS curly.my.domain.
curly.my.domain. IN A 192.168.1.1 # The FreeBSD box
larry.my.domain. IN A 192.168.1.2 # The Win'95 box
moe.my.domain. IN A 192.168.1.3 # The WfW box
shemp.my.domain. IN A 192.168.1.4 # The Windows NT box
$ORIGIN 1.168.192.IN-ADDR.ARPA
IN NS curly.my.domain.
1 IN PTR curly.my.domain.
2 IN PTR larry.my.domain.
3 IN PTR moe.my.domain.
4 IN PTR shemp.my.domain.
$ORIGIN 0.0.127.IN-ADDR.ARPA
IN NS curly.my.domain.
1 IN PTR localhost.my.domain.
</verb></tscreen>
<p>In simple terms, this file declares that the local DNS server is:
<itemize>
<item>The Start of Authority for ("SOA") for a domain called
'my.domain',
<item>The Name Server ("NS") for 'my.domain',
<item>Responsible for the reverse-mapping for all IP addresses that
start with '192.168.1.' and
'127.0.0.' ("$ORIGIN ...")
</itemize>
<p>To add workstation entries to this file you'll need to add two
lines for each system; one in the top section where the name(s) are
mapped into Internet Addresses ("IN A"), and another line that maps
the addresses back into names in the <tt>$ORIGIN
1.168.192.IN-ADDR.ARPA</tt> section.
<sect2>
<heading>Starting the DNS Server</heading>
<p>By default the DNS server ('<tt>/usr/sbin/named</tt>') is not
started when the system boots. You can modify this behavior by
changing a single line in '<tt>/etc/sysconfig</tt>' as follows:
<p> Using the '<tt/ee/' editor, load <tt>/etc/sysconfig</tt>. Scroll
down approximately 200 lines until you come to the section that says:
<tscreen><verb>
---
# Set to appropriate flags for named, if you have a full-time
# connection to the Internet.
# For most hosts, flags should be "-b /etc/namedb/named.boot"
namedflags="NO"
---
</verb></tscreen>
Change this section to read:
<tscreen><verb>
---
# Set to appropriate flags for named, if you have a full-time
# connection to the Internet.
# For most hosts, flags should be "-b /etc/namedb/named.boot"
namedflags="-b /etc/namedb/named.boot"
---
</verb></tscreen>
Save the file and reboot.
Alternatively, start the Name Server daemon by entering the following
command:
<tscreen><verb>
# named -b /etc/namedb/named.boot
</verb></tscreen>
<p>Whenever you modify any of the files in <tt>/etc/namedb</tt> you'll
need to kick-start the Name Server process to make it pick up the
modifications. This is performed with the following system command:
<tscreen><verb>
# kill -HUP `cat /var/run/named.pid`
</verb></tscreen>
<sect1>
<heading>Playing with PPP filters</heading>
<p>The PPP program has the ability to apply selected filtering rules
to the traffic it routes. While this is not nearly as secure as a
formal firewall it does provide some access control as to how the link
is used.
<p>('<tt>man ipfw</tt>' for information on setting up a more secure
FreeBSD system.)
<p>The complete documentation for the various filters and rules under
PPP are availabe in the PPP manpage.
<p>There are four distinct classes of rules which may be applied to
the PPP program:
<itemize>
<item><tt/afilter/ - Access Counter (or "Keep Alive") filters
<p>These control which events are ignored by the <tt/set timeout=/
statement in the configuration file.
<item><tt/dfilter/ - Dialing filters
<p>These filtering rules control which events are ignored by the
demand-dial mode of PPP.
<item><tt/ifilter/ - Input filters
<p>Control whether incoming packets should be discarded or passed into
the system.
<item><tt/ofilter/ - Output filters
<p>Control whether outgoing packets should be discarded or passed into
the system.
</itemize>
<p>
What follows is a snippet from an operating system which provides a
good foundation for "normal" Internet operations while preventing PPP
from pumping <em/all/ data over the dial-up connection. Comments
briefly describe the logic of each rule set:
<tscreen><verb>
#
# KeepAlive filters
# Don't keep Alive with ICMP,DNS and RIP packet
#
set afilter 0 deny icmp
set afilter 1 deny udp src eq 53
set afilter 2 deny udp dst eq 53
set afilter 3 deny udp src eq 520
set afilter 4 deny udp dst eq 520
set afilter 5 permit 0/0 0/0
#
# Dial Filters:
# Note: ICMP will trigger a dial-out in this configuration!
#
set dfilter 0 permit 0/0 0/0
#
# Allow ident packet pass through
#
set ifilter 0 permit tcp dst eq 113
set ofilter 0 permit tcp src eq 113
#
# Allow telnet connection to the Internet
#
set ifilter 1 permit tcp src eq 23 estab
set ofilter 1 permit tcp dst eq 23
#
# Allow ftp access to the Internet
#
set ifilter 2 permit tcp src eq 21 estab
set ofilter 2 permit tcp dst eq 21
set ifilter 3 permit tcp src eq 20 dst gt 1023
set ofilter 3 permit tcp dst eq 20
#
# Allow access to DNS lookups
#
set ifilter 4 permit udp src eq 53
set ofilter 4 permit udp dst eq 53
#
# Allow DNS Zone Transfers
#
set ifilter 5 permit tcp src eq 53
set ofilter 5 permit tcp dst eq 53
#
# Allow access from/to local network
#
set ifilter 6 permit 0/0 192.168.1.0/24
set ofilter 6 permit 192.168.1.0/24 0/0
#
# Allow ping and traceroute response
#
set ifilter 7 permit icmp
set ofilter 7 permit icmp
set ifilter 8 permit udp dst gt 33433
set ofilter 9 permit udp dst gt 33433
#
# Allow cvsup
#
set ifilter 9 permit tcp src eq 5998
set ofilter 9 permit tcp dst eq 5998
set ifilter 10 permit tcp src eq 5999
set ofilter 10 permit tcp dst eq 5999
#
# Allow NTP for Time Synchronization
#
set ifilter 11 permit tcp src eq 123 dst eq 123
set ofilter 11 permit tcp src eq 123 dst eq 123
set ifilter 12 permit udp src eq 123 dst eq 123
set ofilter 12 permit udp src eq 123 dst eq 123
#
# SMTP'd be a good idea!
#
set ifilter 13 permit tcp src eq 25
set ofilter 13 permit tcp dst eq 25
#
#
# We use a lot of `whois`, let's pass that
#
set ifilter 14 permit tcp src eq 43
set ofilter 14 permit tcp dst eq 43
set ifilter 15 permit udp src eq 43
set ofilter 15 permit udp dst eq 43
#
# If none of above rules matches, then packet is blocked.
#-------
</verb></tscreen>
<p>Up to 20 distinct filtering rules can be applied to each class of
filter. Rules in each class are number sequentially from 0 to 20
<em/but none of the rules for a particular filter class take affect
until ruleset '0' is defined!/
<p>If you choose <em/not/ to use Filtering Rules in the PPP
configuration then <em/ALL/ traffic will be permitted both into and
out of your system while it's connected to your ISP.
If you decide that you want to implement filtering rules, add the
above lines to your <tt>/etc/ppp/ppp.conf</tt> file in either the
"default:", "demand:", or "interactive:" section (or all of them - the
choice is yours).
</sect>
</article>
Reference in a new issue View git blame Copy permalink