Date:      Mon, 3 Aug 1998 14:27:52 -0400
From:      charlespeters@chickenbean.com
To:        <questions@FreeBSD.ORG>
Subject:   Problem with dial-out gateway - ppp
Message-ID:  <000101bdbf0c$6da84920$20710418@ci1000971-c.sptnbrg1.sc.home.com>

I have set up a dialout gateway using freebsd 2.2.6, but I am having some
problems that I don't seem to be able to solve.

Here is the setup:

	Freebsd 2.2.6 gateway with:

1 network card configured as 192.168.0.1
1 internal modem 56K -  /dev/cuaa1   (com2)

	Several Win95 computers with tcp/ip addresses set as follows:
		192.168.0.43
		192.168.0.40
		192.168.0.48
		...

		Default gateway is set to 192.168.0.1, and dns is set to the ISP's DNS
servers.  This configuration works fine.

I am able to ping the win95 boxes from the freebsd box, and I am able to
ping the freebsd box from all win95 boxes.

The goal is to allow internet access to all win95 computers via the freebsd
gateway machine.  When it is working, I am able to ping all internet
addresses from the win95 boxes (i.e. ping ftp.cdrom.com works fine), but I
cannot ping the same internet address from the freebsd gateway box.

I would like to establish a ppp connection to the ISP, and keep the
connection alive for 10 mins after the last data is transmitted (to speed up
access for users who leave their desks for a few minutes, and then come back
to continue browsing or checking/sending email).  It seems to me like the
system dials up the ISP as soon as the connection is lost.  This seems
wasteful.

Also, I often (once or twice daily) have to shutdown -r now and then during
the reboot, turn off the power for a few seconds to reset the modem.  This is
also a pain in the ass, as I am not always there to reset the machine for my
users.  The system works fine for our application when it works, but it
locks up too often.

If any other info is required, let me know.

This is kinda new to me, so please realize that you are answering a highly
computer literate user who is totally new to freebsd.

Thanks,

Charles

PS: below is more info that you may find helpful!

charlespeters@chickenbean.com
charlespeters@tecpro.com
On the bsd gateway, running ifconfig -a yields the following result:

	de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
		inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
		ether 00:c0:f0:30:86:f6
		media: autoselect (10baseT/UTP) status: active
	lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST>mtu 1500
	tun0: flags=8051 <UP,POINTOPOINT,RUNNING,MULTICAST>mtu 1500
		inet 206.139.129.158 --> 206.139.129.5 netmask 0xffffff00
	sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST>mtu 552
	ppp0: flags= 8010<POINTOPOINT,MULTICAST>mtu 1500
	lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST>mtu 16384
		inet 127.0.0.1 netmask 0xff000000


When I run netstat on the bsd-gateway, the first two lines displayed are as
follows:

	tcp	0	0	192.168.0.1.telnet		192.168.0.42.1039	ESTABLISHED
	tcp	0	0	206.139.129.141.telnet		24.4.113.32.1025	ESTABLISHED

I am telnetted into the computer from 192.168.0.48, and was also telnetted
into the computer from 24.4.113.32.  The freebsd box's ppp ip address was
206.139.129.141.  That connection has been lost for at least an hour now,
but netstat still says that it is established.
I have included a copy of my ppp.conf file (it's kinda long, cause I needed
to keep the help hints for my own reference) below:


#################################################################
#
#  	PPP  Sample Configuration File
#
#	  Originally written by Toshiharu OHNO
#
# $Id: ppp.conf.sample,v 1.5.2.13 1998/01/30 19:54:36 brian Exp $
#
#################################################################

# This file is separated into sections.  Each section is named with
# a label starting in column 0 and followed directly by a ``:''.  The
# section continues until the next section.  Blank lines and lines
# beginning with ``#'' are ignored.
#
# Lines beginning with "!include" will ``include'' another file.  You
# may want to ``!include ~/.ppp.conf'' for backwards compatibility.
#

# Default setup. Always executed when PPP is invoked.
#  This section is *not* loaded by the ``load'' or ``dial'' commands.
#
#  This is the best place to specify your modem device, it's DTR rate,
#  and any logging specification.  Logging specs should be done first
#  so that subsequent commands are logged.
#
default:
 set log Phase Chat Connect Carrier LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200

# next block by cap
 disable pred1
 deny pred1
 disable lqr
# end of block by cap

 deny lqr
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

# next line by cap
# -by hipper-  OK-AT-OK\\dATDT\\T TIMEOUT 40 CONNECT"
# end of cap

# Client side PPP
#
#  Although the PPP protocol is a peer to peer protocol, we normally
#  consider the side that makes the connection as the client and the
#  side that receives the connection as the server.  Authentication
#  is required by the server either using a unix-style login procedure
#  or by demanding PAP or CHAP authentication from the client.
#

# An on demand example where we have dynamic IP addresses:
#  If the peer assigns us an arbitrary IP (most ISPs do this) and we
#  can't predict what their IP will be either, take a wild guess at
#  some IPs that you can't currently route to.  Ensure that the "delete"
#  and "add" lines are also present in the pmdemand section of ppp.linkup
#  so that when we connect, things will be put straight.
#
#  This will work with static IP numbers too.  You can also use this entry
#  if you don't want on-demand dialup.  The "set ifaddr", "delete" and
#  "add" lines are required for on-demand.  Note, for dynamic IP numbers,
#  whether dialing manually or on demand, there should *always* be an entry
#  in ppp.linkup.
#
#  The /0 bit in "set ifaddr" says that we insist on 0 bits of the
#  specified IP actually being correct, therefore, the other side can assign
#  any IP numbers.
#
#  The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
#  IP number, forcing the peer to make the decision.
#
innova:
 set phone 9,3711340
 set login "TIMEOUT 15 ogin: lswcan word: xxxxxxxx"
 set timeout 300
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0
 delete ALL
 add 0 0 HISADDR

# When we want to use PAP or CHAP instead of using a unix-style login
# procedure, we do the following.  Note, the peer suggests whether we
# should send PAP or CHAP.  By default, we send whatever we're asked for.
#
PAPorCHAPdemand:
 set phone 9,3711340
 set login
 set authname lswcan
 set authkey xxxxxxxx
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 delete ALL
 add 0 0 HISADDR

# On demand dialup example with static IP addresses:
#  Here, the local side uses 192.244.185.226 and the remote side
#  uses 192.244.176.44.
#
#  # ppp -auto ondemand
#
#  It is not necessary to have an entry in ppp.linkup when both IP numbers
#  are static.  Be warned though, the MYADDR: label is executed from
#  ppp.linkup if the "ondemand:" and "192.244.176.44" labels are not found.
#
ondemand:
 set phone 9,3711340
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 192.244.185.226 192.244.176.44 255.255.255.0
 delete ALL
 add 0 0 HISADDR

#                          Example segments
#
# The following lines may be included as part of your configuration
# section and aren't themselves complete.  They're provided as examples
# of how to achieve different things.

examples:
# Multi-phone example.  Numbers separated by a : are used sequentially.
# Numbers separated by a | are used if the previous dial or login script
# failed.  Usually, you will prefer to use only one of | or :, but both
# are allowed.
#
    set phone 12345678|12345679:12345670|12345671
#
# When in -auto, -ddial, -direct or -background mode, ppp can accept
# control instructions from the ``pppctl'' program.  First, you must
# set up your control socket.  It's safest to use a UNIX domain socket,
# and watch the permissions:
#
    set server /var/tmp/internet 0177
#
# Although a TCP port may be used if you want to allow control
# connections from other machines:
#
    set server 6670
#
# If you don't like ppp's builtin chat, use an external one:
#
    set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
#
# If we have a ``strange'' modem that must be re-initialized when we
# hangup:
#
    set hangup "\"\" AT OK-AT-OK ATZ OK"
#
# To adjust logging without blasting the setting in default:
#
    set log -command +tcp/ip
#
# To see log messages on the screen in interactive mode:
#
    set log local LCP IPCP CCP
#
# If you're seeing a lot of magic number problems and failed connections,
# try this (check out the FAQ):
#
    set openmode passive
#
# For noisy lines, we may want to reconnect (up to 20 times) after loss
# of carrier:
#
    set reconnect 3 10
#
# When playing server for M$ clients, tell them who our name servers are:
#
    set ns 10.0.0.1 10.0.0.2
    set nbns 10.0.0.1 10.0.0.2
    enable msext
#
# If we're using the -alias switch, redirect ftp and http to an internal
# machine:
#
    alias port 10.0.0.2:ftp ftp
    alias port 10.0.0.2:http http
#
# or don't trust the outside at all
#
    alias deny_incoming yes
#
# I trust user brian to run ppp, so this goes in the `default' section:
#
    allow user brian
#
# But label `internet' contains passwords that even brian can't have, so
# I empty out the user access list in that section:
#
    allow users
#
# I also may wish to set up my ppp login script so that it asks the client
# for the label they wish to use.  I may only want user ``dodgy'' to access
# their own label in direct mode:
#
dodgy:
    allow user dodgy
    allow mode direct
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
    set afilter 0 deny icmp
    set afilter 1 deny udp src eq 53
    set afilter 2 deny udp dst eq 53
    set afilter 3 permit 0/0 0/0
#
# And we don't want ICMPs to cause a dialup:
#
    set dfilter 0 deny icmp
    set dfilter 1 permit 0/0 0/0
#
# Once the line's up, allow connections for ident (113), telnet (23),
# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
# ICMP (ping) and traceroute (>33433).
#
# Anything else is blocked by default
#
    set ifilter 0 permit tcp dst eq 113
    set ofilter 0 permit tcp src eq 113
    set ifilter 1 permit tcp src eq 23 estab
    set ofilter 1 permit tcp dst eq 23
    set ifilter 2 permit tcp src eq 21 estab
    set ofilter 2 permit tcp dst eq 21
    set ifilter 3 permit tcp src eq 20 dst gt 1023
    set ofilter 3 permit tcp dst eq 20
    set ifilter 4 permit udp src eq 53
    set ofilter 4 permit udp dst eq 53
    set ifilter 5 permit 192.244.191.0/24 0/0
    set ofilter 5 permit 0/0 192.244.191.0/24
    set ifilter 6 permit icmp
    set ofilter 6 permit icmp
    set ifilter 7 permit udp dst gt 33433
    set ofilter 7 permit udp dst gt 33433


# Server side PPP
#  If you want the remote system to authenticate itself, you insist
#  that the peer uses CHAP (or PAP) with the "enable" keyword.  Both CHAP and
#  PAP are disabled by default (we usually only "enable" one of them if the
#  other side is dialing into our server).
#  When the peer authenticates itself, we use ppp.secret for verification.
#
#  Ppp is launched with:
#   # ppp -direct CHAPserver
#
#  Note:  We can supply a third field in ppp.secret specifying the IP address
#         for that user.
#
CHAPserver:
 enable chap
 enable proxy
 set ifaddr 192.244.176.44 292.244.184.31

# If we wish to act as a server, allowing PAP access according to
# accounts in /etc/passwd, we do this:
#
PAPServerwithPASSWD:
 enable pap
 enable passwdauth
 enable proxy
 set ifaddr 192.244.176.44 292.244.184.31


# Example to connect using a null-modem cable:
#  The important thing here is to allow the lqr packets on both sides.
#  Without them enabled, we can't tell if the line's dropped - there
#  should always be carrier on a direct connection.
#  Here, the server sends lqr's every 10 seconds and quits if three in a
#  row fail.
#
#  Make sure you don't have "deny lqr" in your default: on the client !
#
direct-client:
 set dial ""
 set line /dev/cuaa0
 set sp 115200
 set timeout 900 10 3
 set log Phase Chat LQM
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
 set ifaddr 10.0.4.2 10.0.4.1
 enable lqr
 accept lqr

direct-server:
 set timeout 900 10 3
 set log Phase LQM
 set ifaddr 10.0.4.1 10.0.4.2
 enable lqr
 accept lqr


# Example for PPP over TCP.
#  We assume that inetd on tcpsrv.mynet has been
#  configured to run "ppp -direct tcp-server" when it gets a connection on
#  port 1234.  Read the man page for further details
#
tcp-client:
 set device tcpsrv.mynet:1234
 set dial
 set login
 set escape 0xff
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0

tcp-server:
 set escape 0xff
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0

# If you want to test ppp, do it through a loopback:
#
# Requires a line in /etc/services:
#   ppploop 6671/tcp # loopback ppp daemon
#
# and a line in /etc/inetd.conf:
#   ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
#
loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:ppploop
 set dial
 set login
 set escape 0xff
 set ifaddr 127.0.0.2 127.0.0.3
 set openmode passive
 set server /var/tmp/loop "" 0177

loop-in:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set escape 0xff
 allow mode direct


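As an added example (not from the original post or from FreeBSD's ppp), a small Python audit that parses ppp.conf's label/indented-command layout and flags the three things the posted file and its own comments point at: idle timeouts that do not match the 10 minute (600 s) goal, a client label enabling LQR while `default:` denies or disables it (the sample's own "Make sure you don't have deny lqr in your default" warning), and a pppctl control socket on a TCP port rather than the UNIX socket the sample calls safest. The embedded excerpt is constructed from the posted file.

```python
import re

# Constructed excerpt laid out like the posted ppp.conf (not the full file).
SAMPLE_CONF = """\
default:
 set device /dev/cuaa1
 disable lqr
 deny lqr
innova:
 set timeout 300
direct-client:
 set timeout 900 10 3
 enable lqr
examples:
    set server /var/tmp/internet 0177
    set server 6670
"""
# A label starts in column 0 and is followed directly by ':'.
LABEL_RE = re.compile(r"^([^\s#:]+):\s*$")

def parse_sections(text: str) -> dict:
    """Map each label to its whitespace-tokenised commands; blank and '#' lines are skipped."""
    sections = {}
    label = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LABEL_RE.match(raw)
        if m:
            label = m.group(1)
            sections.setdefault(label, [])
        elif label is not None:
            sections[label].append(raw.split())
    return sections

def audit(text: str, wanted_idle: int = 600) -> list:
    """Findings for the three issues the post and the sample's comments raise."""
    sections = parse_sections(text)
    lqr_off = any(c[:2] in (["deny", "lqr"], ["disable", "lqr"]) for c in sections.get("default", []))
    findings = []
    for label, cmds in sections.items():
        for c in cmds:
            if c[:2] == ["set", "timeout"] and len(c) > 2 and c[2] != str(wanted_idle):
                findings.append(f"{label}: idle timeout {c[2]}s, wanted {wanted_idle}s")
            elif c[:2] == ["enable", "lqr"] and lqr_off and label != "default":
                findings.append(f"{label}: enables lqr but default: denies/disables it")
            elif c[:2] == ["set", "server"] and len(c) > 2 and c[2].isdigit():
                findings.append(f"{label}: pppctl socket on TCP port {c[2]}; prefer a UNIX socket")
    return findings
```

Run it against the real file to see every label whose `set timeout` differs from the intended idle time, including the `loop:` sections that set it to 0.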