xref: /dflybsd-src/share/examples/ppp/ppp.conf.span-isp (revision 86d7f5d305c6adaa56ff4582ece9859d73106103)
# $FreeBSD: src/share/examples/ppp/ppp.conf.span-isp,v 1.3.2.2 2003/05/03 21:35:06 keramida Exp $
# $DragonFly: src/share/examples/ppp/ppp.conf.span-isp,v 1.2 2003/06/17 04:36:57 dillon Exp $

# This advanced ppp configuration file explains how to implement
# the following:
#
#    -------------       -------------       -------------
#    |   host1   |       |   host2   |       |   host3   |
#    -------------       -------------       -------------
#          |                       |               |
#     |---------------------- LAN ----------------------|
#                          |
#                        -------------
#                        |  Gateway  |
#                        -------------
#                              |
#             -----------------------------------
#             |          |           |          |
#            isp1       isp2       isp3       ispN
#             |          |           |          |
#             -----------------------------------
#                              |
#                         ------------
#                         | Receiver |
#                         ------------
#                              |
#                          Internet
#
# The connection is implemented so that any ISP connection can go down
# without loss of connectivity between the LAN and the Internet.  It is
# of course also possible to shut down any link manually.
#
# There is a working example in ppp.*.span-isp.working that can be tested
# on a single machine !
#
#
# Prerequisites:
#
# o The Receiver machine must be in the outside world and must be willing
#   to accept a multilink ppp connection over UDP, assigning a routable IP
#   number to the Gateway machine.  This probably means that it must be
#   a *BSD box as I know of no other ppp implementations that can use UDP
#   as a transport.
#
# o The Receiver machine must be multi-homed with at least N+1 addresses
#   where N is the maximum number of ISPs that you wish to use
#   simultaneously.  We assume the IP numbers to be RIP1, RIP2 ... RIPN.
#   REAL-LOCAL-IP is the real IP number of the Receiver machine (and must
#   not be the same as any of the RIP* numbers).
#
# o Both the Gateway and the Receiver machines must have several tun
#   interfaces configured into the kernel (see below).
#
# o Both the Gateway and the Receiver machines must have the following
#   entry in /etc/services:
#
#      ppp 6671/udp
#
#   The port number isn't important, but it must be consistent across
#   machines.
#
# o The Receiver machine must have the following entry in
#   /etc/inetd.conf:
#
#      ppp dgram udp wait root /usr/sbin/ppp ppp -direct vpn-in
#
#   Note: Because inetd ``wait''s for ppp to finish, a single ppp
#         invocation receives all incoming packets.  This creates
#         havoc with LQR magic number checks, so LQR *must not* be
#         enabled.
#         Also, -direct invocations of ppp do sendto()s using the
#         address that was last recvfrom()d.  This means that the
#         returning traffic is a bit unbalanced.  Perhaps ppp should
#         be smart enough to automatically clone an existing link
#         when it detects a new incoming address.... tricky !
#
# If you use ppp to connect to your ISPs, the isp* profiles should be used,
# resulting in the vpn* profiles being called from ppp.linkup.span-isp.
# These invocations will bond together into a MP ppp invocation.
#
# If the link to your ISP is via another type of interface (cable modem
# etc), simply configure the interface with a netmask of 0xffffffff and
# add a route to RIPN via the interface address (no default).  You can
# then start ppp using the vpn-nic label.
#
# The Receiver machine should have N tun interfaces (where N is the maximum
# number of ISPs that you wish to use simultaneously).  The Gateway machine
# requires N interfaces plus an additional N interfaces (total 2 * N) if
# you're using ppp to talk to the ISPs.

# Using ppp to connect to your ISPs (PPP over UDP over PPP):
#
# When we connect to our ISPs using ppp, we start the MP ppp invocation
# from ppp.linkup (see ppp.linkup.span-isp) for each link.  We also remove
# the link from ppp.linkdown (see ppp.linkdown.span-isp).  This is necessary
# because relying on our LQR strategy (dropping the link after 5 missing
# replies) is just too slow to be practical in this environment.
#
# This works because the MP invocations are smart enough to recognise that
# another process is already running and to pass the link over to that
# running version.
#
# Only the ISP links should be started manually.  When they come up, they'll
# start the MP invocation.

default:
  set speed 115200
  set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 /dev/cuaa3
  set dial "ABORT BUSY ABORT NO\\sCARRIER ABORT NO\\sDIAL\\sTONE TIMEOUT 4 \
            \"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"
  set login
  set redial 3 5
  set timeout 0
  enable lqr
  set lqrperiod 15

isp1:
  set phone "1234567"
  set authname "isp1name"
  set authkey "isp1key"
  add! RIP1/32 HISADDR

isp2:
  set phone "2345678"
  set authname "isp2name"
  set authkey "isp2key"
  add! RIP2/32 HISADDR

ispN:
  set phone "3456789"
  set authname "ispNname"
  set authkey "ispNkey"
  add! RIPN/32 HISADDR


# Our MP version of ppp.  vpn is a generic label used by each of the
# other vpn invocations by invoking ppp with both labels (see
# ppp.linkup.span-isp).
# Each ``set device'' command tells ppp to use UDP packets destined for
# the given IP/port as the link (transport).  The routing table will
# ensure that these UDP packets use the correct ISP connection.

vpn:
  set enddisc LABEL
  set speed sync
  set mrru 1500
  set mru 1504			# Room for the MP header
  nat enable yes
  set authname "vpnname"
  set authkey "vpnkey"
  add! default HISADDR
  disable deflate pred1 lqr
  deny deflate pred1

vpn1:
  rename 1
  set device RIP1:ppp/udp

vpn2:
  rename 2
  set device RIP2:ppp/udp

vpnN:
  rename N
  set device RIPN:ppp/udp

vpn-nic:
  load vpn
  clone 1 2 N
  link deflink rm
  link 1 set device RIP1:ppp/udp
  link 2 set device RIP2:ppp/udp
  link N set device RIPN:ppp/udp

# The Receiver profile is a bit more straightforward, as it doesn't need
# to get bogged down with sublinks.  Replace REAL-ASSIGNED-IP with the
# IP number to be assigned to the Gateway machine.  Replace REAL-LOCAL-IP
# with the real IP number of the Receiver machine.
#
# No other entries are required on the Receiver machine, and this entry
# is not required on the Gateway machine.  The Receiver machine also
# requires the contents of ppp.secret.span-isp.
#
# Of course it's simple to assign an IP block to the client with a simple
# ``add'' command, and then have the client use those IP numbers on its
# LAN rather than using ``nat enable yes''.

vpn-in:
  set enddisc label
  set speed sync
  set mrru 1500
  set mru 1504			# Room for the MP header
  enable chap
  disable lqr
  set ifaddr REAL-LOCAL-IP REAL-ASSIGNED-IP
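The rules the comments above state can be checked mechanically before the file is deployed: LQR must be off on the MP profiles because a single inetd-spawned `-direct` ppp serves every link, `mru` must leave room for the MP header (the 1500/1504 pair above), and each `isp*` profile must pin its own `RIPn/32` host route and never add a default route (which belongs to `vpn`). The following Python is an added example, not part of ppp or of this configuration file. It parses this file's label/command format (column-0 labels ending in `:`, indented commands, `#` comments, backslash continuations such as the `set dial` line) and reports violations on a constructed sample. The `MP_HEADER_BYTES` value of 4 (the long-sequence-number multilink header), the issue codes, and the sample profile contents are the example's own assumptions; it does not inline `load` (so `vpn-nic`'s `load vpn` is not resolved) and it treats the `default` section as running before every other label, which is how ppp applies it.

```python
"""Parse ppp.conf-style profiles and check the rules this span-isp example states (added example, not part of ppp or of this file)."""
from typing import Dict, List, Optional, Tuple

Profiles = Dict[str, List[List[str]]]  # label -> tokenised commands, in order
MP_HEADER_BYTES = 4  # long-sequence multilink header: why mru = mrru + 4 above

# Constructed sample in this file's format (labels end in ':' at column 0,
# commands are indented, '#' starts a comment, a trailing '\' continues a
# command).  isp2 and vpn-in deliberately break rules the comments above state.
SAMPLE_CONF = r"""
default:
  set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 4 \
            \"\" ATZ OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"
  enable lqr
isp1:
  add! RIP1/32 HISADDR
isp2:
  add! default HISADDR    # wrong: should be its RIP2/32 host route
vpn:
  set mrru 1500
  set mru 1504			# Room for the MP header
  add! default HISADDR
  disable deflate pred1 lqr
vpn-in:
  set mrru 1500
  set mru 1500            # wrong: no room for the MP header
  enable chap             # 'enable lqr' from default is never undone
  set ifaddr REAL-LOCAL-IP REAL-ASSIGNED-IP
"""

def _strip_comment(line: str) -> str:
    """Cut a '#' comment; '#' inside double quotes or after '\' is data."""
    in_quote, i = False, 0
    while i < len(line):
        if line[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if line[i] == '"':
            in_quote = not in_quote
        elif line[i] == "#" and not in_quote:
            return line[:i]
        i += 1
    return line

def parse_ppp_conf(text: str) -> Profiles:
    """Return {label: [command tokens, ...]}, joining '\'-continued lines."""
    profiles: Profiles = {}
    current: Optional[str] = None
    pending = ""
    for raw in text.splitlines():
        line = _strip_comment(raw).rstrip()
        if pending:
            line, pending = pending + " " + line.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
        elif not line.strip():
            continue
        elif not line[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            profiles.setdefault(current, [])
        elif current is None:
            raise ValueError(f"command before any label: {line!r}")
        else:
            profiles[current].append(line.split())
    return profiles

def profile_view(profiles: Profiles, label: str) -> List[List[str]]:
    """Commands ppp runs for a label: the 'default' section, then the label."""
    base = profiles.get("default", []) if label != "default" else []
    return base + profiles[label]

def lqr_enabled(cmds: List[List[str]]) -> bool:
    state = False  # ppp starts with LQR disabled; the last enable/disable wins
    for c in cmds:
        if c[0] in ("enable", "disable") and "lqr" in c[1:]:
            state = c[0] == "enable"
    return state

def last_set(cmds: List[List[str]], key: str) -> Optional[str]:
    vals = [c[2] for c in cmds if len(c) >= 3 and c[:2] == ["set", key]]
    return vals[-1] if vals else None

def check_profiles(profiles: Profiles, mp_labels=("vpn", "vpn-in"),
                   isp_prefix: str = "isp") -> List[Tuple[str, str, str]]:
    """Apply the rules stated in the comments above; returns (label, code, message)."""
    issues: List[Tuple[str, str, str]] = []
    for label in [l for l in mp_labels if l in profiles]:
        cmds = profile_view(profiles, label)
        if lqr_enabled(cmds):  # one inetd 'wait' invocation sees every link
            issues.append((label, "lqr-enabled", "LQR must not be enabled on an MP profile"))
        mrru, mru = last_set(cmds, "mrru"), last_set(cmds, "mru")
        if mrru and mru and int(mru) < int(mrru) + MP_HEADER_BYTES:
            issues.append((label, "mru-too-small", f"mru {mru} < mrru {mrru} + {MP_HEADER_BYTES}"))
    for label in sorted(l for l in profiles if l.startswith(isp_prefix)):
        routes = [c for c in profile_view(profiles, label) if c[0] in ("add", "add!") and len(c) >= 3]
        if not any(r[1].endswith("/32") for r in routes):
            issues.append((label, "isp-no-host-route", "needs 'add! RIPn/32 HISADDR' to pin link n to this ISP"))
        if any(r[1] == "default" for r in routes):
            issues.append((label, "isp-default-route", "must not add a default route; the vpn profile owns it"))
    return issues
```

Run `check_profiles(parse_ppp_conf(open("ppp.conf").read()))` against the real file on both the Gateway and the Receiver; on the sample it flags `vpn-in` for inheriting `enable lqr` from `default` and for an `mru` with no header room, and `isp2` for the missing host route and the stray default route, while `isp1` and `vpn` pass.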