xref: /freebsd/share/examples/ppp/ppp.conf.span-isp (revision 5e57afbe996e40ec80e4e1c3558ad7c41a4b05fb) 
17f3dea24SPeter Wemm# $FreeBSD$
2c6f660d1SBrian Somers
3c6f660d1SBrian Somers# This advanced ppp configuration file explains how to implement
4c6f660d1SBrian Somers# the following:
5c6f660d1SBrian Somers#
6c6f660d1SBrian Somers#    -------------       -------------       -------------
7c6f660d1SBrian Somers#    |   host1   |       |   host2   |       |   host3   |
8c6f660d1SBrian Somers#    -------------       -------------       -------------
9c6f660d1SBrian Somers#          |                       |               |
10c6f660d1SBrian Somers#     |---------------------- LAN ----------------------|
11c6f660d1SBrian Somers#                          |
12c6f660d1SBrian Somers#                        -------------
13c6f660d1SBrian Somers#                        |  Gateway  |
14c6f660d1SBrian Somers#                        -------------
15c6f660d1SBrian Somers#                              |
16c6f660d1SBrian Somers#             -----------------------------------
17c6f660d1SBrian Somers#             |          |           |          |
18c6f660d1SBrian Somers#            isp1       isp2       isp3       ispN
19c6f660d1SBrian Somers#             |          |           |          |
20c6f660d1SBrian Somers#             -----------------------------------
21c6f660d1SBrian Somers#                              |
22c6f660d1SBrian Somers#                         ------------
23c6f660d1SBrian Somers#                         | Receiver |
24c6f660d1SBrian Somers#                         ------------
25c6f660d1SBrian Somers#                              |
26c6f660d1SBrian Somers#                          Internet
27c6f660d1SBrian Somers#
28c6f660d1SBrian Somers# The connection is implemented so that any ISP connection can go down
29c6f660d1SBrian Somers# without loss of connectivity between the LAN and the Internet.  It is
30c6f660d1SBrian Somers# of course also possible to shut down any link manually.
31c6f660d1SBrian Somers#
32c6f660d1SBrian Somers# There is a working example in ppp.*.span-isp.working that can be tested
33c6f660d1SBrian Somers# on a single machine !
34c6f660d1SBrian Somers#
35c6f660d1SBrian Somers#
36c6f660d1SBrian Somers# Prerequisites:
37c6f660d1SBrian Somers#
38c6f660d1SBrian Somers# o The Receiver machine must be in the outside world and must be willing
39c6f660d1SBrian Somers#   to accept a multilink ppp connection over UDP, assigning a routable IP
40c6f660d1SBrian Somers#   number to the Gateway machine.  This probably means that it must be
41c6f660d1SBrian Somers#   a *BSD box as I know of no other ppp implementations that can use UDP
42c6f660d1SBrian Somers#   as a transport.
43c6f660d1SBrian Somers#
44c6f660d1SBrian Somers# o The Receiver machine must be multi-homed with at least N+1 addresses
45c6f660d1SBrian Somers#   where N is the maximun number of ISPs that you wish to use
46c6f660d1SBrian Somers#   simultaneously.  We assume the IP numbers to be RIP1, RIP2 ... RIPN.
47c6f660d1SBrian Somers#   REAL-LOCAL-IP is the real IP number of the Receiver machine (and must
48c6f660d1SBrian Somers#   not be the same as any of the RIP* numbers).
49c6f660d1SBrian Somers#
50c6f660d1SBrian Somers# o Both the Gateway and the Receiver machines must have several tun
51c6f660d1SBrian Somers#   interfaces configured into the kernel (see below).
52c6f660d1SBrian Somers#
53c6f660d1SBrian Somers# o Both the Gateway and the Receiver machines must have the following
54c6f660d1SBrian Somers#   entry in /etc/services:
55c6f660d1SBrian Somers#
56c6f660d1SBrian Somers#      ppp 6671/udp
57c6f660d1SBrian Somers#
58c6f660d1SBrian Somers#   The port number isn't important, but it must be consistent across
59c6f660d1SBrian Somers#   machines.
60c6f660d1SBrian Somers#
61c6f660d1SBrian Somers# o The Receiver machine must have the following entry in
62c6f660d1SBrian Somers#   /etc/inetd.conf:
63c6f660d1SBrian Somers#
64c6f660d1SBrian Somers#      ppp dgram udp wait root /usr/sbin/ppp ppp -direct vpn-in
65c6f660d1SBrian Somers#
66c6f660d1SBrian Somers#   Note: Because inetd ``wait''s for ppp to finish, a single ppp
67c6f660d1SBrian Somers#         invocation receives all incoming packets.  This creates
68c6f660d1SBrian Somers#         havoc with LQR magic number checks, so LQR *must not* be
69c6f660d1SBrian Somers#         enabled.
70c6f660d1SBrian Somers#         Also, -direct invocations of ppp do sendto()s using the
71c6f660d1SBrian Somers#         address that was last recvfrom()d.  This means that the
72c6f660d1SBrian Somers#         returning traffic is a bit unbalanced.  Perhaps ppp should
73c6f660d1SBrian Somers#         be smart enough to automatically clone an existing link
74c6f660d1SBrian Somers#         when it detects a new incoming address.... tricky !
75c6f660d1SBrian Somers#
76c6f660d1SBrian Somers# If you use ppp to connect to your ISPs, the isp* profiles shold be used,
77c6f660d1SBrian Somers# resulting in the vpn* profiles being called from ppp.linkup.span-isp.
78c6f660d1SBrian Somers# These invocations will bond together into a MP ppp invocation.
79c6f660d1SBrian Somers#
80c6f660d1SBrian Somers# If the link to your ISP is via another type of interface (cable modem
81c6f660d1SBrian Somers# etc), simply configure the interface with a netmask of 0xffffffff and
82c6f660d1SBrian Somers# add a route to RIPN via the interface address (no default).  You can
83c6f660d1SBrian Somers# then start ppp using the vpn-nic label.
84c6f660d1SBrian Somers#
85c6f660d1SBrian Somers# The Receiver machine should have N tun interfaces (where N is the maximum
86c6f660d1SBrian Somers# number of ISPs that you wish to use simultaneously).  The Gateway machine
87c6f660d1SBrian Somers# requires N interfaces plus an additional N interfaces (total 2 * N) if
88c6f660d1SBrian Somers# you're using ppp to talk to the ISPs.
89c6f660d1SBrian Somers
90c6f660d1SBrian Somers# Using ppp to connect to your ISPs (PPP over UDP over PPP):
91c6f660d1SBrian Somers#
92c6f660d1SBrian Somers# When we connect to our ISPs using ppp, we start the MP ppp invocation
93c6f660d1SBrian Somers# from ppp.linkup (see ppp.linkup.span-isp) for each link.  We also remove
94c6f660d1SBrian Somers# the link from ppp.linkdown (see ppp.linkdown.span-isp).  This is necessary
95c6f660d1SBrian Somers# because relying on our LQR strategy (dropping the link after 5 missing
96c6f660d1SBrian Somers# replies) is just too slow to be practical in this environment.
97c6f660d1SBrian Somers#
98c6f660d1SBrian Somers# This works because the MP invocations are smart enough to recognise that
99c6f660d1SBrian Somers# another process is already running and to pass the link over to that
100c6f660d1SBrian Somers# running version.
101c6f660d1SBrian Somers#
102c6f660d1SBrian Somers# Only the ISP links should be started manually.  When they come up, they'll
103c6f660d1SBrian Somers# start the MP invocation.
104c6f660d1SBrian Somers
105c6f660d1SBrian Somersdefault:
106c6f660d1SBrian Somers  set speed 115200
107c6f660d1SBrian Somers  set device /dev/cuaa0 /dev/cuaa1 /dev/cuaa2 /dev/cuaa3
108c6f660d1SBrian Somers  set dial "ABORT BUSY ABORT NO\\sCARRIER ABORT NO\\sDIAL\\sTONE TIMEOUT 4 \
109c6f660d1SBrian Somers            \"\" ATZ OK-ATZ-OK ATDT\\T TIMEOUT 60 CONNECT \\c \\n"
110c6f660d1SBrian Somers  set login
111c6f660d1SBrian Somers  set redial 3 5
112c6f660d1SBrian Somers  set timeout 0
113c6f660d1SBrian Somers  enable lqr
114c6f660d1SBrian Somers  set lqrperiod 15
115c6f660d1SBrian Somers
116c6f660d1SBrian Somersisp1:
117c6f660d1SBrian Somers  set phone "1234567"
118c6f660d1SBrian Somers  set authname isp1name
119c6f660d1SBrian Somers  set authkey isp1key
120c6f660d1SBrian Somers  add! RIP1/32 HISADDR
121c6f660d1SBrian Somers
122c6f660d1SBrian Somersisp2:
123c6f660d1SBrian Somers  set phone "2345678"
124c6f660d1SBrian Somers  set authname isp2name
125c6f660d1SBrian Somers  set authkey isp2key
126c6f660d1SBrian Somers  add! RIP2/32 HISADDR
127c6f660d1SBrian Somers
128c6f660d1SBrian SomersispN:
129c6f660d1SBrian Somers  set phone "3456789"
130c6f660d1SBrian Somers  set authname ispNname
131c6f660d1SBrian Somers  set authkey ispNkey
132c6f660d1SBrian Somers  add! RIPN/32 HISADDR
133c6f660d1SBrian Somers
134c6f660d1SBrian Somers
135c6f660d1SBrian Somers# Our MP version of ppp.  vpn is a generic label used by each of the
136c6f660d1SBrian Somers# other vpn invocations by envoking ppp with both labels (see
137c6f660d1SBrian Somers# ppp.linkup.span-isp).
138c6f660d1SBrian Somers# Each ``set device'' command tells ppp to use UDP packets destined for
139c6f660d1SBrian Somers# the given IP/port as the link (transport).  The routing table will
140c6f660d1SBrian Somers# ensure that these UDP packets use the correct ISP connection.
141c6f660d1SBrian Somers
142c6f660d1SBrian Somersvpn:
143c6f660d1SBrian Somers  set enddisc LABEL
144c6f660d1SBrian Somers  set speed sync
145c6f660d1SBrian Somers  set mrru 1500
1465e57afbeSBrian Somers  set mru 1504			# Room for the MP header
14773cf919aSBrian Somers  nat enable yes
148c6f660d1SBrian Somers  set authname vpnname
149c6f660d1SBrian Somers  set authkey vpnkey
150c6f660d1SBrian Somers  add! default HISADDR
151c6f660d1SBrian Somers  disable deflate pred1 lqr
152c6f660d1SBrian Somers  deny deflate pred1
153c6f660d1SBrian Somers
154c6f660d1SBrian Somersvpn1:
155c6f660d1SBrian Somers  rename 1
156c6f660d1SBrian Somers  set device RIP1:ppp/udp
157c6f660d1SBrian Somers
158c6f660d1SBrian Somersvpn2:
159c6f660d1SBrian Somers  rename 2
160c6f660d1SBrian Somers  set device RIP2:ppp/udp
161c6f660d1SBrian Somers
162c6f660d1SBrian SomersvpnN:
163c6f660d1SBrian Somers  rename N
164c6f660d1SBrian Somers  set device RIPN:ppp/udp
165c6f660d1SBrian Somers
166c6f660d1SBrian Somersvpn-nic:
167c6f660d1SBrian Somers  load vpn
168c6f660d1SBrian Somers  clone 1 2 N
169c6f660d1SBrian Somers  link deflink rm
170c6f660d1SBrian Somers  link 1 set device RIP1:ppp/udp
171c6f660d1SBrian Somers  link 2 set device RIP2:ppp/udp
172c6f660d1SBrian Somers  link N set device RIPN:ppp/udp
173c6f660d1SBrian Somers
174c6f660d1SBrian Somers# The Receiver profile is a bit more straight forward, as it doesn't need
175c6f660d1SBrian Somers# to get bogged down with sublinks.  Replace REAL-ASSIGNED-IP with the
176c6f660d1SBrian Somers# IP number to be assigned to the Gateway machine.  Replace REAL-LOCAL-IP
177c6f660d1SBrian Somers# with the real IP number of the Receiver machine.
178c6f660d1SBrian Somers#
179c6f660d1SBrian Somers# No other entries are required on the Receiver machine, and this entry
180c6f660d1SBrian Somers# is not required on the Gateway machine.  The Receiver machine also
181c6f660d1SBrian Somers# requires the contents of ppp.secret.span-isp.
182c6f660d1SBrian Somers#
183c6f660d1SBrian Somers# Of course it's simple to assign an IP block to the client with a simple
184c6f660d1SBrian Somers# ``add'' command, and then have the client use those IP numbers on its
18573cf919aSBrian Somers# LAN rather than using ``nat enable yes''.
186c6f660d1SBrian Somers
187c6f660d1SBrian Somersvpn-in:
188c6f660d1SBrian Somers  set enddisc label
189c6f660d1SBrian Somers  set speed sync
190c6f660d1SBrian Somers  set mrru 1500
1915e57afbeSBrian Somers  set mru 1504			# Room for the MP header
192c6f660d1SBrian Somers  enable chap
193c6f660d1SBrian Somers  disable lqr
194c6f660d1SBrian Somers  set ifaddr REAL-LOCAL-IP REAL-ASSIGNED-IP
195