xref: /freebsd/share/examples/ppp/ppp.conf.span-isp (revision d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf)

# This advanced ppp configuration file explains how to implement
# the following:
#
#    -------------       -------------       -------------
#    |   host1   |       |   host2   |       |   host3   |
#    -------------       -------------       -------------
#          |                       |               |
#     |---------------------- LAN ----------------------|
#                          |
#                        -------------
#                        |  Gateway  |
#                        -------------
#                              |
#             -----------------------------------
#             |          |           |          |
#            isp1       isp2       isp3       ispN
#             |          |           |          |
#             -----------------------------------
#                              |
#                         ------------
#                         | Receiver |
#                         ------------
#                              |
#                          Internet
#
# The connection is implemented so that any ISP connection can go down
# without loss of connectivity between the LAN and the Internet.  It is
# of course also possible to shut down any link manually.
#
# There is a working example in ppp.*.span-isp.working that can be tested
# on a single machine !
#
#
# Prerequisites:
#
# o The Receiver machine must be in the outside world and must be willing
#   to accept a multilink ppp connection over UDP, assigning a routable IP
#   number to the Gateway machine.  This probably means that it must be
#   a *BSD box as I know of no other ppp implementations that can use UDP
#   as a transport.
#
# o The Receiver machine must be multi-homed with at least N+1 addresses
#   where N is the maximum number of ISPs that you wish to use
#   simultaneously.  We assume the IP numbers to be RIP1, RIP2 ... RIPN.
#   REAL-LOCAL-IP is the real IP number of the Receiver machine (and must
#   not be the same as any of the RIP* numbers).
#
# o Both the Gateway and the Receiver machines must have several tun
#   interfaces configured into the kernel (see below).
#
# o Both the Gateway and the Receiver machines must have the following
#   entry in /etc/services:
#
#      ppp 6671/udp
#
#   The port number isn't important, but it must be consistent across
#   machines.
#
# o The Receiver machine must have the following entry in
#   /etc/inetd.conf:
#
#      ppp dgram udp wait root /usr/sbin/ppp ppp -direct vpn-in
#
#   Note: Because inetd ``wait''s for ppp to finish, a single ppp
#         invocation receives all incoming packets.  This creates
#         havoc with LQR magic number checks, so LQR *must not* be
#         enabled.
#         Also, -direct invocations of ppp do sendto()s using the
#         address that was last recvfrom()d.  This means that the
#         returning traffic is a bit unbalanced.  Perhaps ppp should
#         be smart enough to automatically clone an existing link
#         when it detects a new incoming address.... tricky !
#
# If you use ppp to connect to your ISPs, the isp* profiles should be used,
# resulting in the vpn* profiles being called from ppp.linkup.span-isp.
# These invocations will bond together into an MP ppp invocation.
#
# If the link to your ISP is via another type of interface (cable modem
# etc), simply configure the interface with a netmask of 0xffffffff and
# add a route to RIPN via the interface address (no default).  You can
# then start ppp using the vpn-nic label.
#
# The Receiver machine should have N tun interfaces (where N is the maximum
# number of ISPs that you wish to use simultaneously).  The Gateway machine
# requires N interfaces plus an additional N interfaces (total 2 * N) if
# you're using ppp to talk to the ISPs.

# Using ppp to connect to your ISPs (PPP over UDP over PPP):
#
# When we connect to our ISPs using ppp, we start the MP ppp invocation
# from ppp.linkup (see ppp.linkup.span-isp) for each link.  We also remove
# the link from ppp.linkdown (see ppp.linkdown.span-isp).  This is necessary
# because relying on our LQR strategy (dropping the link after 5 missing
# replies) is just too slow to be practical in this environment.
#
# This works because the MP invocations are smart enough to recognise that
# another process is already running and to pass the link over to that
# running version.
#
# Only the ISP links should be started manually.  When they come up, they'll
# start the MP invocation.

default:
  set speed 115200
  set device /dev/cuau0 /dev/cuau1 /dev/cuau2 /dev/cuau3
  set dial "ABORT BUSY ABORT NO\\sCARRIER ABORT NO\\sDIAL\\sTONE TIMEOUT 4 \
            \"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"
  set login
  set redial 3 5
  set timeout 0
  enable lqr echo
  set lqrperiod 15

isp1:
  set phone "1234567"
  set authname "isp1name"
  set authkey "isp1key"
  add! RIP1/32 HISADDR

isp2:
  set phone "2345678"
  set authname "isp2name"
  set authkey "isp2key"
  add! RIP2/32 HISADDR

ispN:
  set phone "3456789"
  set authname "ispNname"
  set authkey "ispNkey"
  add! RIPN/32 HISADDR


# Our MP version of ppp.  vpn is a generic label used by each of the
# other vpn invocations by invoking ppp with both labels (see
# ppp.linkup.span-isp).
# Each ``set device'' command tells ppp to use UDP packets destined for
# the given IP/port as the link (transport).  The routing table will
# ensure that these UDP packets use the correct ISP connection.

vpn:
  set enddisc LABEL
  set speed sync
  set mrru 1500
  set mru 1504			# Room for the MP header
  nat enable yes
  set authname "vpnname"
  set authkey "vpnkey"
  add! default HISADDR
  disable deflate pred1 lqr
  deny deflate pred1

vpn1:
  rename 1
  set device RIP1:ppp/udp

vpn2:
  rename 2
  set device RIP2:ppp/udp

vpnN:
  rename N
  set device RIPN:ppp/udp

vpn-nic:
  load vpn
  clone 1 2 N
  link deflink rm
  link 1 set device RIP1:ppp/udp
  link 2 set device RIP2:ppp/udp
  link N set device RIPN:ppp/udp

# The Receiver profile is a bit more straightforward, as it doesn't need
# to get bogged down with sublinks.  Replace REAL-ASSIGNED-IP with the
# IP number to be assigned to the Gateway machine.  Replace REAL-LOCAL-IP
# with the real IP number of the Receiver machine.
#
# No other entries are required on the Receiver machine, and this entry
# is not required on the Gateway machine.  The Receiver machine also
# requires the contents of ppp.secret.span-isp.
#
# Of course it's simple to assign an IP block to the client with a simple
# ``add'' command, and then have the client use those IP numbers on its
# LAN rather than using ``nat enable yes''.

vpn-in:
  set enddisc label
  set speed sync
  set mrru 1500
  set mru 1504			# Room for the MP header
  enable chap
  disable lqr
  set ifaddr REAL-LOCAL-IP REAL-ASSIGNED-IP
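
# Added example (not part of the FreeBSD file): a small check for the rule in
# the inetd note that LQR must not be enabled on the -direct profile. It
# assumes the "default" label is applied before the requested label, that
# "load" pulls in other labels, and that LQR is off unless enabled; the
# function names are hypothetical and only enable/disable/load are modelled.

```python
import re

# Constructed excerpt; "vpn-in" deliberately omits its "disable lqr" line.
SAMPLE = """\
default:
  enable lqr echo

vpn:
  disable deflate pred1 lqr

vpn-nic:
  load vpn
  clone 1 2 N

vpn-in:
  enable chap
"""

def parse(text):
    """Return {label: [tokenised command lines]} for ppp.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        label = re.fullmatch(r"(\S+):", line)
        if label:                      # unindented "name:" starts a section
            current = sections.setdefault(label.group(1), [])
        elif current is not None:
            current.append(line.split())
    return sections

def _apply(sections, label, state, seen):
    """Replay the enable/disable/load commands of one label onto state."""
    if label in seen:                  # guard against "load" loops
        return state
    seen.add(label)
    for words in sections.get(label, []):
        if words[0] == "load":
            for target in words[1:]:
                state = _apply(sections, target, state, seen)
        elif words[0] in ("enable", "disable") and "lqr" in words[1:]:
            state = words[0] == "enable"
    return state

def lqr_enabled(sections, label):
    """Assumption: 'default' is applied first, then the requested label."""
    state = _apply(sections, "default", False, set())
    return _apply(sections, label, state, set())
```

# With the constructed excerpt, vpn-in inherits LQR from "default" and is
# flagged, which is why the profile above carries an explicit ``disable lqr''.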