8 .Nd Point to Point Protocol (a.k.a. user-ppp)
18 This is a user process
20 software package. Normally,
22 is implemented as a part of the kernel (e.g. as managed by
24 and it's thus somewhat hard to debug and/or modify its behaviour.
25 However, in this implementation
27 is done as a user process with the help of the
28 tunnel device driver (tun).
34 flag for backwards compatability) does the equivalent of a
38 network address translation features. This allows
40 to act as a NAT or masquerading engine for all machines on an internal
49 to be silent at startup rather than displaying the mode and interface
56 to only attempt to open
57 .Pa /dev/tun Ns Ar N .
60 will start with a value of 0 for
62 and keep trying to open a tunnel device by incrementing the value of
64 by one each time until it succeeds. If it fails three times in a row
65 because the device file is missing, it gives up.
71 .Bl -tag -width XXX -offset XXX
74 opens the tun interface, configures it then goes into the background.
75 The link isn't brought up until outgoing data is detected on the tun
76 interface at which point
78 attempts to bring up the link. Packets received (including the first one)
81 is trying to bring the link up will remain queued for a default of
90 must be given on the command line (see below) and a
92 must be done in the system profile that specifies a peer IP address to
93 use when configuring the interface. Something like
95 is usually appropriate. See the
98 .Pa /usr/share/examples/ppp/ppp.conf.sample
103 attempts to establish a connection with the peer immediately. If it
106 goes into the background and the parent process returns an exit code
109 exits with a non-zero result.
113 attempts to establish a connection with the peer immediately, but never
114 becomes a daemon. The link is created in background mode. This is useful
115 if you wish to control
117 invocation from another process.
119 This is used for receiving incoming connections.
123 line and uses descriptor 0 as the link.
125 If callback is configured,
129 information when dialing back.
131 This option is designed for machines connected with a dedicated
134 will always keep the device open and will never use any configured
137 This mode is equivalent to
141 will bring the link back up any time it's dropped for any reason.
143 This is a no-op, and gives the same behaviour as if none of the above
144 modes have been specified.
146 loads any sections specified on the command line then provides an
150 One or more configuration entries or systems
151 .Pq as specified in Pa /etc/ppp/ppp.conf
152 may also be specified on the command line.
157 .Pa /etc/ppp/ppp.conf
158 at startup, followed by each of the systems specified on the command line.
161 .It Provides an interactive user interface.
162 Using its command mode, the user can
163 easily enter commands to establish the connection with the remote end, check
164 the status of connection and close the connection. All functions can
165 also be optionally password protected for security.
166 .It Supports both manual and automatic dialing.
167 Interactive mode has a
169 command which enables you to talk to the device directly. When you
170 are connected to the remote peer and it starts to talk
173 detects it and switches to packet mode automatically. Once you have
174 determined the proper sequence for connecting with the remote host, you
175 can write a chat script to define the necessary dialing and login
176 procedure for later convenience.
177 .It Supports on-demand dialup capability.
182 will act as a daemon and wait for a packet to be sent over the
184 link. When this happens, the daemon automatically dials and establishes the
186 In almost the same manner
188 mode (direct-dial mode) also automatically dials and establishes the
189 connection. However, it differs in that it will dial the remote site
190 any time it detects the link is down, even if there are no packets to be
191 sent. This mode is useful for full-time connections where we worry less
192 about line charges and more about being connected full time.
195 mode is also available. This mode is targeted at a dedicated link
196 between two machines.
198 will never voluntarily quit from dedicated mode - you must send it the
200 command via its diagnostic socket. A
202 will force an LCP renegotiation, and a
204 will force it to exit.
205 .It Supports client callback.
207 can use either the standard LCP callback protocol or the Microsoft
208 CallBack Control Protocol (ftp://ftp.microsoft.com/developr/rfc/cbcp.txt).
209 .It Supports NAT or packet aliasing.
210 Packet aliasing (a.k.a. IP masquerading) allows computers on a
211 private, unregistered network to access the Internet. The
213 host acts as a masquerading gateway. IP addresses as well as TCP and
214 UDP port numbers are aliased for outgoing packets and de-aliased for
216 .It Supports background PPP connections.
217 In background mode, if
219 successfully establishes the connection, it will become a daemon.
220 Otherwise, it will exit with an error. This allows the setup of
221 scripts that wish to execute certain commands only if the connection
222 is successfully established.
223 .It Supports server-side PPP connections.
226 acts as server which accepts incoming
228 connections on stdin/stdout.
229 .It Supports PAP and CHAP (rfc 1994) authentication.
230 With PAP or CHAP, it is possible to skip the Unix style
232 procedure, and use the
234 protocol for authentication instead. If the peer requests Microsoft
235 CHAP authentication and
237 is compiled with DES support, an appropriate MD4/DES response will be
239 .It Supports RADIUS (rfc 2138) authentication.
240 An extension to PAP and CHAP,
247 allows authentication information to be stored in a central or
248 distributed database along with various per-user framed connection
251 is available at compile time,
255 requests when configured to do so.
256 .It Supports Proxy Arp.
258 can be configured to make one or more proxy arp entries on behalf of
259 the peer. This allows routing from the peer to the LAN without
260 configuring each machine on that LAN.
261 .It Supports packet filtering.
262 User can define four kinds of filters: the
264 filter for incoming packets, the
266 filter for outgoing packets, the
268 filter to define a dialing trigger packet and the
270 filter for keeping a connection alive with the trigger packet.
271 .It Tunnel driver supports bpf.
274 to check the packet flow over the
277 .It Supports PPP over TCP and PPP over UDP.
278 If a device name is specified as
279 .Em host Ns No : Ns Em port Ns
284 will open a TCP or UDP connection for transporting data rather than using a
285 conventional serial device. UDP connections force
287 into synchronous mode.
288 .It Supports PPP over ISDN.
291 is given a raw B-channel i4b device to open as a link, it's able to talk
294 daemon to establish an ISDN connection.
295 .It Supports PPP over Ethernet (rfc 2516).
298 is given a device specification of the format
299 .No PPPoE: Ns Ar iface Ns Xo
300 .Op \&: Ns Ar provider Ns
313 .It "Supports IETF draft Predictor-1 (rfc 1978) and DEFLATE (rfc 1979) compression."
315 supports not only VJ-compression but also Predictor-1 and DEFLATE compression.
316 Normally, a modem has built-in compression (e.g. v42.bis) and the system
317 may receive higher data rates from it as a result of such compression.
318 While this is generally a good thing in most other situations, this
319 higher speed data imposes a penalty on the system by increasing the
320 number of serial interrupts the system has to process in talking to the
321 modem and also increases latency. Unlike VJ-compression, Predictor-1 and
322 DEFLATE compression pre-compresses
324 network traffic flowing through the link, thus reducing overheads to a
326 .It Supports Microsoft's IPCP extensions (rfc 1877).
327 Name Server Addresses and NetBIOS Name Server Addresses can be negotiated
328 with clients using the Microsoft
330 stack (i.e., Win95, WinNT)
331 .It Supports Multi-link PPP (rfc 1990)
332 It is possible to configure
334 to open more than one physical connection to the peer, combining the
335 bandwidth of all links for better throughput.
347 will not run if the invoking user id is not zero. This may be overridden
351 .Pa /etc/ppp/ppp.conf .
352 When running as a normal user,
354 switches to user id 0 in order to alter the system routing table, set up
355 system lock files and read the ppp configuration files. All
356 external commands (executed via the "shell" or "!bg" commands) are executed
357 as the user id that invoked
361 logging facility if you're interested in what exactly is done as user id
366 you may need to deal with some initial configuration details.
369 Your kernel must include a tunnel device (the GENERIC kernel includes
370 one by default). If it doesn't, or if you require more than one tun
371 interface, you'll need to rebuild your kernel with the following line in
372 your kernel configuration file:
374 .Dl pseudo-device tun N
378 is the maximum number of
380 connections you wish to support.
384 directory for the tunnel device entries
388 represents the number of the tun device, starting at zero.
389 If they don't exist, you can create them by running "sh ./MAKEDEV tunN".
390 This will create tun devices 0 through
393 Make sure that your system has a group named
397 file and that the group contains the names of all users expected to use
401 manual page for details. Each of these users must also be given access
405 .Pa /etc/ppp/ppp.conf .
411 to log information. A common log file name is
412 .Pa /var/log/ppp.log .
413 To make output go to this file, put the following lines in the
416 .Bd -literal -offset indent
418 *.*<TAB>/var/log/ppp.log
421 It is possible to have more than one
423 log file by creating a link to the
431 .Bd -literal -offset indent
433 *.*<TAB>/var/log/ppp0.log
437 .Pa /etc/syslog.conf .
438 Don't forget to send a
443 .Pa /etc/syslog.conf .
445 Although not strictly relevant to
447 operation, you should configure your resolver so that it works correctly.
448 This can be done by configuring a local DNS
450 or by adding the correct
453 .Pa /etc/resolv.conf .
456 manual page for details.
458 Alternatively, if the peer supports it,
460 can be configured to ask the peer for the nameserver address(es) and to
463 automatically. Refer to the
467 commands below for details.
470 In the following examples, we assume that your machine name is
476 above) with no arguments, you are presented with a prompt:
477 .Bd -literal -offset indent
483 part of your prompt should always be in upper case. If it is in lower
484 case, it means that you must supply a password using the
486 command. This only ever happens if you connect to a running version of
488 and have not authenticated yourself using the correct password.
490 You can start by specifying the device name and speed:
491 .Bd -literal -offset indent
492 ppp ON awfulhak> set device /dev/cuaa0
493 ppp ON awfulhak> set speed 38400
496 Normally, hardware flow control (CTS/RTS) is used. However, under
497 certain circumstances (as may happen when you are connected directly
498 to certain PPP-capable terminal servers), this may result in
500 hanging as soon as it tries to write data to your communications link
501 as it is waiting for the CTS (clear to send) signal - which will never
502 come. Thus, if you have a direct line and can't seem to make a
503 connection, try turning CTS/RTS off with
505 If you need to do this, check the
507 description below too - you'll probably need to
508 .Dq set accmap 000a0000 .
510 Usually, parity is set to
514 default. Parity is a rather archaic error checking mechanism that is no
515 longer used because modern modems do their own error checking, and most
516 link-layer protocols (that's what
518 is) use much more reliable checking mechanisms. Parity has a relatively
519 huge overhead (a 12.5% increase in traffic) and as a result, it is always
524 is opened. However, some ISPs (Internet Service Providers) may use
525 specific parity settings at connection time (before
527 is opened). Notably, Compuserve insist
528 on even parity when logging in:
529 .Bd -literal -offset indent
530 ppp ON awfulhak> set parity even
533 You can now see what your current device settings look like:
534 .Bd -literal -offset indent
535 ppp ON awfulhak> show physical
539 Link Type: interactive
545 Device List: /dev/cuaa0
546 Characteristics: 38400bps, cs8, even parity, CTS/RTS on
549 0 octets in, 0 octets out
554 The term command can now be used to talk directly to the device:
555 .Bd -literal -offset indent
556 ppp ON awfulhak> term
562 Password: myisppassword
566 When the peer starts to talk in
569 detects this automatically and returns to command mode.
570 .Bd -literal -offset indent
571 ppp ON awfulhak> # No link has been established
572 Ppp ON awfulhak> # We've connected & finished LCP
573 PPp ON awfulhak> # We've authenticated
574 PPP ON awfulhak> # We've agreed IP numbers
577 If it does not, it's probable that the peer is waiting for your end to
578 start negotiating. To force
582 configuration packets to the peer, use the
584 command to drop out of terminal mode and enter packet mode.
586 If you never even receive a login prompt, it is quite likely that the
587 peer wants to use PAP or CHAP authentication instead of using Unix-style
588 login/password authentication. To set things up properly, drop back to
589 the prompt and set your authentication name and key, then reconnect:
590 .Bd -literal -offset indent
592 ppp ON awfulhak> set authname myispusername
593 ppp ON awfulhak> set authkey myisppassword
594 ppp ON awfulhak> term
601 You may need to tell ppp to initiate negotiations with the peer here too:
602 .Bd -literal -offset indent
604 ppp ON awfulhak> # No link has been established
605 Ppp ON awfulhak> # We've connected & finished LCP
606 PPp ON awfulhak> # We've authenticated
607 PPP ON awfulhak> # We've agreed IP numbers
610 You are now connected! Note that
612 in the prompt has changed to capital letters to indicate that you have
613 a peer connection. If only some of the three Ps go uppercase, wait until
614 either everything is uppercase or lowercase. If they revert to lowercase,
617 couldn't successfully negotiate with the peer. A good first step
618 for troubleshooting at this point would be to
619 .Bd -literal -offset indent
620 ppp ON awfulhak> set log local phase lcp ipcp
623 and try again. Refer to the
625 command description below for further details. If things fail at this point,
626 it is quite important that you turn logging on and try again. It is also
627 important that you note any prompt changes and report them to anyone trying
630 When the link is established, the show command can be used to see how
632 .Bd -literal -offset indent
633 PPP ON awfulhak> show physical
634 * Modem related information is shown here *
635 PPP ON awfulhak> show ccp
636 * CCP (compression) related information is shown here *
637 PPP ON awfulhak> show lcp
638 * LCP (line control) related information is shown here *
639 PPP ON awfulhak> show ipcp
640 * IPCP (IP) related information is shown here *
641 PPP ON awfulhak> show link
642 * Link (high level) related information is shown here *
643 PPP ON awfulhak> show bundle
644 * Logical (high level) connection related information is shown here *
647 At this point, your machine has a host route to the peer. This means
648 that you can only make a connection with the host on the other side
649 of the link. If you want to add a default route entry (telling your
650 machine to send all packets without another routing entry to the other
653 link), enter the following command:
654 .Bd -literal -offset indent
655 PPP ON awfulhak> add default HISADDR
660 represents the IP address of the connected peer.
663 command fails due to an existing route, you can overwrite the existing
665 .Bd -literal -offset indent
666 PPP ON awfulhak> add! default HISADDR
669 This command can also be executed before actually making the connection.
670 If a new IP address is negotiated at connection time,
672 will update your default route accordingly.
674 You can now use your network applications (ping, telnet, ftp etc.)
675 in other windows or terminals on your machine. If you wish to reuse
676 the current terminal, you can put
678 into the background using your standard shell suspend and background
686 section for details on all available commands.
687 .Sh AUTOMATIC DIALING
688 To use automatic dialing, you must prepare some Dial and Login chat scripts.
689 See the example definitions in
690 .Pa /usr/share/examples/ppp/ppp.conf.sample
692 .Pa /etc/ppp/ppp.conf
694 Each line contains one comment, inclusion, label or command:
697 A line starting with a
699 character is treated as a comment line. Leading whitespace are ignored
700 when identifying comment lines.
702 An inclusion is a line beginning with the word
704 It must have one argument - the file to include. You may wish to
705 .Dq !include ~/.ppp.conf
706 for compatibility with older versions of
709 A label name starts in the first column and is followed by
713 A command line must contain a space or tab in the first column.
717 .Pa /etc/ppp/ppp.conf
718 file should consist of at least a
720 section. This section is always executed. It should also contain
721 one or more sections, named according to their purpose, for example,
723 would represent your ISP, and
725 would represent an incoming
728 You can now specify the destination label name when you invoke
730 Commands associated with the
732 label are executed, followed by those associated with the destination
735 is started with no arguments, the
737 section is still executed. The load command can be used to manually
738 load a section from the
739 .Pa /etc/ppp/ppp.conf
741 .Bd -literal -offset indent
742 ppp ON awfulhak> load MyISP
745 Note, no action is taken by
747 after a section is loaded, whether it's the result of passing a label on
748 the command line or using the
750 command. Only the commands specified for that label in the configuration
751 file are executed. However, when invoking
758 switches, the link mode tells
760 to establish a connection. Refer to the
762 command below for further details.
764 Once the connection is made, the
766 portion of the prompt will change to
768 .Bd -literal -offset indent
771 ppp ON awfulhak> dial
777 The Ppp prompt indicates that
779 has entered the authentication phase. The PPp prompt indicates that
781 has entered the network phase. The PPP prompt indicates that
783 has successfully negotiated a network layer protocol and is in
787 .Pa /etc/ppp/ppp.linkup
788 file is available, its contents are executed
791 connection is established. See the provided
794 .Pa /usr/share/examples/ppp/ppp.conf.sample
795 which runs a script in the background after the connection is established
800 commands below for a description of possible substitution strings). Similarly,
801 when a connection is closed, the contents of the
802 .Pa /etc/ppp/ppp.linkdown
803 file are executed. Both of these files have the same format as
804 .Pa /etc/ppp/ppp.conf .
806 In previous versions of
808 it was necessary to re-add routes such as the default route in the
814 where all routes that contain the
818 literals will automatically be updated when the values of
823 .Sh BACKGROUND DIALING
824 If you want to establish a connection using
826 non-interactively (such as from a
830 job) you should use the
837 attempts to establish the connection immediately. If multiple phone
838 numbers are specified, each phone number will be tried once. If the
841 exits immediately with a non-zero exit code.
844 becomes a daemon, and returns an exit status of zero to its caller.
845 The daemon exits automatically if the connection is dropped by the
846 remote system, or it receives a
850 Demand dialing is enabled with the
854 options. You must also specify the destination label in
855 .Pa /etc/ppp/ppp.conf
856 to use. It must contain the
858 command to define the remote peers IP address.
860 .Pa /usr/share/examples/ppp/ppp.conf.sample )
861 .Bd -literal -offset indent
871 runs as a daemon but you can still configure or examine its
872 configuration by using the
875 .Pa /etc/ppp/ppp.conf ,
876 .Pq for example, Dq set server +3000 mypasswd
877 and connecting to the diagnostic port as follows:
878 .Bd -literal -offset indent
879 # pppctl 3000 (assuming tun0)
881 PPP ON awfulhak> show who
882 tcp (127.0.0.1:1028) *
887 command lists users that are currently connected to
889 itself. If the diagnostic socket is closed or changed to a different
890 socket, all connections are immediately dropped.
894 mode, when an outgoing packet is detected,
896 will perform the dialing action (chat script) and try to connect
899 mode, the dialing action is performed any time the line is found
901 If the connect fails, the default behaviour is to wait 30 seconds
902 and then attempt to connect when another outgoing packet is detected.
903 This behaviour can be changed using the
907 .No set redial Ar secs Ns Xo
914 .Bl -tag -width attempts -compact
916 is the number of seconds to wait before attempting
918 If the argument is the literal string
920 the delay period is a random value between 1 and 30 seconds inclusive.
922 is the number of seconds that
924 should be incremented each time a new dial attempt is made. The timeout
927 only after a successful connection is established. The default value for
931 is the maximum number of times
935 The default value for
939 is the number of seconds to wait before attempting
940 to dial the next number in a list of numbers (see the
942 command). The default is 3 seconds. Again, if the argument is the literal
945 the delay period is a random value between 1 and 30 seconds.
947 is the maximum number of times to try to connect for each outgoing packet
948 that triggers a dial. The previous value is unchanged if this parameter
949 is omitted. If a value of zero is specified for
952 will keep trying until a connection is made.
956 .Bd -literal -offset indent
960 will attempt to connect 4 times for each outgoing packet that causes
961 a dial attempt with a 3 second delay between each number and a 10 second
962 delay after all numbers have been tried. If multiple phone numbers
963 are specified, the total number of attempts is still 4 (it does not
964 attempt each number 4 times).
968 .Bd -literal -offset indent
969 set redial 10+10-5.3 20
974 to attempt to connect 20 times. After the first attempt,
976 pauses for 10 seconds. After the next attempt it pauses for 20 seconds
977 and so on until after the sixth attempt it pauses for 1 minute. The next
978 14 pauses will also have a duration of one minute. If
980 connects, disconnects and fails to connect again, the timeout starts again
983 Modifying the dial delay is very useful when running
987 mode on both ends of the link.
988 If each end has the same timeout,
989 both ends wind up calling each other at the same time if the link
990 drops and both ends have packets queued.
991 At some locations, the serial link may not be reliable, and carrier
992 may be lost at inappropriate times. It is possible to have
994 redial should carrier be unexpectedly lost during a session.
995 .Bd -literal -offset indent
996 set reconnect timeout ntries
1001 to re-establish the connection
1003 times on loss of carrier with a pause of
1005 seconds before each try. For example,
1006 .Bd -literal -offset indent
1012 that on an unexpected loss of carrier, it should wait
1014 seconds before attempting to reconnect. This may happen up to
1018 gives up. The default value of ntries is zero (no reconnect). Care
1019 should be taken with this option. If the local timeout is slightly
1020 longer than the remote timeout, the reconnect feature will always be
1021 triggered (up to the given number of times) after the remote side
1022 times out and hangs up.
1023 NOTE: In this context, losing too many LQRs constitutes a loss of
1024 carrier and will trigger a reconnect.
1027 flag is specified, all phone numbers are dialed at most once until
1028 a connection is made. The next number redial period specified with
1031 command is honoured, as is the reconnect tries value. If your redial
1032 value is less than the number of phone numbers specified, not all
1033 the specified numbers will be tried.
1034 To terminate the program, type
1035 .Bd -literal -offset indent
1036 PPP ON awfulhak> close
1037 ppp ON awfulhak> quit all
1042 command will terminate the
1046 connection but not the
1054 .Sh RECEIVING INCOMING PPP CONNECTIONS (Method 1)
1055 To handle an incoming
1057 connection request, follow these steps:
1060 Make sure the modem and (optionally)
1062 is configured correctly.
1063 .Bl -bullet -compact
1065 Use Hardware Handshake (CTS/RTS) for flow control.
1067 Modem should be set to NO echo back (ATE0) and NO results string (ATQ1).
1075 on the port where the modem is attached.
1078 .Dl ttyd1 "/usr/libexec/getty std.38400" dialup on secure
1080 Don't forget to send a
1084 process to start the
1090 .Pa /usr/local/bin/ppplogin
1091 file with the following contents:
1092 .Bd -literal -offset indent
1094 exec /usr/sbin/ppp -direct incoming
1101 work with stdin and stdout. You can also use
1103 to connect to a configured diagnostic port, in the same manner as with
1109 section must be set up in
1110 .Pa /etc/ppp/ppp.conf .
1114 section contains the
1116 command as appropriate.
1118 Prepare an account for the incoming user.
1120 ppp:xxxx:66:66:PPP Login User:/home/ppp:/usr/local/bin/ppplogin
1123 Refer to the manual entries for
1129 Support for IPCP Domain Name Server and NetBIOS Name Server negotiation
1130 can be enabled using the
1134 commands. Refer to their descriptions below.
1137 .Sh RECEIVING INCOMING PPP CONNECTIONS (Method 2)
1138 This method differs in that we use
1140 to authenticate the connection rather than
1144 Configure your default section in
1146 with automatic ppp recognition by specifying the
1151 :pp=/usr/local/bin/ppplogin:\\
1155 Configure your serial device(s), enable a
1158 .Pa /usr/local/bin/ppplogin
1159 as in the first three steps for method 1 above.
1167 .Pa /etc/ppp/ppp.conf
1170 label (or whatever label
1175 .Pa /etc/ppp/ppp.secret
1176 for each incoming user:
1185 detects a ppp connection (by recognising the HDLC frame headers), it runs
1186 .Dq /usr/local/bin/ppplogin .
1190 that either PAP or CHAP are enabled as above. If they are not, you are
1191 allowing anybody to establish ppp session with your machine
1193 a password, opening yourself up to all sorts of potential attacks.
1194 .Sh AUTHENTICATING INCOMING CONNECTIONS
1195 Normally, the receiver of a connection requires that the peer
1196 authenticates itself. This may be done using
1198 but alternatively, you can use PAP or CHAP. CHAP is the more secure
1199 of the two, but some clients may not support it. Once you decide which
1200 you wish to use, add the command
1204 to the relevant section of
1207 You must then configure the
1208 .Pa /etc/ppp/ppp.secret
1209 file. This file contains one line per possible client, each line
1210 containing up to five fields:
1213 .Ar hisaddr Op Ar label Op Ar callback-number
1220 specify the client username and password. If
1224 and PAP is being used,
1226 will look up the password database
1228 when authenticating. If the client does not offer a suitable
1229 response based on any
1230 .Ar name Ns No / Ns Ar key
1233 authentication fails.
1235 If authentication is successful,
1238 is used when negotiating IP numbers. See the
1240 command for details.
1242 If authentication is successful and
1244 is specified, the current system label is changed to match the given
1246 This will change the subsequent parsing of the
1252 If authentication is successful and
1258 the client will be called back on the given number. If CBCP is being used,
1260 may also contain a list of numbers or a
1264 command. The value will be used in
1266 subsequent CBCP phase.
1267 .Sh PPP OVER TCP and UDP (a.k.a Tunnelling)
1270 over a serial link, it is possible to
1271 use a TCP connection instead by specifying the host, port and protocol as the
1274 .Dl set device ui-gate:6669/tcp
1276 Instead of opening a serial device,
1278 will open a TCP connection to the given machine on the given
1279 socket. It should be noted however that
1281 doesn't use the telnet protocol and will be unable to negotiate
1282 with a telnet server. You should set up a port for receiving this
1284 connection on the receiving machine (ui-gate). This is
1285 done by first updating
1287 to name the service:
1289 .Dl ppp-in 6669/tcp # Incoming PPP connections over TCP
1295 how to deal with incoming connections on that port:
1297 .Dl ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in
1299 Don't forget to send a
1303 after you've updated
1304 .Pa /etc/inetd.conf .
1305 Here, we use a label named
1308 .Pa /etc/ppp/ppp.conf
1309 on ui-gate (the receiver) should contain the following:
1310 .Bd -literal -offset indent
1313 set ifaddr 10.0.4.1 10.0.4.2
1314 add 10.0.1.0/24 10.0.4.2
1317 You may also want to enable PAP or CHAP for security. To enable PAP, add
1319 .Bd -literal -offset indent
1323 You'll also need to create the following entry in
1324 .Pa /etc/ppp/ppp.secret :
1325 .Bd -literal -offset indent
1326 MyAuthName MyAuthPasswd
1333 the password is looked up in the
1338 .Pa /etc/ppp/ppp.conf
1339 on awfulhak (the initiator) should contain the following:
1340 .Bd -literal -offset indent
1343 set device ui-gate:ppp-in/tcp
1346 set log Phase Chat Connect hdlc LCP IPCP CCP tun
1347 set ifaddr 10.0.4.2 10.0.4.1
1348 add 10.0.2.0/24 10.0.4.1
1351 Again, if you're enabling PAP, you'll also need:
1352 .Bd -literal -offset indent
1353 set authname MyAuthName
1354 set authkey MyAuthKey
1357 We're assigning the address of 10.0.4.1 to ui-gate, and the address
1358 10.0.4.2 to awfulhak.
1359 To open the connection, just type
1361 .Dl awfulhak # ppp -background ui-gate
1363 The result will be an additional "route" on awfulhak to the
1364 10.0.2.0/24 network via the TCP connection, and an additional
1365 "route" on ui-gate to the 10.0.1.0/24 network.
1366 The networks are effectively bridged - the underlying TCP
1367 connection may be across a public network (such as the
1370 traffic is conceptually encapsulated
1371 (although not packet by packet) inside the TCP stream between
1374 The major disadvantage of this mechanism is that there are two
1375 "guaranteed delivery" mechanisms in place - the underlying TCP
1376 stream and whatever protocol is used over the
1378 link - probably TCP again. If packets are lost, both levels will
1379 get in each others way trying to negotiate sending of the missing
1382 To avoid this overhead, it is also possible to do all this using
1383 UDP instead of TCP as the transport by simply changing the protocol
1384 from "tcp" to "udp". When using UDP as a transport,
1386 will operate in synchronous mode. This is another gain as the incoming
1387 data does not have to be rearranged into packets.
1389 .Sh NETWORK ADDRESS TRANSLATION (PACKET ALIASING)
1393 command line option enables network address translation (a.k.a. packet
1394 aliasing). This allows the
1396 host to act as a masquerading gateway for other computers over
1397 a local area network. Outgoing IP packets are aliased so that
1398 they appear to come from the
1400 host, and incoming packets are de-aliased so that they are routed
1401 to the correct machine on the local area network.
1402 Packet aliasing allows computers on private, unregistered
1403 subnets to have Internet access, although they are invisible
1404 from the outside world.
1407 operation should first be verified with network address translation disabled.
1410 option should be switched on, and network applications (web browser,
1415 should be checked on the
1417 host. Finally, the same or similar applications should be checked on other
1418 computers in the LAN.
1419 If network applications work correctly on the
1421 host, but not on other machines in the LAN, then the masquerading
1422 software is working properly, but the host is either not forwarding
1423 or possibly receiving IP packets. Check that IP forwarding is enabled in
1425 and that other machines have designated the
1427 host as the gateway for the LAN.
1428 .Sh PACKET FILTERING
1429 This implementation supports packet filtering.
1430 There are four kinds of
1439 filter. Here are the basics:
1442 A filter definition has the following syntax:
1451 .Ar src_addr Ns Op / Ns Ar width
1452 .Op Ar dst_addr Ns Op / Ns Ar width
1454 .Oo Ar proto Op src Ar cmp port
1471 is a numeric value between
1475 specifying the rule number. Rules are specified in numeric order according to
1486 in which case, if a given packet matches the rule, the associated action
1487 is taken immediately.
1489 can also be specified as
1491 to clear the action associated with that particular rule, or as a new
1492 rule number greater than the current rule. In this case, if a given
1493 packet matches the current rule, the packet will next be matched against
1494 the new rule number (rather than the next rule number).
1498 may optionally be followed with an exclamation mark
1502 to reverse the sense of the following match.
1504 .Op Ar src_addr Ns Op / Ns Ar width
1506 .Op Ar dst_addr Ns Op / Ns Ar width
1507 are the source and destination IP number specifications. If
1509 is specified, it gives the number of relevant netmask bits,
1510 allowing the specification of an address range.
1516 may be given the values
1520 (refer to the description of the
1522 command for a description of these values). When these values are used,
1523 the filters will be updated any time the values change. This is similar
1524 to the behaviour of the
1543 meaning less-than, equal and greater-than respectively.
1545 can be specified as a numeric port or by service name from
1553 flags are only allowed when
1557 and represent the TH_ACK, TH_SYN and TH_FIN or TH_RST TCP flags respectively.
1561 Each filter can hold up to 40 rules, starting from rule 0.
1562 The entire rule set is not effective until rule 0 is defined,
1563 i.e., the default is to allow everything through.
1565 If no rule is matched to a packet, that packet will be discarded
1569 .Dq set filter Ar name No -1
1574 .Pa /usr/share/examples/ppp/ppp.conf.sample .
1575 .Sh SETTING THE IDLE TIMER
1576 To check/set the idle timer, use the
1581 .Bd -literal -offset indent
1582 ppp ON awfulhak> set timeout 600
1585 The timeout period is measured in seconds, the default value for which
1588 To disable the idle timer function, use the command
1589 .Bd -literal -offset indent
1590 ppp ON awfulhak> set timeout 0
1597 modes, the idle timeout is ignored. In
1599 mode, when the idle timeout causes the
1604 program itself remains running. Another trigger packet will cause it to
1605 attempt to re-establish the link.
1606 .Sh PREDICTOR-1 and DEFLATE COMPRESSION
1608 supports both Predictor type 1 and deflate compression.
1611 will attempt to use (or be willing to accept) both compression protocols
1612 when the peer agrees
1613 .Pq or requests them .
1614 The deflate protocol is preferred by
1620 commands if you wish to disable this functionality.
1622 It is possible to use a different compression algorithm in each direction
1623 by using only one of
1627 .Pq assuming that the peer supports both algorithms .
1629 By default, when negotiating DEFLATE,
1631 will use a window size of 15. Refer to the
1633 command if you wish to change this behaviour.
1635 A special algorithm called DEFLATE24 is also available, and is disabled
1636 and denied by default. This is exactly the same as DEFLATE except that
1637 it uses CCP ID 24 to negotiate. This allows
1639 to successfully negotiate DEFLATE with
1642 .Sh CONTROLLING IP ADDRESS
1644 uses IPCP to negotiate IP addresses.
1645 Each side of the connection
1646 specifies the IP address that it's willing to use, and if the requested
1647 IP address is acceptable then
1649 returns ACK to the requester. Otherwise,
1651 returns NAK to suggest that the peer use a different IP address.
1653 both sides of the connection agree to accept the received request (and
1654 send ACK), IPCP is set to the open state and a network level connection
1656 To control this IPCP behaviour, this implementation has the
1658 command for defining the local and remote IP address:
1659 .Bd -literal -offset indent
1660 .No set ifaddr Oo Ar src_addr Ns
1662 .Oo Ar dst_addr Ns Op / Ns Ar \&nn
1672 is the IP address that the local side is willing to use,
1674 is the IP address which the remote side should use and
1676 is the netmask that should be used.
1678 defaults to the current
1681 defaults to 0.0.0.0, and
1683 defaults to whatever mask is appropriate for
1685 It is only possible to make
1687 smaller than the default. The usual value is 255.255.255.255, as
1688 most kernels ignore the netmask of a POINTOPOINT interface.
1692 implementations require that the peer negotiates a specific IP
1695 If this is the case,
1697 may be used to specify this IP number. This will not affect the
1698 routing table unless the other side agrees with this proposed number.
1699 .Bd -literal -offset indent
1700 set ifaddr 192.244.177.38 192.244.177.2 255.255.255.255 0.0.0.0
1703 The above specification means:
1705 .Bl -bullet -compact
1707 I will first suggest that my IP address should be 0.0.0.0, but I
1708 will only accept an address of 192.244.177.38.
1710 I strongly insist that the peer uses 192.244.177.2 as his own
1711 address and won't permit the use of any IP address but 192.244.177.2.
1712 When the peer requests another IP address, I will always suggest that
1713 it uses 192.244.177.2.
1715 The routing table entry will have a netmask of 0xffffffff.
1718 This is all fine when each side has a pre-determined IP address, however
1719 it is often the case that one side is acting as a server which controls
1720 all IP addresses and the other side should go along with it. In order
1721 to allow more flexible behaviour, the
1723 command allows the user to specify IP addresses more loosely:
1725 .Dl set ifaddr 192.244.177.38/24 192.244.177.2/20
1727 A number followed by a slash
1729 represents the number of bits significant in the IP address. The above
1732 .Bl -bullet -compact
1734 I'd like to use 192.244.177.38 as my address if it is possible, but I'll
1735 also accept any IP address between 192.244.177.0 and 192.244.177.255.
1737 I'd like to make him use 192.244.177.2 as his own address, but I'll also
1738 permit him to use any IP address between 192.244.176.0 and
1741 As you may have already noticed, 192.244.177.2 is equivalent to saying
1744 As an exception, 0 is equivalent to 0.0.0.0/0, meaning that I have no
1745 preferred IP address and will obey the remote peers selection. When
1746 using zero, no routing table entries will be made until a connection
1749 192.244.177.2/0 means that I'll accept/permit any IP address but I'll
1750 try to insist that 192.244.177.2 be used first.
1753 .Sh CONNECTING WITH YOUR INTERNET SERVICE PROVIDER
1754 The following steps should be taken when connecting to your ISP:
1757 Describe your providers phone number(s) in the dial script using the
1759 command. This command allows you to set multiple phone numbers for
1760 dialing and redialing separated by either a pipe
1764 .Bd -literal -offset indent
1765 .No set phone Ar telno Ns Xo
1766 .Oo \&| Ns Ar backupnumber
1767 .Oc Ns ... Ns Oo : Ns Ar nextnumber
1772 Numbers after the first in a pipe-separated list are only used if the
1773 previous number was used in a failed dial or login script. Numbers
1774 separated by a colon are used sequentially, irrespective of what happened
1775 as a result of using the previous number. For example:
1776 .Bd -literal -offset indent
1777 set phone "1234567|2345678:3456789|4567890"
1780 Here, the 1234567 number is attempted. If the dial or login script fails,
1781 the 2345678 number is used next time, but *only* if the dial or login script
1782 fails. On the dial after this, the 3456789 number is used. The 4567890
1783 number is only used if the dial or login script using the 3456789 fails. If
1784 the login script of the 2345678 number fails, the next number is still the
1785 3456789 number. As many pipes and colons can be used as are necessary
1786 (although a given site would usually prefer to use either the pipe or the
1787 colon, but not both). The next number redial timeout is used between all
1788 numbers. When the end of the list is reached, the normal redial period is
1789 used before starting at the beginning again.
1790 The selected phone number is substituted for the \\\\T string in the
1792 command (see below).
1794 Set up your redial requirements using
1796 For example, if you have a bad telephone line or your provider is
1797 usually engaged (not so common these days), you may want to specify
1799 .Bd -literal -offset indent
1803 This says that up to 4 phone calls should be attempted with a pause of 10
1804 seconds before dialing the first number again.
1806 Describe your login procedure using the
1812 command is used to talk to your modem and establish a link with your
1814 .Bd -literal -offset indent
1815 set dial "ABORT BUSY ABORT NO\\\\sCARRIER TIMEOUT 4 \\"\\" \e
1816 ATZ OK-ATZ-OK ATDT\\\\T TIMEOUT 60 CONNECT"
1819 This modem "chat" string means:
1822 Abort if the string "BUSY" or "NO CARRIER" are received.
1824 Set the timeout to 4 seconds.
1830 Expect OK. If that's not received within the 4 second timeout, send ATZ
1833 Send ATDTxxxxxxx where xxxxxxx is the next number in the phone list from
1836 Set the timeout to 60.
1838 Wait for the CONNECT string.
1841 Once the connection is established, the login script is executed. This
1842 script is written in the same style as the dial script, but care should
1843 be taken to avoid having your password logged:
1844 .Bd -literal -offset indent
1845 set authkey MySecret
1846 set login "TIMEOUT 15 login:-\\\\r-login: awfulhak \e
1847 word: \\\\P ocol: PPP HELLO"
1850 This login "chat" string means:
1853 Set the timeout to 15 seconds.
1855 Expect "login:". If it's not received, send a carriage return and expect
1860 Expect "word:" (the tail end of a "Password:" prompt).
1862 Send whatever our current
1866 Expect "ocol:" (the tail end of a "Protocol:" prompt).
1875 command is logged specially. When
1879 logging is enabled, the actual password is not logged;
1883 Login scripts vary greatly between ISPs. If you're setting one up
1885 .Em ENABLE CHAT LOGGING
1886 so that you can see if your script is behaving as you expect.
1892 to specify your serial line and speed, for example:
1893 .Bd -literal -offset indent
1894 set device /dev/cuaa0
1898 Cuaa0 is the first serial port on FreeBSD. If you're running
1900 on OpenBSD, cua00 is the first. A speed of 115200 should be specified
1901 if you have a modem capable of bit rates of 28800 or more. In general,
1902 the serial speed should be about four times the modem speed.
1906 command to define the IP address.
1909 If you know what IP address your provider uses, then use it as the remote
1910 address (dst_addr), otherwise choose something like 10.0.0.2/0 (see below).
1912 If your provider has assigned a particular IP address to you, then use
1913 it as your address (src_addr).
1915 If your provider assigns your address dynamically, choose a suitably
1916 unobtrusive and unspecific IP number as your address. 10.0.0.1/0 would
1917 be appropriate. The bit after the / specifies how many bits of the
1918 address you consider to be important, so if you wanted to insist on
1919 something in the class C network 1.2.3.0, you could specify 1.2.3.1/24.
1921 If you find that your ISP accepts the first IP number that you suggest,
1922 specify third and forth arguments of
1924 This will force your ISP to assign a number. (The third argument will
1925 be ignored as it is less restrictive than the default mask for your
1929 An example for a connection where you don't know your IP number or your
1930 ISPs IP number would be:
1931 .Bd -literal -offset indent
1932 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
1936 In most cases, your ISP will also be your default router. If this is
1937 the case, add the line
1938 .Bd -literal -offset indent
1943 .Pa /etc/ppp/ppp.conf .
1947 to add a default route to whatever the peer address is
1948 .Pq 10.0.0.2 in this example .
1951 meaning that should the value of
1953 change, the route will be updated accordingly.
1955 Previous versions of
1957 required a similar entry in the
1958 .Pa /etc/ppp/ppp.linkup
1959 file. Since the advent of
1961 this is no longer required.
1963 If your provider requests that you use PAP/CHAP authentication methods, add
1964 the next lines to your
1965 .Pa /etc/ppp/ppp.conf
1967 .Bd -literal -offset indent
1969 set authkey MyPassword
1972 Both are accepted by default, so
1974 will provide whatever your ISP requires.
1976 It should be noted that a login script is rarely (if ever) required
1977 when PAP or CHAP are in use.
1979 Ask your ISP to authenticate your nameserver address(es) with the line
1980 .Bd -literal -offset indent
1986 do this if you are running a local DNS unless you also either use
1991 .Pa /etc/ppp/ppp.linkdown ,
1994 will simply circumvent its use by entering some nameserver lines in
1995 .Pa /etc/resolv.conf .
1999 .Pa /usr/share/examples/ppp/ppp.conf.sample
2001 .Pa /usr/share/examples/ppp/ppp.linkup.sample
2002 for some real examples. The pmdemand label should be appropriate for most
2004 .Sh LOGGING FACILITY
2006 is able to generate the following log info either via
2008 or directly to the screen:
2010 .Bl -tag -width XXXXXXXXX -offset XXX -compact
2012 Dump async level packet in hex.
2014 Generate CBCP (CallBack Control Protocol) logs.
2016 Generate a CCP packet trace.
2024 chat script trace logs.
2026 Log commands executed either from the command line or any of the configuration
2029 Log Chat lines containing the string "CONNECT".
2031 Log debug information.
2033 Log DNS QUERY packets.
2035 Dump HDLC packet in hex.
2037 Log all function calls specifically made as user id 0.
2039 Generate an IPCP packet trace.
2041 Generate an LCP packet trace.
2043 Generate LQR reports.
2045 Phase transition log output.
2047 Dump physical level packet in hex.
2049 Dump sync level packet in hex.
2051 Dump all TCP/IP packets.
2053 Log timer manipulation.
2055 Include the tun device on each log line.
2057 Output to the terminal device. If there is currently no terminal,
2058 output is sent to the log file using syslogs
2061 Output to both the terminal device
2062 and the log file using syslogs
2065 Output to the log file using
2071 command allows you to set the logging output level. Multiple levels
2072 can be specified on a single command line. The default is equivalent to
2075 It is also possible to log directly to the screen. The syntax is
2076 the same except that the word
2078 should immediately follow
2082 (i.e., only the un-maskable warning, error and alert output).
2084 If The first argument to
2085 .Dq set log Op local
2090 character, the current log levels are
2091 not cleared, for example:
2092 .Bd -literal -offset indent
2093 PPP ON awfulhak> set log phase
2094 PPP ON awfulhak> show log
2095 Log: Phase Warning Error Alert
2096 Local: Warning Error Alert
2097 PPP ON awfulhak> set log +tcp/ip -warning
2098 PPP ON awfulhak> set log local +command
2099 PPP ON awfulhak> show log
2100 Log: Phase TCP/IP Warning Error Alert
2101 Local: Command Warning Error Alert
2104 Log messages of level Warning, Error and Alert are not controllable
2106 .Dq set log Op local .
2110 level is special in that it will not be logged if it can be displayed
2114 deals with the following signals:
2117 Receipt of this signal causes the termination of the current connection
2118 (if any). This will cause
2120 to exit unless it is in
2125 .It HUP, TERM & QUIT
2132 to close any existing server socket, dropping all existing diagnostic
2137 If you wish to use more than one physical link to connect to a
2139 peer, that peer must also understand the
2141 protocol. Refer to RFC 1990 for specification details.
2143 The peer is identified using a combination of his
2144 .Dq endpoint discriminator
2146 .Dq authentication id .
2147 Either or both of these may be specified. It is recommended that
2148 at least one is specified, otherwise there is no way of ensuring that
2149 all links are actually connected to the same peer program, and some
2150 confusing lock-ups may result. Locally, these identification variables
2151 are specified using the
2158 must be agreed in advance with the peer.
2160 Multi-link capabilities are enabled using the
2162 command (set maximum reconstructed receive unit). Once multi-link
2165 will attempt to negotiate a multi-link connection with the peer.
2167 By default, only one
2170 .Pq called Sq deflink .
2171 To create more links, the
2173 command is used. This command will clone existing links, where all
2174 characteristics are the same except:
2177 The new link has its own name as specified on the
2183 link. It's mode may subsequently be changed using the
2187 The new link is in a
2192 A summary of all available links can be seen using the
2196 Once a new link has been created, command usage varies. All link
2197 specific commands must be prefixed with the
2199 command, specifying on which link the command is to be applied. When
2200 only a single link is available,
2202 is smart enough not to require the
2206 Some commands can still be used without specifying a link - resulting
2207 in an operation at the
2209 level. For example, once two or more links are available, the command
2211 will show CCP configuration and statistics at the multi-link level, and
2212 .Dq link deflink show ccp
2213 will show the same information at the
2217 Armed with this information, the following configuration might be used:
2219 .Bd -literal -offset indent
2223 set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2
2224 set phone "123456789"
2225 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\"\\" ATZ \e
2226 OK-AT-OK \\\\dATDT\\\\T TIMEOUT 45 CONNECT"
2228 set ifaddr 10.0.0.1/0 10.0.0.2/0
2230 set authkey ppppassword
2237 Note how all cloning is done at the end of the configuration. Usually,
2238 the link will be configured first, then cloned. If you wish all links
2239 to be up all the time, you can add the following line to the end of your
2242 .Bd -literal -offset indent
2243 link 1,2,3 set mode ddial
2246 If you want the links to dial on demand, this command could be used:
2248 .Bd -literal -offset indent
2249 link * set mode auto
2252 Links may be tied to specific names by removing the
2254 line above, and specifying the following after the
2258 .Bd -literal -offset indent
2259 link 1 set device /dev/cuaa0
2260 link 2 set device /dev/cuaa1
2261 link 3 set device /dev/cuaa2
2266 command to see which commands require context (using the
2268 command), which have optional
2269 context and which should not have any context.
2275 mode with the peer, it creates a local domain socket in the
2277 directory. This socket is used to pass link information (including
2278 the actual link file descriptor) between different
2280 invocations. This facilitates
2282 ability to be run from a
2288 capability), without needing to have initial control of the serial
2291 negotiates multi-link mode, it will pass its open link to any
2292 already running process. If there is no already running process,
2294 will act as the master, creating the socket and listening for new
2296 .Sh PPP COMMAND LIST
2297 This section lists the available commands and their effect. They are
2298 usable either from an interactive
2300 session, from a configuration file or from a
2306 .It accept|deny|enable|disable Ar option....
2307 These directives tell
2309 how to negotiate the initial connection with the peer. Each
2311 has a default of either accept or deny and enable or disable.
2313 means that the option will be ACK'd if the peer asks for it.
2315 means that the option will be NAK'd if the peer asks for it.
2317 means that the option will be requested by us.
2319 means that the option will not be requested by us.
2322 may be one of the following:
2325 Default: Enabled and Accepted. ACFComp stands for Address and Control
2326 Field Compression. Non LCP packets will usually have an address
2327 field of 0xff (the All-Stations address) and a control field of
2328 0x03 (the Unnumbered Information command). If this option is
2329 negotiated, these two bytes are simply not sent, thus minimising
2336 Default: Disabled and Accepted. CHAP stands for Challenge Handshake
2337 Authentication Protocol. Only one of CHAP and PAP (below) may be
2338 negotiated. With CHAP, the authenticator sends a "challenge" message
2339 to its peer. The peer uses a one-way hash function to encrypt the
2340 challenge and sends the result back. The authenticator does the same,
2341 and compares the results. The advantage of this mechanism is that no
2342 passwords are sent across the connection.
2343 A challenge is made when the connection is first made. Subsequent
2344 challenges may occur. If you want to have your peer authenticate
2348 .Pa /etc/ppp/ppp.conf ,
2349 and have an entry in
2350 .Pa /etc/ppp/ppp.secret
2353 When using CHAP as the client, you need only specify
2358 .Pa /etc/ppp/ppp.conf .
2359 CHAP is accepted by default.
2362 implementations use "MS-CHAP" rather than MD5 when encrypting the
2363 challenge. MS-CHAP is a combination of MD4 and DES. If
2365 was built on a machine with DES libraries available, it will respond
2366 to MS-CHAP authentication requests, but will never request them.
2368 Default: Enabled and Accepted. This option decides if deflate
2369 compression will be used by the Compression Control Protocol (CCP).
2370 This is the same algorithm as used by the
2373 Note: There is a problem negotiating
2379 implementation available under many operating systems.
2381 (version 2.3.1) incorrectly attempts to negotiate
2383 compression using type
2385 as the CCP configuration type rather than type
2391 is actually specified as
2392 .Dq PPP Magna-link Variable Resource Compression
2396 is capable of negotiating with
2403 .Ar accept Ns No ed .
2405 Default: Disabled and Denied. This is a variance of the
2407 option, allowing negotiation with the
2409 program. Refer to the
2411 section above for details. It is disabled by default as it violates
2414 Default: Disabled and Denied. This option allows DNS negotiation.
2419 will request that the peer confirms the entries in
2420 .Pa /etc/resolv.conf .
2421 If the peer NAKs our request (suggesting new IP numbers),
2422 .Pa /etc/resolv.conf
2423 is updated and another request is sent to confirm the new entries.
2426 .Dq accept Ns No ed,
2428 will answer any DNS queries requested by the peer rather than rejecting
2429 them. The answer is taken from
2430 .Pa /etc/resolv.conf
2433 command is used as an override.
2435 Default: Enabled and Accepted. This option allows control over whether we
2436 negotiate an endpoint discriminator. We only send our discriminator if
2440 is enabled. We reject the peers discriminator if
2444 Default: Disabled and Accepted. The use of this authentication protocol
2445 is discouraged as it partially violates the authentication protocol by
2446 implementing two different mechanisms (LANMan & NT) under the guise of
2447 a single CHAP type (0x80).
2449 uses a simple DES encryption mechanism and is the least secure of the
2450 CHAP alternatives (although is still more secure than PAP).
2454 description below for more details.
2456 Default: Disabled and Accepted. This option decides if Link Quality
2457 Requests will be sent or accepted. LQR is a protocol that allows
2459 to determine that the link is down without relying on the modems
2460 carrier detect. When LQR is enabled,
2466 below) as part of the LCP request. If the peer agrees, both sides will
2467 exchange LQR packets at the agreed frequency, allowing detailed link
2468 quality monitoring by enabling LQM logging. If the peer doesn't agree,
2469 ppp will send ECHO LQR requests instead. These packets pass no
2470 information of interest, but they
2472 be replied to by the peer.
2474 Whether using LQR or ECHO LQR,
2476 will abruptly drop the connection if 5 unacknowledged packets have been
2477 sent rather than sending a 6th. A message is logged at the
2479 level, and any appropriate
2481 values are honoured as if the peer were responsible for dropping the
2484 Default: Disabled and Accepted. The use of this authentication protocol
2485 is discouraged as it partially violates the authentication protocol by
2486 implementing two different mechanisms (LANMan & NT) under the guise of
2487 a single CHAP type (0x80). It is very similar to standard CHAP (type 0x05)
2488 except that it issues challenges of a fixed 8 bytes in length and uses a
2489 combination of MD4 and DES to encrypt the challenge rather than using the
2490 standard MD5 mechanism. CHAP type 0x80 for LANMan is also supported - see
2498 use CHAP type 0x80, when acting as authenticator with both
2499 .Dq enable Ns No d ,
2501 will rechallenge the peer up to three times if it responds using the wrong
2502 one of the two protocols. This gives the peer a chance to attempt using
2507 acts as the authenticatee with both protocols
2508 .Dq accept Ns No ed ,
2509 the protocols are used alternately in response to challenges.
2511 Note: If only LANMan is enabled,
2513 (version 2.3.5) misbehaves when acting as authenticatee. It provides both
2514 the NT and the LANMan answers, but also suggests that only the NT answer
2517 Default: Disabled and Accepted. PAP stands for Password Authentication
2518 Protocol. Only one of PAP and CHAP (above) may be negotiated. With
2519 PAP, the ID and Password are sent repeatedly to the peer until
2520 authentication is acknowledged or the connection is terminated. This
2521 is a rather poor security mechanism. It is only performed when the
2522 connection is first established.
2523 If you want to have your peer authenticate itself, you must
2526 .Pa /etc/ppp/ppp.conf ,
2527 and have an entry in
2528 .Pa /etc/ppp/ppp.secret
2529 for the peer (although see the
2535 When using PAP as the client, you need only specify
2540 .Pa /etc/ppp/ppp.conf .
2541 PAP is accepted by default.
2543 Default: Enabled and Accepted. This option decides if Predictor 1
2544 compression will be used by the Compression Control Protocol (CCP).
2546 Default: Enabled and Accepted. This option is used to negotiate
2547 PFC (Protocol Field Compression), a mechanism where the protocol
2548 field number is reduced to one octet rather than two.
2550 Default: Enabled and Accepted. This option determines if
2552 will request and accept requests for short
2554 sequence numbers when negotiating multi-link mode. This is only
2555 applicable if our MRRU is set (thus enabling multi-link).
2557 Default: Enabled and Accepted. This option determines if Van Jacobson
2558 header compression will be used.
2561 The following options are not actually negotiated with the peer.
2562 Therefore, accepting or denying them makes no sense.
2565 Default: Enabled. When
2567 exchanges low-level LCP, CCP and IPCP configuration traffic, the
2569 field of any replies is expected to be the same as that of the request.
2572 drops any reply packets that do not contain the expected identifier
2573 field, reporting the fact at the respective log level. If
2577 will ignore the identifier field.
2579 Default: Disabled. When
2581 runs as a Multi-link server, a different
2583 instance initially receives each connection. After determining that
2584 the link belongs to an already existing bundle (controlled by another
2588 will transfer the link to that process.
2590 If the link is a tty device or if this option is enabled,
2592 will not exit, but will change its process name to
2594 and wait for the controlling
2596 to finish with the link and deliver a signal back to the idle process.
2597 This prevents the confusion that results from
2599 parent considering the link resource available again.
2601 For tty devices that have entries in
2603 this is necessary to prevent another
2605 from being started, and for program links such as
2609 from exiting due to the death of its child. As
2611 cannot determine its parents requirements (except for the tty case), this
2612 option must be enabled manually depending on the circumstances.
2614 Default: Enabled. When
2618 will automatically loop back packets being sent
2619 out with a destination address equal to that of the
2621 interface. If disabled,
2623 will send the packet, probably resulting in an ICMP redirect from
2624 the other end. It is convenient to have this option enabled when
2625 the interface is also the default route as it avoids the necessity
2626 of a loopback route.
2628 Default: Disabled. Enabling this option will tell the PAP authentication
2629 code to use the password database (see
2631 to authenticate the caller if they cannot be found in the
2632 .Pa /etc/ppp/ppp.secret
2634 .Pa /etc/ppp/ppp.secret
2635 is always checked first. If you wish to use passwords from
2637 but also to specify an IP number or label for a given client, use
2639 as the client password in
2640 .Pa /etc/ppp/ppp.secret .
2642 Default: Disabled. Enabling this option will tell
2644 to proxy ARP for the peer. This means that
2646 will make an entry in the ARP table using
2650 address of the local network in which
2652 appears. The proxy entry cannot be made unless
2654 is an address from a LAN.
2656 Default: Disabled. Enabling this will tell
2658 to add proxy arp entries for every IP address in all class C or
2659 smaller subnets routed via the tun interface.
2661 Proxy arp entries are only made for sticky routes that are added
2664 command. No proxy arp entries are made for the interface address itself
2669 Default: Enabled. When the
2671 command is used with the
2675 values, entries are stored in the
2681 change, this list is re-applied to the routing table.
2683 Disabling this option will prevent the re-application of sticky routes,
2686 list will still be maintained.
2688 Default: Enabled. This option tells
2690 to gather throughput statistics. Input and output is sampled over
2691 a rolling 5 second window, and current, best and total figures are
2692 retained. This data is output when the relevant
2694 layer shuts down, and is also available using the
2696 command. Throughput statistics are available at the
2702 Default: Enabled. Normally, when a user is authenticated using PAP or
2707 mode, an entry is made in the utmp and wtmp files for that user. Disabling
2708 this option will tell
2710 not to make any utmp or wtmp entries. This is usually only necessary if
2711 you require the user to both login and authenticate themselves.
2715 is specified. This option simply tells
2717 to add new interface addresses to the interface rather than replacing them.
2718 The option can only be enabled if network address translation is enabled
2719 .Pq Dq nat enable yes .
2721 With this option enabled,
2723 will pass traffic for old interface addresses through the NAT engine
2724 .Pq see Xr libalias 3 ,
2725 resulting in the ability (in
2727 mode) to properly connect the process that caused the PPP link to
2728 come up in the first place.
2738 .Ar dest Ns Op / Ns Ar nn
2743 is the destination IP address. The netmask is specified either as a
2746 or as an IP number using
2751 with no mask refers to the default route. It is also possible to use the
2757 is the next hop gateway to get to the given
2759 machine/network. Refer to the
2761 command for further details.
2763 It is possible to use the symbolic names
2767 as the destination, and
2772 is replaced with the interface address and
2774 is replaced with the interface destination (peer) address.
2779 .Pq note the trailing Dq \&! ,
2780 then if the route already exists, it will be updated as with the
2784 for further details).
2786 Routes that contain the
2792 constants are considered
2794 They are stored in a list (use
2796 to see the list), and each time the value of
2802 changes, the appropriate routing table entries are updated. This facility
2803 may be disabled using
2804 .Dq disable sroutes .
2805 .It allow Ar command Op Ar args
2806 This command controls access to
2808 and its configuration files. It is possible to allow user-level access,
2809 depending on the configuration file label and on the mode that
2811 is being run in. For example, you may wish to configure
2821 User id 0 is immune to these commands.
2823 .It allow user Ns Xo
2825 .Ar logname Ns No ...
2827 By default, only user id 0 is allowed access to
2829 If this command is used, all of the listed users are allowed access to
2830 the section in which the
2832 command is found. The
2834 section is always checked first (even though it is only ever automatically
2835 loaded at startup). Each successive
2837 command overrides the previous one, so it's possible to allow users access
2838 to everything except a given label by specifying default users in the
2840 section, and then specifying a new user list for that label.
2844 is specified, access is allowed to all users.
2845 .It allow mode Ns Xo
2849 By default, access using any
2851 mode is possible. If this command is used, it restricts the access
2853 allowed to load the label under which this command is specified.
2858 command overrides any previous settings, and the
2860 section is always checked first.
2872 When running in multi-link mode, a section can be loaded if it allows
2874 of the currently existing line modes.
2877 .It nat Ar command Op Ar args
2878 This command allows the control of the network address translation (also
2879 known as masquerading or IP aliasing) facilities that are built into
2881 NAT is done on the external interface only, and is unlikely to make sense
2886 For backwards compatibility, the word
2888 may be used in place of
2890 If nat is enabled on your system (it may be omitted at compile time),
2891 the following commands are possible:
2893 .It nat enable yes|no
2894 This command either switches network address translation on or turns it off.
2897 command line flag is synonymous with
2898 .Dq nat enable yes .
2899 .It nat addr Op Ar addr_local addr_alias
2900 This command allows data for
2904 It is useful if you own a small number of real IP numbers that
2905 you wish to map to specific machines behind your gateway.
2906 .It nat deny_incoming yes|no
2907 If set to yes, this command will refuse all incoming connections
2908 by dropping the packets in much the same way as a firewall would.
2910 This command gives a summary of available nat commands.
2912 This option causes various NAT statistics and information to
2913 be logged to the file
2914 .Pa /var/log/alias.log .
2915 This file name is likely to change in the near future.
2916 .It nat port Ar proto Ar targetIP Ns Xo
2917 .No : Ns Ar targetPort Ns
2919 .No - Ns Ar targetPort
2922 .No - Ns Ar aliasPort
2923 .Oc Oo Ar remoteIP : Ns
2926 .No - Ns Ar remotePort
2929 This command causes incoming
2943 A range of port numbers may be specified as shown above. The ranges
2944 must be of the same size.
2948 is specified, only data coming from that IP number is redirected.
2952 .Pq indicating any source port
2953 or a range of ports the same size as the other ranges.
2955 This option is useful if you wish to run things like Internet phone on
2956 machines behind your gateway, but is limited in that connections to only
2957 one interior machine per source machine and target port are possible.
2958 .It nat pptp Op Ar addr
2964 .Em E Ns No encapsulated
2968 rather than the local interface address. This allows the uses of the
2972 .Em T Ns No unneling
2974 on a machine on the internal network.
2980 address translation is disabled.
2981 .It "nat proxy cmd" Ar arg Ns No ...
2984 to proxy certain connections, redirecting them to a given server. Refer
2985 to the description of
2986 .Fn PacketAliasProxyRule
2989 for details of the available commands.
2990 .It nat same_ports yes|no
2991 When enabled, this command will tell the network address translation engine to
2992 attempt to avoid changing the port number on outgoing packets. This is useful
2993 if you want to support protocols such as RPC and LPD which require
2994 connections to come from a well known port.
2995 .It nat target Op Ar address
2996 Set the given target address or clear it if no address is given. The target
2997 address is used by libalias to specify how to NAT incoming packets by default.
2998 If a target address is not set or if
3000 is given, packets are not altered and are allowed to route to the internal
3003 The target address may be set to
3005 in which case libalias will redirect all packets to the interface address.
3006 .It nat use_sockets yes|no
3007 When enabled, this option tells the network address translation engine to
3008 create a socket so that it can guarantee a correct incoming ftp data or
3010 .It nat unregistered_only yes|no
3011 Only alter outgoing packets with an unregistered source ad-
3012 dress. According to RFC 1918, unregistered source addresses
3013 are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
3016 These commands are also discussed in the file
3018 which comes with the source distribution.
3025 is executed in the background with the following words replaced:
3026 .Bl -tag -width PEER_ENDDISC
3028 This is replaced with the local
3034 This is replaced with the local endpoint discriminator value. See the
3038 This is replaced with the peers IP number.
3040 This is replaced with the name of the interface that's in use.
3042 This is replaced with the last label name used. A label may be specified
3045 command line, via the
3053 This is replaced with the IP number assigned to the local interface.
3055 This is replaced with the value of the peers endpoint discriminator.
3057 This is replaced with the current process id.
3059 This is replaced with the username that has been authenticated with PAP or
3060 CHAP. Normally, this variable is assigned only in -direct mode. This value
3061 is available irrespective of whether utmp logging is enabled.
3062 .It Li DNS0 No " & " Li DNS1
3063 These are replaced with the primary and secondary nameserver IP numbers. If
3064 nameservers are negotiated by IPCP, the values of these macros will change.
3067 These substitutions are also done by the
3071 If you wish to pause
3073 while the command executes, use the
3076 .It clear physical|ipcp Op current|overall|peak...
3077 Clear the specified throughput values at either the
3083 is specified, context must be given (see the
3085 command below). If no second argument is given, all values are
3087 .It clone Ar name Ns Xo
3088 .Op \&, Ns Ar name Ns
3091 Clone the specified link, creating one or more new links according to the
3093 argument(s). This command must be used from the
3095 command below unless you've only got a single link (in which case that
3096 link becomes the default). Links may be removed using the
3100 The default link name is
3102 .It close Op lcp|ccp Ns Op \&!
3103 If no arguments are given, the relevant protocol layers will be brought
3104 down and the link will be closed. If
3106 is specified, the LCP layer is brought down, but
3108 will not bring the link offline. It is subsequently possible to use
3111 to talk to the peer machine if, for example, something like
3115 is specified, only the relevant compression layer is closed. If the
3117 is used, the compression layer will remain in the closed state, otherwise
3118 it will re-enter the STOPPED state, waiting for the peer to initiate
3119 further CCP negotiation. In any event, this command does not disconnect
3131 This command deletes the route with the given
3137 all non-direct entries in the routing table for the current interface,
3140 entries are deleted. If
3144 the default route is deleted.
3149 .Pq note the trailing Dq \&! ,
3151 will not complain if the route does not already exist.
3152 .It dial|call Op Ar label Ns Xo
3155 This command is the equivalent of
3159 and is provided for backwards compatibility.
3160 .It down Op Ar lcp|ccp
3161 Bring the relevant layer down ungracefully, as if the underlying layer
3162 had become unavailable. It's not considered polite to use this command on
3163 a Finite State Machine that's in the OPEN state. If no arguments are
3164 supplied, the entire link is closed (or if no context is given, all links
3169 layer is terminated but the device is not brought offline and the link
3172 is specified, only the relevant compression layer(s) are terminated.
3173 .It help|? Op Ar command
3174 Show a list of available commands. If
3176 is specified, show the usage string for that command.
3177 .It iface Ar command Op args
3178 This command is used to control the interface used by
3181 may be one of the following:
3185 .Ar addr Ns Op / Ns Ar bits
3196 combination to the interface. Instead of specifying
3200 .Pq with no space between \&it and Ar addr .
3201 If the given address already exists, the command fails unless the
3203 is used - in which case the previous interface address entry is overwritten
3204 with the new one, allowing a change of netmask or peer address.
3215 .Dq 255.255.255.255 .
3216 This address (the broadcast address) is the only duplicate peer address that
3220 If this command is used while
3222 is in the OPENED state or while in
3224 mode, all addresses except for the IPCP negotiated address are deleted
3225 from the interface. If
3227 is not in the OPENED state and is not in
3229 mode, all interface addresses are deleted.
3231 .It iface delete Ns Xo
3236 This command deletes the given
3238 from the interface. If the
3240 is used, no error is given if the address isn't currently assigned to
3241 the interface (and no deletion takes place).
3243 Shows the current state and current addresses for the interface. It is
3244 much the same as running
3245 .Dq ifconfig INTERFACE .
3246 .It iface help Op Ar sub-command
3247 This command, when invoked without
3249 will show a list of possible
3251 sub-commands and a brief synopsis for each. When invoked with
3253 only the synopsis for the given sub-command is shown.
3257 .Ar name Ns Op , Ns Ar name Ns
3258 .No ... Ar command Op Ar args
3260 This command may prefix any other command if the user wishes to
3261 specify which link the command should affect. This is only
3262 applicable after multiple links have been created in Multi-link
3268 specifies the name of an existing link. If
3270 is a comma separated list,
3272 is executed on each link. If
3277 is executed on all links.
3278 .It load Op Ar label Ns Xo
3300 will not attempt to make an immediate connection.
3301 .It open Op lcp|ccp|ipcp
3302 This is the opposite of the
3304 command. All closed links are immediately brought up apart from second
3307 links - these will come up based on the
3309 command that has been used.
3313 argument is used while the LCP layer is already open, LCP will be
3314 renegotiated. This allows various LCP options to be changed, after which
3316 can be used to put them into effect. After renegotiating LCP,
3317 any agreed authentication will also take place.
3321 argument is used, the relevant compression layer is opened. Again,
3322 if it is already open, it will be renegotiated.
3326 argument is used, the link will be brought up as normal, but if
3327 IPCP is already open, it will be renegotiated and the network
3328 interface will be reconfigured.
3330 It is probably not good practice to re-open the PPP state machines
3331 like this as it's possible that the peer will not behave correctly.
3334 however useful as a way of forcing the CCP or VJ dictionaries to be reset.
3336 Specify the password required for access to the full
3338 command set. This password is required when connecting to the diagnostic
3345 command line. The value of
3349 logging is active, instead, the literal string
3355 is executed from the controlling connection or from a command file,
3356 ppp will exit after closing all connections. Otherwise, if the user
3357 is connected to a diagnostic socket, the connection is simply dropped.
3363 will exit despite the source of the command after closing all existing
3366 This command removes the given link. It is only really useful in
3367 multi-link mode. A link must be
3370 state before it is removed.
3371 .It rename|mv Ar name
3372 This command renames the given link to
3376 is already used by another link.
3378 The default link name is
3385 may make the log file more readable.
3386 .It resolv Ar command
3387 This command controls
3393 starts up, it loads the contents of this file into memory and retains this
3394 image for future use.
3396 is one of the following:
3397 .Bl -tag -width readonly
3400 .Pa /etc/resolv.conf
3405 will still attempt to negotiate nameservers with the peer, making the results
3410 macros. This is the opposite of the
3415 .Pa /etc/resolv.conf
3416 into memory. This may be necessary if for example a DHCP client overwrote
3417 .Pa /etc/resolv.conf .
3420 .Pa /etc/resolv.conf
3421 with the version originally read at startup or with the last
3423 command. This is sometimes a useful command to put in the
3424 .Pa /etc/ppp/ppp.linkdown
3428 .Pa /etc/resolv.conf
3429 file. This command will work even if the
3431 command has been used. It may be useful as a command in the
3432 .Pa /etc/ppp/ppp.linkup
3433 file if you wish to defer updating
3434 .Pa /etc/resolv.conf
3435 until after other commands have finished.
3440 .Pa /etc/resolv.conf
3445 successfully negotiates a DNS. This is the opposite of the
3450 This option is not (yet) implemented.
3455 This option allows the setting of any of the following variables:
3457 .It set accmap Ar hex-value
3458 ACCMap stands for Asynchronous Control Character Map. This is always
3459 negotiated with the peer, and defaults to a value of 00000000 in hex.
3460 This protocol is required to defeat hardware that depends on passing
3461 certain characters from end to end (such as XON/XOFF etc).
3463 For the XON/XOFF scenario, use
3464 .Dq set accmap 000a0000 .
3465 .It set Op auth Ns Xo
3468 This sets the authentication key (or password) used in client mode
3469 PAP or CHAP negotiation to the given value. It also specifies the
3470 password to be used in the dial or login scripts in place of the
3471 .Sq \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\P
3472 sequence, preventing the actual password from being logged. If
3476 logging is in effect,
3480 for security reasons.
3482 If the first character of
3484 is an exclaimation mark
3487 treats the remainder of the string as a program that must be executed
3497 is parsed as a program to execute in the same was as the
3499 command above, substituting special names in the same manner. Once executed,
3501 will feed the program three lines of input, each terminated by a newline
3505 The host name as sent in the CHAP challenge.
3507 The challenge string as sent in the CHAP challenge.
3513 Two lines of output are expected:
3518 to be sent with the CHAP response.
3522 which is encrypted with the challenge and request id, the answer being sent
3523 in the CHAP response packet.
3528 in this manner, it's expected that the host challenge is a series of ASCII
3529 digits or characters. An encryption device or Secure ID card is usually
3530 required to calculate the secret appropriate for the given challenge.
3531 .It set authname Ar id
3532 This sets the authentication id used in client mode PAP or CHAP negotiation.
3536 mode with CHAP enabled,
3538 is used in the initial authentication challenge and should normally be set to
3539 the local machine name.
3541 .Ar min-percent max-percent period
3543 These settings apply only in multi-link mode and default to zero, zero and
3547 .Pq also known as Fl auto
3548 mode link is available, only the first link is made active when
3550 first reads data from the tun device. The next
3552 link will be opened only when the current bundle throughput is at least
3554 percent of the total bundle bandwidth for
3556 seconds. When the current bundle throughput decreases to
3558 percent or less of the total bundle bandwidth for
3562 link will be brought down as long as it's not the last active
3566 The default values cause
3568 links to simply come up one at a time.
3570 Certain devices cannot determine their physical bandwidth, so it
3571 is sometimes necessary to use the
3573 command (described below) to make
3576 .It set bandwidth Ar value
3577 This command sets the connection bandwidth in bits per second.
3579 must be greater than zero. It is currently only used by the
3582 .It set callback Ar option Ns No ...
3583 If no arguments are given, callback is disabled, otherwise,
3587 mode, will accept) one of the given
3588 .Ar option Ns No s .
3589 In client mode, if an
3593 will request a different
3595 until no options remain at which point
3597 will terminate negotiations (unless
3599 is one of the specified
3603 will accept any of the given protocols - but the client
3605 request one of them. If you wish callback to be optional, you must include
3611 are as follows (in this order of preference):
3615 The callee is expected to decide the callback number based on
3618 is the callee, the number should be specified as the fifth field of
3620 .Pa /etc/ppp/ppp.secret .
3622 Microsoft's callback control protocol is used. See
3626 If you wish to negotiate
3628 in client mode but also wish to allow the server to request no callback at
3629 CBCP negotiation time, you must specify both
3633 as callback options.
3635 .Ar number Ns Op , Ns Ar number Ns
3638 The caller specifies the
3644 should be either a comma separated list of allowable numbers or a
3646 meaning any number is permitted. If
3648 is the caller, only a single number should be specified.
3650 Note, this option is very unsafe when used with a
3652 as a malicious caller can tell
3654 to call any (possibly international) number without first authenticating
3657 If the peer does not wish to do callback at all,
3659 will accept the fact and continue without callback rather than terminating
3660 the connection. This is required (in addition to one or more other callback
3661 options) if you wish callback to be optional.
3665 .No *| Ns Ar number Ns No
3667 .No , Ns Ar number Ns
3670 .Op Ar delay Op Ar retry
3673 If no arguments are given, CBCP (Microsoft's CallBack Control Protocol)
3674 is disabled - ie, configuring CBCP in the
3676 command will result in
3678 requesting no callback in the CBCP phase.
3681 attempts to use the given phone
3682 .Ar number Ns No (s).
3687 will insist that the client uses one of these numbers, unless
3689 is used in which case the client is expected to specify the number.
3693 will attempt to use one of the given numbers (whichever it finds to
3694 be agreeable with the peer), or if
3698 will expect the peer to specify the number.
3700 .No off| Ns Ar seconds Ns Op \&!
3704 checks for the existence of carrier depending on the type of device
3705 that has been opened:
3706 .Bl -tag -width XXX -offset XXX
3707 .It Terminal Devices
3708 Carrier is checked one second after the login script is complete. If it's
3711 assumes that this is because the device doesn't support carrier (which
3714 NULL-modem cables), logs the fact and stops checking
3717 As ptys don't support the TIOCMGET ioctl, the tty device will switch all
3718 carrier detection off when it detects that the device is a pty.
3719 .It ISDN (i4b) Devices
3720 Carrier is checked once per second for 6 seconds. If it's not set after
3721 the sixth second, the connection attempt is considered to have failed and
3722 the device is closed. Carrier is always required for i4b devices.
3723 .It PPPoE (netgraph) Devices
3724 Carrier is checked once per second for 5 seconds. If it's not set after
3725 the fifth second, the connection attempt is considered to have failed and
3726 the device is closed. Carrier is always required for PPPoE devices.
3729 All other device types don't support carrier. Setting a carrier value will
3730 result in a warning when the device is opened.
3732 Some modems take more than one second after connecting to assert the carrier
3733 signal. If this delay isn't increased, this will result in
3735 inability to detect when the link is dropped, as
3737 assumes that the device isn't asserting carrier.
3741 command overrides the default carrier behaviour.
3743 specifies the maximum number of seconds that
3745 should wait after the dial script has finished before deciding if
3746 carrier is available or not.
3752 will not check for carrier on the device, otherwise
3754 will not proceed to the login script until either carrier is detected
3757 has elapsed, at which point
3759 assumes that the device will not set carrier.
3761 If no arguments are given, carrier settings will go back to their default
3766 is followed immediately by an exclaimation mark
3771 carrier. If carrier is not detected after
3773 seconds, the link will be disconnected.
3774 .It set choked Op Ar timeout
3775 This sets the number of seconds that
3777 will keep a choked output queue before dropping all pending output packets.
3780 is less than or equal to zero or if
3782 isn't specified, it is set to the default value of
3785 A choked output queue occurs when
3787 has read a certain number of packets from the local network for transmission,
3788 but cannot send the data due to link failure (the peer is busy etc.).
3790 will not read packets indefinitely. Instead, it reads up to
3796 packets in multi-link mode), then stops reading the network interface
3799 seconds have passed or at least one packet has been sent.
3803 seconds pass, all pending output packets are dropped.
3804 .It set ctsrts|crtscts on|off
3805 This sets hardware flow control. Hardware flow control is
3808 .It set deflate Ar out-winsize Op Ar in-winsize
3809 This sets the DEFLATE algorithms default outgoing and incoming window
3814 must be values between
3822 will insist that this window size is used and will not accept any other
3823 values from the peer.
3824 .It set dns Op Ar primary Op Ar secondary
3825 This command specifies DNS overrides for the
3827 command. Refer to the
3829 command description above for details. This command does not affect the
3830 IP numbers requested using
3832 .It set device|line Xo
3835 This sets the device(s) to which
3837 will talk to the given
3840 All ISDN and serial device names are expected to begin with
3842 ISDN devices are usually called
3844 and serial devices are usually called
3851 it must either begin with an exclamation mark
3854 .No PPPoE: Ns Ar iface Ns Xo
3855 .Op \&: Ns Ar provider Ns
3858 .Ar host Ns No : Ns Ar port Ns Oo
3862 If it begins with an exclamation mark, the rest of the device name is
3863 treated as a program name, and that program is executed when the device
3864 is opened. Standard input, output and error are fed back to
3866 and are read and written as if they were a regular device.
3869 .No PPPoE: Ns Ar iface Ns Xo
3870 .Op \&: Ns Ar provider Ns
3872 specification is given,
3874 will attempt to create a
3876 over Ethernet connection using the given
3878 interface. The given
3880 is passed as the service name in the PPPoE Discovery Initiation (PADI)
3881 packet. If no provider is given, an empty value will be used. Refer to
3885 for further details.
3888 .Ar host Ns No : Ns Ar port Ns Oo
3891 specification is given,
3893 will attempt to connect to the given
3901 suffix is not provided, the default is
3903 Refer to the section on
3904 .Em PPP OVER TCP and UDP
3905 above for further details.
3911 will attempt to open each one in turn until it succeeds or runs out of
3913 .It set dial Ar chat-script
3914 This specifies the chat script that will be used to dial the other
3917 command below. Refer to
3919 and to the example configuration files for details of the chat script
3921 It is possible to specify some special
3923 in your chat script as follows:
3924 .Bd -unfilled -offset indent
3925 .It Li \\\\\\\\\\\\\\\\c
3926 When used as the last character in a
3928 string, this indicates that a newline should not be appended.
3929 .It Li \\\\\\\\\\\\\\\\d
3930 When the chat script encounters this sequence, it delays two seconds.
3931 .It Li \\\\\\\\\\\\\\\\p
3932 When the chat script encounters this sequence, it delays for one quarter of
3934 .It Li \\\\\\\\\\\\\\\\n
3935 This is replaced with a newline character.
3936 .It Li \\\\\\\\\\\\\\\\r
3937 This is replaced with a carriage return character.
3938 .It Li \\\\\\\\\\\\\\\\s
3939 This is replaced with a space character.
3940 .It Li \\\\\\\\\\\\\\\\t
3941 This is replaced with a tab character.
3942 .It Li \\\\\\\\\\\\\\\\T
3943 This is replaced by the current phone number (see
3946 .It Li \\\\\\\\\\\\\\\\P
3947 This is replaced by the current
3952 .It Li \\\\\\\\\\\\\\\\U
3953 This is replaced by the current
3960 Note that two parsers will examine these escape sequences, so in order to
3963 see the escape character, it is necessary to escape it from the
3964 .Sq command parser .
3965 This means that in practice you should use two escapes, for example:
3966 .Bd -literal -offset indent
3967 set dial "... ATDT\\\\T CONNECT"
3970 It is also possible to execute external commands from the chat script.
3971 To do this, the first character of the expect or send string is an
3974 When the command is executed, standard input and standard output are
3975 directed to the open device (see the
3977 command), and standard error is read by
3979 and substituted as the expect or send string. If
3981 is running in interactive mode, file descriptor 3 is attached to
3984 For example (wrapped for readability);
3985 .Bd -literal -offset indent
3986 set login "TIMEOUT 5 \\"\\" \\"\\" login:--login: ppp \e
3987 word: ppp \\"!sh \\\\-c \\\\\\"echo \\\\-n label: >&2\\\\\\"\\" \e
3988 \\"!/bin/echo in\\" HELLO"
3991 would result in the following chat sequence (output using the
3992 .Sq set log local chat
3993 command before dialing):
3994 .Bd -literal -offset indent
3999 Chat: Expecting: login:--login:
4000 Chat: Wait for (5): login:
4002 Chat: Expecting: word:
4003 Chat: Wait for (5): word:
4005 Chat: Expecting: !sh \\-c "echo \\-n label: >&2"
4006 Chat: Exec: sh -c "echo -n label: >&2"
4007 Chat: Wait for (5): !sh \\-c "echo \\-n label: >&2" --> label:
4008 Chat: Exec: /bin/echo in
4010 Chat: Expecting: HELLO
4011 Chat: Wait for (5): HELLO
4015 Note (again) the use of the escape character, allowing many levels of
4016 nesting. Here, there are four parsers at work. The first parses the
4017 original line, reading it as three arguments. The second parses the
4018 third argument, reading it as 11 arguments. At this point, it is
4021 signs are escaped, otherwise this parser will see them as constituting
4022 an expect-send-expect sequence. When the
4024 character is seen, the execution parser reads the first command as three
4027 itself expands the argument after the
4029 As we wish to send the output back to the modem, in the first example
4030 we redirect our output to file descriptor 2 (stderr) so that
4032 itself sends and logs it, and in the second example, we just output to stdout,
4033 which is attached directly to the modem.
4035 This, of course means that it is possible to execute an entirely external
4037 command rather than using the internal one. See
4039 for a good alternative.
4041 The external command that is executed is subjected to the same special
4042 word expansions as the
4045 .It set enddisc Op label|IP|MAC|magic|psn value
4046 This command sets our local endpoint discriminator. If set prior to
4047 LCP negotiation, and if no
4049 command has been used,
4051 will send the information to the peer using the LCP endpoint discriminator
4052 option. The following discriminators may be set:
4053 .Bd -unfilled -offset indent
4055 The current label is used.
4057 Our local IP number is used. As LCP is negotiated prior to IPCP, it is
4058 possible that the IPCP layer will subsequently change this value. If
4059 it does, the endpoint discriminator stays at the old value unless manually
4062 This is similar to the
4064 option above, except that the MAC address associated with the local IP
4065 number is used. If the local IP number is not resident on any Ethernet
4066 interface, the command will fail.
4068 As the local IP number defaults to whatever the machine host name is,
4070 is usually done prior to any
4074 A 20 digit random number is used. Care should be taken when using magic
4075 numbers as restarting
4077 or creating a link using a different
4079 invocation will also use a different magic number and will therefore not
4080 be recognised by the peer as belonging to the same bundle. This makes it
4089 should be set to an absolute public switched network number with the
4093 If no arguments are given, the endpoint discriminator is reset.
4094 .It set escape Ar value...
4095 This option is similar to the
4097 option above. It allows the user to specify a set of characters that
4100 as they travel across the link.
4101 .It set filter dial|alive|in|out Ar rule-no Xo
4102 .No permit|deny|clear| Ns Ar rule-no
4105 .Ar src_addr Ns Op / Ns Ar width
4106 .Op Ar dst_addr Ns Op / Ns Ar width
4107 .Oc Oo tcp|udp|ospf|igmp|icmp Op src lt|eq|gt Ar port
4108 .Op dst lt|eq|gt Ar port
4115 supports four filter sets. The
4117 filter specifies packets that keep the connection alive - resetting the
4120 filter specifies packets that cause
4126 filter specifies packets that are allowed to travel
4127 into the machine and the
4129 filter specifies packets that are allowed out of the machine.
4131 Filtering is done prior to any IP alterations that might be done by the
4132 NAT engine on outgoing packets and after any IP alterations that might
4133 be done by the NAT engine on incoming packets. By default all filter
4134 sets allow all packets to pass. Rules are processed in order according to
4136 (unless skipped by specifying a rule number as the
4138 Up to 40 rules may be given for each set. If a packet doesn't match
4139 any of the rules in a given set, it is discarded. In the case of
4143 filters, this means that the packet is dropped. In the case of
4145 filters it means that the packet will not reset the idle timer and in
4148 filters it means that the packet will not trigger a dial. A packet failing
4149 to trigger a dial will be dropped rather than queued. Refer to the
4151 .Sx PACKET FILTERING
4152 above for further details.
4153 .It set hangup Ar chat-script
4154 This specifies the chat script that will be used to reset the device
4155 before it is closed. It should not normally be necessary, but can
4156 be used for devices that fail to reset themselves properly on close.
4157 .It set help|? Op Ar command
4158 This command gives a summary of available set commands, or if
4160 is specified, the command usage is shown.
4161 .It set ifaddr Oo Ar myaddr Ns
4163 .Oo Ar hisaddr Ns Op / Ns Ar \&nn
4168 This command specifies the IP addresses that will be used during
4169 IPCP negotiation. Addresses are specified using the format
4175 is the preferred IP, but
4177 specifies how many bits of the address we will insist on. If
4179 is omitted, it defaults to
4181 unless the IP address is 0.0.0.0 in which case it defaults to
4184 If you wish to assign a dynamic IP number to the peer,
4186 may also be specified as a range of IP numbers in the format
4187 .Bd -literal -offset indent
4188 .Ar \&IP Ns Oo \&- Ns Ar \&IP Ns Xo
4189 .Oc Oo , Ns Ar \&IP Ns
4190 .Op \&- Ns Ar \&IP Ns
4197 .Dl set ifaddr 10.0.0.1 10.0.1.2-10.0.1.10,10.0.1.20
4201 as the local IP number, but may assign any of the given 10 IP
4202 numbers to the peer. If the peer requests one of these numbers,
4203 and that number is not already in use,
4205 will grant the peers request. This is useful if the peer wants
4206 to re-establish a link using the same IP number as was previously
4207 allocated (thus maintaining any existing tcp or udp connections).
4209 If the peer requests an IP number that's either outside
4210 of this range or is already in use,
4212 will suggest a random unused IP number from the range.
4216 is specified, it is used in place of
4218 in the initial IPCP negotiation. However, only an address in the
4220 range will be accepted. This is useful when negotiating with some
4222 implementations that will not assign an IP number unless their peer
4226 It should be noted that in
4230 will configure the interface immediately upon reading the
4232 line in the config file. In any other mode, these values are just
4233 used for IPCP negotiations, and the interface isn't configured
4234 until the IPCP layer is up.
4238 argument may be overridden by the third field in the
4240 file once the client has authenticated itself
4241 .Pq if PAP or CHAP are Dq enabled .
4243 .Sx AUTHENTICATING INCOMING CONNECTIONS
4244 section for details.
4246 In all cases, if the interface is already configured,
4248 will try to maintain the interface IP numbers so that any existing
4249 bound sockets will remain valid.
4250 .It set ccpretry|ccpretries Oo Ar timeout
4251 .Op Ar reqtries Op Ar trmtries
4253 .It set chapretry|chapretries Oo Ar timeout
4256 .It set ipcpretry|ipcpretries Oo Ar timeout
4257 .Op Ar reqtries Op Ar trmtries
4259 .It set lcpretry|lcpretries Oo Ar timeout
4260 .Op Ar reqtries Op Ar trmtries
4262 .It set papretry|papretries Oo Ar timeout
4265 These commands set the number of seconds that
4267 will wait before resending Finite State Machine (FSM) Request packets.
4270 for all FSMs is 3 seconds (which should suffice in most cases).
4274 is specified, it tells
4276 how many configuration request attempts it should make while receiving
4277 no reply from the peer before giving up. The default is 5 attempts for
4278 CCP, LCP and IPCP and 3 attempts for PAP and CHAP.
4282 is specified, it tells
4284 how many terminate requests should be sent before giving up waiting for the
4285 peers response. The default is 3 attempts. Authentication protocols are
4286 not terminated and it is therefore invalid to specify
4290 In order to avoid negotiations with the peer that will never converge,
4292 will only send at most 3 times the configured number of
4294 in any given negotiation session before giving up and closing that layer.
4300 This command allows the adjustment of the current log level. Refer
4301 to the Logging Facility section for further details.
4302 .It set login Ar chat-script
4305 compliments the dial-script. If both are specified, the login
4306 script will be executed after the dial script. Escape sequences
4307 available in the dial script are also available here.
4308 .It set logout Ar chat-script
4309 This specifies the chat script that will be used to logout
4310 before the hangup script is called. It should not normally be necessary.
4311 .It set lqrperiod Ar frequency
4312 This command sets the
4318 packets are sent. The default is 30 seconds. You must also use the
4320 command if you wish to send LQR requests to the peer.
4321 .It set mode Ar interactive|auto|ddial|background
4322 This command allows you to change the
4324 of the specified link. This is normally only useful in multi-link mode,
4325 but may also be used in uni-link mode.
4327 It is not possible to change a link that is
4332 Note: If you issue the command
4334 and have network address translation enabled, it may be useful to
4335 .Dq enable iface-alias
4336 afterwards. This will allow
4338 to do the necessary address translations to enable the process that
4339 triggers the connection to connect once the link is up despite the
4340 peer assigning us a new (dynamic) IP address.
4341 .It set mrru Op Ar value
4342 Setting this option enables Multi-link PPP negotiations, also known as
4343 Multi-link Protocol or MP. There is no default MRRU (Maximum
4344 Reconstructed Receive Unit) value. If no argument is given, multi-link
4346 .It set mru Op Ar value
4347 The default MRU (Maximum Receive Unit) is 1500. If it is increased, the
4348 other side *may* increase its mtu. There is no point in decreasing the
4349 MRU to below the default as the
4351 protocol *must* be able to accept packets of at least 1500 octets. If
4352 no argument is given, 1500 is assumed.
4353 .It set mtu Op Ar value
4354 The default MTU is 1500. At negotiation time,
4356 will accept whatever MRU or MRRU that the peer wants (assuming it's
4357 not less than 296 bytes). If the MTU is set,
4359 will not accept MRU/MRRU values less than
4361 When negotiations are complete, the MTU is assigned to the interface, even
4362 if the peer requested a higher value MRU/MRRU. This can be useful for
4363 limiting your packet size (giving better bandwidth sharing at the expense
4364 of more header data).
4368 is given, 1500, or whatever the peer asks for is used.
4369 .It set nbns Op Ar x.x.x.x Op Ar y.y.y.y
4370 This option allows the setting of the Microsoft NetBIOS name server
4371 values to be returned at the peers request. If no values are given,
4373 will reject any such requests.
4374 .It set openmode active|passive Op Ar delay
4383 will always initiate LCP/IPCP/CCP negotiation one second after the line
4384 comes up. If you want to wait for the peer to initiate negotiations, you
4387 If you want to initiate negotiations immediately or after more than one
4388 second, the appropriate
4390 may be specified here in seconds.
4391 .It set parity odd|even|none|mark
4392 This allows the line parity to be set. The default value is
4394 .It set phone Ar telno Ns Xo
4395 .Oo \&| Ns Ar backupnumber
4396 .Oc Ns ... Ns Oo : Ns Ar nextnumber
4399 This allows the specification of the phone number to be used in
4400 place of the \\\\T string in the dial and login chat scripts.
4401 Multiple phone numbers may be given separated either by a pipe
4406 Numbers after the pipe are only dialed if the dial or login
4407 script for the previous number failed.
4409 Numbers after the colon are tried sequentially, irrespective of
4410 the reason the line was dropped.
4412 If multiple numbers are given,
4414 will dial them according to these rules until a connection is made, retrying
4415 the maximum number of times specified by
4419 mode, each number is attempted at most once.
4420 .It set Op proc Ns Xo
4421 .No title Op Ar value
4423 The current process title as displayed by
4425 is changed according to
4429 is not specified, the original process title is restored. All the
4430 word replacements done by the shell commands (see the
4432 command above) are done here too.
4434 Note, if USER is required in the process title, the
4436 command must appear in
4438 as it is not known when the commands in
4441 .It set radius Op Ar config-file
4442 This command enables RADIUS support (if it's compiled in).
4444 refers to the radius client configuration file as described in
4447 .Dq enable Ns No d ,
4450 .Em \&N Ns No etwork
4453 and uses the configured RADIUS server to authenticate rather than
4454 authenticating from the
4456 file or from the passwd database.
4458 If neither PAP or CHAP are enabled,
4463 uses the following attributes from the RADIUS reply:
4464 .Bl -tag -width XXX -offset XXX
4465 .It RAD_FRAMED_IP_ADDRESS
4466 The peer IP address is set to the given value.
4467 .It RAD_FRAMED_IP_NETMASK
4468 The tun interface netmask is set to the given value.
4470 If the given MTU is less than the peers MRU as agreed during LCP
4471 negotiation, *and* it is less that any configured MTU (see the
4473 command), the tun interface MTU is set to the given value.
4474 .It RAD_FRAMED_COMPRESSION
4475 If the received compression type is
4478 will request VJ compression during IPCP negotiations despite any
4480 configuration command.
4481 .It RAD_FRAMED_ROUTE
4482 The received string is expected to be in the format
4483 .Ar dest Ns Op / Ns Ar bits
4486 Any specified metrics are ignored.
4490 are understood as valid values for
4497 to sepcify the default route, and
4499 is understood to be the same as
4508 For example, a returned value of
4509 .Dq 1.2.3.4/24 0.0.0.0 1 2 -1 3 400
4510 would result in a routing table entry to the 1.2.3.0/24 network via
4512 and a returned value of
4516 would result in a default route to
4519 All RADIUS routes are applied after any sticky routes are applied, making
4520 RADIUS routes override configured routes. This also applies for RADIUS
4521 routes that don't include the
4528 Values received from the RADIUS server may be viewed using
4530 .It set reconnect Ar timeout ntries
4531 Should the line drop unexpectedly (due to loss of CD or LQR
4532 failure), a connection will be re-established after the given
4534 The line will be re-connected at most
4538 defaults to zero. A value of
4542 will result in a variable pause, somewhere between 1 and 30 seconds.
4543 .It set recvpipe Op Ar value
4544 This sets the routing table RECVPIPE value. The optimum value is
4545 just over twice the MTU value. If
4547 is unspecified or zero, the default kernel controlled value is used.
4548 .It set redial Ar secs Ns Xo
4555 can be instructed to attempt to redial
4557 times. If more than one phone number is specified (see
4561 is taken before dialing each number. A pause of
4563 is taken before starting at the first number again. A literal value of
4565 may be used here in place of
4569 causing a random delay of between 1 and 30 seconds.
4573 is specified, its value is added onto
4579 will only be incremented at most
4587 delay will be effective, even after
4589 has been exceeded, so an immediate manual dial may appear to have
4590 done nothing. If an immediate dial is required, a
4592 should immediately follow the
4596 description above for further details.
4597 .It set sendpipe Op Ar value
4598 This sets the routing table SENDPIPE value. The optimum value is
4599 just over twice the MTU value. If
4601 is unspecified or zero, the default kernel controlled value is used.
4602 .It set server|socket Ar TcpPort|LocalName|none password Op Ar mask
4605 to listen on the given socket or
4607 for incoming command connections.
4613 to close any existing socket.
4615 If you wish to specify a local domain socket,
4617 must be specified as an absolute file name, otherwise it is assumed
4618 to be the name or number of a TCP port. You must specify the octal umask
4619 to be used with a local domain socket. Refer to
4621 for umask details. Refer to
4623 for details of how to translate TCP port names.
4625 You must also specify the password that must be entered by the client
4628 command above) when connecting to this socket. If the password is
4629 specified as an empty string, no password is required for connecting clients.
4631 When specifying a local domain socket, the first
4633 sequence found in the socket name will be replaced with the current
4634 interface unit number. This is useful when you wish to use the same
4635 profile for more than one connection.
4637 In a similar manner TCP sockets may be prefixed with the
4639 character, in which case the current interface unit number is added to
4644 with a server socket, the
4646 command is the preferred mechanism of communications. Currently,
4648 can also be used, but link encryption may be implemented in the future, so
4650 should not be relied upon.
4651 .It set speed Ar value
4652 This sets the speed of the serial device. If speed is specified as
4655 treats the device as a synchronous device.
4657 Certain device types will know whether they should be specified as
4658 synchronous or asynchronous. These devices will override incorrect
4659 settings and log a warning to this effect.
4660 .It set stopped Op Ar LCPseconds Op Ar CCPseconds
4661 If this option is set,
4663 will time out after the given FSM (Finite State Machine) has been in
4664 the stopped state for the given number of
4666 This option may be useful if the peer sends a terminate request,
4667 but never actually closes the connection despite our sending a terminate
4668 acknowledgement. This is also useful if you wish to
4669 .Dq set openmode passive
4670 and time out if the peer doesn't send a Configure Request within the
4672 .Dq set log +lcp +ccp
4675 log the appropriate state transitions.
4677 The default value is zero, where
4679 doesn't time out in the stopped state.
4681 This value should not be set to less than the openmode delay (see
4684 .It set timeout Ar idleseconds Op Ar mintimeout
4685 This command allows the setting of the idle timer. Refer to the
4687 .Sx SETTING THE IDLE TIMER
4688 for further details.
4694 will never idle out before the link has been up for at least that number
4702 This command controls the ports that
4704 prioritizes when transmitting data. The default priority TCP ports
4705 are ports 21 (ftp control), 22 (ssh), 23 (telnet), 513 (login), 514 (shell),
4706 543 (klogin) and 544 (kshell). There are no priority UDP ports by default.
4721 are given, the priority port lists are cleared (although if
4725 is specified, only that list is cleared). If the first
4727 argument is prefixed with a plus
4731 the current list is adjusted, otherwise the list is reassigned.
4733 prefixed with a plus or not prefixed at all are added to the list and
4735 prefixed with a minus are removed from the list.
4736 .It set vj slotcomp on|off
4739 whether it should attempt to negotiate VJ slot compression. By default,
4740 slot compression is turned
4742 .It set vj slots Ar nslots
4743 This command sets the initial number of slots that
4745 will try to negotiate with the peer when VJ compression is enabled (see the
4747 command above). It defaults to a value of 16.
4756 .It shell|! Op Ar command
4759 is not specified a shell is invoked according to the
4761 environment variable. Otherwise, the given
4763 is executed. Word replacement is done in the same way as for the
4765 command as described above.
4767 Use of the ! character
4768 requires a following space as with any of the other commands. You should
4769 note that this command is executed in the foreground -
4771 will not continue running until this process has exited. Use the
4773 command if you wish processing to happen in the background.
4775 This command allows the user to examine the following:
4778 Show the current bundle settings.
4780 Show the current CCP compression statistics.
4782 Show the current VJ compression statistics.
4784 Show the current escape characters.
4785 .It show filter Op Ar name
4786 List the current rules for the given filter. If
4788 is not specified, all filters are shown.
4790 Show the current HDLC statistics.
4792 Give a summary of available show commands.
4794 Show the current interface information
4795 .Pq the same \&as Dq iface show .
4797 Show the current IPCP statistics.
4799 Show the protocol layers currently in use.
4801 Show the current LCP statistics.
4802 .It show Op data Ns Xo
4805 Show high level link information.
4807 Show a list of available logical links.
4809 Show the current log values.
4811 Show current memory statistics.
4813 Show low level link information.
4815 Show Multi-link information.
4817 Show current protocol totals.
4819 Show the current routing tables.
4821 Show the current stopped timeouts.
4823 Show the active alarm timers.
4825 Show the current version number of
4830 Go into terminal mode. Characters typed at the keyboard are sent to
4831 the device. Characters read from the device are displayed on the
4832 screen. When a remote
4836 automatically enables Packet Mode and goes back into command mode.
4842 Read the example configuration files. They are a good source of information.
4851 to get online information about what's available.
4853 The following URLs contain useful information:
4854 .Bl -bullet -compact
4856 http://www.FreeBSD.org/FAQ/userppp.html
4858 http://www.FreeBSD.org/handbook/userppp.html
4865 refers to four files:
4871 These files are placed in the
4875 .It Pa /etc/ppp/ppp.conf
4876 System default configuration file.
4877 .It Pa /etc/ppp/ppp.secret
4878 An authorisation file for each system.
4879 .It Pa /etc/ppp/ppp.linkup
4880 A file to check when
4882 establishes a network level connection.
4883 .It Pa /etc/ppp/ppp.linkdown
4884 A file to check when
4886 closes a network level connection.
4887 .It Pa /var/log/ppp.log
4888 Logging and debugging information file. Note, this name is specified in
4889 .Pa /etc/syslogd.conf .
4892 for further details.
4893 .It Pa /var/spool/lock/LCK..*
4894 tty port locking file. Refer to
4896 for further details.
4897 .It Pa /var/run/tunN.pid
4898 The process id (pid) of the
4900 program connected to the tunN device, where
4902 is the number of the device.
4903 .It Pa /var/run/ttyXX.if
4904 The tun interface used by this port. Again, this file is only created in
4910 .It Pa /etc/services
4911 Get port number if port number is using service name.
4912 .It Pa /var/run/ppp-authname-class-value
4913 In multi-link mode, local domain sockets are created using the peer
4916 the peer endpoint discriminator class
4918 and the peer endpoint discriminator value
4920 As the endpoint discriminator value may be a binary value, it is turned
4921 to HEX to determine the actual file name.
4923 This socket is used to pass links between different instances of
4962 This program was originally written by
4963 .An Toshiharu OHNO Aq tony-o@iij.ad.jp ,
4964 and was submitted to
4967 .An Atsushi Murai Aq amurai@spec.co.jp .
4969 It was substantially modified during 1997 by
4970 .An Brian Somers Aq brian@Awfulhak.org ,
4973 in November that year
4974 (just after the 2.2 release).
4976 Most of the code was rewritten by
4978 in early 1998 when multi-link ppp support was added.