usr.sbin/ppp/ppp.8

.\" $Id: ppp.8,v 1.69 1997/10/05 10:29:32 brian Exp $
.Dd 20 September 1995
.Os FreeBSD
.Dt PPP 8
.Sh NAME
.Nm ppp
.Nd
Point to Point Protocol (aka iijppp)
.Sh SYNOPSIS
.Nm
.Op Fl auto | background | ddial | direct | dedicated
.Op Fl alias
.Op Ar system
.Sh DESCRIPTION
This is a user process
.Em PPP
software package.  Normally,
.Em PPP
is implemented as a part of the kernel (e.g. as managed by pppd) and it's
thus somewhat hard to debug and/or modify its behavior.  However, in this
implementation
.Em PPP
is done as a user process with the help of the
tunnel device driver (tun).

.Sh Major Features

.Bl -diag
.It Provides interactive user interface.
Using its command mode, the user can
easily enter commands to establish the connection with the remote end, check
the status of connection and close the connection.  All functions can
also be optionally password protected for security.

.It Supports both manual and automatic dialing.
Interactive mode has a
.Dq term
command which enables you to talk to your modem directly.  When your
modem is connected to the remote peer and it starts to talk
.Em PPP
, the
.Em PPP
software detects it and switches to packet
mode automatically. Once you have determined the proper sequence for connecting
with the remote host, you can write a chat script to define the necessary
dialing and login procedure for later convenience.

.It Supports on-demand dialup capability.
By using auto mode,
.Nm
will act as a daemon and wait for a packet to be sent over the
.Em PPP
link.  When this happens, the daemon automatically dials and establishes the
connection.

In almost the same manner ddial mode (dedicated or daemon dialing)
also automatically dials and establishes the connection.  However, it
differs in that it will dial the remote site any time it detects the
link is down, even if there are no packets to be sent.  This mode is
useful for full-time connections who worry less about line charges
and more about being connected full time.

.It Supports packet aliasing.
Packet aliasing, more commonly known as masquerading, allows computers
on a private, unregistered network to access the internet.  The
.Em PPP
host acts as a masquerading gateway.  IP addresses as well as TCP and
UDP port numbers are aliased for outgoing packets and de-aliased for
returning packets.

.It Supports background PPP connections.
In background mode, if
.Nm
successfully establishes the connection, it will become a daemon.
Otherwise, it will exit with an error.

.It Supports server-side PPP connections.
In direct mode,
.nm
acts as server which accepts incoming
.Em PPP
connections on stdin/stdout.

.It Supports PAP and CHAP authentication.

.It Supports Proxy Arp.
When
.Em PPP
is set up as server, you can also configure it to do proxy arp for your
connection.

.It Supports packet filtering.
User can define four kinds of filters:
.Em ifilter
for incoming packets,
.Em ofilter
for outgoing packets,
.Em dfilter
to define a dialing trigger packet and
.Em afilter
for keeping a connection alive with the trigger packet.

.It Tunnel driver supports bpf.
The user can use
.Xr tcpdump 1
to check the packet flow over the
.Em PPP
link.

.It Supports PPP over TCP capability.


.It Supports IETF draft Predictor-1 compression.
.Nm
supports not only VJ-compression but also Predictor-1 compression.
Normally, a modem has built-in compression (e.g. v42.bis) and the system
may receive higher data rates from it as a result of such compression.
While this is generally a good thing in most other situations, this
higher speed data imposes a penalty on the system by increasing the
number of serial interrupts the system has to process in talking to the
modem and also increases latency.  Unlike VJ-compression, Predictor-1
compression pre-compresses
.Em all
data flowing through the link, thus reducing overhead to a minimum.

.It Supports Microsofts IPCP extensions.
Name Server Addresses and NetBIOS Name Server Addresses can be negotiated
with clients using the Microsoft
.Em PPP
stack (ie. Win95, WinNT)

.Sh PERMISSIONS
.Nm Ppp
is installed as user
.Dv root
and group
.Dv network ,
with permissions
.Dv 4550 .
.Nm Ppp
will not execute in client mode if the invoking user id is not zero.
.Nm Ppp
will run in
.Fl direct
mode as a normal user, but due to its execution permissions, this user
must be a member of group
.Dv network .
When running as a normal user,
.Nm
switches to user id 0 in order to alter the system routing table.  All
external commands (executed via the "shell" or "!bg" commands) are executed
as the user id that invoked
.Nm ppp .

.Sh GETTING STARTED

When you first run
.Nm
you may need to deal with some initial configuration details.  First,
your kernel should include a tunnel device (the GENERIC kernel includes
one by default).  If it doesn't, or if you require more than one tun
interface, you'll need to rebuild your kernel with the following line in
your kernel configuration file:

.Dl pseudo-device tun N

where
.Ar N
is the maximum number of
.Em PPP
connections you wish to support.

Second, check your
.Pa /dev
directory for the tunnel device entries
.Pa /dev/tunN ,
where
.Ar N
represents the number of the tun device, starting at zero.
If they don't exist, you can create them by running "sh ./MAKEDEV tunN".
This will create tun devices 0 through
.Ar N .

Last of all, create a log file.
.Nm Ppp
uses
.Xr syslog 3
to log information.  A common log file name is
.Pa /var/log/ppp.log .
To make output go to this file, put the following lines in the
.Pa /etc/syslog.conf
file:

.Dl !ppp
.Dl *.*<TAB>/var/log/ppp.log

Make sure you use actual TABs here.  If you use spaces, the line will be
silently ignored.

It is possible to have more than one ppp log file by creating a link
to the ppp executable:

.Dl # cd /usr/sbin
.Dl # ln ppp ppp0

and using

.Dl !ppp0
.Dl *.* /var/log/ppp0.log

in
.Pa /etc/syslog.conf .
Don't forget to send a
.Dv HUP
signal to
.Nm syslogd
after altering
.Pa /etc/syslog.conf .

.Sh MANUAL DIALING

In the following examples, we assume that your machine name is
.Nm awfulhak .

If you set your hostname and password in
.Pa /etc/ppp/ppp.secret ,
you can't do anything except run the help, passwd and quit commands.

.Bd -literal -offset indent
ppp on "your hostname"> help
 help    : Display this message
 passwd  : Password for security
 quit    : Quit the PPP program
ppp on awfulhak> pass <password>
.Ed

The "on" part of your prompt will change to "ON" if you specify the
correct password.

.Bd -literal -offset indent
ppp ON awfulhak>
.Ed

You can now specify the device name, speed and parity for your modem,
and whether CTS/RTS signalling should be used (CTS/RTS is used by
default).  If your hardware does not provide CTS/RTS lines (as
may happen when you are connected directly to certain ppp-capable
terminal servers),
.Nm
will never send any output through the port; it waits for a signal
which never comes.  Thus, if you have a direct line and can't seem
to make a connection, try turning ctsrts off:


.Bd -literal -offset indent
ppp ON awfulhak> set line /dev/cuaa0
ppp ON awfulhak> set speed 38400
ppp ON awfulhak> set parity even
ppp ON awfulhak> set ctsrts on
ppp ON awfulhak> show modem

* Modem related information is shown here *

ppp ON awfulhak>
.Ed

The term command can now be used to talk directly with your modem:

.Bd -literal -offset indent
ppp ON awfulhak> term
at
OK
atdt123456
CONNECT
login: ppp
Password:
Protocol: ppp
.Ed

When the peer starts to talk in PPP,
.Nm
detects this automatically and returns to command mode.

.Bd -literal -offset indent
ppp ON awfulhak>
PPP ON awfulhak>
.Ed

You are now connected!  Note that
.Sq PPP
in the prompt has changed to capital letters to indicate that you have
a peer connection.  The show command can be used to see how things are
going:

.Bd -literal -offset indent
PPP ON awfulhak> show lcp

* LCP related information is shown here *

PPP ON awfulhak> show ipcp

* IPCP related information is shown here *
.Ed

At this point, your machine has a host route to the peer.  This means
that you can only make a connection with the host on the other side
of the link.  If you want to add a default route entry (telling your
machine to send all packets without another routing entry to the other
side of the ppp link), enter the following command:

.Bd -literal -offset indent
PPP ON awfulhak> add 0 0 HISADDR
.Ed

The string
.Sq HISADDR
represents the IP address of the connected peer.  This variable is only
available once a connection has been established.  A common error
is to specify the above command in your
.Pa ppp.conf
file.  This won't work as the remote IP address hasn't been
established when this file is read.

You can now use your network applications (ping, telnet, ftp etc.)
in other windows on your machine.

Refer to the PPP COMMAND LIST section for details on all available commands.

.Sh AUTOMATIC DIALING

To use automatic dialing, you must prepare some Dial and Login chat scripts.
See the example definitions in
.Pa /etc/ppp/ppp.conf.sample
(the format of ppp.conf is pretty simple).

.Bl -bullet -compact

.It
Each line contains one command, label or comment.

.It
A line starting with a
.Sq #
character is treated as a comment line.

.It
A label name starts in the first column and is followed by
a colon (:).

.It
A command line must contain a space or tab in the first column.

.El

The
.Pa ppp.conf
file should consist of at least a
.Dq default
section.  This section is always executed.  It should also contain
one or more sections, named according to their purpose, for example,
.Dq MyISP
would represent your ISP, and
.Dq ppp-in
would represent an incoming
.Nm
configuration.

You can now specify the destination label name when you invoke
.Nm ppp .
Commands associated with the
.Dq default
label are executed, followed by those associated with the destination
label provided.  When
.Nm
is started with no arguments, the
.Dq default
section is still executed.  The load command can be used to manually
load a section from the
.Pa ppp.conf
file:

.Bd -literal -offset indent
PPP ON awfulhak> load MyISP
.Ed

Once the connection is made, the ppp portion of the prompt will change
to PPP:

.Bd -literal -offset indent
# ppp MyISP
...
ppp ON awfulhak> dial
dial OK!
login OK!
PPP ON awfulhak>
.Ed

If the
.Pa /etc/ppp/ppp.linkup
file is available, its contents are executed
when the
.Em PPP
connection is established.  See the provided
.Dq pmdemand
example in
.Pa /etc/ppp/ppp.conf.sample
which adds a default route.  The string HISADDR is available as the IP
address of the remote peer.  Similarly, when a connection is closed, the
contents of the
.Pa /etc/ppp/ppp.linkdown
file are executed.

.Sh BACKGROUND DIALING

If you want to establish a connection using
.Nm
non-interactively (such as from a
.Xr crontab(5)
entry or an
.Xr at(1)
job) you should use the
.Fl background
option.  You must also specify the destination label in
.Pa /etc/ppp/ppp.conf
to use.  This label must contain the
.Dq set ifaddr
command to define the remote peer's IP address. (refer to
.Pa /etc/ppp/ppp.conf.sample )

When
.Fl background
is specified,
.Nm
attempts to establish the connection immediately.  If multiple phone
numbers are specified, each phone number will be tried once.  If the
attempt fails,
.Nm
exits immediately with a non-zero exit code.

If it succeeds, then
.Nm
becomes a daemon, and returns an exit status of zero to its caller.
The daemon exits automatically if the connection is dropped by the
remote system, or it receives a
.Dv TERM
signal.

.Sh DIAL ON DEMAND

Demand dialing is enabled with the
.Fl auto
or
.Fl ddial
options.  You must also specify the destination label in
.Pa /etc/ppp/ppp.conf
to use.  It must contain the
.Dq set ifaddr
command to define the remote peer's IP address. (refer to
.Pa /etc/ppp/ppp.conf.sample )

.Bd -literal -offset indent
# ppp -auto pmdemand
...
#
.Ed

When
.Fl auto
or
.Fl ddial
is specified,
.Nm
runs as a daemon but you can still configure or examine its
configuration by using the diagnostic port as follows (this
can be done in
.Fl background
and
.Fl direct
mode too):

.Bd -literal -offset indent
# pppctl -v 3000 show ipcp
Password:
IPCP [OPEND]
  his side: xxxx
  ....
.Ed

Currently,
.Xr telnet 1
may also be used to talk interactively.

.Pp
Each
.Nm
daemon has an associated port number which is computed as "3000 +
tunnel_device_number".

In
.Fl auto
mode, when an outgoing packet is detected,
.Nm
will perform the dialing action (chat script) and try to connect
with the peer.  In
.Fl ddial
mode, the dialing action is performed any time the line is found
to be down.

If the connect fails, the default behavior is to wait 30 seconds
and then attempt to connect when another outgoing packet is detected.
This behavior can be changed with
.Bd -literal -offset indent
set redial seconds|random[.nseconds|random] [dial_attempts]
.Ed
.Pp
.Sq Seconds
is the number of seconds to wait before attempting
to connect again. If the argument is
.Sq random ,
the delay period is a random value between 0 and 30 seconds.
.Sq Nseconds
is the number of seconds to wait before attempting
to dial the next number in a list of numbers (see the
.Dq set phone
command).  The default is 3 seconds.  Again, if the argument is
.Sq random ,
the delay period is a random value between 0 and 30 seconds.
.Sq dial_attempts
is the number of times to try to connect for each outgoing packet
that is received. The previous value is unchanged if this parameter
is omitted.  If a value of zero is specified for
.Sq dial_attempts ,
.Nm
will keep trying until a connection is made.
.Bd -literal -offset indent
set redial 10.3 4
.Ed
.Pp
will attempt to connect 4 times for each outgoing packet that is
detected with a 3 second delay between each number and a 10 second
delay after all numbers have been tried.  If multiple phone numbers
are specified, the total number of attempts is still 4 (it does not
attempt each number 4 times).

Modifying the dial delay is very useful when running
.Nm
in demand
dial mode on both ends of the link. If each end has the same timeout,
both ends wind up calling each other at the same time if the link
drops and both ends have packets queued.

At some locations, the serial link may not be reliable, and carrier
may be lost at inappropriate times.  It is possible to have
.Nm
redial should carrier be unexpectedly lost during a session.
.Bd -literal -offset indent
set reconnect timeout ntries
.Ed

This command tells ppp to re-establish the connection
.Ar ntries
times on loss of carrier with a pause of
.Ar timeout
seconds before each try.  For example,
.Bd -literal -offset indent
set reconnect 3 5
.Ed

tells
.Nm
that on an unexpected loss of carrier, it should wait
.Ar 3
seconds before attempting to reconnect.  This may happen up to
.Ar 5
times before
.Nm
gives up.  The default value of ntries is zero (no reconnect).  Care
should be taken with this option.  If the local timeout is slightly
longer than the remote timeout, the reconnect feature will always be
triggered (up to the given number of times) after the remote side
times out and hangs up.

NOTE:  In this context, losing too many LQRs constitutes a loss of
carrier and will trigger a reconnect.

If the
.Fl background
flag is specified, all phone numbers are dialed at most once until
a connection is made.  The next number redial period specified with
the
.Dq set redial
command is honoured, as is the reconnect tries value.  If your redial
value is less than the number of phone numbers specified, not all
the specified numbers will be tried.

To terminate the program, type

  PPP ON awfulhak> close
  ppp ON awfulhak> quit all

.Pp
A simple
.Dq quit
command will terminate the telnet connection but not the program itself.
You must use
.Dq quit all
to terminate the program as well.

.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 1)

To handle an incoming
.Em PPP
connection request, follow these steps:

.Bl -enum
.It
Make sure the modem and (optionally)
.Pa /etc/rc.serial
is configured correctly.
.Bl -bullet -compact
.It
Use Hardware Handshake (CTS/RTS) for flow control.
.It
Modem should be set to NO echo back (ATE0) and NO results string (ATQ1).
.El

.It
Edit
.Pa /etc/ttys
to enable a getty on the port where the modem is attached.

For example:

.Dl ttyd1  "/usr/libexec/getty std.38400" dialup on secure

Don't forget to send a
.Dv HUP
signal to the init process to start the getty.

.Dl # kill -HUP 1

.It
Prepare an account for the incoming user.
.Bd -literal
ppp:xxxx:66:66:PPP Login User:/home/ppp:/usr/local/bin/ppplogin
.Ed

.It
Create a
.Pa /usr/local/bin/ppplogin
file with the following contents:
.Bd -literal -offset indent
#!/bin/sh -p
exec /usr/sbin/ppp -direct
.Ed

(You can specify a label name for further control.)

.Pp
Direct mode (
.Fl direct
) lets
.Nm
work with stdin and stdout.  You can also use
.Nm pppctl
or
.Nm telnet
to connect to port 3000 plus the current tunnel device number to get
command mode control in the same manner as client-side
.Nm.

.It
Optional support for Microsoft's IPCP Name Server and NetBIOS
Name Server negotiation can be enabled use
.Dq enable msext
and
.Dq set ns pri-addr [sec-addr]
along with
.Dq set nbns pri-addr [sec-addr]
in your ppp.conf file

.El

.Sh RECEIVING INCOMING PPP CONNECTIONS (Method 2)

This method differs in that it recommends the use of
.Em mgetty+sendfax
to handle the modem connections.  The latest version 0.99
can be compiled with the
.Dq AUTO_PPP
option to allow detection of clients speaking PPP to the login
prompt.

Follow these steps:

.Bl -enum

.It
Get, configure, and install mgetty+sendfax v0.99 or later making
sure you have used the AUTO_PPP option.

.It
Edit
.Pa /etc/ttys
to enable a mgetty on the port where the modem is attached.  For
example:

.Dl cuaa1  "/usr/local/sbin/mgetty -s 57600"       dialup on

.It
Prepare an account for the incoming user.
.Bd -literal
Pfred:xxxx:66:66:Fred's PPP:/home/ppp:/etc/ppp/ppp-dialup
.Ed

.It
Examine the files
.Pa /etc/ppp/sample.ppp-dialup
.Pa /etc/ppp/sample.ppp-pap-dialup
and
.Pa /etc/ppp/ppp.conf.sample
for ideas.   ppp-pap-dialup is supposed to be called from
.Pa /usr/local/etc/mgetty+sendfax/login.conf
from a line like

.Dl /AutoPPP/ -     -       /etc/ppp/ppp-pap-dialup
.El

.Sh PPP OVER TCP (a.k.a Tunneling)

Instead of running ppp over a serial link, it is possible to
use a tcp connection instead by specifying a host and port as the
device:

.Dl set device ui-gate:6669

Instead of opening a serial device,
.Nm
will open a tcp connection to the given machine on the given
socket.  It should be noted however that
.Nm
doesn't use the telnet protocol and will be unable to negotiate
with a telnet server.  You should set up a port for receiving
this ppp connection on the receiving machine (ui-gate).  This is
done by first updating
.Pa /etc/services
to name the service:

.Dl ppp-in 6669/tcp # Incoming ppp connections over tcp

and updating
.Pa /etc/inetd.conf
to tell inetd how to deal with incoming connections on that port:

.Dl ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in

Don't forget to send a
.Dv HUP
signal to
.Nm inetd
after you've updated
.Pa /etc/inetd.conf .

Here, we use a label named
.Dq ppp-in .
The entry in
.Pa /etc/ppp/ppp.conf
on ui-gate (the receiver) should contain the following:

.Bd -literal -offset indent
ppp-in:
 set timeout 0
 set ifaddr 10.0.4.1 10.0.4.2
 add 10.0.1.0 255.255.255.0 10.0.4.1
.Ed

You may also want to enable PAP or CHAP for security.  To enable PAP, add
the following line:
.Bd -literal -offset indent
 enable PAP
.Ed
.Pp
You'll also need to create the following entry in
.Pa /etc/ppp/ppp.secret :
.Bd -literal -offset indent
MyAuthName MyAuthPasswd
.Ed
.Pp
The entry in
.Pa /etc/ppp/ppp.conf
on awfulhak (the initiator) should contain the following:

.Bd -literal -offset indent
ui-gate:
 set escape 0xff
 set device ui-gate:ppp-in
 set dial
 set timeout 30 5 4
 set log Phase Chat Connect Carrier hdlc LCP IPCP CCP tun
 set ifaddr 10.0.4.2 10.0.4.1
 add 10.0.2.0 255.255.255.0 10.0.4.2
.Ed
.Pp
Again, if you're enabling PAP, you'll also need:
.Bd -literal -offset indent
 set authname MyAuthName
 set authkey MyAuthKey
.Ed

We're assigning the address of 10.0.4.1 to ui-gate, and the address
10.0.4.2 to awfulhak.

To open the connection, just type

.Dl awfulhak # ppp -background ui-gate

The result will be an additional "route" on awfulhak to the
10.0.2.0/24 network via the tcp connection, and an additional
"route" on ui-gate to the 10.0.1.0/24 network.

The networks are effectively bridged - the underlying tcp
connection may be across a public network (such as the
Internet), and the ppp traffic is conceptually encapsulated
(although not packet by packet) inside the tcp stream between
the two gateways.

The major disadvantage of this mechanism is that there are two
"guaranteed delivery" mechanisms in place - the underlying tcp
stream and whatever protocol is used over the ppp link - probably
tcp again.  If packets are lost, both levels will get in eachothers
way trying to negotiate sending of the missing packet.

.Sh PACKET ALIASING

The
.Fl alias
command line option enables packet aliasing.  This allows the
ppp host to act as a masquerading gateway for other computers over
a local area network.  Outgoing IP packets are aliased so that
they appear to come from the ppp host, and incoming packets are
de-aliased so that they are routed to the correct machine on the
local area network.

Packet aliasing allows computers on private, unregistered
subnets to have internet access, although they are invisible
from the outside world.

In general, correct ppp operation should first be verified
with packet aliasing disabled.  Then, the
.Fl alias
option should be switched on, and network applications (web browser,
telnet, ftp, ping, traceroute) should be checked on the ppp host.
Finally, the same or similar applications should be checked on other
computers in the LAN.

If network applications work correctly on the ppp host, but not on
other machines in the LAN, then the masquerading software is working
properly, but the host is either not forwarding or possibly receiving
IP packets.  Check that IP forwarding is enabled in
.Pa /etc/rc.conf
and that other machines have designated the ppp host as the gateway
for the LAN.

.Sh PACKET FILTERING

This implementation supports packet filtering. There are four kinds of
filters; ifilter, ofilter, dfilter and afilter.  Here are the basics:

.Bl -bullet -compact
.It
A filter definition has the following syntax:

set filter-name rule-no action [src_addr/src_width] [dst_addr/dst_width]
[proto [src [lt|eq|gt] port ]] [dst [lt|eq|gt] port] [estab]
.Bl -enum
.It
.Sq filter-name
should be one of ifilter, ofilter, dfilter or afilter.
.It
There are two actions:
.Sq permit
and
.Sq deny .
If a given packet
matches the rule, the associated action is taken immediately.
.It
.Sq src_width
and
.Sq dst_width
work like a netmask to represent an address range.
.It
.Sq proto
must be one of icmp, udp or tcp.
.It
.Sq port number
can be specified by number and service name from
.Pa /etc/services .

.El

.It
Each filter can hold up to 20 rules, starting from rule 0.
The entire rule set is not effective until rule 0 is defined,
ie. the default is to allow everything through.

.It
If no rule is matched to a packet, that packet will be discarded
(blocked).

.It
Use
.Dq set filter-name -1
to flush all rules.

.El

See
.Pa /etc/ppp/ppp.conf.filter.example .


.Sh SETTING IDLE, LINE QUALITY REQUEST, RETRY TIMER

To check/set idletimer, use the
.Dq show timeout
and
.Dq set timeout [lqrtimer [retrytimer]]
commands:

.Bd -literal -offset indent
ppp ON awfulhak> set timeout 600
.Ed

The timeout period is measured in seconds, the  default values for which
are timeout = 180 or 3 min, lqrtimer = 30sec and retrytimer = 3sec.
To disable the idle timer function, use the command

.Bd -literal -offset indent
ppp ON awfulhak> set timeout 0
.Ed

In
.Fl auto
mode, an idle timeout causes the
.Em PPP
session to be
closed, though the
.Nm
program itself remains running.  Another trigger packet will cause it to
attempt to reestablish the link.

.Sh PREDICTOR-1 COMPRESSION

This version supports CCP and Predictor type 1 compression based on
the current IETF-draft specs. As a default behavior,
.Nm
will attempt to use (or be willing to accept) this capability when the
peer agrees (or requests it).

To disable CCP/predictor functionality completely, use the
.Dq disable pred1
and
.Dq deny pred1
commands.

.Sh CONTROLLING IP ADDRESS

.Nm
uses IPCP to negotiate IP addresses. Each side of the connection
specifies the IP address that it's willing to use, and if the requested
IP address is acceptable then
.Nm
returns ACK to the requester.  Otherwise,
.Nm
returns NAK to suggest that the peer use a different IP address. When
both sides of the connection agree to accept the received request (and
send ACK), IPCP is set to the open state and a network level connection
is established.

To control this IPCP behavior, this implementation has the
.Dq set ifaddr
command for defining the local and remote IP address:

.Bd -literal -offset indent
set ifaddr [src_addr [dst_addr [netmask [trigger_addr]]]]
.Ed

where,
.Sq src_addr
is the IP address that the local side is willing to use,
.Sq dst_addr
is the IP address which the remote side should use and
.Sq netmask
is the netmask that should be used.
.Sq Src_addr
and
.Sq dst_addr
default to 0.0.0.0, and
.Sq netmask
defaults to whatever mask is appropriate for
.Sq src_addr .
It is only possible to make
.Sq netmask
smaller than the default.  The usual value is 255.255.255.255.
Some incorrect ppp implementations require that the peer negotiates
a specific IP address instead of
.Sq src_addr .
If this is the case,
.Sq trigger_addr
may be used to specify this IP number.  This will not affect the
routing table unless the other side agrees with this proposed number.

.Bd -literal -offset indent
set ifaddr 192.244.177.38 192.244.177.2 255.255.255.255 0.0.0.0
.Ed

The above specification means:
.Bl -bullet -compact
.It
I will first suggest that my IP address should be 0.0.0.0, but I
will only accept an address of 192.244.177.38.

.It
I strongly insist that the peer uses 192.244.177.2 as his own
address and won't permit the use of any IP address but 192.244.177.2.
When the peer requests another IP address, I will always suggest that
it uses 192.244.177.2.

.It
The routing table entry will have a netmask of 0xffffffff.
.El

This is all fine when each side has a pre-determined IP address, however
it is often the case that one side is acting as a server which controls
all IP addresses and the other side should obey the direction from it.

In order to allow more flexible behavior, `ifaddr' variable allows the
user to specify IP address more loosely:

.Dl set ifaddr 192.244.177.38/24 192.244.177.2/20

A number followed by a slash (/) represent the number of bits significant in
the IP address.  The above example signifies that:

.Bl -bullet -compact
.It
I'd like to use 192.244.177.38 as my address if it is possible, but I'll
also accept any IP address between 192.244.177.0 and 192.244.177.255.

.It
I'd like to make him use 192.244.177.2 as his own address, but I'll also
permit him to use any IP address between 192.244.176.0 and
192.244.191.255.

.It
As you may have already noticed, 192.244.177.2 is equivalent to saying
192.244.177.2/32.

.It
As an exception, 0 is equivalent to 0.0.0.0/0, meaning that I have no
preferred IP address and will obey the remote peer's selection.  When
using zero, no routing table entries will be made until a connection
is established.

.It
192.244.177.2/0 means that I'll accept/permit any IP address but I'll
try to insist that 192.244.177.2 be used first.
.El

.Sh CONNECTING WITH YOUR INTERNET SERVICE PROVIDER

The following steps should be taken when connecting to your ISP:

.Bl -enum
.It
Describe your provider's phone number(s) in the dial script using the
.Dq set phone
command.  This command allows you to set multiple phone numbers for
dialing and redialing separated by either a pipe (|) or a colon (:)
.Bd -literal -offset indent
set phone "111[|222]...[:333[|444]...]...
.Ed
Numbers after the first in a pipe-separated list are only used if the
previous number was used in a failed dial or login script.  Numbers
separated by a colon are used sequentially, irrespective of what happened
as a result of using the previous number.  For example:
.Bd -literal -offset indent
set phone "1234567|2345678:3456789|4567890"
.Ed
.Pp
Here, the 1234567 number is attempted.  If the dial or login script fails,
the 2345678 number is used next time, but *only* if the dial or login script
fails.  On the dial after this, the 3456789 number is used.  The 4567890
number is only used if the dial or login script using the 3456789 fails.  If
the login script of the 2345678 number fails, the next number is still the
3456789 number.  As many pipes and colons can be used as are necessary
(although a given site would usually prefer to use either the pipe or the
colon, but not both).  The next number redial timeout is used between all
numbers.  When the end of the list is reached, the normal redial period is
used before starting at the beginning again.

The selected phone number is substituted for the \\\\T string in the
.Dq set dial
command (see below).

.It
Set up your redial requirements using
.Dq set redial .
For example, if you have a bad telephone line or your provider is
usually engaged (not so common these days), you may want to specify
the following:
.Bd -literal -offset indent
set redial 10 4
.Ed
.Pp
This says that up to 4 phone calls should be attempted with a pause of 10
seconds before dialing the first number again.

.It
Describe your login procedure using the
.Dq set dial
and
.Dq set login
commands.  The
.Dq set dial
command is used to talk to your modem and establish a link with your
ISP, for example:
.Bd -literal -offset indent
set dial "ABORT BUSY ABORT NO\\\\sCARRIER TIMEOUT 4 \\"\\" ATZ OK-ATZ-OK ATDT\\\\T TIMEOUT 60 CONNECT"
.Ed
.Pp
This modem "chat" string means:

.Bl -bullet
.It
Abort if the string "BUSY" or "NO CARRIER" are received.
.It
Set the timeout to 4.
.It
Expect nothing.
.It
Send ATZ.
.It
Expect OK.  If that's not received, send ATZ and expect OK.
.It
Send ATDTxxxxxxx where xxxxxxx is the next number in the phone list from
above.
.It
Set the timeout to 60.
.It
Wait for the CONNECT string.
.El

Once the connection is established, the login script is executed.  This
script is written in the same style as the dial script:
.Bd -literal -offset indent
set login "TIMEOUT 15 login:-\\\\r-login: awfulhak word: xxx ocol: PPP HELLO"
.Ed
.Pp
This login "chat" string means:

.Bl -bullet
.It
Set the timeout to 15 seconds.
.It
Expect "login:".  If it's not received, send a carriage return and expect
"login:" again.
.It
Send "awfulhak"
.It
Expect "word:" (the tail end of a "Password:" prompt).
.It
Send "xxx".
.It
Expect "ocol:" (the tail end of a "Protocol:" prompt).
.It
Send "PPP".
.It
Expect "HELLO".
.El
.Pp
Login scripts vary greatly between ISPs.

.It
Use
.Dq set line
and
.Dq set speed
to specify your serial line and speed, for example:
.Bd -literal -offset indent
set line /dev/cuaa0
set sp 115200
.Ed
.Pp
Cuaa0 is the first serial port on FreeBSD.  If you're running
.Nm
on OpenBSD, cua00 is the first.  A speed of 115200 should be specified
if you have a modem capable of bit rates of 28800 or more.  In general,
the serial speed should be about four times the modem speed.

.It
Use the
.Dq set ifaddr
command to define the IP address.
.Bl -bullet
.It
If you know what IP address your provider uses, then use it as the remote
address (dst_addr), otherwise choose something like 10.0.0.2/0 (see below).
.It
If your provider has assigned a particular IP address to you, then use
it as your address (src_addr).
.It
If your provider assigns your address dynamically, choose a suitably
unobtrusive and unspecific IP number as your address.  10.0.0.1/0 would
be appropriate.  The bit after the / specifies how many bits of the
address you consider to be important, so if you wanted to insist on
something in the class C network 1.2.3.0, you could specify 1.2.3.1/24.
.It
If you find that your ISP accepts the first IP number that you suggest,
specify third and forth arguments of
.Dq 0.0.0.0 .
This will force your ISP to assign a number.  (The third argument will
be ignored as it is less restrictive than the default mask for your
.Sq src_addr .
.El
.Pp
An example for a connection where you don't know your IP number or your
ISPs IP number would be:
.Bd -literal -offset indent
set ifaddr 10.10.10.10/0 10.10.11.11/0 0.0.0.0 0.0.0.0
.Ed

.It
In most cases, your ISP will also be your default router.  If this is
the case, add the lines

.Bd -literal -offset indent
delete ALL
add 0 0 HISADDR
.Ed

.Pp
to
.Pa ppp.conf .
.Pp
This tells
.Nm
to delete all non-direct routing entries for the tun interface that
.Nm
is running on, then to add a default route to 10.10.11.11.
.Pp
If you're using dynamic IP numbers, you must also put these two lines
in the
.Pa ppp.linkup
file:

.Bd -literal -offset indent
delete ALL
add 0 0 HISADDR
.Ed

HISADDR is a macro meaning the "other side"s IP number, and is
available once an IP number has been agreed (using IPCP).
Now, once a connection is established,
.Nm
will delete all non-direct interface routes, and add a default route
pointing at the peers IP number.  You should use the same label as the
one used in
.Pa ppp.conf .
.Pp
If commands are being typed interactively, the only requirement is
to type
.Bd -literal -offset indent
add 0 0 HISADDR
.Ed
.Pp
after a successful dial.

.It
If your provider requests that you use PAP/CHAP authentication methods, add
the next lines to your
.Pa ppp.conf
file:
.Bd -literal -offset indent
set authname MyName
set authkey MyPassword
.Ed
.Pp
Both are accepted by default, so ppp will provide whatever your ISP
requires.
.El

Please refer to
.Pa /etc/ppp/ppp.conf.sample
and
.Pa /etc/ppp/ppp.linkup.sample
for some real examples.  The pmdemand label should be appropriate for most
ISPs.

.Sh LOGGING FACILITY

.Nm
is able to generate the following log info via
.Xr syslog 3 :

.Bl -column SMMMMMM -offset indent
.It Li Async	Dump async level packet in hex
.It Li Carrier	Log Chat lines with 'CARRIER'
.It Li CCP	Generate a CPP packet trace
.It Li Chat	Generate Chat script trace log
.It Li Command	Log commands executed
.It Li Connect	Generate complete Chat log
.It Li Debug	Log (very verbose) debug information
.It Li HDLC	Dump HDLC packet in hex
.It Li IPCP	Generate an IPCP packet trace
.It Li LCP	Generate an LCP packet trace
.It Li Link	Log address assignments and link up/down events
.It Li LQM	Generate LQR report
.It Li Phase	Phase transition log output
.It Li TCP/IP	Dump all TCP/IP packets
.It Li TUN	Include the tun device on each log line
.It Li Warning	Output to the terminal device.  If there is currently no
terminal, output is sent to the log file using LOG_WARNING.
.It Li Error	Output to both the terminal device and the log file using
LOG_ERROR.
.It Li Alert	Output to the log file using LOG_ALERT
.El

The
.Dq set log
command allows you to set logging output level, of which
multiple levels can be specified.  The default is equivalent to
.Dq set log Carrier Link Phase .

If The first argument to
.Dq set log
begins with a '+' or a '-' character, the current log levels are
not cleared, for example:

.Bd -literal -offset indent
PPP ON awfulhak> show log
Log: Carrier Link Phase
PPP ON awfulhak> set log -Link +tcp/ip
PPP ON awfulhak> show log
Log: Carrier Phase TCP/IP
.Ed

Log messages of level Warning, Error and Alert are not controlable
using
.Dq set log .

.Sh SIGNAL HANDLING

.Nm Ppp
deals with the following signals:

.Bl -tag -width 20
.It INT
Receipt of this signal causes the termination of the current connection
(if any).  This will cause
.Nm
to exit unless it is in
.Fl auto
or
.Fl ddial
mode.

.It HUP, TERM & QUIT
These signals tell
.Nm
to exit.

.It USR1
This signal, when not in interactive mode, tells
.Nm
to close any existing server socket and open an internet socket using
the default rules for choosing a port number - that is, using port
3000 plus the current tunnel device number.

.El

.Sh PPP COMMAND LIST

This section lists the available commands and their effect.  They are
usable either from an interactive ppp session, from a configuration
file or from a telnet session.

.Bl -tag -width 20
.It accept|deny|enable|disable option....
These directives tell
.Nm
how to negotiate the initial connection with the peer.  Each
.Dq option
has a default of either accept or deny and enable or disable.
.Dq Accept
means that the option will be ACK'd if the peer asks for it.
.Dq Deny
means that the option will be NAK'd if the peer asks for it.
.Dq Enable
means that the option will be requested by us.
.Dq Disable
means that the option will not be requested by us.
.Pp
.Dq Option
may be one of the following:

.Bl -tag -width 20
.It vjcomp
Default: Enabled and Accepted.  This option decides if Van Jacobson
header compression will be used.

.It lqr
Default: Disabled and Accepted.  This option decides if Link Quality
Requests will be sent.  LQR is a protocol that allows
.Nm
to determine that the link is down without relying on the modems
carrier detect.

.It chap
Default: Disabled and Accepted.  CHAP stands for Challenge Handshake
Authentication Protocol.  Only one of CHAP and PAP (below) may be
negotiated.  With CHAP, the authenticator sends a "challenge" message
to its peer.  The peer uses a one-way hash function to encrypt the
challenge and sends the result back.  The authenticator does the same,
and compares the results.  The advantage of this mechanism is that no
passwords are sent across the connection.

A challenge is made when the connection is first made.  Subsequent
challenges may occur.  If you want to have your peer authenticate
itself, you must
.Dq enable chap .
in
.Pa ppp.conf ,
and have an entry in
.Pa ppp.secret
for the peer.
.Pp
When using CHAP as the client, you need only specify
.Dq AuthName
and
.Dq AuthKey
in
.Pa ppp.conf .
CHAP is accepted by default.

Some ppp implementations use "MS-CHAP" rather than MD5 when encrypting the
challenge.  Refer to the description of the
.Dq set encrypt
command for further details.

.It pap
Default: Disabled and Accepted.  PAP stands for Password Authentication
Protocol.  Only one of PAP and CHAP (above) may be negotiated.  With
PAP, the ID and Password are sent repeatedly to the peer until
authentication is acknowledged or the connection is terminated.  This
is a rather poor security mechanism.  It is only performed when the
connection is first established.

If you want to have your peer authenticate itself, you must
.Dq enable pap .
in
.Pa ppp.conf ,
and have an entry in
.Pa ppp.secret
for the peer (although see the
.Dq passwdauth
option below).
.Pp
When using PAP as the client, you need only specify
.Dq AuthName
and
.Dq AuthKey
in
.Pa ppp.conf .
PAP is accepted by default.

.It acfcomp
Default: Enabled and Accepted.  ACFComp stands for Address and Control
Field Compression.  Non LCP packets usually have very similar address
and control fields - making them easily compressable.

.It protocomp
Default: Enabled and Accepted.  This option is used to negotiate
PFC (Protocol Field Compression), a mechanism where the protocol
field number is reduced to one octet rather than two.

.It pred1
Default: Enabled and Accepted.  This option decides if Predictor 1
compression will be used.

.It msext
Default: Disabled.  This option allows the use of Microsoft's ppp
extensions, supporting the negotiation of the Microsoft PPP DNS
and the Microsoft NetBIOS NS.  Enabling this allows us to pass back
the values given in "set ns" and "set nbns".

.El
The following options are not actually negotiated with the peer.
Therefore, accepting or denying them makes no sense.

.Bl -tag -width 20
.It proxy
Default: Disabled.  Enabling this option will tell
.Nm
to proxy ARP for the peer.

.It passwdauth
Default: Disabled.  Enabling this option will tell the PAP authentication
code to use the
.Pa passwd
file to authenticate the caller rather than the
.Pa ppp.secret
file.

.It utmp
Default: Enabled.  Normally, when a user is authenticated using PAP or
CHAP, and when
.Nm
is running in
.Fl direct
mode, an entry is made in the utmp and wtmp files for that user.  Disabling
this option will tell ppp not to make any utmp or wtmp entries.  This is
usually only necessary if you require the user to both login and authenticate
themselves.

.El

.It add dest mask gateway
.Dq Dest
is the destination IP address and
.Dq mask
is its mask.
.Dq 0 0
refers to the default route.
.Dq Gateway
is the next hop gateway to get to the given
.Dq dest
machine/network.

.It [!]bg command
The given command is executed in the background.
Any of the pseudo arguments
.Dv HISADDR ,
.Dv INTERFACE
and
.Dv MYADDR
will be replaced with the appropriate values.  If you wish to pause
.Nm
while the command executes, use the
.Dv shell
command instead.

.It close
Close the current connection (but don't quit).

.It delete ALL | dest [gateway [mask]]
If
.Dq ALL
is specified, all non-direct entries in the routing for the interface
that
.Nm
is using are deleted.  This means all entries for tunX, except the entry
representing the actual link.  When
.Dq ALL
is not used, any existing route with the given
.Dq dest ,
destination network
.Dq mask
and
.Dq gateway
is deleted.  The default
.Dq mask
value is 0.0.0.0.

.It dial|call [remote]
If
.Dq remote
is specified, a connection is established using the
.Dq dial
and
.Dq login
scripts for the given
.Dq remote
system.  Otherwise, the current settings are used to establish
the connection.

.It display
Displays the current status of the negotiable protocol
values as specified under
.Dq accept|deny|enable|disable option....
above.

.It passwd pass
Specify the password required for access to the full
.Nm
command set.

.It load [remote]
Load the given
.Dq remote
label.  If
.Dq remote
is not given, the
.Dq default
label is assumed.

.It save
This option is not (yet) implemented.

.It set[up] var value
This option allows the setting of any of the following variables:

.Bl -tag -width 20
.It set accmap hex-value
ACCMap stands for Asyncronous Control Character Map.  This is always
negotiated with the peer, and defaults to a value of 0x00000000.
This protocol is required to defeat hardware that depends on passing
certain characters from end to end (such as XON/XOFF etc).

.It set filter-name rule-no action [src_addr/src_width]
[dst_addr/dst_width] [proto [src [lt|eq|gt] port ]]
[dst [lt|eq|gt] port] [estab]
.Pp
.Nm Ppp
supports four filter sets.  The afilter specifies packets that keep
the connection alive - reseting the idle timer.  The dfilter specifies
packets that cause
.Nm
to dial when in
.Fl auto
mode.  The ifilter specifies packets that are allowed to travel
into the machine and the ofilter specifies packets that are allowed
out of the machine.  By default all filter sets allow all packets
to pass.

Rules are processed in order according to
.Dq n .
Up to 20 rules may be given for each set.  If a packet doesn't match
any of the rules in a given set, it is discarded.  In the case of
ifilters and ofilters, this means that the packet is dropped.  In
the case of afilters it means that the packet will not reset the
idle timer and in the case of dfilters it means that the packet will
not trigger a dial.

Refer to the section on PACKET FILTERING above for further details.

.It set authkey|key value
This sets the authentication key (or password) used in client mode
PAP or CHAP negotiation to the given value.  It can also be used to
specify the password to be used in the dial or login scripts, preventing
the actual password from being logged.

.It set authname id
This sets the authentication id used in client mode PAP or CHAP negotiation.

.It set ctsrts
This sets hardware flow control and is the default.

.It set device|line value
This sets the device to which ppp will talk to the given
.Dq value .
All serial device names are expected to begin with
.Pa /dev/ .
If
.Dq value
does not begin with
.Pa /dev/ ,
it must be of the format
.Dq host:port .
If this is the case,
.Nm
will attempt to connect to the given
.Dq host
on the given
.Dq port .
Refer to the section on PPP OVER TCP above for further details.

.It set dial chat-script
This specifies the chat script that will be used to dial the other
side.  See also the
.Dv set login
command below.  Refer to
.Xr chat 8
and to the example configuration files for details of the chat script
format.  The string \\\\T will be replaced with the current phone number
(see
.Dq set phone
below) and the string \\\\P will be replaced with the password (see
.Dq set key
above).

.It set hangup chat-script
This specifies the chat script that will be used to reset the modem
before it is closed.  It should not normally be necessary, but can
be used for devices that fail to reset themselves properly on close.

.It set encrypt MSChap|MD5
This specifies the encryption algorithm to request and use when issuing
the CHAP challenge, and defaults to MD5.  If this is set to MSChap,
.Nm
will behave like a Microsoft RAS when sending the CHAP challenge (assuming
CHAP is enabled).  When responding to a challenge,
.Nm
determines how to encrypt the response based on the challenge, so this
setting is ignored.

.Bl -tag -width NOTE:
.It NOTE:
Because the Microsoft encryption algorithm uses a combination of MD4 and DES,
if you have not installed DES encryption software on your machine
before building
.Nm ppp ,
this option will not be available - only MD5 will be used.
.El

.It set escape value...
This option is similar to the
.Dq set accmap
option above.  It allows the user to specify a set of characters that
will be `escaped' as they travel across the link.

.It set ifaddr [myaddr [hisaddr [netmask [triggeraddr]]]]
This command specifies the IP addresses that will be used during
IPCP negotiation.  Addresses are specified using the format

.Dl a.b.c.d/n

Where a.b.c.d is the preferred IP, but n specifies how many bits
of the address we will insist on.  If the /n bit is omitted, it
defaults to /32 unless the IP address is 0.0.0.0 in which case
the mask defaults to /0.

If
.Dq triggeraddr
is specified, it is used in place of
.Dq myaddr
in the initial IPCP negotiation.  However, only an address in the
.Dq myaddr
range will be accepted.

.It set loopback on|off
When set to
.Dq on
(the default),
.Nm
will automatically loop back packets being sent
out with a destination address equal to that of the ppp interface.
If set to
.Dq off ,
.Nm
will send the packet, probably resulting in an ICMP redirect from
the other end.

.It set log [+|-]value...
This command allows the adjustment of the current log level.  Please
refer to the Logging Facility section for further details.

.It set login chat-script
This chat-script compliments the dial-script.  If both are specified,
the login script will be executed after the dial script.  Escape
sequences available in the dial script are also available here.

.It set mru value
The default MRU is 1500.  If it is increased, the other side *may*
increase its mtu.  There is no use decreasing the MRU to below the
default as the PPP protocol *must* be able to accept packets of at
least 1500 octets.

.It set mtu value
The default MTU is 1500.  This may be increased by the MRU specified
by the peer.  It may only be subsequently decreased by this option.
Increasing it is not valid as the peer is not necessarily able to
receive the increased packet size.

.It set openmode active|passive
By default, openmode is always active.  That is,
.Nm
will always initiate LCP/IPCP/CCP negotiation.  If you want to wait for the
peer to initiate negotiations, you may use the value
.Dq passive .

.It set parity odd|even|none|mark
This allows the line parity to be set.  The default value is none.

.It set phone telno[|telno]...[:telno[|telno]...]...
This allows the specification of the phone number to be used in
place of the \\\\T string in the dial and login chat scripts.
Multiple phone numbers may be given separated by a pipe (|) or
a colon (:).  Numbers after the pipe are only dialed if the dial or login
script for the previous number failed.  Numbers separated by a colon are
tried sequentially, irrespective of the reason the line was dropped.
If multiple numbers are given,
.Nm
will dial them according to these rules until a connection is made, retrying
the maximum number of times specified by
.Dq set redial
below.  In
.Fl background
mode, each number is attempted at most once.

.It set reconnect timeout ntries
Should the line drop unexpectedly (due to loss of CD or LQR
failure), a connection will be re-established after the given
.Dq timeout .
The line will be re-connected at most
.Dq ntries
times.
.Dq Ntries
defaults to zero.  A value of
.Dq random
for
.Dq timeout
will result in a variable pause, somewhere between 0 and 30 seconds.

.It set redial seconds[.nseconds] [attempts]
.Nm Ppp
can be instructed to attempt to redial
.Dq attempts
times.  If more than one number is specified (see
.Dq set phone
above), a pause of
.Dq nseconds
is taken before dialing each number.  A pause of
.Dq seconds
is taken before starting at the first number again.  A value of
.Dq random
may be used here too.

.It set stopped [LCPseconds [IPCPseconds [CCPseconds]]]
If this option is set,
.Nm
will time out after the given FSM (Finite State Machine) has been in
the stopped state for the given number of
.Dq seconds .
This option may be useful if you see ppp failing to respond in the
stopped state.  Use
.Dq set log +lcp +ipcp +ccp
to make
.Nm
log all state transitions.
.Pp
The default value is zero, where ppp doesn't time out in the stopped
state.

.It set server|socket TcpPort|LocalName|none [mask]
Normally, when not in interactive mode,
.Nm
listens to a tcp socket for incoming command connections.  The
default socket number is calculated as 3000 plus the number of the
tunnel device that
.Nm
opened.  So, for example, if
.Nm
opened tun2, socket 3002 would be used.
.Pp
Using this command, you can specify your own port number, a
local domain socket (specified as an absolute file name), or
you can tell
.Nm
not to accept any command connections.  If a local domain socket
is specified, you may also specify an octal mask that should be
set before creating the socket.  See also the use of
the
.Dv USR1
signal.

.Pp
When using
.Nm
with a server socket, the
.Xr pppctl 8
command is the preferred mechanism of communications.  Currently,
.Xr telnet 1
can also be used, but link encryption may be implemented in the future, so
.Nm telnet
should not be relied upon.

.It set speed value
This sets the speed of the serial device.

.It set timeout Idle [ lqr [ retry ] ]
This command allows the setting of the idle timer, the LQR timer (if
enabled) and the retry timer.

.It set ns x.x.x.x y.y.y.y
This option allows the setting of the Microsoft PPP DNS servers that
will be negotiated.

.It set nbns x.x.x.x y.y.y.y
This option allows the setting of the Microsoft NetBIOS DNS servers that
will be negotiated.

.It set help|?
This command gives a summary of available set commands.
.El

.It shell|! [command]
If
.Dq command
is not specified a shell is invoked according to the
.Dv SHELL
environment variable.  Otherwise, the given command is executed.
Any of the pseudo arguments
.Dv HISADDR ,
.Dv INTERFACE
and
.Dv MYADDR
will be replaced with the appropriate values.  Use of the ! character
requires a following space as with any other commands.  You should note
that this command is executed in the foreground - ppp will not continue
running until this process has exited.  Use the
.Dv bg
command if you wish processing to happen in the background.

.It show var
This command allows the user to examine the following:

.Bl -tag -width 20
.It show [adio]filter
List the current rules for the given filter.

.It show auth
Show the current authname and authkey.

.It show ccp
Show the current CCP statistics.

.It show compress
Show the current compress statistics.

.It show escape
Show the current escape characters.

.It show hdlc
Show the current HDLC statistics.

.It show ipcp
Show the current IPCP statistics.

.It show lcp
Show the current LCP statistics.

.It show loopback
Show the current loopback status.

.It show log
Show the current log values.

.It show mem
Show current memory statistics.

.It show modem
Show current modem statistics.

.It show mru
Show the current MRU.

.It show mtu
Show the current MTU.

.It show proto
Show current protocol totals.

.It show reconnect
Show the current reconnect values.

.It show redial
Show the current redial values.

.It show stopped
Show the current stopped timeouts.

.It show route
Show the current routing tables.

.It show timeout
Show the current timeout values.

.It show msext
Show the current Microsoft extension values.

.It show version
Show the current version number of ppp.

.It show help|?
Give a summary of available show commands.
.El

.It term
Go into terminal mode.  Characters typed at the keyboard are sent to
the modem.  Characters read from the modem are displayed on the
screen.  When a
.Nm
peer is detected on the other side of the modem,
.Nm
automatically enables Packet Mode and goes back into command mode.

.It alias .....
This command allows the control of the aliasing (or masquerading)
facilities that are built into
.Nm ppp .
Until this code is required, it is not loaded by
.Nm ppp ,
and it is quite possible that the alias library is not installed
on your system (some administrators consider it a security risk).

If aliasing is enabled on your system, the following commands are
possible:

.Bl -tag -width 20
.It alias enable [yes|no]
This command either switches aliasing on or turns it off.
The
.Fl alias
command line flag is synonomous with
.Dq alias enable yes .

.It alias port [proto targetIP:targetPORT [aliasIP:]aliasPORT]
This command allows us to redirect connections arriving at
.Dq aliasPORT
for machine [aliasIP] to
.Dq targetPORT
on
.Dq targetIP .
If proto is specified, only connections of the given protocol
are matched.  This option is useful if you wish to run things like
internet phone on the machines behind your gateway.

.It alias addr [addr_local addr_alias]
This command allows data for
.Dq addr_alias
to be redirected to
.Dq addr_local .
It is useful if you own a small number of real IP numbers that
you wish to map to specific machines behind your gateway.

.It alias deny_incoming [yes|no]
If set to yes, this command will refuse all incoming connections
by dropping the packets in much the same way as a firewall would.

.It alias log [yes|no]
This option causes various aliasing statistics and information to
be logged to the file
.Pa /var/log/alias.log .

.It alias same_ports [yes|no]
When enabled, this command will tell the alias library attempt to
avoid changing the port number on outgoing packets.  This is useful
if you want to support protocols such as RPC and LPD which require
connections to come from a well known port.

.It alias use_sockets [yes|no]
When enabled, this option tells the alias library to create a
socket so that it can guarantee a correct incoming ftp data or
IRC connection.

.It alias unregistered_only [yes|no]
Only alter outgoing packets with an unregistered source ad-
dress.  According to rfc 1918, unregistered source addresses
are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

.It alias help|?
This command gives a summary of available alias commands.

.El

.It quit|bye [all]
Exit
.Nm ppp .
If
.Nm
is in interactive mode or if the
.Dq all
argument is given, ppp will exit, closing the connection.  A simple
.Dq quit
issued from a telnet session will not close the current connection.

.It help|? [command]
Show a list of available commands.  If
.Dq command
is specified, show the usage string for that command.

.It down
Bring the link down ungracefully.  It's not considered polite to
use this command.

.El

.Sh MORE DETAILS

.Bl -bullet -compact

.It
Read the example configuration files.  They are a good source of information.

.It
Use
.Dq help ,
.Dq show ? ,
.Dq alias ? ,
.Dq set ?
and
.Dq set ? <var>
commands.
.El

.Sh FILES
.Nm Ppp
refers to four files: ppp.conf, ppp.linkup, ppp.linkdown and
ppp.secret.  These files are placed in
.Pa /etc/ppp ,
but the user can create his own files under his $HOME directory as
.Pa .ppp.conf ,
.Pa .ppp.linkup ,
.Pa .ppp.linkdown
and
.Pa .ppp.secret.
.Nm
will always try to consult the user's personal setup first.

.Bl -tag -width flag
.Pa $HOME/ppp/.ppp.[conf|linkup|linkdown|secret]
User dependent configuration files.

.Pa /etc/ppp/ppp.conf
System default configuration file.

.Pa /etc/ppp/ppp.secret
An authorization file for each system.

.Pa /etc/ppp/ppp.linkup
A file to check when
.Nm
establishes a network level connection.

.Pa /etc/ppp/ppp.linkdown
A file to check when
.Nm
closes a network level connection.

.Pa /var/log/ppp.log
Logging and debugging information file.

.Pa /var/spool/lock/LCK..*
tty port locking file.  Refer to
.Xr uucplock 8
for further details.

.Pa /var/run/tunX.pid
The process id (pid) of the ppp program connected to the tunX device, where
'X' is the number of the device.  This file is only created in
.Fl background ,
.Fl auto
and
.Fl ddial
modes.

.Pa /var/run/ttyXX.if
The tun interface used by this port.  Again, this file is only created in
.Fl background ,
.Fl auto
and
.Fl ddial
modes.

.Pa /etc/services
Get port number if port number is using service name.
.El

.Sh SEE ALSO

.Xr chat 8 ,
.Xr pppd 8 ,
.Xr uucplock 3 ,
.Xr syslog 3 ,
.Xr syslog.conf 5 ,
.Xr syslogd 8 ,
.Xr pppctl 8 ,
.Xr telnet 1

.Sh HISTORY

This program was originally written by Toshiharu OHNO (tony-o@iij.ad.jp),
and was submitted to FreeBSD-2.0.5 by Atsushi Murai (amurai@spec.co.jp).
It has since had an enormous face lift and looks substantially different.