2 .\" Copyright (c) 2001 Brian Somers <brian@Awfulhak.org>
3 .\" All rights reserved.
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
8 .\" 1. Redistributions of source code must retain the above copyright
9 .\" notice, this list of conditions and the following disclaimer.
10 .\" 2. Redistributions in binary form must reproduce the above copyright
11 .\" notice, this list of conditions and the following disclaimer in the
12 .\" documentation and/or other materials provided with the distribution.
14 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 .Nd Point to Point Protocol (a.k.a. user-ppp)
42 This is a user process
47 is implemented as a part of the kernel (e.g., as managed by
49 and it is thus somewhat hard to debug and/or modify its behaviour.
50 However, in this implementation
52 is done as a user process with the help of the
53 tunnel device driver (tun).
57 flag does the equivalent of a
61 network address translation features.
64 to act as a NAT or masquerading engine for all machines on an internal
68 for details on the technical side of the NAT engine.
70 .Sx NETWORK ADDRESS TRANSLATION (PACKET ALIASING)
71 section of this manual page for details on how to configure NAT in
78 to be silent at startup rather than displaying the mode and interface
85 to only attempt to open
86 .Pa /dev/tun Ns Ar N .
89 will start with a value of 0 for
91 and keep trying to open a tunnel device by incrementing the value of
93 by one each time until it succeeds.
94 If it fails three times in a row
95 because the device file is missing, it gives up.
101 .Bl -tag -width XXX -offset XXX
104 opens the tun interface, configures it then goes into the background.
105 The link is not brought up until outgoing data is detected on the tun
106 interface at which point
108 attempts to bring up the link.
109 Packets received (including the first one) while
111 is trying to bring the link up will remain queued for a default of
121 must be given on the command line (see below) and a
123 must be done in the system profile that specifies a peer IP address to
124 use when configuring the interface.
127 is usually appropriate.
131 .Pa /usr/share/examples/ppp/ppp.conf.sample
136 attempts to establish a connection with the peer immediately.
139 goes into the background and the parent process returns an exit code
143 exits with a non-zero result.
147 attempts to establish a connection with the peer immediately, but never
149 The link is created in background mode.
150 This is useful if you wish to control
152 invocation from another process.
154 This is used for communicating over an already established connection,
155 usually when receiving incoming connections accepted by
160 line and uses descriptor 0 as the link.
162 will also ignore any configured chat scripts unless the
164 option has been enabled.
166 If callback is configured,
170 information when dialing back.
176 will behave slightly differently if descriptor 0 was created by
178 As pipes are not bi-directional, ppp will redirect all writes to descriptor
179 1 (standard output), leaving only reads acting on descriptor 0.
180 No special action is taken if descriptor 0 was created by
183 This option is designed for machines connected with a dedicated
186 will always keep the device open and will ignore any configured
187 chat scripts unless the
189 option has been enabled.
191 This mode is equivalent to
195 will bring the link back up any time it is dropped for any reason.
197 This is a no-op, and gives the same behaviour as if none of the above
198 modes have been specified.
200 loads any sections specified on the command line then provides an
204 One or more configuration entries or systems
206 .Pa /etc/ppp/ppp.conf )
207 may also be specified on the command line.
212 .Pa /etc/ppp/ppp.conf
213 at startup, followed by each of the systems specified on the command line.
216 .It Provides an interactive user interface.
217 Using its command mode, the user can
218 easily enter commands to establish the connection with the remote end, check
219 the status of connection and close the connection.
220 All functions can also be optionally password protected for security.
221 .It Supports both manual and automatic dialing.
222 Interactive mode has a
224 command which enables you to talk to the device directly.
225 When you are connected to the remote peer and it starts to talk
228 detects it and switches to packet mode automatically.
230 determined the proper sequence for connecting with the remote host, you
231 can write a chat script to {define} the necessary dialing and login
232 procedure for later convenience.
233 .It Supports on-demand dialup capability.
238 will act as a daemon and wait for a packet to be sent over the
241 When this happens, the daemon automatically dials and establishes the
243 In almost the same manner
245 mode (direct-dial mode) also automatically dials and establishes the
247 However, it differs in that it will dial the remote site
248 any time it detects the link is down, even if there are no packets to be
250 This mode is useful for full-time connections where we worry less
251 about line charges and more about being connected full time.
254 mode is also available.
255 This mode is targeted at a dedicated link between two machines.
257 will never voluntarily quit from dedicated mode - you must send it the
259 command via its diagnostic socket.
262 will force an LCP renegotiation, and a
264 will force it to exit.
265 .It Supports client callback.
267 can use either the standard LCP callback protocol or the Microsoft
268 CallBack Control Protocol (https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CBCP/[MS-CBCP].pdf).
269 .It Supports NAT or packet aliasing.
270 Packet aliasing (a.k.a.\& IP masquerading) allows computers on a
271 private, unregistered network to access the Internet.
274 host acts as a masquerading gateway.
275 IP addresses as well as TCP and
276 UDP port numbers are NAT'd for outgoing packets and de-NAT'd for
278 .It Supports background PPP connections.
279 In background mode, if
281 successfully establishes the connection, it will become a daemon.
282 Otherwise, it will exit with an error.
283 This allows the setup of
284 scripts that wish to execute certain commands only if the connection
285 is successfully established.
286 .It Supports server-side PPP connections.
289 acts as server which accepts incoming
291 connections on stdin/stdout.
292 .It Supports PAP and CHAP (rfc 1994, 2433 and 2759) authentication.
293 With PAP or CHAP, it is possible to skip the Unix style
295 procedure, and use the
297 protocol for authentication instead.
298 If the peer requests Microsoft CHAP authentication and
300 is compiled with DES support, an appropriate MD4/DES response will be
302 .It Supports RADIUS (rfc 2138 & 2548) authentication.
303 An extension to PAP and CHAP,
310 allows authentication information to be stored in a central or
311 distributed database along with various per-user framed connection
315 is available at compile time,
319 requests when configured to do so.
320 .It Supports Proxy Arp.
322 can be configured to make one or more proxy arp entries on behalf of
324 This allows routing from the peer to the LAN without
325 configuring each machine on that LAN.
326 .It Supports packet filtering.
327 User can {define} four kinds of filters: the
329 filter for incoming packets, the
331 filter for outgoing packets, the
333 filter to {define} a dialing trigger packet and the
335 filter for keeping a connection alive with the trigger packet.
336 .It Tunnel driver supports bpf.
339 to check the packet flow over the
342 .It Supports PPP over TCP and PPP over UDP.
343 If a device name is specified as
344 .Em host Ns No : Ns Em port Ns
349 will open a TCP or UDP connection for transporting data rather than using a
350 conventional serial device.
351 UDP connections force
353 into synchronous mode.
354 .It Supports PPP over Ethernet (rfc 2516).
357 is given a device specification of the format
358 .No PPPoE: Ns Ar iface Ns Xo
359 .Op \&: Ns Ar provider Ns
373 On systems that do not support
375 an external program such as
378 .It "Supports IETF draft Predictor-1 (rfc 1978) and DEFLATE (rfc 1979) compression."
380 supports not only VJ-compression but also Predictor-1 and DEFLATE compression.
381 Normally, a modem has built-in compression (e.g., v42.bis) and the system
382 may receive higher data rates from it as a result of such compression.
383 While this is generally a good thing in most other situations, this
384 higher speed data imposes a penalty on the system by increasing the
385 number of serial interrupts the system has to process in talking to the
386 modem and also increases latency.
387 Unlike VJ-compression, Predictor-1 and DEFLATE compression pre-compresses
389 network traffic flowing through the link, thus reducing overheads to a
391 .It Supports Microsoft's IPCP extensions (rfc 1877).
392 Name Server Addresses and NetBIOS Name Server Addresses can be negotiated
393 with clients using the Microsoft
395 stack (i.e., Win95, WinNT)
396 .It Supports Multi-link PPP (rfc 1990)
397 It is possible to configure
399 to open more than one physical connection to the peer, combining the
400 bandwidth of all links for better throughput.
401 .It Supports MPPE (draft-ietf-pppext-mppe)
402 MPPE is Microsoft Point to Point Encryption scheme.
403 It is possible to configure
405 to participate in Microsoft's Windows VPN.
408 can only get encryption keys from CHAP 81 authentication.
410 must be compiled with DES for MPPE to operate.
411 .It Supports IPV6CP (rfc 2023).
412 An IPv6 connection can be made in addition to or instead of the normal
425 will not run if the invoking user id is not zero.
426 This may be overridden by using the
429 .Pa /etc/ppp/ppp.conf .
430 When running as a normal user,
432 switches to user id 0 in order to alter the system routing table, set up
433 system lock files and read the ppp configuration files.
434 All external commands (executed via the "shell" or "!bg" commands) are executed
435 as the user id that invoked
439 logging facility if you are interested in what exactly is done as user id
444 you may need to deal with some initial configuration details.
447 Make sure that your system has a group named
451 file and that the group contains the names of all users expected to use
455 manual page for details.
456 Each of these users must also be given access using the
459 .Pa /etc/ppp/ppp.conf .
466 A common log file name is
467 .Pa /var/log/ppp.log .
468 To make output go to this file, put the following lines in the
471 .Bd -literal -offset indent
473 *.*<TAB>/var/log/ppp.log
476 It is possible to have more than one
478 log file by creating a link to the
486 .Bd -literal -offset indent
488 *.*<TAB>/var/log/ppp0.log
492 .Pa /etc/syslog.conf .
493 Do not forget to send a
498 .Pa /etc/syslog.conf .
500 Although not strictly relevant to
502 operation, you should configure your resolver so that it works correctly.
503 This can be done by configuring a local DNS
506 or by adding the correct
509 .Pa /etc/resolv.conf .
512 manual page for details.
514 Alternatively, if the peer supports it,
516 can be configured to ask the peer for the nameserver address(es) and to
524 commands below for details.
527 In the following examples, we assume that your machine name is
533 above) with no arguments, you are presented with a prompt:
534 .Bd -literal -offset indent
540 part of your prompt should always be in upper case.
541 If it is in lower case, it means that you must supply a password using the
544 This only ever happens if you connect to a running version of
546 and have not authenticated yourself using the correct password.
548 You can start by specifying the device name and speed:
549 .Bd -literal -offset indent
550 ppp ON awfulhak> set device /dev/cuau0
551 ppp ON awfulhak> set speed 38400
554 Normally, hardware flow control (CTS/RTS) is used.
556 certain circumstances (as may happen when you are connected directly
557 to certain PPP-capable terminal servers), this may result in
559 hanging as soon as it tries to write data to your communications link
560 as it is waiting for the CTS (clear to send) signal - which will never
562 Thus, if you have a direct line and cannot seem to make a
563 connection, try turning CTS/RTS off with
565 If you need to do this, check the
567 description below too - you will probably need to
568 .Dq set accmap 000a0000 .
570 Usually, parity is set to
575 Parity is a rather archaic error checking mechanism that is no
576 longer used because modern modems do their own error checking, and most
577 link-layer protocols (that is what
579 is) use much more reliable checking mechanisms.
580 Parity has a relatively
581 huge overhead (a 12.5% increase in traffic) and as a result, it is always
588 However, some ISPs (Internet Service Providers) may use
589 specific parity settings at connection time (before
592 Notably, Compuserve insist on even parity when logging in:
593 .Bd -literal -offset indent
594 ppp ON awfulhak> set parity even
597 You can now see what your current device settings look like:
598 .Bd -literal -offset indent
599 ppp ON awfulhak> show physical
603 Link Type: interactive
609 Device List: /dev/cuau0
610 Characteristics: 38400bps, cs8, even parity, CTS/RTS on
613 0 octets in, 0 octets out
618 The term command can now be used to talk directly to the device:
619 .Bd -literal -offset indent
620 ppp ON awfulhak> term
626 Password: myisppassword
630 When the peer starts to talk in
633 detects this automatically and returns to command mode.
634 .Bd -literal -offset indent
635 ppp ON awfulhak> # No link has been established
636 Ppp ON awfulhak> # We've connected & finished LCP
637 PPp ON awfulhak> # We've authenticated
638 PPP ON awfulhak> # We've agreed IP numbers
641 If it does not, it is probable that the peer is waiting for your end to
647 configuration packets to the peer, use the
649 command to drop out of terminal mode and enter packet mode.
651 If you never even receive a login prompt, it is quite likely that the
652 peer wants to use PAP or CHAP authentication instead of using Unix-style
653 login/password authentication.
654 To set things up properly, drop back to
655 the prompt and set your authentication name and key, then reconnect:
656 .Bd -literal -offset indent
658 ppp ON awfulhak> set authname myispusername
659 ppp ON awfulhak> set authkey myisppassword
660 ppp ON awfulhak> term
667 You may need to tell ppp to initiate negotiations with the peer here too:
668 .Bd -literal -offset indent
670 ppp ON awfulhak> # No link has been established
671 Ppp ON awfulhak> # We've connected & finished LCP
672 PPp ON awfulhak> # We've authenticated
673 PPP ON awfulhak> # We've agreed IP numbers
676 You are now connected!
679 in the prompt has changed to capital letters to indicate that you have
681 If only some of the three Ps go uppercase, wait until
682 either everything is uppercase or lowercase.
683 If they revert to lowercase, it means that
685 could not successfully negotiate with the peer.
686 A good first step for troubleshooting at this point would be to
687 .Bd -literal -offset indent
688 ppp ON awfulhak> set log local phase lcp ipcp
694 command description below for further details.
695 If things fail at this point,
696 it is quite important that you turn logging on and try again.
698 important that you note any prompt changes and report them to anyone trying
701 When the link is established, the show command can be used to see how
703 .Bd -literal -offset indent
704 PPP ON awfulhak> show physical
705 * Modem related information is shown here *
706 PPP ON awfulhak> show ccp
707 * CCP (compression) related information is shown here *
708 PPP ON awfulhak> show lcp
709 * LCP (line control) related information is shown here *
710 PPP ON awfulhak> show ipcp
711 * IPCP (IP) related information is shown here *
712 PPP ON awfulhak> show ipv6cp
713 * IPV6CP (IPv6) related information is shown here *
714 PPP ON awfulhak> show link
715 * Link (high level) related information is shown here *
716 PPP ON awfulhak> show bundle
717 * Logical (high level) connection related information is shown here *
720 At this point, your machine has a host route to the peer.
722 that you can only make a connection with the host on the other side
724 If you want to add a default route entry (telling your
725 machine to send all packets without another routing entry to the other
728 link), enter the following command:
729 .Bd -literal -offset indent
730 PPP ON awfulhak> add default HISADDR
735 represents the IP address of the connected peer.
738 command fails due to an existing route, you can overwrite the existing
740 .Bd -literal -offset indent
741 PPP ON awfulhak> add! default HISADDR
744 This command can also be executed before actually making the connection.
745 If a new IP address is negotiated at connection time,
747 will update your default route accordingly.
749 You can now use your network applications (ping, telnet, ftp, etc.)
750 in other windows or terminals on your machine.
751 If you wish to reuse the current terminal, you can put
753 into the background using your standard shell suspend and background
761 section for details on all available commands.
762 .Sh AUTOMATIC DIALING
763 To use automatic dialing, you must prepare some Dial and Login chat scripts.
764 See the example definitions in
765 .Pa /usr/share/examples/ppp/ppp.conf.sample
767 .Pa /etc/ppp/ppp.conf
769 Each line contains one comment, inclusion, label or command:
772 A line starting with a
774 character is treated as a comment line.
775 Leading whitespace are ignored when identifying comment lines.
777 An inclusion is a line beginning with the word
779 It must have one argument - the file to {include}.
781 .Dq {!include} ~/.ppp.conf
782 for compatibility with older versions of
785 A label name starts in the first column and is followed by
789 A command line must contain a space or tab in the first column.
791 A string starting with the
793 character is substituted with the value of the environment variable by
795 Likewise, a string starting with the
797 character is substituted with the full path to the home directory of
798 the user account by the same name, and the
800 character by itself is substituted with the full path to the home directory
802 If you want to include a literal
806 character in a command or argument, enclose them in double quotes, e.g.,
807 .Bd -literal -offset indent
808 set password "pa$ss~word"
813 .Pa /etc/ppp/ppp.conf
814 file should consist of at least a
817 This section is always executed.
818 It should also contain
819 one or more sections, named according to their purpose, for example,
821 would represent your ISP, and
823 would represent an incoming
826 You can now specify the destination label name when you invoke
828 Commands associated with the
830 label are executed, followed by those associated with the destination
834 is started with no arguments, the
836 section is still executed.
837 The load command can be used to manually load a section from the
838 .Pa /etc/ppp/ppp.conf
840 .Bd -literal -offset indent
841 ppp ON awfulhak> load MyISP
844 Note, no action is taken by
846 after a section is loaded, whether it is the result of passing a label on
847 the command line or using the
850 Only the commands specified for that label in the configuration
852 However, when invoking
859 switches, the link mode tells
861 to establish a connection.
864 command below for further details.
866 Once the connection is made, the
868 portion of the prompt will change to
870 .Bd -literal -offset indent
873 ppp ON awfulhak> dial
879 The Ppp prompt indicates that
881 has entered the authentication phase.
882 The PPp prompt indicates that
884 has entered the network phase.
885 The PPP prompt indicates that
887 has successfully negotiated a network layer protocol and is in
891 .Pa /etc/ppp/ppp.linkup
892 file is available, its contents are executed
895 connection is established.
899 .Pa /usr/share/examples/ppp/ppp.conf.sample
900 which runs a script in the background after the connection is established
905 commands below for a description of possible substitution strings).
906 Similarly, when a connection is closed, the contents of the
907 .Pa /etc/ppp/ppp.linkdown
909 Both of these files have the same format as
910 .Pa /etc/ppp/ppp.conf .
912 In previous versions of
914 it was necessary to re-add routes such as the default route in the
920 where all routes that contain the
926 literals will automatically be updated when the values of these variables
928 .Sh BACKGROUND DIALING
929 If you want to establish a connection using
931 non-interactively (such as from a
935 job) you should use the
942 attempts to establish the connection immediately.
944 numbers are specified, each phone number will be tried once.
945 If the attempt fails,
947 exits immediately with a non-zero exit code.
950 becomes a daemon, and returns an exit status of zero to its caller.
951 The daemon exits automatically if the connection is dropped by the
952 remote system, or it receives a
956 Demand dialing is enabled with the
961 You must also specify the destination label in
962 .Pa /etc/ppp/ppp.conf
966 command to {define} the remote peers IP address.
968 .Pa /usr/share/examples/ppp/ppp.conf.sample )
969 .Bd -literal -offset indent
979 runs as a daemon but you can still configure or examine its
980 configuration by using the
983 .Pa /etc/ppp/ppp.conf ,
985 .Dq Li "set server +3000 mypasswd" )
986 and connecting to the diagnostic port as follows:
987 .Bd -literal -offset indent
988 # pppctl 3000 (assuming tun0)
990 PPP ON awfulhak> show who
991 tcp (127.0.0.1:1028) *
996 command lists users that are currently connected to
999 If the diagnostic socket is closed or changed to a different
1000 socket, all connections are immediately dropped.
1004 mode, when an outgoing packet is detected,
1006 will perform the dialing action (chat script) and try to connect
1010 mode, the dialing action is performed any time the line is found
1012 If the connect fails, the default behaviour is to wait 30 seconds
1013 and then attempt to connect when another outgoing packet is detected.
1014 This behaviour can be changed using the
1018 .No set redial Ar secs Ns
1020 .Oo - Ns Ar max Ns Oc Oc Ns
1024 .Bl -tag -width attempts -compact
1026 is the number of seconds to wait before attempting
1028 If the argument is the literal string
1030 the delay period is a random value between 1 and 30 seconds inclusive.
1032 is the number of seconds that
1034 should be incremented each time a new dial attempt is made.
1035 The timeout reverts to
1037 only after a successful connection is established.
1038 The default value for
1042 is the maximum number of times
1046 The default value for
1050 is the number of seconds to wait before attempting
1051 to dial the next number in a list of numbers (see the
1054 The default is 3 seconds.
1055 Again, if the argument is the literal string
1057 the delay period is a random value between 1 and 30 seconds.
1059 is the maximum number of times to try to connect for each outgoing packet
1060 that triggers a dial.
1061 The previous value is unchanged if this parameter is omitted.
1062 If a value of zero is specified for
1065 will keep trying until a connection is made.
1069 .Bd -literal -offset indent
1073 will attempt to connect 4 times for each outgoing packet that causes
1074 a dial attempt with a 3 second delay between each number and a 10 second
1075 delay after all numbers have been tried.
1076 If multiple phone numbers
1077 are specified, the total number of attempts is still 4 (it does not
1078 attempt each number 4 times).
1081 .Bd -literal -offset indent
1082 set redial 10+10-5.3 20
1087 to attempt to connect 20 times.
1088 After the first attempt,
1090 pauses for 10 seconds.
1091 After the next attempt it pauses for 20 seconds
1092 and so on until after the sixth attempt it pauses for 1 minute.
1093 The next 14 pauses will also have a duration of one minute.
1096 connects, disconnects and fails to connect again, the timeout starts again
1099 Modifying the dial delay is very useful when running
1103 mode on both ends of the link.
1104 If each end has the same timeout,
1105 both ends wind up calling each other at the same time if the link
1106 drops and both ends have packets queued.
1107 At some locations, the serial link may not be reliable, and carrier
1108 may be lost at inappropriate times.
1109 It is possible to have
1111 redial should carrier be unexpectedly lost during a session.
1112 .Bd -literal -offset indent
1113 set reconnect timeout ntries
1118 to re-establish the connection
1120 times on loss of carrier with a pause of
1122 seconds before each try.
1124 .Bd -literal -offset indent
1130 that on an unexpected loss of carrier, it should wait
1132 seconds before attempting to reconnect.
1133 This may happen up to
1138 The default value of ntries is zero (no reconnect).
1139 Care should be taken with this option.
1140 If the local timeout is slightly
1141 longer than the remote timeout, the reconnect feature will always be
1142 triggered (up to the given number of times) after the remote side
1143 times out and hangs up.
1144 NOTE: In this context, losing too many LQRs constitutes a loss of
1145 carrier and will trigger a reconnect.
1148 flag is specified, all phone numbers are dialed at most once until
1149 a connection is made.
1150 The next number redial period specified with the
1152 command is honoured, as is the reconnect tries value.
1154 value is less than the number of phone numbers specified, not all
1155 the specified numbers will be tried.
1156 To terminate the program, type
1157 .Bd -literal -offset indent
1158 PPP ON awfulhak> close
1159 ppp ON awfulhak> quit all
1164 command will terminate the
1168 connection but not the
1176 .Sh RECEIVING INCOMING PPP CONNECTIONS (Method 1)
1177 To handle an incoming
1179 connection request, follow these steps:
1182 Make sure the modem and (optionally)
1184 is configured correctly.
1185 .Bl -bullet -compact
1187 Use Hardware Handshake (CTS/RTS) for flow control.
1189 Modem should be set to NO echo back (ATE0) and NO results string (ATQ1).
1196 on the port where the modem is attached.
1199 .Dl ttyd1 Qo /usr/libexec/getty std.38400 Qc dialup on secure
1201 Do not forget to send a
1205 process to start the
1210 It is usually also necessary to train your modem to the same DTR speed
1212 .Bd -literal -offset indent
1214 ppp ON awfulhak> set device /dev/cuau1
1215 ppp ON awfulhak> set speed 38400
1216 ppp ON awfulhak> term
1217 deflink: Entering terminal mode on /dev/cuau1
1228 ppp ON awfulhak> quit
1232 .Pa /usr/local/bin/ppplogin
1233 file with the following contents:
1234 .Bd -literal -offset indent
1236 exec /usr/sbin/ppp -direct incoming
1243 work with stdin and stdout.
1246 to connect to a configured diagnostic port, in the same manner as with
1252 section must be set up in
1253 .Pa /etc/ppp/ppp.conf .
1257 section contains the
1259 command as appropriate.
1261 Prepare an account for the incoming user.
1263 ppp:xxxx:66:66:PPP Login User:/home/ppp:/usr/local/bin/ppplogin
1266 Refer to the manual entries for
1272 Support for IPCP Domain Name Server and NetBIOS Name Server negotiation
1273 can be enabled using the
1278 Refer to their descriptions below.
1280 .Sh RECEIVING INCOMING PPP CONNECTIONS (Method 2)
1281 This method differs in that we use
1283 to authenticate the connection rather than
1287 Configure your default section in
1289 with automatic ppp recognition by specifying the
1294 :pp=/usr/local/bin/ppplogin:\\
1298 Configure your serial device(s), enable a
1301 .Pa /usr/local/bin/ppplogin
1302 as in the first three steps for method 1 above.
1310 .Pa /etc/ppp/ppp.conf
1313 label (or whatever label
1318 .Pa /etc/ppp/ppp.secret
1319 for each incoming user:
1328 detects a ppp connection (by recognising the HDLC frame headers), it runs
1329 .Dq /usr/local/bin/ppplogin .
1333 that either PAP or CHAP are enabled as above.
1334 If they are not, you are
1335 allowing anybody to establish a ppp session with your machine
1337 a password, opening yourself up to all sorts of potential attacks.
1338 .Sh AUTHENTICATING INCOMING CONNECTIONS
1339 Normally, the receiver of a connection requires that the peer
1340 authenticates itself.
1341 This may be done using
1343 but alternatively, you can use PAP or CHAP.
1344 CHAP is the more secure of the two, but some clients may not support it.
1345 Once you decide which you wish to use, add the command
1349 to the relevant section of
1352 You must then configure the
1353 .Pa /etc/ppp/ppp.secret
1355 This file contains one line per possible client, each line
1356 containing up to five fields:
1359 .Ar hisaddr Op Ar label Op Ar callback-number
1366 specify the client username and password.
1371 and PAP is being used,
1373 will look up the password database
1375 when authenticating.
1376 If the client does not offer a suitable response based on any
1377 .Ar name Ns No / Ns Ar key
1380 authentication fails.
1382 If authentication is successful,
1385 is used when negotiating IP numbers.
1388 command for details.
1390 If authentication is successful and
1392 is specified, the current system label is changed to match the given
1394 This will change the subsequent parsing of the
1400 If authentication is successful and
1406 the client will be called back on the given number.
1407 If CBCP is being used,
1409 may also contain a list of numbers or a
1414 The value will be used in
1416 subsequent CBCP phase.
1417 .Sh PPP OVER TCP and UDP (a.k.a Tunnelling)
1420 over a serial link, it is possible to
1421 use a TCP connection instead by specifying the host, port and protocol as the
1424 .Dl set device ui-gate:6669/tcp
1426 Instead of opening a serial device,
1428 will open a TCP connection to the given machine on the given
1430 It should be noted however that
1432 does not use the telnet protocol and will be unable to negotiate
1433 with a telnet server.
1434 You should set up a port for receiving this
1436 connection on the receiving machine (ui-gate).
1437 This is done by first updating
1439 to name the service:
1441 .Dl ppp-in 6669/tcp # Incoming PPP connections over TCP
1447 how to deal with incoming connections on that port:
1449 .Dl ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in
1451 Do not forget to send a
1455 after you have updated
1456 .Pa /etc/inetd.conf .
1457 Here, we use a label named
1460 .Pa /etc/ppp/ppp.conf
1461 on ui-gate (the receiver) should contain the following:
1462 .Bd -literal -offset indent
1465 set ifaddr 10.0.4.1 10.0.4.2
1469 .Pa /etc/ppp/ppp.linkup
1471 .Bd -literal -offset indent
1473 add 10.0.1.0/24 HISADDR
1476 It is necessary to put the
1480 to ensure that the route is only added after
1482 has negotiated and assigned addresses to its interface.
1484 You may also want to enable PAP or CHAP for security.
1485 To enable PAP, add the following line:
1486 .Bd -literal -offset indent
1490 You will also need to create the following entry in
1491 .Pa /etc/ppp/ppp.secret :
1492 .Bd -literal -offset indent
1493 MyAuthName MyAuthPasswd
1500 the password is looked up in the
1505 .Pa /etc/ppp/ppp.conf
1506 on awfulhak (the initiator) should contain the following:
1507 .Bd -literal -offset indent
1510 set device ui-gate:ppp-in/tcp
1513 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun
1514 set ifaddr 10.0.4.2 10.0.4.1
1517 with the route setup in
1518 .Pa /etc/ppp/ppp.linkup :
1519 .Bd -literal -offset indent
1521 add 10.0.2.0/24 HISADDR
1524 Again, if you are enabling PAP, you will also need this in the
1525 .Pa /etc/ppp/ppp.conf
1527 .Bd -literal -offset indent
1528 set authname MyAuthName
1529 set authkey MyAuthKey
1532 We are assigning the address of 10.0.4.1 to ui-gate, and the address
1533 10.0.4.2 to awfulhak.
1534 To open the connection, just type
1536 .Dl awfulhak # ppp -background ui-gate
1538 The result will be an additional "route" on awfulhak to the
1539 10.0.2.0/24 network via the TCP connection, and an additional
1540 "route" on ui-gate to the 10.0.1.0/24 network.
1541 The networks are effectively bridged - the underlying TCP
1542 connection may be across a public network (such as the
1545 traffic is conceptually encapsulated
1546 (although not packet by packet) inside the TCP stream between
1549 The major disadvantage of this mechanism is that there are two
1550 "guaranteed delivery" mechanisms in place - the underlying TCP
1551 stream and whatever protocol is used over the
1553 link - probably TCP again.
1554 If packets are lost, both levels will
1555 get in each others way trying to negotiate sending of the missing
1558 To avoid this overhead, it is also possible to do all this using
1559 UDP instead of TCP as the transport by simply changing the protocol
1560 from "tcp" to "udp".
1561 When using UDP as a transport,
1563 will operate in synchronous mode.
1564 This is another gain as the incoming
1565 data does not have to be rearranged into packets.
1567 Care should be taken when adding a default route through a tunneled
1569 It is quite common for the default route
1571 .Pa /etc/ppp/ppp.linkup )
1572 to end up routing the link's TCP connection through the tunnel,
1573 effectively garrotting the connection.
1574 To avoid this, make sure you add a static route for the benefit of
1576 .Bd -literal -offset indent
1579 set device ui-gate:ppp-in/tcp
1586 is the IP number that your route to
1590 When routing your connection across a public network such as the Internet,
1591 it is preferable to encrypt the data.
1592 This can be done with the help of the MPPE protocol, although currently this
1593 means that you will not be able to also compress the traffic as MPPE is
1594 implemented as a compression layer (thank Microsoft for this).
1595 To enable MPPE encryption, add the following lines to
1596 .Pa /etc/ppp/ppp.conf
1598 .Bd -literal -offset indent
1600 disable deflate pred1
1604 ensuring that you have put the requisite entry in
1605 .Pa /etc/ppp/ppp.secret
1606 (MSCHAPv2 is challenge based, so
1610 MSCHAPv2 and MPPE are accepted by default, so the client end should work
1611 without any additional changes (although ensure you have
1616 .Sh NETWORK ADDRESS TRANSLATION (PACKET ALIASING)
1619 command line option enables network address translation (a.k.a.\& packet
1623 host to act as a masquerading gateway for other computers over
1624 a local area network.
1625 Outgoing IP packets are NAT'd so that they appear to come from the
1627 host, and incoming packets are de-NAT'd so that they are routed
1628 to the correct machine on the local area network.
1629 NAT allows computers on private, unregistered subnets to have Internet
1630 access, although they are invisible from the outside world.
1633 operation should first be verified with network address translation disabled.
1636 option should be switched on, and network applications (web browser,
1641 should be checked on the
1644 Finally, the same or similar applications should be checked on other
1645 computers in the LAN.
1646 If network applications work correctly on the
1648 host, but not on other machines in the LAN, then the masquerading
1649 software is working properly, but the host is either not forwarding
1650 or possibly receiving IP packets.
1651 Check that IP forwarding is enabled in
1653 and that other machines have designated the
1655 host as the gateway for the LAN.
1658 with the provided rc script, the default is to
1664 .Pa /etc/defaults/rc.conf .
1665 .Sh PACKET FILTERING
1666 This implementation supports packet filtering.
1667 There are four kinds of
1677 Here are the basics:
1680 A filter definition has the following syntax:
1689 .Ar src_addr Ns Op / Ns Ar width
1690 .Op Ar dst_addr Ns Op / Ns Ar width
1692 .Ar [ proto Op src Ar cmp port
1697 .Op timeout Ar secs ]
1709 is a numeric value between
1713 specifying the rule number.
1714 Rules are specified in numeric order according to
1725 in which case, if a given packet matches the rule, the associated action
1726 is taken immediately.
1728 can also be specified as
1730 to clear the action associated with that particular rule, or as a new
1731 rule number greater than the current rule.
1732 In this case, if a given
1733 packet matches the current rule, the packet will next be matched against
1734 the new rule number (rather than the next rule number).
1738 may optionally be followed with an exclamation mark
1742 to reverse the sense of the following match.
1744 .Op Ar src_addr Ns Op / Ns Ar width
1746 .Op Ar dst_addr Ns Op / Ns Ar width
1747 are the source and destination IP number specifications.
1750 is specified, it gives the number of relevant netmask bits,
1751 allowing the specification of an address range.
1757 may be given the values
1763 (refer to the description of the
1765 command for a description of these values).
1766 When these values are used,
1767 the filters will be updated any time the values change.
1768 This is similar to the behaviour of the
1773 may be any protocol from
1782 meaning less-than, equal and greater-than respectively.
1784 can be specified as a numeric port or by service name from
1792 flags are only allowed when
1796 and represent the TH_ACK, TH_SYN and TH_FIN or TH_RST TCP flags respectively.
1798 The timeout value adjusts the current idle timeout to at least
1801 If a timeout is given in the alive filter as well as in the in/out
1802 filter, the in/out value is used.
1803 If no timeout is given, the default timeout (set using
1805 and defaulting to 180 seconds) is used.
1808 Each filter can hold up to 40 rules, starting from rule 0.
1809 The entire rule set is not effective until rule 0 is defined,
1810 i.e., the default is to allow everything through.
1812 If no rule in a defined set of rules matches a packet, that packet will
1813 be discarded (blocked).
1814 If there are no rules in a given filter, the packet will be permitted.
1816 It is possible to filter based on the payload of UDP frames where those
1822 .Ar filter-decapsulation
1823 option below for further details.
1826 .Dq set filter Ar name No -1
1831 .Pa /usr/share/examples/ppp/ppp.conf.sample .
1832 .Sh SETTING THE IDLE TIMER
1833 To check/set the idle timer, use the
1838 .Bd -literal -offset indent
1839 ppp ON awfulhak> set timeout 600
1842 The timeout period is measured in seconds, the default value for which
1845 To disable the idle timer function, use the command
1846 .Bd -literal -offset indent
1847 ppp ON awfulhak> set timeout 0
1854 modes, the idle timeout is ignored.
1857 mode, when the idle timeout causes the
1862 program itself remains running.
1863 Another trigger packet will cause it to attempt to re-establish the link.
1864 .Sh PREDICTOR-1 and DEFLATE COMPRESSION
1866 supports both Predictor type 1 and deflate compression.
1869 will attempt to use (or be willing to accept) both compression protocols
1870 when the peer agrees
1872 The deflate protocol is preferred by
1878 commands if you wish to disable this functionality.
1880 It is possible to use a different compression algorithm in each direction
1881 by using only one of
1885 (assuming that the peer supports both algorithms).
1887 By default, when negotiating DEFLATE,
1889 will use a window size of 15.
1892 command if you wish to change this behaviour.
1894 A special algorithm called DEFLATE24 is also available, and is disabled
1895 and denied by default.
1896 This is exactly the same as DEFLATE except that
1897 it uses CCP ID 24 to negotiate.
1900 to successfully negotiate DEFLATE with
1903 .Sh CONTROLLING IP ADDRESS
1906 uses IPCP to negotiate IP addresses.
1907 Each side of the connection
1908 specifies the IP address that it is willing to use, and if the requested
1909 IP address is acceptable then
1911 returns an ACK to the requester.
1914 returns NAK to suggest that the peer use a different IP address.
1916 both sides of the connection agree to accept the received request (and
1917 send an ACK), IPCP is set to the open state and a network level connection
1919 To control this IPCP behaviour, this implementation has the
1921 command for defining the local and remote IP address:
1922 .Bd -ragged -offset indent
1923 .No set ifaddr Oo Ar src_addr Ns
1925 .Oo Ar dst_addr Ns Op / Ns Ar \&nn
1935 is the IP address that the local side is willing to use,
1937 is the IP address which the remote side should use and
1939 is the netmask that should be used.
1941 defaults to the current
1944 defaults to 0.0.0.0, and
1946 defaults to whatever mask is appropriate for
1948 It is only possible to make
1950 smaller than the default.
1951 The usual value is 255.255.255.255, as
1952 most kernels ignore the netmask of a POINTOPOINT interface.
1956 implementations require that the peer negotiates a specific IP
1959 If this is the case,
1961 may be used to specify this IP number.
1962 This will not affect the
1963 routing table unless the other side agrees with this proposed number.
1964 .Bd -literal -offset indent
1965 set ifaddr 192.244.177.38 192.244.177.2 255.255.255.255 0.0.0.0
1968 The above specification means:
1970 .Bl -bullet -compact
1972 I will first suggest that my IP address should be 0.0.0.0, but I
1973 will only accept an address of 192.244.177.38.
1975 I strongly insist that the peer uses 192.244.177.2 as his own
1976 address and will not permit the use of any IP address but 192.244.177.2.
1977 When the peer requests another IP address, I will always suggest that
1978 it uses 192.244.177.2.
1980 The routing table entry will have a netmask of 0xffffffff.
1983 This is all fine when each side has a pre-determined IP address, however
1984 it is often the case that one side is acting as a server which controls
1985 all IP addresses and the other side should go along with it.
1986 In order to allow more flexible behaviour, the
1988 command allows the user to specify IP addresses more loosely:
1990 .Dl set ifaddr 192.244.177.38/24 192.244.177.2/20
1992 A number followed by a slash
1994 represents the number of bits significant in the IP address.
1995 The above example means:
1997 .Bl -bullet -compact
1999 I would like to use 192.244.177.38 as my address if it is possible, but I will
2000 also accept any IP address between 192.244.177.0 and 192.244.177.255.
2002 I would like to make him use 192.244.177.2 as his own address, but I will also
2003 permit him to use any IP address between 192.244.176.0 and
2006 As you may have already noticed, 192.244.177.2 is equivalent to saying
2009 As an exception, 0 is equivalent to 0.0.0.0/0, meaning that I have no
2010 preferred IP address and will obey the remote peers selection.
2011 When using zero, no routing table entries will be made until a connection
2014 192.244.177.2/0 means that I will accept/permit any IP address but I will
2015 suggest that 192.244.177.2 be used first.
2018 When negotiating IPv6 addresses, no control is given to the user.
2019 IPV6CP negotiation is fully automatic.
2020 .Sh CONNECTING WITH YOUR INTERNET SERVICE PROVIDER
2021 The following steps should be taken when connecting to your ISP:
2024 Describe your providers phone number(s) in the dial script using the
2027 This command allows you to set multiple phone numbers for
2028 dialing and redialing separated by either a pipe
2032 .Bd -ragged -offset indent
2033 .No set phone Ar telno Ns
2034 .Oo \&| Ns Ar backupnumber Oc Ns ... Ns Oo : Ns Ar nextnumber Oc Ns ...
2037 Numbers after the first in a pipe-separated list are only used if the
2038 previous number was used in a failed dial or login script.
2040 separated by a colon are used sequentially, irrespective of what happened
2041 as a result of using the previous number.
2043 .Bd -literal -offset indent
2044 set phone "1234567|2345678:3456789|4567890"
2047 Here, the 1234567 number is attempted.
2048 If the dial or login script fails,
2049 the 2345678 number is used next time, but *only* if the dial or login script
2051 On the dial after this, the 3456789 number is used.
2053 number is only used if the dial or login script using the 3456789 fails.
2054 If the login script of the 2345678 number fails, the next number is still the
2056 As many pipes and colons can be used as are necessary
2057 (although a given site would usually prefer to use either the pipe or the
2058 colon, but not both).
2059 The next number redial timeout is used between all numbers.
2060 When the end of the list is reached, the normal redial period is
2061 used before starting at the beginning again.
2062 The selected phone number is substituted for the \\\\T string in the
2064 command (see below).
2066 Set up your redial requirements using
2068 For example, if you have a bad telephone line or your provider is
2069 usually engaged (not so common these days), you may want to specify
2071 .Bd -literal -offset indent
2075 This says that up to 4 phone calls should be attempted with a pause of 10
2076 seconds before dialing the first number again.
2078 Describe your login procedure using the
2085 command is used to talk to your modem and establish a link with your
2087 .Bd -literal -offset indent
2088 set dial "ABORT BUSY ABORT NO\\\\sCARRIER TIMEOUT 4 \\"\\" \e
2089 ATZ OK-ATZ-OK ATDT\\\\T TIMEOUT 60 CONNECT"
2092 This modem "chat" string means:
2095 Abort if the string "BUSY" or "NO CARRIER" are received.
2097 Set the timeout to 4 seconds.
2104 If that is not received within the 4 second timeout, send ATZ
2107 Send ATDTxxxxxxx where xxxxxxx is the next number in the phone list from
2110 Set the timeout to 60.
2112 Wait for the CONNECT string.
2115 Once the connection is established, the login script is executed.
2116 This script is written in the same style as the dial script, but care should
2117 be taken to avoid having your password logged:
2118 .Bd -literal -offset indent
2119 set authkey MySecret
2120 set login "TIMEOUT 15 login:-\\\\r-login: awfulhak \e
2121 word: \\\\P ocol: PPP HELLO"
2124 This login "chat" string means:
2127 Set the timeout to 15 seconds.
2130 If it is not received, send a carriage return and expect
2135 Expect "word:" (the tail end of a "Password:" prompt).
2137 Send whatever our current
2141 Expect "ocol:" (the tail end of a "Protocol:" prompt).
2150 command is logged specially.
2155 logging is enabled, the actual password is not logged;
2159 Login scripts vary greatly between ISPs.
2160 If you are setting one up for the first time,
2161 .Em ENABLE CHAT LOGGING
2162 so that you can see if your script is behaving as you expect.
2168 to specify your serial line and speed, for example:
2169 .Bd -literal -offset indent
2170 set device /dev/cuau0
2174 Cuad0 is the first serial port on
2181 A speed of 115200 should be specified
2182 if you have a modem capable of bit rates of 28800 or more.
2183 In general, the serial speed should be about four times the modem speed.
2187 command to {define} the IP address.
2190 If you know what IP address your provider uses, then use it as the remote
2191 address (dst_addr), otherwise choose something like 10.0.0.2/0 (see below).
2193 If your provider has assigned a particular IP address to you, then use
2194 it as your address (src_addr).
2196 If your provider assigns your address dynamically, choose a suitably
2197 unobtrusive and unspecific IP number as your address.
2198 10.0.0.1/0 would be appropriate.
2199 The bit after the / specifies how many bits of the
2200 address you consider to be important, so if you wanted to insist on
2201 something in the class C network 1.2.3.0, you could specify 1.2.3.1/24.
2203 If you find that your ISP accepts the first IP number that you suggest,
2204 specify third and forth arguments of
2206 This will force your ISP to assign a number.
2207 (The third argument will
2208 be ignored as it is less restrictive than the default mask for your
2212 An example for a connection where you do not know your IP number or your
2213 ISPs IP number would be:
2214 .Bd -literal -offset indent
2215 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
2218 In most cases, your ISP will also be your default router.
2219 If this is the case, add the line
2220 .Bd -literal -offset indent
2225 .Pa /etc/ppp/ppp.conf
2227 .Pa /etc/ppp/ppp.linkup
2228 for setups that do not use
2234 to add a default route to whatever the peer address is
2235 (10.0.0.2 in this example).
2238 meaning that should the value of
2240 change, the route will be updated accordingly.
2242 If your provider requests that you use PAP/CHAP authentication methods, add
2243 the next lines to your
2244 .Pa /etc/ppp/ppp.conf
2246 .Bd -literal -offset indent
2248 set authkey MyPassword
2251 Both are accepted by default, so
2253 will provide whatever your ISP requires.
2255 It should be noted that a login script is rarely (if ever) required
2256 when PAP or CHAP are in use.
2258 Ask your ISP to authenticate your nameserver address(es) with the line
2259 .Bd -literal -offset indent
2265 do this if you are running a local DNS unless you also either use
2270 .Pa /etc/ppp/ppp.linkdown ,
2273 will simply circumvent its use by entering some nameserver lines in
2274 .Pa /etc/resolv.conf .
2278 .Pa /usr/share/examples/ppp/ppp.conf.sample
2280 .Pa /usr/share/examples/ppp/ppp.linkup.sample
2281 for some real examples.
2282 The pmdemand label should be appropriate for most ISPs.
2283 .Sh LOGGING FACILITY
2285 is able to generate the following log info either via
2287 or directly to the screen:
2289 .Bl -tag -width XXXXXXXXX -offset XXX -compact
2291 Enable all logging facilities.
2292 This generates a lot of log.
2293 The most common use of 'all' is as a basis, where you remove some facilities
2294 after enabling 'all' ('debug' and 'timer' are usually best disabled.)
2296 Dump async level packet in hex.
2298 Generate CBCP (CallBack Control Protocol) logs.
2300 Generate a CCP packet trace.
2308 chat script trace logs.
2310 Log commands executed either from the command line or any of the configuration
2313 Log Chat lines containing the string "CONNECT".
2315 Log debug information.
2317 Log DNS QUERY packets.
2319 Log packets permitted by the dial filter and denied by any filter.
2321 Dump HDLC packet in hex.
2323 Log all function calls specifically made as user id 0.
2325 Generate an IPCP packet trace.
2327 Generate an LCP packet trace.
2329 Generate LQR reports.
2331 Phase transition log output.
2333 Dump physical level packet in hex.
2335 Dump RADIUS information.
2336 RADIUS information resulting from the link coming up or down is logged at
2341 This log level is most useful for monitoring RADIUS alive information.
2343 Dump sync level packet in hex.
2345 Dump all TCP/IP packets.
2347 Log timer manipulation.
2349 Include the tun device on each log line.
2351 Output to the terminal device.
2352 If there is currently no terminal,
2353 output is sent to the log file using syslogs
2356 Output to both the terminal device
2357 and the log file using syslogs
2360 Output to the log file using
2366 command allows you to set the logging output level.
2367 Multiple levels can be specified on a single command line.
2368 The default is equivalent to
2371 It is also possible to log directly to the screen.
2372 The syntax is the same except that the word
2374 should immediately follow
2378 (i.e., only the un-maskable warning, error and alert output).
2380 If The first argument to
2381 .Dq set log Op local
2386 character, the current log levels are
2387 not cleared, for example:
2388 .Bd -literal -offset indent
2389 PPP ON awfulhak> set log phase
2390 PPP ON awfulhak> show log
2391 Log: Phase Warning Error Alert
2392 Local: Warning Error Alert
2393 PPP ON awfulhak> set log +tcp/ip -warning
2394 PPP ON awfulhak> set log local +command
2395 PPP ON awfulhak> show log
2396 Log: Phase TCP/IP Warning Error Alert
2397 Local: Command Warning Error Alert
2400 Log messages of level Warning, Error and Alert are not controllable
2402 .Dq set log Op local .
2406 level is special in that it will not be logged if it can be displayed
2410 deals with the following signals:
2411 .Bl -tag -width "USR2"
2413 Receipt of this signal causes the termination of the current connection
2417 to exit unless it is in
2422 .It HUP, TERM & QUIT
2429 to re-open any existing server socket, dropping all existing diagnostic
2431 Sockets that could not previously be opened will be retried.
2435 to close any existing server socket, dropping all existing diagnostic
2438 can still be used to re-open the socket.
2441 If you wish to use more than one physical link to connect to a
2443 peer, that peer must also understand the
2446 Refer to RFC 1990 for specification details.
2448 The peer is identified using a combination of his
2449 .Dq endpoint discriminator
2451 .Dq authentication id .
2452 Either or both of these may be specified.
2453 It is recommended that
2454 at least one is specified, otherwise there is no way of ensuring that
2455 all links are actually connected to the same peer program, and some
2456 confusing lock-ups may result.
2457 Locally, these identification variables are specified using the
2466 must be agreed in advance with the peer.
2468 Multi-link capabilities are enabled using the
2470 command (set maximum reconstructed receive unit).
2471 Once multi-link is enabled,
2473 will attempt to negotiate a multi-link connection with the peer.
2475 By default, only one
2480 To create more links, the
2483 This command will clone existing links, where all
2484 characteristics are the same except:
2487 The new link has its own name as specified on the
2494 Its mode may subsequently be changed using the
2498 The new link is in a
2503 A summary of all available links can be seen using the
2507 Once a new link has been created, command usage varies.
2508 All link specific commands must be prefixed with the
2510 command, specifying on which link the command is to be applied.
2511 When only a single link is available,
2513 is smart enough not to require the
2517 Some commands can still be used without specifying a link - resulting
2518 in an operation at the
2521 For example, once two or more links are available, the command
2523 will show CCP configuration and statistics at the multi-link level, and
2524 .Dq link deflink show ccp
2525 will show the same information at the
2529 Armed with this information, the following configuration might be used:
2530 .Bd -literal -offset indent
2534 set device /dev/cuau0 /dev/cuau1 /dev/cuau2
2535 set phone "123456789"
2536 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\"\\" ATZ \e
2537 OK-AT-OK \\\\dATDT\\\\T TIMEOUT 45 CONNECT"
2539 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
2541 set authkey ppppassword
2544 clone 1,2,3 # Create 3 new links - duplicates of the default
2545 link deflink remove # Delete the default link (called ``deflink'')
2548 Note how all cloning is done at the end of the configuration.
2549 Usually, the link will be configured first, then cloned.
2550 If you wish all links
2551 to be up all the time, you can add the following line to the end of your
2553 .Bd -literal -offset indent
2554 link 1,2,3 set mode ddial
2557 If you want the links to dial on demand, this command could be used:
2558 .Bd -literal -offset indent
2559 link * set mode auto
2562 Links may be tied to specific names by removing the
2564 line above, and specifying the following after the
2567 .Bd -literal -offset indent
2568 link 1 set device /dev/cuau0
2569 link 2 set device /dev/cuau1
2570 link 3 set device /dev/cuau2
2575 command to see which commands require context (using the
2577 command), which have optional
2578 context and which should not have any context.
2584 mode with the peer, it creates a local domain socket in the
2587 This socket is used to pass link information (including
2588 the actual link file descriptor) between different
2593 ability to be run from a
2599 capability), without needing to have initial control of the serial
2603 negotiates multi-link mode, it will pass its open link to any
2604 already running process.
2605 If there is no already running process,
2607 will act as the master, creating the socket and listening for new
2609 .Sh PPP COMMAND LIST
2610 This section lists the available commands and their effect.
2611 They are usable either from an interactive
2613 session, from a configuration file or from a
2619 .It accept|deny|enable|disable Ar option....
2620 These directives tell
2622 how to negotiate the initial connection with the peer.
2625 has a default of either accept or deny and enable or disable.
2627 means that the option will be ACK'd if the peer asks for it.
2629 means that the option will be NAK'd if the peer asks for it.
2631 means that the option will be requested by us.
2633 means that the option will not be requested by us.
2636 may be one of the following:
2639 Default: Enabled and Accepted.
2640 ACFComp stands for Address and Control Field Compression.
2641 Non LCP packets will usually have an address
2642 field of 0xff (the All-Stations address) and a control field of
2643 0x03 (the Unnumbered Information command).
2645 negotiated, these two bytes are simply not sent, thus minimising
2652 Default: Disabled and Accepted.
2653 CHAP stands for Challenge Handshake Authentication Protocol.
2654 Only one of CHAP and PAP (below) may be negotiated.
2655 With CHAP, the authenticator sends a "challenge" message to its peer.
2656 The peer uses a one-way hash function to encrypt the
2657 challenge and sends the result back.
2658 The authenticator does the same, and compares the results.
2659 The advantage of this mechanism is that no
2660 passwords are sent across the connection.
2661 A challenge is made when the connection is first made.
2662 Subsequent challenges may occur.
2663 If you want to have your peer authenticate itself, you must
2666 .Pa /etc/ppp/ppp.conf ,
2667 and have an entry in
2668 .Pa /etc/ppp/ppp.secret
2671 When using CHAP as the client, you need only specify
2676 .Pa /etc/ppp/ppp.conf .
2677 CHAP is accepted by default.
2680 implementations use "MS-CHAP" rather than MD5 when encrypting the
2682 MS-CHAP is a combination of MD4 and DES.
2685 was built on a machine with DES libraries available, it will respond
2686 to MS-CHAP authentication requests, but will never request them.
2688 Default: Enabled and Accepted.
2689 This option decides if deflate
2690 compression will be used by the Compression Control Protocol (CCP).
2691 This is the same algorithm as used by the
2694 Note: There is a problem negotiating
2700 implementation available under many operating systems.
2702 (version 2.3.1) incorrectly attempts to negotiate
2704 compression using type
2706 as the CCP configuration type rather than type
2712 is actually specified as
2713 .Dq PPP Magna-link Variable Resource Compression
2717 is capable of negotiating with
2724 .Ar accept Ns No ed .
2726 Default: Disabled and Denied.
2727 This is a variance of the
2729 option, allowing negotiation with the
2734 section above for details.
2735 It is disabled by default as it violates
2738 Default: Disabled and Denied.
2739 This option allows DNS negotiation.
2744 will request that the peer confirms the entries in
2745 .Pa /etc/resolv.conf .
2746 If the peer NAKs our request (suggesting new IP numbers),
2747 .Pa /etc/resolv.conf
2748 is updated and another request is sent to confirm the new entries.
2751 .Dq accept Ns No ed,
2753 will answer any DNS queries requested by the peer rather than rejecting
2755 The answer is taken from
2756 .Pa /etc/resolv.conf
2759 command is used as an override.
2761 Default: Enabled and Accepted.
2762 This option allows control over whether we
2763 negotiate an endpoint discriminator.
2764 We only send our discriminator if
2769 We reject the peers discriminator if
2773 Default: Disabled and Accepted.
2774 The use of this authentication protocol
2775 is discouraged as it partially violates the authentication protocol by
2776 implementing two different mechanisms (LANMan & NT) under the guise of
2777 a single CHAP type (0x80).
2779 uses a simple DES encryption mechanism and is the least secure of the
2780 CHAP alternatives (although is still more secure than PAP).
2784 description below for more details.
2786 Default: Disabled and Accepted.
2787 This option decides if Link Quality Requests will be sent or accepted.
2788 LQR is a protocol that allows
2790 to determine that the link is down without relying on the modems
2792 When LQR is enabled,
2798 below) as part of the LCP request.
2799 If the peer agrees, both sides will
2800 exchange LQR packets at the agreed frequency, allowing detailed link
2801 quality monitoring by enabling LQM logging.
2802 If the peer does not agree, and if the
2809 These packets pass no information of interest, but they
2811 be replied to by the peer.
2818 will abruptly drop the connection if 5 unacknowledged packets have been
2819 sent rather than sending a 6th.
2820 A message is logged at the
2822 level, and any appropriate
2824 values are honoured as if the peer were responsible for dropping the
2829 command description for differences in behaviour prior to
2833 Default: Enabled and Accepted.
2834 This is Microsoft Point to Point Encryption scheme.
2835 MPPE key size can be
2836 40-, 56- and 128-bits.
2841 Default: Disabled and Accepted.
2842 It is very similar to standard CHAP (type 0x05)
2843 except that it issues challenges of a fixed 16 bytes in length and uses a
2844 combination of MD4, SHA-1 and DES to encrypt the challenge rather than using the
2845 standard MD5 mechanism.
2847 Default: Disabled and Accepted.
2848 The use of this authentication protocol
2849 is discouraged as it partially violates the authentication protocol by
2850 implementing two different mechanisms (LANMan & NT) under the guise of
2851 a single CHAP type (0x80).
2852 It is very similar to standard CHAP (type 0x05)
2853 except that it issues challenges of a fixed 8 bytes in length and uses a
2854 combination of MD4 and DES to encrypt the challenge rather than using the
2855 standard MD5 mechanism.
2856 CHAP type 0x80 for LANMan is also supported - see
2864 use CHAP type 0x80, when acting as authenticator with both
2865 .Dq enable Ns No d ,
2867 will rechallenge the peer up to three times if it responds using the wrong
2868 one of the two protocols.
2869 This gives the peer a chance to attempt using both protocols.
2873 acts as the authenticatee with both protocols
2874 .Dq accept Ns No ed ,
2875 the protocols are used alternately in response to challenges.
2877 Note: If only LANMan is enabled,
2879 (version 2.3.5) misbehaves when acting as authenticatee.
2881 the NT and the LANMan answers, but also suggests that only the NT answer
2884 Default: Disabled and Accepted.
2885 PAP stands for Password Authentication Protocol.
2886 Only one of PAP and CHAP (above) may be negotiated.
2887 With PAP, the ID and Password are sent repeatedly to the peer until
2888 authentication is acknowledged or the connection is terminated.
2889 This is a rather poor security mechanism.
2890 It is only performed when the connection is first established.
2891 If you want to have your peer authenticate itself, you must
2894 .Pa /etc/ppp/ppp.conf ,
2895 and have an entry in
2896 .Pa /etc/ppp/ppp.secret
2897 for the peer (although see the
2903 When using PAP as the client, you need only specify
2908 .Pa /etc/ppp/ppp.conf .
2909 PAP is accepted by default.
2911 Default: Enabled and Accepted.
2912 This option decides if Predictor 1
2913 compression will be used by the Compression Control Protocol (CCP).
2915 Default: Enabled and Accepted.
2916 This option is used to negotiate
2917 PFC (Protocol Field Compression), a mechanism where the protocol
2918 field number is reduced to one octet rather than two.
2920 Default: Enabled and Accepted.
2921 This option determines if
2923 will request and accept requests for short
2925 sequence numbers when negotiating multi-link mode.
2926 This is only applicable if our MRRU is set (thus enabling multi-link).
2928 Default: Enabled and Accepted.
2929 This option determines if Van Jacobson header compression will be used.
2932 The following options are not actually negotiated with the peer.
2933 Therefore, accepting or denying them makes no sense.
2937 When this option is enabled,
2941 requests to the peer at the frequency defined by
2945 requests will supersede
2947 requests if enabled and negotiated.
2956 was considered enabled if lqr was enabled and negotiated, otherwise it was
2957 considered disabled.
2958 For the same behaviour, it is now necessary to
2962 .It filter-decapsulation
2964 When this option is enabled,
2966 will examine UDP frames to see if they actually contain a
2968 frame as their payload.
2969 If this is the case, all filters will operate on the payload rather
2970 than the actual packet.
2972 This is useful if you want to send PPPoUDP traffic over a
2974 link, but want that link to do smart things with the real data rather than
2977 The UDP frame payload must not be compressed in any way, otherwise
2979 will not be able to interpret it.
2980 It is therefore recommended that you
2981 .Ic disable vj pred1 deflate
2983 .Ic deny vj pred1 deflate
2984 in the configuration for the
2986 invocation with the udp link.
2989 Forces execution of the configured chat scripts in
2998 exchanges low-level LCP, CCP and IPCP configuration traffic, the
3000 field of any replies is expected to be the same as that of the request.
3003 drops any reply packets that do not contain the expected identifier
3004 field, reporting the fact at the respective log level.
3009 will ignore the identifier field.
3014 This option simply tells
3016 to add new interface addresses to the interface rather than replacing them.
3017 The option can only be enabled if network address translation is enabled
3018 .Pq Dq nat enable yes .
3020 With this option enabled,
3022 will pass traffic for old interface addresses through the NAT
3026 resulting in the ability (in
3028 mode) to properly connect the process that caused the PPP link to
3029 come up in the first place.
3039 to attempt to negotiate IP control protocol capabilities and if
3040 successful to exchange IP datagrams with the peer.
3045 to attempt to negotiate IPv6 control protocol capabilities and if
3046 successful to exchange IPv6 datagrams with the peer.
3051 runs as a Multi-link server, a different
3053 instance initially receives each connection.
3054 After determining that
3055 the link belongs to an already existing bundle (controlled by another
3059 will transfer the link to that process.
3061 If the link is a tty device or if this option is enabled,
3063 will not exit, but will change its process name to
3065 and wait for the controlling
3067 to finish with the link and deliver a signal back to the idle process.
3068 This prevents the confusion that results from
3070 parent considering the link resource available again.
3072 For tty devices that have entries in
3074 this is necessary to prevent another
3076 from being started, and for program links such as
3080 from exiting due to the death of its child.
3083 cannot determine its parents requirements (except for the tty case), this
3084 option must be enabled manually depending on the circumstances.
3091 will automatically loop back packets being sent
3092 out with a destination address equal to that of the
3097 will send the packet, probably resulting in an ICMP redirect from
3099 It is convenient to have this option enabled when
3100 the interface is also the default route as it avoids the necessity
3101 of a loopback route.
3104 This option controls whether
3108 attribute to the RADIUS server when RADIUS is in use
3109 .Pq see Dq set radius .
3111 Note, at least one of
3119 prior to version 3.4.1 did not send the
3121 attribute as it was reported to break the Radiator RADIUS server.
3122 As the latest rfc (2865) no longer hints that only one of
3126 should be sent (as rfc 2138 did),
3128 now sends both and leaves it up to the administrator that chooses to use
3129 bad RADIUS implementations to
3130 .Dq disable NAS-IP-Address .
3133 This option controls whether
3137 attribute to the RADIUS server when RADIUS is in use
3138 .Pq see Dq set radius .
3140 Note, at least one of
3147 Enabling this option will tell the PAP authentication
3148 code to use the password database (see
3150 to authenticate the caller if they cannot be found in the
3151 .Pa /etc/ppp/ppp.secret
3153 .Pa /etc/ppp/ppp.secret
3154 is always checked first.
3155 If you wish to use passwords from
3157 but also to specify an IP number or label for a given client, use
3159 as the client password in
3160 .Pa /etc/ppp/ppp.secret .
3163 Enabling this option will tell
3165 to proxy ARP for the peer.
3168 will make an entry in the ARP table using
3172 address of the local network in which
3175 This allows other machines connecteed to the LAN to talk to
3176 the peer as if the peer itself was connected to the LAN.
3177 The proxy entry cannot be made unless
3179 is an address from a LAN.
3182 Enabling this will tell
3184 to add proxy arp entries for every IP address in all class C or
3185 smaller subnets routed via the tun interface.
3187 Proxy arp entries are only made for sticky routes that are added
3191 No proxy arp entries are made for the interface address itself
3199 command is used with the
3205 values, entries are stored in the
3208 Each time these variables change, this list is re-applied to the routing table.
3210 Disabling this option will prevent the re-application of sticky routes,
3213 list will still be maintained.
3214 .It Oo tcp Oc Ns No mssfixup
3218 to adjust TCP SYN packets so that the maximum receive segment
3219 size is not greater than the amount allowed by the interface MTU.
3224 to gather throughput statistics.
3225 Input and output is sampled over
3226 a rolling 5 second window, and current, best and total figures are retained.
3227 This data is output when the relevant
3229 layer shuts down, and is also available using the
3232 Throughput statistics are available at the
3239 Normally, when a user is authenticated using PAP or CHAP, and when
3243 mode, an entry is made in the utmp and wtmp files for that user.
3244 Disabling this option will tell
3246 not to make any utmp or wtmp entries.
3247 This is usually only necessary if
3248 you require the user to both login and authenticate themselves.
3252 .Ar dest Ns Op / Ns Ar nn
3257 is the destination IP address.
3258 The netmask is specified either as a number of bits with
3260 or as an IP number using
3265 with no mask refers to the default route.
3266 It is also possible to use the literal name
3271 is the next hop gateway to get to the given
3276 command for further details.
3278 It is possible to use the symbolic names
3284 as the destination, and
3291 is replaced with the interface IP address,
3293 is replaced with the interface IP destination (peer) address,
3295 is replaced with the interface IPv6 address, and
3297 is replaced with the interface IPv6 destination address,
3304 then if the route already exists, it will be updated as with the
3308 for further details).
3310 Routes that contain the
3318 constants are considered
3320 They are stored in a list (use
3322 to see the list), and each time the value of one of these variables
3323 changes, the appropriate routing table entries are updated.
3324 This facility may be disabled using
3325 .Dq disable sroutes .
3326 .It allow Ar command Op Ar args
3327 This command controls access to
3329 and its configuration files.
3330 It is possible to allow user-level access,
3331 depending on the configuration file label and on the mode that
3334 For example, you may wish to configure
3344 User id 0 is immune to these commands.
3346 .It allow user Ns Xo
3348 .Ar logname Ns No ...
3350 By default, only user id 0 is allowed access to
3352 If this command is used, all of the listed users are allowed access to
3353 the section in which the
3358 section is always checked first (even though it is only ever automatically
3361 commands are cumulative in a given section, but users allowed in any given
3362 section override users allowed in the default section, so it is possible to
3363 allow users access to everything except a given label by specifying default
3366 section, and then specifying a new user list for that label.
3370 is specified, access is allowed to all users.
3371 .It allow mode Ns Xo
3375 By default, access using any
3378 If this command is used, it restricts the access
3380 allowed to load the label under which this command is specified.
3385 command overrides any previous settings, and the
3387 section is always checked first.
3399 When running in multi-link mode, a section can be loaded if it allows
3401 of the currently existing line modes.
3403 .It nat Ar command Op Ar args
3404 This command allows the control of the network address translation (also
3405 known as masquerading or IP aliasing) facilities that are built into
3407 NAT is done on the external interface only, and is unlikely to make sense
3412 If nat is enabled on your system (it may be omitted at compile time),
3413 the following commands are possible:
3415 .It nat enable yes|no
3416 This command either switches network address translation on or turns it off.
3419 command line flag is synonymous with
3420 .Dq nat enable yes .
3421 .It nat addr Op Ar addr_local addr_alias
3422 This command allows data for
3426 It is useful if you own a small number of real IP numbers that
3427 you wish to map to specific machines behind your gateway.
3428 .It nat deny_incoming yes|no
3429 If set to yes, this command will refuse all incoming packets where an
3430 aliasing link does not already exist.
3432 .Sx CONCEPTUAL BACKGROUND
3435 for a description of what an
3439 It should be noted under what circumstances an aliasing link is
3442 It may be necessary to further protect your network from outside
3443 connections using the
3449 This command gives a summary of available nat commands.
3451 This option causes various NAT statistics and information to
3452 be logged to the file
3453 .Pa /var/log/alias.log .
3454 .It nat port Ar proto Ar targetIP Ns Xo
3455 .No : Ns Ar targetPort Ns
3457 .No - Ns Ar targetPort
3460 .No - Ns Ar aliasPort
3461 .Oc Oo Ar remoteIP : Ns
3464 .No - Ns Ar remotePort
3468 This command causes incoming
3482 A range of port numbers may be specified as shown above.
3483 The ranges must be of the same size.
3487 is specified, only data coming from that IP number is redirected.
3491 (indicating any source port)
3492 or a range of ports the same size as the other ranges.
3494 This option is useful if you wish to run things like Internet phone on
3495 machines behind your gateway, but is limited in that connections to only
3496 one interior machine per source machine and target port are possible.
3497 .It nat proto Ar proto localIP Oo
3498 .Ar publicIP Op Ar remoteIP
3502 to redirect packets of protocol type
3506 to the internal address
3511 is specified, only packets destined for that address are matched,
3512 otherwise the default alias address is used.
3516 is specified, only packets matching that source address are matched,
3518 This command is useful for redirecting tunnel endpoints to an internal machine,
3521 .Dl nat proto ipencap 10.0.0.1
3522 .It "nat proxy cmd" Ar arg Ns No ...
3525 to proxy certain connections, redirecting them to a given server.
3526 Refer to the description of
3527 .Fn PacketAliasProxyRule
3530 for details of the available commands.
3531 .It nat punch_fw Op Ar base count
3534 to punch holes in the firewall for FTP or IRC DCC connections.
3535 This is done dynamically by installing temporary firewall rules which
3536 allow a particular connection (and only that connection) to go through
3538 The rules are removed once the corresponding connection terminates.
3542 rules starting from rule number
3544 will be used for punching firewall holes.
3545 The range will be cleared when the
3549 If no arguments are given, firewall punching is disabled.
3550 .It nat skinny_port Op Ar port
3553 which TCP port is used by the Skinny Station protocol.
3555 Cisco IP phones to communicate with Cisco Call Managers to setup voice
3557 The typical port used by Skinny is 2000.
3559 If no argument is given, skinny aliasing is disabled.
3560 .It nat same_ports yes|no
3561 When enabled, this command will tell the network address translation engine to
3562 attempt to avoid changing the port number on outgoing packets.
3564 if you want to support protocols such as RPC and LPD which require
3565 connections to come from a well known port.
3566 .It nat target Op Ar address
3567 Set the given target address or clear it if no address is given.
3568 The target address is used by libalias to specify how to NAT incoming packets
3570 If a target address is not set or if
3572 is given, packets are not altered and are allowed to route to the internal
3575 The target address may be set to
3577 in which case libalias will redirect all packets to the interface address.
3578 .It nat use_sockets yes|no
3579 When enabled, this option tells the network address translation engine to
3580 create a socket so that it can guarantee a correct incoming ftp data or
3582 .It nat unregistered_only yes|no
3583 Only alter outgoing packets with an unregistered source address.
3584 According to RFC 1918, unregistered source addresses
3585 are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
3588 These commands are also discussed in the file
3590 which comes with the source distribution.
3596 is executed in the background with the following words replaced:
3597 .Bl -tag -width COMPILATIONDATE
3599 This is replaced with the local
3605 .It Li COMPILATIONDATE
3606 In previous software revisions, this was replaced with the date on which
3609 This is no longer supported as it breaks the ability to recompile the same
3610 code to produce an exact duplicate of a previous compilation.
3612 These are replaced with the primary and secondary nameserver IP numbers.
3613 If nameservers are negotiated by IPCP, the values of these macros will change.
3615 This is replaced with the local endpoint discriminator value.
3620 This is replaced with the peers IP number.
3622 This is replaced with the peers IPv6 number.
3624 This is replaced with the name of the interface that is in use.
3626 This is replaced with the number of IP bytes received since the connection
3629 This is replaced with the number of IP bytes sent since the connection
3632 This is replaced with the number of IP packets received since the connection
3635 This is replaced with the number of IP packets sent since the connection
3638 This is replaced with the number of IPv6 bytes received since the connection
3640 .It Li IPV6OCTETSOUT
3641 This is replaced with the number of IPv6 bytes sent since the connection
3643 .It Li IPV6PACKETSIN
3644 This is replaced with the number of IPv6 packets received since the connection
3646 .It Li IPV6PACKETSOUT
3647 This is replaced with the number of IPv6 packets sent since the connection
3650 This is replaced with the last label name used.
3651 A label may be specified on the
3653 command line, via the
3661 This is replaced with the IP number assigned to the local interface.
3663 This is replaced with the IPv6 number assigned to the local interface.
3665 This is replaced with the number of bytes received since the connection
3668 This is replaced with the number of bytes sent since the connection
3671 This is replaced with the number of packets received since the connection
3674 This is replaced with the number of packets sent since the connection
3677 This is replaced with the value of the peers endpoint discriminator.
3679 This is replaced with the current process id.
3681 This is replaced with the name of the diagnostic socket.
3683 This is replaced with the bundle uptime in HH:MM:SS format.
3685 This is replaced with the username that has been authenticated with PAP or
3687 Normally, this variable is assigned only in -direct mode.
3688 This value is available irrespective of whether utmp logging is enabled.
3690 This is replaced with the current version number of
3694 These substitutions are also done by the
3701 If you wish to pause
3703 while the command executes, use the
3706 .It clear physical|ipcp|ipv6 Op current|overall|peak...
3707 Clear the specified throughput values at either the
3715 is specified, context must be given (see the
3718 If no second argument is given, all values are cleared.
3719 .It clone Ar name Ns Xo
3720 .Op \&, Ns Ar name Ns
3723 Clone the specified link, creating one or more new links according to the
3726 This command must be used from the
3728 command below unless you have only got a single link (in which case that
3729 link becomes the default).
3730 Links may be removed using the
3734 The default link name is
3736 .It close Op lcp|ccp Ns Op !\&
3737 If no arguments are given, the relevant protocol layers will be brought
3738 down and the link will be closed.
3741 is specified, the LCP layer is brought down, but
3743 will not bring the link offline.
3744 It is subsequently possible to use
3747 to talk to the peer machine if, for example, something like
3752 is specified, only the relevant compression layer is closed.
3755 is used, the compression layer will remain in the closed state, otherwise
3756 it will re-enter the STOPPED state, waiting for the peer to initiate
3757 further CCP negotiation.
3758 In any event, this command does not disconnect the user from
3769 This command deletes the route with the given
3776 all non-direct entries in the routing table for the current interface,
3779 entries are deleted.
3784 the default route is deleted.
3792 will not complain if the route does not already exist.
3793 .It dial|call Oo Ar label Oc Ns Xo
3796 This command is the equivalent of
3800 and is provided for backwards compatibility.
3801 .It down Op Ar lcp|ccp
3802 Bring the relevant layer down ungracefully, as if the underlying layer
3803 had become unavailable.
3804 It is not considered polite to use this command on
3805 a Finite State Machine that is in the OPEN state.
3807 supplied, the entire link is closed (or if no context is given, all links
3813 layer is terminated but the device is not brought offline and the link
3817 is specified, only the relevant compression layer(s) are terminated.
3818 .It help|? Op Ar command
3819 Show a list of available commands.
3822 is specified, show the usage string for that command.
3823 .It ident Op Ar text Ns No ...
3824 Identify the link to the peer using
3828 is empty, link identification is disabled.
3829 It is possible to use any of the words described for the
3834 command for details of when
3836 identifies itself to the peer.
3837 .It iface Ar command Op args
3838 This command is used to control the interface used by
3841 may be one of the following:
3845 .Ar addr Ns Op / Ns Ar bits
3856 combination to the interface.
3857 Instead of specifying
3861 (with no space between it and
3863 If the given address already exists, the command fails unless the
3865 is used - in which case the previous interface address entry is overwritten
3866 with the new one, allowing a change of netmask or peer address.
3877 .Dq 255.255.255.255 .
3878 This address (the broadcast address) is the only duplicate peer address that
3881 .It iface clear Op INET | INET6
3882 If this command is used while
3884 is in the OPENED state or while in
3886 mode, all addresses except for the NCP negotiated address are deleted
3890 is not in the OPENED state and is not in
3892 mode, all interface addresses are deleted.
3894 If the INET or INET6 arguments are used, only addresses for that address
3896 .It iface delete Ns Xo
3901 This command deletes the given
3906 is used, no error is given if the address is not currently assigned to
3907 the interface (and no deletion takes place).
3908 .It iface name Ar name
3909 Renames the interface to
3911 .It iface description Ar description
3912 Sets the interface description to
3914 Useful if you have many interfaces on your system.
3916 Shows the current state and current addresses for the interface.
3917 It is much the same as running
3918 .Dq ifconfig INTERFACE .
3919 .It iface help Op Ar sub-command
3920 This command, when invoked without
3922 will show a list of possible
3924 sub-commands and a brief synopsis for each.
3927 only the synopsis for the given sub-command is shown.
3929 .It Oo data Oc Ns Xo
3931 .Ar name Ns Oo , Ns Ar name Oc Ns ... Ar command Op Ar args
3933 This command may prefix any other command if the user wishes to
3934 specify which link the command should affect.
3935 This is only applicable after multiple links have been created in Multi-link
3941 specifies the name of an existing link.
3944 is a comma separated list,
3946 is executed on each link.
3952 is executed on all links.
3953 .It load Oo Ar label Oc Ns Xo
3976 will not attempt to make an immediate connection.
3977 .It log Ar word Ns No ...
3978 Send the given word(s) to the log file with the prefix
3980 Word substitutions are done as explained under the
3983 .It open Op lcp|ccp|ipcp
3984 This is the opposite of the
3987 All closed links are immediately brought up apart from second and subsequent
3989 links - these will come up based on the
3991 command that has been used.
3995 argument is used while the LCP layer is already open, LCP will be
3997 This allows various LCP options to be changed, after which
3999 can be used to put them into effect.
4000 After renegotiating LCP,
4001 any agreed authentication will also take place.
4005 argument is used, the relevant compression layer is opened.
4006 Again, if it is already open, it will be renegotiated.
4010 argument is used, the link will be brought up as normal, but if
4011 IPCP is already open, it will be renegotiated and the network
4012 interface will be reconfigured.
4014 It is probably not good practice to re-open the PPP state machines
4015 like this as it is possible that the peer will not behave correctly.
4018 however useful as a way of forcing the CCP or VJ dictionaries to be reset.
4020 Specify the password required for access to the full
4023 This password is required when connecting to the diagnostic port (see the
4034 logging is active, instead, the literal string
4040 is executed from the controlling connection or from a command file,
4041 ppp will exit after closing all connections.
4042 Otherwise, if the user
4043 is connected to a diagnostic socket, the connection is simply dropped.
4049 will exit despite the source of the command after closing all existing
4052 This command removes the given link.
4053 It is only really useful in multi-link mode.
4054 A link must be in the
4056 state before it is removed.
4057 .It rename|mv Ar name
4058 This command renames the given link to
4062 is already used by another link.
4064 The default link name is
4071 may make the log file more readable.
4072 .It resolv Ar command
4073 This command controls
4080 starts up, it loads the contents of this file into memory and retains this
4081 image for future use.
4083 is one of the following:
4084 .Bl -tag -width readonly
4087 .Pa /etc/resolv.conf
4093 will still attempt to negotiate nameservers with the peer, making the results
4099 This is the opposite of the
4104 .Pa /etc/resolv.conf
4106 This may be necessary if for example a DHCP client overwrote
4107 .Pa /etc/resolv.conf .
4110 .Pa /etc/resolv.conf
4111 with the version originally read at startup or with the last
4114 This is sometimes a useful command to put in the
4115 .Pa /etc/ppp/ppp.linkdown
4119 .Pa /etc/resolv.conf
4121 This command will work even if the
4123 command has been used.
4124 It may be useful as a command in the
4125 .Pa /etc/ppp/ppp.linkup
4126 file if you wish to defer updating
4127 .Pa /etc/resolv.conf
4128 until after other commands have finished.
4133 .Pa /etc/resolv.conf
4138 successfully negotiates a DNS.
4139 This is the opposite of the
4144 This option is not (yet) implemented.
4148 to identify itself to the peer.
4149 The link must be in LCP state or higher.
4150 If no identity has been set (via the
4156 When an identity has been set,
4158 will automatically identify itself when it sends or receives a configure
4159 reject, when negotiation fails or when LCP reaches the opened state.
4161 Received identification packets are logged to the LCP log (see
4163 for details) and are never responded to.
4168 This option allows the setting of any of the following variables:
4170 .It set accmap Ar hex-value
4171 ACCMap stands for Asynchronous Control Character Map.
4173 negotiated with the peer, and defaults to a value of 00000000 in hex.
4174 This protocol is required to defeat hardware that depends on passing
4175 certain characters from end to end (such as XON/XOFF etc).
4177 For the XON/XOFF scenario, use
4178 .Dq set accmap 000a0000 .
4179 .It set Oo auth Oc Ns Xo
4182 This sets the authentication key (or password) used in client mode
4183 PAP or CHAP negotiation to the given value.
4184 It also specifies the
4185 password to be used in the dial or login scripts in place of the
4187 sequence, preventing the actual password from being logged.
4192 logging is in effect,
4196 for security reasons.
4198 If the first character of
4200 is an exclamation mark
4203 treats the remainder of the string as a program that must be executed
4215 it is treated as a single literal
4217 otherwise, ignoring the
4220 is parsed as a program to execute in the same was as the
4222 command above, substituting special names in the same manner.
4225 will feed the program three lines of input, each terminated by a newline
4229 The host name as sent in the CHAP challenge.
4231 The challenge string as sent in the CHAP challenge.
4237 Two lines of output are expected:
4242 to be sent with the CHAP response.
4246 which is encrypted with the challenge and request id, the answer being sent
4247 in the CHAP response packet.
4252 in this manner, it is expected that the host challenge is a series of ASCII
4253 digits or characters.
4254 An encryption device or Secure ID card is usually
4255 required to calculate the secret appropriate for the given challenge.
4256 .It set authname Ar id
4257 This sets the authentication id used in client mode PAP or CHAP negotiation.
4261 mode with CHAP enabled,
4263 is used in the initial authentication challenge and should normally be set to
4264 the local machine name.
4266 .Ar min-percent max-percent period
4268 These settings apply only in multi-link mode and default to zero, zero and
4274 mode link is available, only the first link is made active when
4276 first reads data from the tun device.
4279 link will be opened only when the current bundle throughput is at least
4281 percent of the total bundle bandwidth for
4284 When the current bundle throughput decreases to
4286 percent or less of the total bundle bandwidth for
4290 link will be brought down as long as it is not the last active link.
4292 Bundle throughput is measured as the maximum of inbound and outbound
4295 The default values cause
4297 links to simply come up one at a time.
4299 Certain devices cannot determine their physical bandwidth, so it
4300 is sometimes necessary to use the
4302 command (described below) to make
4305 .It set bandwidth Ar value
4306 This command sets the connection bandwidth in bits per second.
4308 must be greater than zero.
4309 It is currently only used by the
4312 .It set callback Ar option Ns No ...
4313 If no arguments are given, callback is disabled, otherwise,
4317 mode, will accept) one of the given
4318 .Ar option Ns No s .
4319 In client mode, if an
4323 will request a different
4325 until no options remain at which point
4327 will terminate negotiations (unless
4329 is one of the specified
4333 will accept any of the given protocols - but the client
4335 request one of them.
4336 If you wish callback to be optional, you must {include}
4342 are as follows (in this order of preference):
4345 The callee is expected to decide the callback number based on
4349 is the callee, the number should be specified as the fifth field of
4351 .Pa /etc/ppp/ppp.secret .
4353 Microsoft's callback control protocol is used.
4358 If you wish to negotiate
4360 in client mode but also wish to allow the server to request no callback at
4361 CBCP negotiation time, you must specify both
4365 as callback options.
4367 .Ar number Ns Op , Ns Ar number Ns
4370 The caller specifies the
4376 should be either a comma separated list of allowable numbers or a
4378 meaning any number is permitted.
4381 is the caller, only a single number should be specified.
4383 Note, this option is very unsafe when used with a
4385 as a malicious caller can tell
4387 to call any (possibly international) number without first authenticating
4390 If the peer does not wish to do callback at all,
4392 will accept the fact and continue without callback rather than terminating
4394 This is required (in addition to one or more other callback
4395 options) if you wish callback to be optional.
4398 .No *| Ns Ar number Ns Oo
4399 .No , Ns Ar number Ns ...\& Oc
4400 .Op Ar delay Op Ar retry
4402 If no arguments are given, CBCP (Microsoft's CallBack Control Protocol)
4403 is disabled - ie, configuring CBCP in the
4405 command will result in
4407 requesting no callback in the CBCP phase.
4410 attempts to use the given phone
4411 .Ar number Ns No (s).
4416 will insist that the client uses one of these numbers, unless
4418 is used in which case the client is expected to specify the number.
4422 will attempt to use one of the given numbers (whichever it finds to
4423 be agreeable with the peer), or if
4427 will expect the peer to specify the number.
4429 .No off| Ns Ar seconds Ns Op !\&
4433 checks for the existence of carrier depending on the type of device
4434 that has been opened:
4435 .Bl -tag -width XXX -offset XXX
4436 .It Terminal Devices
4437 Carrier is checked one second after the login script is complete.
4440 assumes that this is because the device does not support carrier (which
4443 NULL-modem cables), logs the fact and stops checking
4446 As ptys do not support the TIOCMGET ioctl, the tty device will switch all
4447 carrier detection off when it detects that the device is a pty.
4448 .It PPPoE (netgraph) Devices
4449 Carrier is checked once per second for 5 seconds.
4450 If it is not set after
4451 the fifth second, the connection attempt is considered to have failed and
4452 the device is closed.
4453 Carrier is always required for PPPoE devices.
4456 All other device types do not support carrier.
4457 Setting a carrier value will
4458 result in a warning when the device is opened.
4460 Some modems take more than one second after connecting to assert the carrier
4462 If this delay is not increased, this will result in
4464 inability to detect when the link is dropped, as
4466 assumes that the device is not asserting carrier.
4470 command overrides the default carrier behaviour.
4472 specifies the maximum number of seconds that
4474 should wait after the dial script has finished before deciding if
4475 carrier is available or not.
4481 will not check for carrier on the device, otherwise
4483 will not proceed to the login script until either carrier is detected
4486 has elapsed, at which point
4488 assumes that the device will not set carrier.
4490 If no arguments are given, carrier settings will go back to their default
4495 is followed immediately by an exclamation mark
4501 If carrier is not detected after
4503 seconds, the link will be disconnected.
4504 .It set choked Op Ar timeout
4505 This sets the number of seconds that
4507 will keep a choked output queue before dropping all pending output packets.
4510 is less than or equal to zero or if
4512 is not specified, it is set to the default value of
4515 A choked output queue occurs when
4517 has read a certain number of packets from the local network for transmission,
4518 but cannot send the data due to link failure (the peer is busy etc.).
4520 will not read packets indefinitely.
4521 Instead, it reads up to
4527 packets in multi-link mode), then stops reading the network interface
4530 seconds have passed or at least one packet has been sent.
4534 seconds pass, all pending output packets are dropped.
4535 .It set ctsrts|crtscts on|off
4536 This sets hardware flow control.
4537 Hardware flow control is
4540 .It set deflate Ar out-winsize Op Ar in-winsize
4541 This sets the DEFLATE algorithms default outgoing and incoming window
4547 must be values between
4555 will insist that this window size is used and will not accept any other
4556 values from the peer.
4557 .It set dns Op Ar primary Op Ar secondary
4558 This command specifies DNS overrides for the
4563 command description above for details.
4564 This command does not affect the IP numbers requested using
4566 .It set device|line Xo
4569 This sets the device(s) to which
4571 will talk to the given
4574 All serial device names are expected to begin with
4576 Serial devices are usually called
4583 it must either begin with an exclamation mark
4586 .No PPPoE: Ns Ar iface Ns Xo
4587 .Op \&: Ns Ar provider Ns
4591 enabled systems), or be of the format
4593 .Ar host : port Op /tcp|udp .
4596 If it begins with an exclamation mark, the rest of the device name is
4597 treated as a program name, and that program is executed when the device
4599 Standard input, output and error are fed back to
4601 and are read and written as if they were a regular device.
4604 .No PPPoE: Ns Ar iface Ns Xo
4605 .Op \&: Ns Ar provider Ns
4607 specification is given,
4609 will attempt to create a
4611 over Ethernet connection using the given
4619 will attempt to load it using
4621 If this fails, an external program must be used such as the
4623 program available under
4627 is passed as the service name in the PPPoE Discovery Initiation (PADI)
4629 If no provider is given, an empty value will be used.
4631 When a PPPoE connection is established,
4633 will place the name of the Access Concentrator in the environment variable
4640 for further details.
4643 .Ar host Ns No : Ns Ar port Ns Oo
4646 specification is given,
4648 will attempt to connect to the given
4656 suffix is not provided, the default is
4658 Refer to the section on
4659 .Em PPP OVER TCP and UDP
4660 above for further details.
4666 will attempt to open each one in turn until it succeeds or runs out of
4668 .It set dial Ar chat-script
4669 This specifies the chat script that will be used to dial the other
4676 and to the example configuration files for details of the chat script
4678 It is possible to specify some special
4680 in your chat script as follows:
4683 When used as the last character in a
4685 string, this indicates that a newline should not be appended.
4687 When the chat script encounters this sequence, it delays two seconds.
4689 When the chat script encounters this sequence, it delays for one quarter of
4692 This is replaced with a newline character.
4694 This is replaced with a carriage return character.
4696 This is replaced with a space character.
4698 This is replaced with a tab character.
4700 This is replaced by the current phone number (see
4704 This is replaced by the current
4710 This is replaced by the current
4717 Note that two parsers will examine these escape sequences, so in order to
4720 see the escape character, it is necessary to escape it from the
4721 .Sq command parser .
4722 This means that in practice you should use two escapes, for example:
4723 .Bd -literal -offset indent
4724 set dial "... ATDT\\\\T CONNECT"
4727 It is also possible to execute external commands from the chat script.
4728 To do this, the first character of the expect or send string is an
4731 If a literal exclamation mark is required, double it up to
4733 and it will be treated as a single literal
4735 When the command is executed, standard input and standard output are
4736 directed to the open device (see the
4738 command), and standard error is read by
4740 and substituted as the expect or send string.
4743 is running in interactive mode, file descriptor 3 is attached to
4746 For example (wrapped for readability):
4747 .Bd -literal -offset indent
4748 set login "TIMEOUT 5 \\"\\" \\"\\" login:--login: ppp \e
4749 word: ppp \\"!sh \\\\-c \\\\\\"echo \\\\-n label: >&2\\\\\\"\\" \e
4750 \\"!/bin/echo in\\" HELLO"
4753 would result in the following chat sequence (output using the
4754 .Sq set log local chat
4755 command before dialing):
4756 .Bd -literal -offset indent
4761 Chat: Expecting: login:--login:
4762 Chat: Wait for (5): login:
4764 Chat: Expecting: word:
4765 Chat: Wait for (5): word:
4767 Chat: Expecting: !sh \\-c "echo \\-n label: >&2"
4768 Chat: Exec: sh -c "echo -n label: >&2"
4769 Chat: Wait for (5): !sh \\-c "echo \\-n label: >&2" --> label:
4770 Chat: Exec: /bin/echo in
4772 Chat: Expecting: HELLO
4773 Chat: Wait for (5): HELLO
4777 Note (again) the use of the escape character, allowing many levels of
4779 Here, there are four parsers at work.
4780 The first parses the original line, reading it as three arguments.
4781 The second parses the third argument, reading it as 11 arguments.
4782 At this point, it is
4785 signs are escaped, otherwise this parser will see them as constituting
4786 an expect-send-expect sequence.
4789 character is seen, the execution parser reads the first command as three
4792 itself expands the argument after the
4794 As we wish to send the output back to the modem, in the first example
4795 we redirect our output to file descriptor 2 (stderr) so that
4797 itself sends and logs it, and in the second example, we just output to stdout,
4798 which is attached directly to the modem.
4800 This, of course means that it is possible to execute an entirely external
4802 command rather than using the internal one.
4805 for a good alternative.
4807 The external command that is executed is subjected to the same special
4808 word expansions as the
4811 .It set enddisc Op label|IP|MAC|magic|psn value
4812 This command sets our local endpoint discriminator.
4813 If set prior to LCP negotiation, and if no
4815 command has been used,
4817 will send the information to the peer using the LCP endpoint discriminator
4819 The following discriminators may be set:
4820 .Bl -tag -width indent
4822 The current label is used.
4824 Our local IP number is used.
4825 As LCP is negotiated prior to IPCP, it is
4826 possible that the IPCP layer will subsequently change this value.
4828 it does, the endpoint discriminator stays at the old value unless manually
4831 This is similar to the
4833 option above, except that the MAC address associated with the local IP
4835 If the local IP number is not resident on any Ethernet
4836 interface, the command will fail.
4838 As the local IP number defaults to whatever the machine host name is,
4840 is usually done prior to any
4844 A 20 digit random number is used.
4845 Care should be taken when using magic numbers as restarting
4847 or creating a link using a different
4849 invocation will also use a different magic number and will therefore not
4850 be recognised by the peer as belonging to the same bundle.
4851 This makes it unsuitable for
4859 should be set to an absolute public switched network number with the
4863 If no arguments are given, the endpoint discriminator is reset.
4864 .It set escape Ar value...
4865 This option is similar to the
4868 It allows the user to specify a set of characters that will be
4870 as they travel across the link.
4871 .It set filter dial|alive|in|out Ar rule-no Xo
4872 .No permit|deny|clear| Ns Ar rule-no
4875 .Ar src_addr Ns Op / Ns Ar width
4876 .Op Ar dst_addr Ns Op / Ns Ar width
4878 .Op src lt|eq|gt Ar port
4879 .Op dst lt|eq|gt Ar port
4883 .Op timeout Ar secs ]
4886 supports four filter sets.
4889 filter specifies packets that keep the connection alive - resetting the
4893 filter specifies packets that cause
4900 filter specifies packets that are allowed to travel
4901 into the machine and the
4903 filter specifies packets that are allowed out of the machine.
4905 Filtering is done prior to any IP alterations that might be done by the
4906 NAT engine on outgoing packets and after any IP alterations that might
4907 be done by the NAT engine on incoming packets.
4908 By default all empty filter sets allow all packets to pass.
4909 Rules are processed in order according to
4911 (unless skipped by specifying a rule number as the
4913 Up to 40 rules may be given for each set.
4914 If a packet does not match
4915 any of the rules in a given set, it is discarded.
4920 filters, this means that the packet is dropped.
4923 filters it means that the packet will not reset the idle timer (even if
4925 .Ar in Ns No / Ns Ar out
4928 value) and in the case of
4930 filters it means that the packet will not trigger a dial.
4931 A packet failing to trigger a dial will be dropped rather than queued.
4934 .Sx PACKET FILTERING
4935 above for further details.
4936 .It set hangup Ar chat-script
4937 This specifies the chat script that will be used to reset the device
4938 before it is closed.
4939 It should not normally be necessary, but can
4940 be used for devices that fail to reset themselves properly on close.
4941 .It set help|? Op Ar command
4942 This command gives a summary of available set commands, or if
4944 is specified, the command usage is shown.
4945 .It set ifaddr Oo Ar myaddr Ns
4947 .Oo Ar hisaddr Ns Op / Ns Ar \&nn
4952 This command specifies the IP addresses that will be used during
4954 Addresses are specified using the format
4960 is the preferred IP, but
4962 specifies how many bits of the address we will insist on.
4965 is omitted, it defaults to
4967 unless the IP address is 0.0.0.0 in which case it defaults to
4970 If you wish to assign a dynamic IP number to the peer,
4972 may also be specified as a range of IP numbers in the format
4973 .Bd -ragged -offset indent
4974 .Ar \&IP Ns Oo \&- Ns Ar \&IP Ns Oc Ns Oo , Ns Ar \&IP Ns
4975 .Oo \&- Ns Ar \&IP Ns Oc Oc Ns ...
4980 .Dl set ifaddr 10.0.0.1 10.0.1.2-10.0.1.10,10.0.1.20
4984 as the local IP number, but may assign any of the given 10 IP
4985 numbers to the peer.
4986 If the peer requests one of these numbers,
4987 and that number is not already in use,
4989 will grant the peers request.
4990 This is useful if the peer wants
4991 to re-establish a link using the same IP number as was previously
4992 allocated (thus maintaining any existing tcp or udp connections).
4994 If the peer requests an IP number that is either outside
4995 of this range or is already in use,
4997 will suggest a random unused IP number from the range.
5001 is specified, it is used in place of
5003 in the initial IPCP negotiation.
5004 However, only an address in the
5006 range will be accepted.
5007 This is useful when negotiating with some
5009 implementations that will not assign an IP number unless their peer
5013 It should be noted that in
5017 will configure the interface immediately upon reading the
5019 line in the config file.
5020 In any other mode, these values are just
5021 used for IPCP negotiations, and the interface is not configured
5022 until the IPCP layer is up.
5026 argument may be overridden by the third field in the
5028 file once the client has authenticated itself
5032 .Sx AUTHENTICATING INCOMING CONNECTIONS
5033 section for details.
5035 In all cases, if the interface is already configured,
5037 will try to maintain the interface IP numbers so that any existing
5038 bound sockets will remain valid.
5039 .It set ifqueue Ar packets
5040 Set the maximum number of packets that
5042 will read from the tunnel interface while data cannot be sent to any of
5043 the available links.
5044 This queue limit is necessary to flow control outgoing data as the tunnel
5045 interface is likely to be far faster than the combined links available to
5050 is set to a value less than the number of links,
5052 will read up to that value regardless.
5053 This prevents any possible latency problems.
5055 The default value for
5059 .It set ccpretry|ccpretries Oo Ar timeout
5060 .Op Ar reqtries Op Ar trmtries
5062 .It set chapretry|chapretries Oo Ar timeout
5065 .It set ipcpretry|ipcpretries Oo Ar timeout
5066 .Op Ar reqtries Op Ar trmtries
5068 .It set ipv6cpretry|ipv6cpretries Oo Ar timeout
5069 .Op Ar reqtries Op Ar trmtries
5071 .It set lcpretry|lcpretries Oo Ar timeout
5072 .Op Ar reqtries Op Ar trmtries
5074 .It set papretry|papretries Oo Ar timeout
5077 These commands set the number of seconds that
5079 will wait before resending Finite State Machine (FSM) Request packets.
5082 for all FSMs is 3 seconds (which should suffice in most cases).
5086 is specified, it tells
5088 how many configuration request attempts it should make while receiving
5089 no reply from the peer before giving up.
5090 The default is 5 attempts for
5091 CCP, LCP and IPCP and 3 attempts for PAP and CHAP.
5095 is specified, it tells
5097 how many terminate requests should be sent before giving up waiting for the
5099 The default is 3 attempts.
5100 Authentication protocols are
5101 not terminated and it is therefore invalid to specify
5105 In order to avoid negotiations with the peer that will never converge,
5107 will only send at most 3 times the configured number of
5109 in any given negotiation session before giving up and closing that layer.
5115 This command allows the adjustment of the current log level.
5116 Refer to the Logging Facility section for further details.
5117 .It set login Ar chat-script
5120 compliments the dial-script.
5121 If both are specified, the login
5122 script will be executed after the dial script.
5123 Escape sequences available in the dial script are also available here.
5124 .It set logout Ar chat-script
5125 This specifies the chat script that will be used to logout
5126 before the hangup script is called.
5127 It should not normally be necessary.
5128 .It set lqrperiod|echoperiod Ar frequency
5129 This command sets the
5136 The default is 30 seconds.
5137 You must also use the
5141 commands if you wish to send
5145 requests to the peer.
5146 .It set mode Ar interactive|auto|ddial|background
5147 This command allows you to change the
5149 of the specified link.
5150 This is normally only useful in multi-link mode,
5151 but may also be used in uni-link mode.
5153 It is not possible to change a link that is
5158 Note: If you issue the command
5160 and have network address translation enabled, it may be useful to
5161 .Dq enable iface-alias
5165 to do the necessary address translations to enable the process that
5166 triggers the connection to connect once the link is up despite the
5167 peer assigning us a new (dynamic) IP address.
5168 .It set mppe Op 40|56|128|* Op stateless|stateful|*
5169 This option selects the encryption parameters used when negotiation
5171 MPPE can be disabled entirely with the
5174 If no arguments are given,
5176 will attempt to negotiate a stateful link with a 128 bit key, but
5177 will agree to whatever the peer requests (including no encryption
5180 If any arguments are given,
5184 on using MPPE and will close the link if it is rejected by the peer (Note;
5185 this behaviour can be overridden by a configured RADIUS server).
5187 The first argument specifies the number of bits that
5189 should insist on during negotiations and the second specifies whether
5191 should insist on stateful or stateless mode.
5192 In stateless mode, the
5193 encryption dictionary is re-initialised with every packet according to
5194 an encryption key that is changed with every packet.
5196 the encryption dictionary is re-initialised every 256 packets or after
5197 the loss of any data and the key is changed every 256 packets.
5198 Stateless mode is less efficient but is better for unreliable transport
5200 .It set mrru Op Ar value
5201 Setting this option enables Multi-link PPP negotiations, also known as
5202 Multi-link Protocol or MP.
5203 There is no default MRRU (Maximum Reconstructed Receive Unit) value.
5204 If no argument is given, multi-link mode is disabled.
5209 The default MRU (Maximum Receive Unit) is 1500.
5210 If it is increased, the other side *may* increase its MTU.
5211 In theory there is no point in decreasing the MRU to below the default as the
5213 protocol says implementations *must* be able to accept packets of at
5220 will refuse to negotiate a higher value.
5221 The maximum MRU can be set to 2048 at most.
5222 Setting a maximum of less than 1500 violates the
5224 rfc, but may sometimes be necessary.
5227 imposes a maximum of 1492 due to hardware limitations.
5229 If no argument is given, 1500 is assumed.
5230 A value must be given when
5237 The default MTU is 1500.
5238 At negotiation time,
5240 will accept whatever MRU the peer requests (assuming it is
5241 not less than 296 bytes or greater than the assigned maximum).
5244 will not accept MRU values less than
5246 When negotiations are complete, the MTU is used when writing to the
5247 interface, even if the peer requested a higher value MRU.
5248 This can be useful for
5249 limiting your packet size (giving better bandwidth sharing at the expense
5250 of more header data).
5256 will refuse to negotiate a higher value.
5257 The maximum MTU can be set to 2048 at most.
5258 Note, it is necessary to use the
5260 keyword to limit the MTU when using PPPoE.
5264 is given, 1500, or whatever the peer asks for is used.
5265 A value must be given when
5268 .It set nbns Op Ar x.x.x.x Op Ar y.y.y.y
5269 This option allows the setting of the Microsoft NetBIOS name server
5270 values to be returned at the peers request.
5271 If no values are given,
5273 will reject any such requests.
5274 .It set openmode active|passive Op Ar delay
5283 will always initiate LCP/IPCP/CCP negotiation one second after the line
5285 If you want to wait for the peer to initiate negotiations, you
5288 If you want to initiate negotiations immediately or after more than one
5289 second, the appropriate
5291 may be specified here in seconds.
5292 .It set parity odd|even|none|mark
5293 This allows the line parity to be set.
5294 The default value is
5296 .It set phone Ar telno Ns Xo
5297 .Oo \&| Ns Ar backupnumber Oc Ns ... Ns Oo : Ns Ar nextnumber Oc Ns ... Xc
5298 This allows the specification of the phone number to be used in
5299 place of the \\\\T string in the dial and login chat scripts.
5300 Multiple phone numbers may be given separated either by a pipe
5305 Numbers after the pipe are only dialed if the dial or login
5306 script for the previous number failed.
5308 Numbers after the colon are tried sequentially, irrespective of
5309 the reason the line was dropped.
5311 If multiple numbers are given,
5313 will dial them according to these rules until a connection is made, retrying
5314 the maximum number of times specified by
5319 mode, each number is attempted at most once.
5320 .It set pppoe Op standard|3Com
5321 This option configures the underlying
5323 node to either standard RFC2516 PPPoE or proprietary 3Com mode.
5324 If not set the system default will be used.
5325 .It set Oo proc Oc Ns Xo
5326 .No title Op Ar value
5328 The current process title as displayed by
5330 is changed according to
5334 is not specified, the original process title is restored.
5336 word replacements done by the shell commands (see the
5338 command above) are done here too.
5340 Note, if USER is required in the process title, the
5342 command must appear in
5344 as it is not known when the commands in
5347 .It set radius Op Ar config-file
5348 This command enables RADIUS support (if it is compiled in).
5350 refers to the radius client configuration file as described in
5352 If PAP, CHAP, MSCHAP or MSCHAPv2 are
5353 .Dq enable Ns No d ,
5356 .Em \&N Ns No etwork
5359 and uses the configured RADIUS server to authenticate rather than
5360 authenticating from the
5362 file or from the passwd database.
5364 If none of PAP, CHAP, MSCHAP or MSCHAPv2 are enabled,
5369 uses the following attributes from the RADIUS reply:
5370 .Bl -tag -width XXX -offset XXX
5371 .It RAD_FRAMED_IP_ADDRESS
5372 The peer IP address is set to the given value.
5373 .It RAD_FRAMED_IP_NETMASK
5374 The tun interface netmask is set to the given value.
5376 If the given MTU is less than the peers MRU as agreed during LCP
5377 negotiation, *and* it is less that any configured MTU (see the
5379 command), the tun interface MTU is set to the given value.
5380 .It RAD_FRAMED_COMPRESSION
5381 If the received compression type is
5384 will request VJ compression during IPCP negotiations despite any
5386 configuration command.
5388 If this attribute is supplied,
5390 will attempt to use it as an additional label to load from the
5395 The load will be attempted before (and in addition to) the normal
5397 If the label does not exist, no action is taken and
5399 proceeds to the normal load using the current label.
5400 .It RAD_FRAMED_ROUTE
5401 The received string is expected to be in the format
5402 .Ar dest Ns Op / Ns Ar bits
5405 Any specified metrics are ignored.
5409 are understood as valid values for
5416 to specify the default route, and
5418 is understood to be the same as
5427 For example, a returned value of
5428 .Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400
5429 would result in a routing table entry to the 1.2.3.0/24 network via
5431 and a returned value of
5435 would result in a default route to
5438 All RADIUS routes are applied after any sticky routes are applied, making
5439 RADIUS routes override configured routes.
5440 This also applies for RADIUS routes that do not {include} the
5445 .It RAD_FRAMED_IPV6_PREFIX
5446 If this attribute is supplied, the value is substituted for IPV6PREFIX
5448 You may pass it to an upper layer protocol such as DHCPv6 for delegating an
5449 IPv6 prefix to a peer.
5450 .It RAD_FRAMED_IPV6_ROUTE
5451 The received string is expected to be in the format
5452 .Ar dest Ns Op / Ns Ar bits
5455 Any specified metrics are ignored.
5459 are understood as valid values for
5466 to specify the default route, and
5468 is understood to be the same as
5477 For example, a returned value of
5478 .Dq 3ffe:505:abcd::/48 ::
5479 would result in a routing table entry to the 3ffe:505:abcd::/48 network via
5481 and a returned value of
5484 .Dq default HISADDR6
5485 would result in a default route to
5488 All RADIUS IPv6 routes are applied after any sticky routes are
5489 applied, making RADIUS IPv6 routes override configured routes.
5491 also applies for RADIUS IPv6 routes that do not {include} the
5496 .It RAD_SESSION_TIMEOUT
5497 If supplied, the client connection is closed after the given number of
5499 .It RAD_REPLY_MESSAGE
5500 If supplied, this message is passed back to the peer as the authentication
5502 .It RAD_MICROSOFT_MS_CHAP_ERROR
5504 .Dv RAD_VENDOR_MICROSOFT
5505 vendor specific attribute is supplied, it is passed back to the peer as the
5506 authentication FAILURE text.
5507 .It RAD_MICROSOFT_MS_CHAP2_SUCCESS
5509 .Dv RAD_VENDOR_MICROSOFT
5510 vendor specific attribute is supplied and if MS-CHAPv2 authentication is
5511 being used, it is passed back to the peer as the authentication SUCCESS text.
5512 .It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY
5514 .Dv RAD_VENDOR_MICROSOFT
5515 vendor specific attribute is supplied and has a value of 2 (Required),
5517 will insist that MPPE encryption is used (even if no
5519 configuration command has been given with arguments).
5520 If it is supplied with a value of 1 (Allowed), encryption is made optional
5523 configuration commands with arguments).
5524 .It RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES
5526 .Dv RAD_VENDOR_MICROSOFT
5527 vendor specific attribute is supplied, bits 1 and 2 are examined.
5528 If either or both are set, 40 bit and/or 128 bit (respectively) encryption
5529 options are set, overriding any given first argument to the
5532 Note, it is not currently possible for the RADIUS server to specify 56 bit
5534 .It RAD_MICROSOFT_MS_MPPE_RECV_KEY
5536 .Dv RAD_VENDOR_MICROSOFT
5537 vendor specific attribute is supplied, it is value is used as the master
5538 key for decryption of incoming data.
5539 When clients are authenticated using
5540 MSCHAPv2, the RADIUS server MUST provide this attribute if inbound MPPE is
5542 .It RAD_MICROSOFT_MS_MPPE_SEND_KEY
5544 .Dv RAD_VENDOR_MICROSOFT
5545 vendor specific attribute is supplied, it is value is used as the master
5546 key for encryption of outgoing data.
5547 When clients are authenticated using
5548 MSCHAPv2, the RADIUS server MUST provide this attribute if outbound MPPE is
5552 Values received from the RADIUS server may be viewed using
5554 .It set rad_alive Ar timeout
5555 When RADIUS is configured, setting
5561 to sent RADIUS accounting information to the RADIUS server every
5564 .It set rad_port_id Ar option
5565 When RADIUS is configured, setting the
5567 value specifies what should be sent to the RADIUS server as
5574 PID of the corresponding tunnel.
5579 index of the interface as returned by
5580 .Xr if_nametoindex 3 .
5582 keeps the default behavior.
5584 .It set reconnect Ar timeout ntries
5585 Should the line drop unexpectedly (due to loss of CD or LQR
5586 failure), a connection will be re-established after the given
5588 The line will be re-connected at most
5597 will result in a variable pause, somewhere between 1 and 30 seconds.
5598 .It set recvpipe Op Ar value
5599 This sets the routing table RECVPIPE value.
5600 The optimum value is just over twice the MTU value.
5603 is unspecified or zero, the default kernel controlled value is used.
5604 .It set redial Ar secs Ns Xo
5606 .Oo - Ns Ar max Ns Oc Oc Ns
5611 can be instructed to attempt to redial
5614 If more than one phone number is specified (see
5618 is taken before dialing each number.
5621 is taken before starting at the first number again.
5624 may be used here in place of
5628 causing a random delay of between 1 and 30 seconds.
5632 is specified, its value is added onto
5638 will only be incremented at most
5646 delay will be effective, even after
5648 has been exceeded, so an immediate manual dial may appear to have
5650 If an immediate dial is required, a
5652 should immediately follow the
5657 description above for further details.
5658 .It set sendpipe Op Ar value
5659 This sets the routing table SENDPIPE value.
5660 The optimum value is just over twice the MTU value.
5663 is unspecified or zero, the default kernel controlled value is used.
5664 .It "set server|socket" Ar TcpPort Ns No \&| Ns Xo
5665 .Ar LocalName Ns No |none|open|closed
5666 .Op password Op Ar mask
5670 to listen on the given socket or
5672 for incoming command connections.
5678 to close any existing socket and clear the socket configuration.
5683 to attempt to re-open the port.
5688 to close the open port.
5690 If you wish to specify a local domain socket,
5692 must be specified as an absolute file name, otherwise it is assumed
5693 to be the name or number of a TCP port.
5694 You may specify the octal umask to be used with a local domain socket.
5700 for details of how to translate TCP port names.
5702 You must also specify the password that must be entered by the client
5705 variable above) when connecting to this socket.
5707 specified as an empty string, no password is required for connecting clients.
5709 When specifying a local domain socket, the first
5711 sequence found in the socket name will be replaced with the current
5712 interface unit number.
5713 This is useful when you wish to use the same
5714 profile for more than one connection.
5716 In a similar manner TCP sockets may be prefixed with the
5718 character, in which case the current interface unit number is added to
5723 with a server socket, the
5725 command is the preferred mechanism of communications.
5728 can also be used, but link encryption may be implemented in the future, so
5736 interact with the diagnostic socket.
5737 .It set speed Ar value
5738 This sets the speed of the serial device.
5739 If speed is specified as
5742 treats the device as a synchronous device.
5744 Certain device types will know whether they should be specified as
5745 synchronous or asynchronous.
5746 These devices will override incorrect
5747 settings and log a warning to this effect.
5748 .It set stopped Op Ar LCPseconds Op Ar CCPseconds
5749 If this option is set,
5751 will time out after the given FSM (Finite State Machine) has been in
5752 the stopped state for the given number of
5754 This option may be useful if the peer sends a terminate request,
5755 but never actually closes the connection despite our sending a terminate
5757 This is also useful if you wish to
5758 .Dq set openmode passive
5759 and time out if the peer does not send a Configure Request within the
5762 .Dq set log +lcp +ccp
5765 log the appropriate state transitions.
5767 The default value is zero, where
5769 does not time out in the stopped state.
5771 This value should not be set to less than the openmode delay (see
5774 .It set timeout Ar idleseconds Op Ar mintimeout
5775 This command allows the setting of the idle timer.
5776 Refer to the section titled
5777 .Sx SETTING THE IDLE TIMER
5778 for further details.
5784 will never idle out before the link has been up for at least that number
5792 This command controls the ports that
5794 prioritizes when transmitting data.
5795 The default priority TCP ports
5796 are ports 21 (ftp control), 22 (ssh), 23 (telnet), 513 (login), 514 (shell),
5797 543 (klogin) and 544 (kshell).
5798 There are no priority UDP ports by default.
5813 are given, the priority port lists are cleared (although if
5817 is specified, only that list is cleared).
5820 argument is prefixed with a plus
5824 the current list is adjusted, otherwise the list is reassigned.
5826 prefixed with a plus or not prefixed at all are added to the list and
5828 prefixed with a minus are removed from the list.
5832 is specified, all priority port lists are disabled and even
5834 packets are not prioritised.
5835 .It set urgent length Ar length
5836 This command tells ppp to prioritize small packets up to
5841 is not specified, or 0, this feature is disabled.
5842 .It set vj slotcomp on|off
5845 whether it should attempt to negotiate VJ slot compression.
5846 By default, slot compression is turned
5848 .It set vj slots Ar nslots
5849 This command sets the initial number of slots that
5851 will try to negotiate with the peer when VJ compression is enabled (see the
5854 It defaults to a value of 16.
5862 .It shell|! Op Ar command
5865 is not specified a shell is invoked according to the
5867 environment variable.
5868 Otherwise, the given
5871 Word replacement is done in the same way as for the
5873 command as described above.
5875 Use of the !\& character
5876 requires a following space as with any of the other commands.
5877 You should note that this command is executed in the foreground;
5879 will not continue running until this process has exited.
5882 command if you wish processing to happen in the background.
5884 This command allows the user to examine the following:
5887 Show the current bundle settings.
5889 Show the current CCP compression statistics.
5891 Show the current VJ compression statistics.
5893 Show the current escape characters.
5894 .It show filter Op Ar name
5895 List the current rules for the given filter.
5898 is not specified, all filters are shown.
5900 Show the current HDLC statistics.
5902 Give a summary of available show commands.
5904 Show the current interface information
5908 Show the current IPCP statistics.
5910 Show the protocol layers currently in use.
5912 Show the current LCP statistics.
5913 .It show Oo data Oc Ns Xo
5916 Show high level link information.
5918 Show a list of available logical links.
5920 Show the current log values.
5922 Show current memory statistics.
5924 Show the current NCP statistics.
5926 Show low level link information.
5928 Show Multi-link information.
5930 Show current protocol totals.
5932 Show the current routing tables.
5934 Show the current stopped timeouts.
5936 Show the active alarm timers.
5938 Show the current version number of
5942 Go into terminal mode.
5943 Characters typed at the keyboard are sent to the device.
5944 Characters read from the device are displayed on the screen.
5949 automatically enables Packet Mode and goes back into command mode.
5954 Read the example configuration files.
5955 They are a good source of information.
5964 to get online information about what is available.
5966 The following URLs contain useful information:
5967 .Bl -bullet -compact
5969 https://www.FreeBSD.org/doc/en_US.ISO8859-1/books/faq/ppp.html
5971 https://www.FreeBSD.org/doc/handbook/userppp.html
5976 refers to four files:
5982 These files are placed in the
5986 .It Pa /etc/ppp/ppp.conf
5987 System default configuration file.
5988 .It Pa /etc/ppp/ppp.secret
5989 An authorisation file for each system.
5990 .It Pa /etc/ppp/ppp.linkup
5991 A file to check when
5993 establishes a network level connection.
5994 .It Pa /etc/ppp/ppp.linkdown
5995 A file to check when
5997 closes a network level connection.
5998 .It Pa /var/log/ppp.log
5999 Logging and debugging information file.
6000 Note, this name is specified in
6001 .Pa /etc/syslog.conf .
6004 for further details.
6005 .It Pa /var/spool/lock/LCK..*
6006 tty port locking file.
6009 for further details.
6010 .It Pa /var/run/tunN.pid
6011 The process id (pid) of the
6013 program connected to the tunN device, where
6015 is the number of the device.
6016 .It Pa /var/run/ttyXX.if
6017 The tun interface used by this port.
6018 Again, this file is only created in
6024 .It Pa /etc/services
6025 Get port number if port number is using service name.
6026 .It Pa /var/run/ppp-authname-class-value
6027 In multi-link mode, local domain sockets are created using the peer
6030 the peer endpoint discriminator class
6032 and the peer endpoint discriminator value
6034 As the endpoint discriminator value may be a binary value, it is turned
6035 to HEX to determine the actual file name.
6037 This socket is used to pass links between different instances of
6079 This program was originally written by
6080 .An Toshiharu OHNO Aq Mt tony-o@iij.ad.jp ,
6081 and was submitted to
6084 .An Atsushi Murai Aq Mt amurai@spec.co.jp .
6086 It was substantially modified during 1997 by
6087 .An Brian Somers Aq Mt brian@Awfulhak.org ,
6090 in November that year
6091 (just after the 2.2 release).
6093 Most of the code was rewritten by
6095 in early 1998 when multi-link ppp support was added.