FreeBSD provides built-in support for managing dial-up
PPP connections using ppp(8). The
default FreeBSD kernel provides support for
tun, which is used to interact with
modem hardware. Configuration is performed by editing at least
one configuration file, and configuration files containing
examples are provided. Finally,
used to start and manage connections.
In order to use a PPP connection, the following items are needed:
- A dial-up account with an Internet Service Provider (ISP).
- A dial-up modem.
- The dial-up number for the ISP.
- The login name and password assigned by the ISP.
- The IP address of one or more DNS servers. Normally, the ISP provides these addresses. If it did not, FreeBSD can be configured to use DNS negotiation.
If any of the required information is missing, contact the ISP.
The following information may be supplied by the ISP, but is not necessary:
- The IP address of the default gateway. If this information is unknown, the ISP will automatically provide the correct value during connection setup. When configuring PPP on FreeBSD, this address is referred to as
- The subnet mask. If the ISP has not provided one, 255.255.255.255 will be used in the ppp(8) configuration file.
If the ISP has assigned a static IP address and hostname, it should be input into the configuration file. Otherwise, this information will be automatically provided during connection setup.
The rest of this section demonstrates how to configure FreeBSD
for common PPP connection scenarios. The
required configuration file is
/etc/ppp/ppp.conf and additional files and
examples are available in
Throughout this section, many of the file examples display line numbers. These line numbers have been added to make it easier to follow the discussion and are not meant to be placed in the actual file.
When editing a configuration file, proper indentation is
important. Lines that end in a
: start in
the first column (beginning of the line) while all other lines
should be indented as shown using spaces or tabs.
In order to configure a PPP connection, edit
/etc/ppp/ppp.conf with the
dial-in information for the ISP. This file
is described as follows:
 1   default:
 2     set log Phase Chat LCP IPCP CCP tun command
 3     ident user-ppp VERSION
 4     set device /dev/cuau0
 5     set speed 115200
 6     set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
 7               \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 8     set timeout 180
 9     enable dns
10
11   provider:
12     set phone "(123) 456 7890"
13     set authname foo
14     set authkey bar
15     set timeout 300
16     set ifaddr x.x.x.x/0 y.y.y.y/0 255.255.255.255 0.0.0.0
17     add default HISADDR
- Line 1:
The default entry. Commands in this entry (lines 2 through 9) are executed automatically when
- Line 2:
Enables verbose logging parameters for testing the connection. Once the configuration is working satisfactorily, this line should be reduced to:
set log phase tun
- Line 3:
Displays the version of ppp(8) to the PPP software running on the other side of the connection.
- Line 4:
Identifies the device to which the modem is connected, where
- Line 5:
Sets the connection speed. If
115200 does not work on an older modem, try
- Lines 6 & 7:
The dial string written as an expect-send syntax. Refer to chat(8) for more information.
Note that this command continues onto the next line for readability. Any command in
ppp.conf may do this if the last character on the line is
- Line 8:
Sets the idle timeout for the link in seconds.
- Line 9:
Instructs the peer to confirm the DNS settings. If the local network is running its own DNS server, this line should be commented out, by adding a
# at the beginning of the line, or removed.
- Line 10:
A blank line for readability. Blank lines are ignored by ppp(8).
- Line 11:
Identifies an entry called
provider. This could be changed to the name of the ISP so that
load can be used to start the connection.
- Line 12:
Use the phone number for the ISP. Multiple phone numbers may be specified using the colon (:) or pipe character (|) as a separator. To rotate through the numbers, use a colon. To always attempt to dial the first number first and only use the other numbers if the first number fails, use the pipe character. Always enclose the entire set of phone numbers between quotation marks (") to prevent dialing failures.
- Lines 13 & 14:
Use the user name and password for the ISP.
- Line 15:
Sets the default idle timeout in seconds for the connection. In this example, the connection will be closed automatically after 300 seconds of inactivity. To prevent a timeout, set this value to zero.
- Line 16:
Sets the interface addresses. The values used depend upon whether a static IP address has been obtained from the ISP or if it instead negotiates a dynamic IP address during connection.
If the ISP has allocated a static IP address and default gateway, replace x.x.x.x with the static IP address and replace y.y.y.y with the IP address of the default gateway. If the ISP has only provided a static IP address without a gateway address, replace
If the IP address changes whenever a connection is made, change this line to the following value. This tells ppp(8) to use the IP Configuration Protocol (IPCP) to negotiate a dynamic IP address:
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255 0.0.0.0
- Line 17:
Keep this line as-is as it adds a default route to the gateway. The
HISADDR will automatically be replaced with the gateway address specified on line 16. It is important that this line appears after line 16.
Depending upon whether ppp(8) is started
manually or automatically, a
/etc/ppp/ppp.linkup may also need to
be created which contains the following lines. This file
is required when running
-auto mode. This file is used after the
connection has been established. At this point, the
IP address will have been assigned and
it is now possible to add the routing table entries.
When creating this file, make sure that
provider matches the value
demonstrated in line 11 of
provider:
  add default HISADDR
This file is also needed when the default gateway
address is “guessed” in a static
IP address configuration. In this case,
remove line 17 from
/etc/ppp/ppp.linkup with the
above two lines. More examples for this file can be found
ppp must be
To change this default, add the account of the user
who should run
ppp to the
network group in
Then, give the user access to one or more entries in
allow. For example, to give
permission to only the
add this line to the
To give the specified users access to all entries, put
that line in the
It is possible to configure PPP to supply DNS and NetBIOS nameserver addresses on demand.
To enable these extensions with
PPP version 1.x, the following lines
might be added to the relevant section of
enable msext
set ns 188.8.131.52 184.108.40.206
set nbns 220.127.116.11
And for PPP version 2 and above:
accept dns
set dns 18.104.22.168 22.214.171.124
set nbns 126.96.36.199
This will tell the clients the primary and secondary name server addresses, and a NetBIOS nameserver host.
In version 2 and above, if the
dns line is omitted,
PPP will use the values found in
Some ISPs set their system up so
that the authentication part of the connection is done
using either of the PAP or CHAP authentication mechanisms.
If this is the case, the ISP will not
login: prompt at connection, but
will start talking PPP
PAP is less secure than CHAP, but security is not normally an issue here as passwords, although being sent as plain text with PAP, are being transmitted down a serial line only. There is not much room for crackers to “eavesdrop”.
The following alterations must be made:
13     set authname MyUserName
14     set authkey MyPassword
15     set login
- Line 13:
This line specifies the PAP/CHAP user name. Insert the correct value for
- Line 14:
16 accept PAP
16 accept CHAP
to make it obvious that this is the intention, but PAP and CHAP are both accepted by default.
- Line 15:
The ISP will not normally require a login to the server when using PAP or CHAP. Therefore, disable the “set login” string.
PPP has the ability to use internal NAT without kernel
diverting capabilities. This functionality may be enabled
by the following line in
nat enable yes
Alternatively, NAT may be enabled by command-line
-nat. There is also an
/etc/rc.conf knob named
ppp_nat, which is enabled by
When using this feature, it may be useful to include
to enable incoming connections forwarding:
nat port tcp 10.0.0.2:ftp ftp
nat port tcp 10.0.0.2:http http
or, to not trust the outside at all:
nat deny_incoming yes
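The indentation rule, the advice to reduce the logging on line 2, and the NAT options described above can all be checked mechanically before a configuration goes into service. The following sh/awk audit is an added example, not part of the handbook or of ppp(8); the function names, the constructed sample file and the extra world-readable check on a file holding set authkey are assumptions of this example.

```sh
#!/bin/sh
# Added example, not handbook code. Prints one finding per line for FILE.
audit_ppp_conf() {
    conf=$1
    # Extra check (not from the page): set authkey is stored in clear text.
    if [ -n "$(find "$conf" -prune -perm -004 2>/dev/null)" ] &&
       grep -Eq '^[[:space:]]+set[[:space:]]+authkey' "$conf"; then
        echo "$conf: world-readable file contains set authkey"
    fi
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, start, msg }
    # A trailing backslash continues the command on the next line.
    /\\$/ { if (buf == "") start = NR; sub(/\\$/, ""); buf = buf $0; next }
    { if (buf == "") start = NR; line = buf $0; buf = "" }
    line ~ /^[ \t]*(#|$)/ { next }      # comment or blank line
    line ~ /^[^ \t]+:$/ { next }        # label: starts in the first column
    line ~ /^[^ \t]/ { report("command is not indented under a label"); next }
    {
        n = split(line, w, " ")         # splits on runs of blanks and tabs
        cmd = tolower(w[1] " " w[2])
        for (i = 3; cmd == "set log" && i <= n; i++)
            if (tolower(w[i]) !~ /^(phase|tun)$/) {
                report("verbose logging; reduce to: set log phase tun"); break
            }
        if (cmd == "nat enable" && tolower(w[3]) == "yes") { nat = 1; natline = start }
        if (cmd == "nat deny_incoming" && tolower(w[3]) == "yes") deny = 1
        if (cmd == "nat port") report("inbound forward to " w[4])
    }
    END {
        start = natline
        if (nat && !deny) report("nat enable without nat deny_incoming yes")
    }' "$conf"
}
# Constructed sample input; names and addresses are placeholders.
sample_ppp_conf() {
    cat <<'EOF'
default:
 set log Phase Chat LCP IPCP CCP tun command
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
           \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 nat enable yes
 nat port tcp 10.0.0.2:http http
provider:
set authname foo
 set authkey bar
EOF
}
# Demo run against the constructed sample.
tmp=$(mktemp); sample_ppp_conf > "$tmp"; audit_ppp_conf "$tmp"; rm -f "$tmp"
```

Findings are reported as file:line: message, where the line is the first physical line of a continued command; no output means nothing was flagged.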
ppp is now configured,
some edits still need to be made to
Working from the top down in this file, make sure the
hostname= line is set:
If the ISP has supplied a static IP address and name, use this name as the host name.
Look for the
variable. To configure the system to dial the
ISP on demand, make sure the
tun0 device is added to the list,
otherwise remove it.
network_interfaces="lo0 tun0"
ifconfig_tun0=
The ifconfig_tun0 variable should
be empty, and a file called
/etc/start_if.tun0 should be created.
This file should contain the line:
ppp -auto mysystem
This script is executed at network configuration time,
starting the ppp daemon in automatic mode. If this
machine acts as a gateway, consider including
-alias. Refer to the manual page for
Make sure that the router program is set to
NO with the following line in
It is important that the
daemon is not started, as
to delete the default routing table entries created by
It is probably a good idea to ensure that the
sendmail_flags line does not include the
-q option, otherwise
sendmail will attempt to do a network
lookup every now and then, possibly causing your machine
to dial out. You may try:
The downside is that
forced to re-examine the mail queue whenever the ppp link.
To automate this, include
provider:
  delete ALL
  add 0 0 HISADDR
  !bg sendmail -bd -q30m
An alternative is to set up a “dfilter” to block SMTP traffic. Refer to the sample files for further details.
All that is left is to reboot the machine. After rebooting, either type:
dial provider to start the
PPP session, or, to configure
ppp to establish sessions automatically
when there is outbound traffic and
start_if.tun0 does not exist,
ppp -auto provider
It is possible to talk to the
program while it is running in the background, but only
if a suitable diagnostic port has been set up. To do
this, add the following line to the configuration:
set server /var/run/ppp-tun
This will tell PPP to listen to the specified
UNIX domain socket, asking clients for the specified
password before allowing access. The
%d in the name is replaced with the
tun device number that is in
Once a socket has been set up, the pppctl(8) program may be used in scripts that wish to manipulate the running program.
An alternative to
port), a smarter version of
designed with dial-up lines in mind.
The advantages of using
that it actively talks to modems,
meaning if port is turned off in
/etc/ttys then the modem will not
answer the phone.
Later versions of
0.99beta onwards) also support the automatic detection of
PPP streams, allowing clients
scriptless access to the server.
Refer to http://mgetty.greenie.net/doc/mgetty_toc.html
for more information on
By default the comms/mgetty+sendfax
port comes with the
mgetty to detect the
LCP phase of PPP connections and
automatically spawn off a ppp shell. However, since the
default login/password sequence does not occur it is
necessary to authenticate users using either PAP or
This section assumes the user has successfully compiled and installed the comms/mgetty+sendfax port on the system.
has the following:
/AutoPPP/ - - /etc/ppp/ppp-pap-dialup
mgetty to run
ppp-pap-dialup for detected
Create an executable file called
#!/bin/sh
exec /usr/sbin/ppp -direct pap$IDENT
For each dial-up line enabled in
/etc/ttys, create a corresponding
will happily co-exist with the definitions we created
pap:
  enable pap
  set ifaddr 188.8.131.52 184.108.40.206-220.127.116.11
  enable proxy
Each user logging in with this method will need to
have a username/password in
alternatively add the following option to authenticate
users via PAP from
To assign some users a static IP
number, specify the number as the third argument in