This document assumes you have the following:
An account with an Internet Service Provider (ISP) which you connect to using PPP.
A modem or other device connected to your system and properly configured to allow you to connect to your ISP.
The dial-up number(s) of your ISP.
Your login name and password. (Either a regular UNIX® style login and password pair, or a PAP or CHAP login and password pair).
The IP address of one or more name servers.
Normally, you will be given two IP addresses by your ISP to use for this. If they have not given you at least one, then you can use the enable dns command in ppp.conf and ppp will set the name servers for you. This feature depends on your ISP's PPP implementation supporting DNS negotiation.
The following information may be supplied by your ISP, but is not completely necessary:
The IP address of your ISP's gateway. The gateway is the machine to which you will connect and will be set up as your default route. If you do not have this information, we can make one up and your ISP's PPP server will tell us the correct value when we connect.
This IP number is referred to as HISADDR by ppp.
The netmask you should use. If your ISP has not provided you with one, you can safely use 255.255.255.255.
If your ISP provides you with a static IP address and hostname, you can enter it. Otherwise, we simply let the peer assign whatever IP address it sees fit.
If you do not have any of the required information, contact your ISP.
Throughout this section, many of the examples showing the contents of configuration files are numbered by line. These numbers serve to aid in the presentation and discussion only and are not meant to be placed in the actual file. Proper indentation with tab and space characters is also important.
Both ppp and pppd (the kernel level implementation of PPP, FreeBSD 7.X only) use the configuration files located in the /etc/ppp directory. Examples for user ppp can be found in /usr/share/examples/ppp/.
Configuring ppp requires that you edit a number of files, depending on your requirements. What you put in them depends to some extent on whether your ISP allocates IP addresses statically (i.e., you are given one IP address and always use that one) or dynamically (i.e., your IP address changes each time you connect to your ISP).
You will need to edit the /etc/ppp/ppp.conf configuration file. It should look similar to the example below. Lines that end in a : start in the first column (beginning of the line); all other lines should be indented as shown using spaces or tabs.
17 set ifaddr x.x.x.x y.y.y.y 255.255.255.255 0.0.0.0
18 add default HISADDR
Identifies the default entry. Commands in this entry are executed automatically when ppp is run.
Enables logging parameters. When the configuration is working satisfactorily, this line should be reduced to saying:
in order to avoid excessive log file sizes.
Tells PPP how to identify itself to the peer. PPP identifies itself to the peer if it has any trouble negotiating and setting up the link, providing information that the peer's administrator may find useful when investigating such problems.
Identifies the device to which the modem is connected. COM1 is /dev/cuau0 and COM2 is /dev/cuau1.
Sets the speed you want to connect at. If 115200 does not work (it should with any reasonably new modem), try 38400 instead.
The dial string. User PPP uses an expect-send syntax similar to the chat(8) program. Refer to the manual page for information on the features of this language.
Note that this command continues onto the next line for readability. Any command in ppp.conf may do this if the last character on the line is a \ character.
Sets the idle timeout for the link. 180 seconds is the default, so this line is purely cosmetic.
Tells PPP to ask the peer to confirm the local resolver settings. If you run a local name server, this line should be commented out or removed.
A blank line for readability. Blank lines are ignored by PPP.
Identifies an entry for a provider called “provider”. This could be changed to the name of your ISP so that later you can use the load ISP command to start the connection.
Sets the phone number for this provider. Multiple phone numbers may be specified using the colon (:) or pipe character (|) as a separator. The difference between the two separators is described in ppp(8). To summarize, if you want to rotate through the numbers, use a colon. If you want to always attempt to dial the first number first and only use the other numbers if the first number fails, use the pipe character. Always quote the entire set of phone numbers as shown.
You must enclose the phone number in quotation marks (") if there is any intention of using spaces in the phone number. Forgetting to do so causes a simple, yet subtle error.
Identifies the user name and password. When connecting using a UNIX® style login prompt, these values are referred to by the set login command using the \U and \P variables. When connecting using PAP or CHAP, these values are used at authentication time.
If you are using PAP or CHAP, there will be no login at this point, and this line should be commented out or removed. See PAP and CHAP authentication for further details.
The login string is of the same chat-like syntax as the dial string. In this example, the string works for a service whose login session looks like this:
login: foo
password: bar
protocol: ppp
You will need to alter this script to suit your own needs. When you write this script for the first time, you should ensure that you have enabled “chat” logging so you can determine if the conversation is going as expected.
Sets the default idle timeout (in seconds) for the connection. Here, the connection will be closed automatically after 300 seconds of inactivity. If you never want to timeout, set this value to zero or use the -ddial command line switch.
Sets the interface addresses. The string x.x.x.x should be replaced by the IP address that your provider has allocated to you. The string y.y.y.y should be replaced by the IP address that your ISP indicated for their gateway (the machine to which you connect). If your ISP has not given you a gateway address, use 10.0.0.2/0. If you need to use a “guessed” address, make sure that you create an entry in /etc/ppp/ppp.linkup as per the instructions for PPP and Dynamic IP addresses. If this line is omitted, ppp cannot run in -auto mode.
Adds a default route to your ISP's gateway. The special word HISADDR is replaced with the gateway address specified on line 17. It is important that this line appears after line 17, otherwise HISADDR will not yet be initialized.
If you do not wish to run ppp in -auto mode, this line should be moved to the ppp.linkup file.
It is not necessary to add an entry to ppp.linkup when you have a static IP address and are running ppp in -auto mode, as your routing table entries are already correct before you connect. You may however wish to create an entry to invoke programs after connection. This is explained later with the sendmail example.
Example configuration files can be found in the /usr/share/examples/ppp/ directory.
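As an added example (not the listing from the original page), here is a complete /etc/ppp/ppp.conf assembled from the line-by-line description above. The Hayes-style dial string, the phone number, the login name foo and the password bar are constructed placeholders; replace x.x.x.x and y.y.y.y with the addresses your ISP gave you.

```conf
# /etc/ppp/ppp.conf: labels end in ":" and start in column 1; every other
# line is indented. Keep the file owned by root, mode 0600: it holds the
# ISP password used by "set authkey".
default:
 # Reduce to "set log phase tun" once the link works, to keep logs small.
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 # COM1; COM2 would be /dev/cuau1
 set device /dev/cuau0
 # Try 38400 if 115200 does not work with your modem
 set speed 115200
 # Generic Hayes-style chat (expect-send, as in chat(8)); \T expands to
 # the "set phone" number. The trailing \ continues the command.
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
           \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 180
 # Remove if you run a local name server
 enable dns

provider:
 # Quoted because it contains spaces
 set phone "(123) 456 7890"
 set authname foo
 set authkey bar
 # UNIX-style login chat: \U and \P expand to authname and authkey.
 # Drop this line for a PAP/CHAP ISP (see the PAP and CHAP section).
 set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P col: ppp"
 # Hang up after 300 idle seconds
 set timeout 300
 set ifaddr x.x.x.x y.y.y.y 255.255.255.255 0.0.0.0
 # Must come after set ifaddr so that HISADDR is initialized
 add default HISADDR
```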
If your service provider does not assign static IP addresses, ppp can be configured to negotiate the local and remote addresses. This is done by “guessing” an IP address and allowing ppp to set it up correctly using the IP Configuration Protocol (IPCP) after connecting. The ppp.conf configuration is the same as PPP and Static IP Addresses, with the following change:
Again, do not include the line number, it is just for reference. Indentation of at least one space is required.
The number after the / character is the number of bits of the address that ppp will insist on. You may wish to use IP numbers more appropriate to your circumstances, but the above example will always work.
The last argument (0.0.0.0) tells PPP to start negotiations using address 0.0.0.0 rather than 10.0.0.1 and is necessary for some ISPs. Do not use 0.0.0.0 as the first argument to set ifaddr as it prevents PPP from setting up an initial route in -auto mode.
If you are not running in -auto mode, you will need to create an entry in /etc/ppp/ppp.linkup. ppp.linkup is used after a connection has been established. At this point, ppp will have assigned the interface addresses and it will now be possible to add the routing table entries:
On establishing a connection, ppp will look for an entry in ppp.linkup according to the following rules: First, try to match the same label as we used in ppp.conf. If that fails, look for an entry for the IP address of our gateway. This entry is a four-octet IP style label. If we still have not found an entry, look for the MYADDR entry.
This line tells ppp to add a default route that points to HISADDR. HISADDR will be replaced with the IP number of the gateway as negotiated by the IPCP.
See the pmdemand entry in the files /usr/share/examples/ppp/ppp.conf.sample and /usr/share/examples/ppp/ppp.linkup.sample for a detailed example.
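As an added example (not from the original page), here is the dynamic-address form of the set ifaddr line together with a matching /etc/ppp/ppp.linkup that shows all three label forms ppp tries, in the order described above. The 10.0.0.1/10.0.0.2 guesses are the page's; the 203.0.113.1 gateway label is a constructed placeholder.

```conf
# /etc/ppp/ppp.conf, provider: entry (all other lines as in the static case)
provider:
 # /0 means ppp insists on no bits of either guess and accepts whatever
 # the peer assigns. The first argument must not be 0.0.0.0 or -auto mode
 # gets no initial route; the last 0.0.0.0 makes IPCP start from 0.0.0.0.
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255 0.0.0.0
 # Needed here when running ppp -auto; when not, move it to ppp.linkup.
 add default HISADDR

# /etc/ppp/ppp.linkup: read once the link is up and addresses are known.
# Lookup order: the ppp.conf label, then a label naming the negotiated
# gateway address, then MYADDR.
provider:
 add default HISADDR

# Second form: matched when the negotiated gateway is 203.0.113.1
# (constructed value) and no "provider:" entry exists.
203.0.113.1:
 add default HISADDR

# Catch-all used when neither of the above matches.
MYADDR:
 add default HISADDR
```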
When you configure ppp to receive incoming calls on a machine connected to a LAN, you must decide if you wish to forward packets to the LAN. If you do, you should allocate the peer an IP number from your LAN's subnet, and use the command enable proxy in your /etc/ppp/ppp.conf file. You should also confirm that the /etc/rc.conf file contains the following:
Configuring FreeBSD for Dial-up Services provides a good description on enabling dial-up services using getty(8).
An alternative to getty is mgetty (from the comms/mgetty+sendfax port), a smarter version of getty designed with dial-up lines in mind. The advantage of using mgetty is that it actively talks to modems, meaning if a port is turned off in /etc/ttys then your modem will not answer the phone.
Later versions of mgetty (from 0.99beta onwards) also support the automatic detection of PPP streams, allowing your clients script-less access to your server.
Refer to Mgetty and AutoPPP for more information on mgetty.
The ppp command must normally be run as the root user. If however, you wish to allow ppp to run in server mode as a normal user by executing ppp as described below, that user must be given permission to run ppp by adding them to the network group in /etc/group.
You will also need to give them access to one or more sections of the configuration file using the allow command:
If this command is used in the default section, it gives the specified users access to everything.
Create a file called /etc/ppp/ppp-shell containing the following:
This script should be executable. Now make a symbolic link called ppp-dialup to this script using the following commands:
# ln -s ppp-shell /etc/ppp/ppp-dialup
You should use this script as the shell for all of your dialup users.
This is an example from /etc/passwd for a dialup PPP user with username pchilds (remember do not directly edit the password file, use vipw(8)).
Create a /home/ppp directory that is world readable containing the following 0 byte files:
which prevents /etc/motd from being displayed.
Create the ppp-shell file as above, and for each account with statically assigned IPs create a symbolic link to ppp-shell.
For example, if you have three dialup customers, fred, sam, and mary, that you route /24 CIDR networks for, you would type the following:
# ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-fred
# ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-sam
# ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-mary
Each of these users' dialup accounts should have their shell set to the symbolic link created above (for example, mary's shell should be /etc/ppp/ppp-mary).
The /etc/ppp/ppp.conf file should contain something along the lines of:
The indenting is important.
The default: section is loaded for each session. For each dialup line enabled in /etc/ttys create an entry similar to the one for ttyu0: above. Each line should get a unique IP address from your pool of IP addresses for dynamic users.
Along with the contents of the sample /usr/share/examples/ppp/ppp.conf above you should add a section for each of the statically assigned dialup users. We will continue with our fred, sam, and mary example.
The file /etc/ppp/ppp.linkup should also contain routing information for each static IP user if required. The line below would add a route for the 203.14.101.0/24 network via the client's ppp link.
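As an added example (not the page's own listing), here is a dial-in server /etc/ppp/ppp.conf and ppp.linkup for the set-up described above: one dynamic-pool entry per dial-in line in /etc/ttys, one entry per static customer, and the 203.14.101.0/24 route for fred. The server address 203.14.100.1, the pool addresses and sam's and mary's networks are constructed values, and it is assumed that ppp-shell passes the part of its symlink name after "ppp-" (or the tty name for ppp-dialup) to ppp -direct.

```conf
# /etc/ppp/ppp.conf on the dial-in server (indentation matters)
default:
 set log Phase Chat LCP IPCP CCP tun command
 # Peers get an address from the LAN subnet; proxy-ARP for them so the
 # rest of the LAN can reach them.
 enable proxy

# Dynamic users (shell /etc/ppp/ppp-dialup): one entry per line enabled
# in /etc/ttys, each with its own address from the dynamic pool.
ttyu0:
 set ifaddr 203.14.100.1 203.14.100.20 255.255.255.255
ttyu1:
 set ifaddr 203.14.100.1 203.14.100.21 255.255.255.255

# Static customers: labels match the ppp-fred, ppp-sam, ppp-mary shells.
fred:
 set ifaddr 203.14.100.1 203.14.101.1 255.255.255.255
sam:
 set ifaddr 203.14.100.1 203.14.102.1 255.255.255.255
mary:
 set ifaddr 203.14.100.1 203.14.103.1 255.255.255.255

# /etc/ppp/ppp.linkup: routes for the static customers' networks, added
# once each link is up and HISADDR is the customer's negotiated address.
fred:
 add 203.14.101.0 netmask 255.255.255.0 HISADDR
sam:
 add 203.14.102.0 netmask 255.255.255.0 HISADDR
mary:
 add 203.14.103.0 netmask 255.255.255.0 HISADDR
```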
By default the comms/mgetty+sendfax port comes with the AUTO_PPP option enabled, allowing mgetty to detect the LCP phase of PPP connections and automatically spawn off a ppp shell. However, since the default login/password sequence does not occur it is necessary to authenticate users using either PAP or CHAP.
This section assumes the user has successfully compiled and installed the comms/mgetty+sendfax port on his system.
Make sure your /usr/local/etc/mgetty+sendfax/login.config file has the following in it:
This will tell mgetty to run the ppp-pap-dialup script for detected PPP connections.
Create a file called /etc/ppp/ppp-pap-dialup containing the following (the file should be executable):
For each dialup line enabled in /etc/ttys, create a corresponding entry in /etc/ppp/ppp.conf. This will happily co-exist with the definitions we created above.
Each user logging in with this method will need to have a username/password in the /etc/ppp/ppp.secret file, or alternatively add the following option to authenticate users via PAP from the /etc/passwd file.
If you wish to assign some users a static IP number, you can specify the number as the third argument in /etc/ppp/ppp.secret. See /usr/share/examples/ppp/ppp.secret.sample for examples.
It is possible to configure PPP to supply DNS and NetBIOS nameserver addresses on demand.
To enable these extensions with PPP version 1.x, the following lines might be added to the relevant section of /etc/ppp/ppp.conf.
And for PPP version 2 and above:
This will tell the clients the primary and secondary name server addresses, and a NetBIOS nameserver host.
In version 2 and above, if the set dns line is omitted, PPP will use the values found in /etc/resolv.conf.
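As an added example (not from the original page) covering both the mgetty/PAP dial-in entry and the version 2 nameserver extensions described above: the login.config line, the ppp.conf entry that ppp-pap-dialup starts, and a ppp.secret. The label pap, the address pool, the name server addresses and the user names are constructed; the label must match whatever your ppp-pap-dialup script passes to ppp -direct.

```conf
# /usr/local/etc/mgetty+sendfax/login.config: AUTO_PPP hands a detected
# PPP stream to the script instead of presenting a login prompt.
/AutoPPP/ -     -       /etc/ppp/ppp-pap-dialup

# /etc/ppp/ppp.conf (in addition to the entries created above)
pap:
 # No login/password chat has happened, so require PAP from this peer.
 enable pap
 # Authenticate PAP users against /etc/passwd when they are not listed
 # in ppp.secret. Leave this out to accept only ppp.secret users.
 enable passwdauth
 # Server address, then the pool handed to callers, one per connection.
 set ifaddr 203.14.100.1 203.14.100.30-203.14.100.39 255.255.255.255
 enable proxy
 # Version 2 and later: DNS and NetBIOS name servers offered to the
 # client. Without "set dns", the addresses in /etc/resolv.conf are used.
 set dns 203.14.100.1 203.14.100.2
 set nbns 203.14.100.5

# /etc/ppp/ppp.secret ("name password [address]"), owner root, mode 0600.
# joe always receives the third-column address; jane takes one from
# the pap: pool.
joe     joes-secret     203.14.100.40
jane    janes-secret
```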
Some ISPs set their system up so that the authentication part of your connection is done using either of the PAP or CHAP authentication mechanisms. If this is the case, your ISP will not give a login: prompt when you connect, but will start talking PPP immediately.
PAP is less secure than CHAP, but security is not normally an issue here as passwords, although being sent as plain text with PAP, are being transmitted down a serial line only. There is not much room for crackers to “eavesdrop”.
Referring back to the PPP and Static IP addresses or PPP and Dynamic IP addresses sections, the following alterations must be made:
13 set authname MyUserName
14 set authkey MyPassword
15 set login
This line specifies your PAP/CHAP user name.
You will need to insert the correct value for MyUserName.
This line specifies your PAP/CHAP password. You will need to insert the correct value for MyPassword. You may want to add an additional line, such as:
or
to make it obvious that this is the intention, but PAP and CHAP are both accepted by default.
Your ISP will not normally require that you log into the server if you are using PAP or CHAP. You must therefore disable your “set login” string.
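As an added example (not from the original page), the provider entry as it looks after the alterations above; MyUserName, MyPassword and the phone number are placeholders.

```conf
provider:
 set phone "(123) 456 7890"
 set authname MyUserName
 set authkey MyPassword
 # No "set login": a PAP/CHAP ISP starts talking PPP at once, and a login
 # chat would only wait for a prompt that never arrives.
 set timeout 300
 set ifaddr x.x.x.x y.y.y.y 255.255.255.255 0.0.0.0
 add default HISADDR
 # Both are accepted by default; this line only documents the intention.
 accept CHAP
 # Refusing PAP keeps the password from crossing the line in clear text,
 # but negotiation fails with an ISP that offers PAP only, so enable it
 # only once you know the ISP supports CHAP.
 #deny PAP
```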
It is possible to talk to the ppp program while it is running in the background, but only if a suitable diagnostic port has been set up. To do this, add the following line to your configuration:
set server /var/run/ppp-tun%d DiagnosticPassword 0177
This will tell PPP to listen to the specified UNIX® domain socket, asking clients for the specified password before allowing access. The %d in the name is replaced with the tun device number that is in use.
Once a socket has been set up, the pppctl(8) program may be used in scripts that wish to manipulate the running program.
PPP has the ability to use internal NAT without kernel diverting capabilities. This functionality may be enabled by the following line in /etc/ppp/ppp.conf:
Alternatively, PPP NAT may be enabled by the command-line option -nat. There is also an /etc/rc.conf knob named ppp_nat, which is enabled by default.
If you use this feature, you may also find useful the following /etc/ppp/ppp.conf options to enable incoming connection forwarding:
or do not trust the outside at all
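As an added example (not from the original page), the diagnostic socket and NAT lines gathered in one entry; 10.0.0.2 is a constructed internal host and DiagnosticPassword a placeholder.

```conf
# /etc/ppp/ppp.conf, inside the provider: entry (or default: for all entries)
provider:
 # Diagnostic socket for pppctl(8); %d becomes the tun unit number.
 # 0177 is applied as a umask, so the socket is created mode 0600 and only
 # root can connect; the password is checked on top of that. Since the
 # password sits in this file, keep ppp.conf readable by root only.
 set server /var/run/ppp-tun%d DiagnosticPassword 0177
 # Built-in NAT for hosts behind this machine (same as the -nat switch)
 nat enable yes
 # Safest setting: drop every connection initiated from the outside.
 nat deny_incoming yes
 # If an internal host must be reachable, forward just those services
 # instead of the line above:
 #nat port tcp 10.0.0.2:ftp ftp
 #nat port tcp 10.0.0.2:http http
```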
You now have ppp configured, but there are a few more things to do before it is ready to work. They all involve editing the /etc/rc.conf file.
Working from the top down in this file, make sure the hostname= line is set, e.g.:
If your ISP has supplied you with a static IP address and name, it is probably best that you use this name as your host name.
Look for the network_interfaces variable. If you want to configure your system to dial your ISP on demand, make sure the tun0 device is added to the list, otherwise remove it.
The ifconfig_tun0 variable should be empty, and a file called /etc/start_if.tun0 should be created. This file should contain the line:
This script is executed at network configuration time, starting your ppp daemon in automatic mode. If you have a LAN for which this machine is a gateway, you may also wish to use the -alias switch. Refer to the manual page for further details.
Make sure that the router program is set to NO with the following line in your /etc/rc.conf:
It is important that the routed daemon is not started, as routed tends to delete the default routing table entries created by ppp.
It is probably a good idea to ensure that the sendmail_flags line does not include the -q option, otherwise sendmail will attempt to do a network lookup every now and then, possibly causing your machine to dial out. You may try:
The downside of this is that you must force sendmail to re-examine the mail queue whenever the ppp link is up by typing:
# /usr/sbin/sendmail -q
You may wish to use the !bg command in ppp.linkup to do this automatically:
If you do not like this, it is possible to set up a “dfilter” to block SMTP traffic. Refer to the sample files for further details.
All that is left is to reboot the machine. After rebooting, you can now either type:
# ppp
and then dial provider to start the PPP session, or, if you want ppp to establish sessions automatically when there is outbound traffic (and you have not created the start_if.tun0 script), type:
# ppp -auto provider
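As an added example (not from the original page), the /etc/rc.conf settings, the start_if.tun0 script and the ppp.linkup entry that the steps above describe, gathered in one place; the hostname is a placeholder and provider is the label from ppp.conf.

```conf
# /etc/rc.conf
# Use the name your ISP assigned if you have a static address and name
hostname="myhost.example.com"
# List tun0 only if you want to dial on demand
network_interfaces="lo0 tun0"
# Left empty on purpose: /etc/start_if.tun0 brings the interface up
ifconfig_tun0=""
# routed would delete the default route that ppp installs
router_enable="NO"
# No -q: periodic queue runs would otherwise dial out
sendmail_flags="-bd"

# /etc/start_if.tun0: run at network configuration time
ppp -auto provider

# /etc/ppp/ppp.linkup: any routing lines for your set-up first, then
# flush the mail queue in the background each time the link comes up
provider:
 add default HISADDR
 !bg /usr/sbin/sendmail -q
```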
To recap, the following steps are necessary when setting up ppp for the first time:
Client side:
Ensure that the tun device is built into your kernel.
Ensure that the tun device file is available in the /dev directory.
Create an entry in /etc/ppp/ppp.conf. The pmdemand example should suffice for most ISPs.
If you have a dynamic IP address, create an entry in /etc/ppp/ppp.linkup.
Update your /etc/rc.conf file.
Create a start_if.tun0 script if you require demand dialing.
Server side:
Ensure that the tun device is built into your kernel.
Ensure that the tun device file is available in the /dev directory.
Create an entry in /etc/passwd (using the vipw(8) program).
Create a profile in this user's home directory that runs ppp -direct direct-server or similar.
Create an entry in /etc/ppp/ppp.conf. The direct-server example should suffice.
Create an entry in /etc/ppp/ppp.linkup.
Update your /etc/rc.conf file.
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.