diff --git a/en/tutorials/ppp/ppp.sgml b/en/tutorials/ppp/ppp.sgml index 8edeb42750..cbe3c327ec 100644 --- a/en/tutorials/ppp/ppp.sgml +++ b/en/tutorials/ppp/ppp.sgml @@ -1,1736 +1,1737 @@ - +
PPP - Pedantic PPP Primer <author>Maintainer: Steve Sims <tt><htmlurl url="mailto:SimsS@IBM.NET" name="<SimsS@IBM.NET>"></tt> -<date>$Date: 1997-01-21 05:49:54 $ +<date>$Date: 1997-12-30 02:47:15 $ <abstract> This is a step-by-step guide for configuring FreeBSD systems to act as a dial-up router/gateway in a Local Area Environment. All entries may be assumed to be relevant to FreeBSD 2.2+, unless otherwise noted. </abstract> <toc> <sect> <heading>Overview:</heading> <p>The User-Mode PPP dialer in FreeBSD Version 2.2 (also known as: <it>"IIJ-PPP"</it> ) now supports Packet Aliasing for dial up connections to the Internet. This feature, also known as "<IT/Masquerading/", "<IT/IP Aliasing/", or "<IT/Network Address Translation/", allows a FreeBSD system to act as a dial- on-demand router between an Ethernet-based Local Area Network and an Internet Service Provider. Systems on the LAN can use the FreeBSD system to forward information between the Internet by means of a single dial-connection. <sect1> <heading>Purpose of this Guide.</heading> <p> This guide explains how to: <itemize> <item>Configure the FreeBSD system to support dial-out connections, <item>Share a dial-out connection with other systems in a network, <item>Configure Windows platforms to use the FreeBSD system as a gateway to the Internet. </itemize> <p> While the focus of this guide is to assist in configuring IP Aliasing, it also includes specific examples of the configuration steps necessary to configure and install each individual component; each section stands alone and may be used to assist in the configuration of various aspects of FreeBSD internetworking. </sect> <sect> <heading>Building the Local Area Network</heading> <p> While the ppp program can, and usually is, be configured to provide services to <em/only/ the local FreeBSD box it can also be used to serve as a "Gateway" (or "router") between other LAN-connected resources and the Internet or other Dial-Up service. 
<sect1> <heading>Typical Network Topology</heading> <p>This guide assumes a typical Local Area Network lashed together as follows: <verb> +---------+ ----> Dial-Up Internet Connection | FreeBSD | \ (i.e.: NetCom, AOL, AT&T, EarthLink, etc) | |-------- | "Curly" | | | +----+----+ | |----+-------------+-------------+----| <-- Ethernet Network | | | | | | +----+----+ +----+----+ +----+----+ | | | | | | | Win95 | | WFW | | WinNT | | "Larry" | | "Moe" | | "Shemp" | | | | | | | +---------+ +---------+ +---------+ </verb> <sect1> <heading>Assumptions about the Local Area Network</heading> <p>Some specific assumptions about this sample network are: <p>Three workstations and a Server are connected with Ethernet cabling: <itemize> <item>a FreeBSD Server ("Curly") with an NE-2000 adapter configured as 'ed0' <item>a Windows-95 workstation ("Larry") with Microsoft's "native" 32-bit TCP/IP drivers <item>a Windows for Workgroups workstation ("Moe") with Microsoft's 16-bit TCP/IP extensions <item>a Windows NT workstation ("Shemp") with Microsoft's "native" 32-bit TCP/IP drivers </itemize> <p>The IP Addresses on the Ethernet side of this sample LAN have been taken from the pool of "reserved" addresses proposed in RFC-1597. IP addresses are assigned as follows: <verb>Name IP Address "Curly" 192.168.1.1 # The FreeBSD box "Larry" 192.168.1.2 # The Win'95 box "Moe" 192.168.1.3 # The WfW box "Shemp" 192.168.1.4 # The Windows NT box </VERB> <p>This guide assumes that the modem on the FreeBSD box is connected to the first serial port ('<tt>/dev/cuaa0</tt>' or '<tt>COM1:</tt>' in DOS-terms). <p>Finally, we'll also assume that your Internet Service Provider (ISP) automatically provides the IP addresses of both your PPP/FreeBSD side as well as the ISP's side. (i.e.: Dynamic IP Addresses on both ends of the link.) Specific details for configuring the Dial-Out side of PPP will be addressed in Section 2, "Configuring the FreeBSD System". 
</sect> <sect> <heading>FreeBSD System Configuration</heading> <p>There are three basic pieces of information that must be known to the FreeBSD box before you can proceed with integrating the sample Local Area Network: <itemize> <item>The Host Name of the FreeBSD system; in our example it's "Curly", <item>The Network configuration, <item>The <tt>/etc/hosts</tt> file (which lists the names and IP addresses of the other systems in your network) </itemize> <p>If you performed the installation of FreeBSD over a network connection some of this information may already be configured into your FreeBSD system. <p>Even if you believe that the FreeBSD system was properly configured when it was installed you should at least verify each of these bits of information to prevent trouble in subsequent steps. <sect1> <heading>Verifying the FreeBSD Host Name</heading> <p>It's possible that the FreeBSD host name was specified and saved when the system was initially installed. To verify that it was, enter the following command at a prompt:<p> <tscreen><verb> # hostname </verb></tscreen> <p>The name of the host FreeBSD system will be displayed on a single line. If the name looks correct (this is very subjective :-) skip ahead to Section 3.2, "Verifying the Ethernet Interface Configuration". <p>For example, in our sample network, we would see 'curly.my.domain' as a result of the `hostname` command if the name had been set correctly during, or after, installation. (At this point, don't worry too much about the ".my.domain" part, we'll sort this out later. The important part is the name up to the first dot.) <p>If a host name wasn't specified when FreeBSD was installed you'll probably see 'myname.my.domain` as a response. You'll need to edit <tt>/etc/sysconfig</tt> to set the name of the machine. 
<sect2><heading>Configuring the FreeBSD Host Name</heading> <p><em><bf>Reminder: You must be logged in as 'root' to edit the system configuration files!</bf></em> <em><bf>CAUTION: If you mangle the system configuration files, chances are your system WILL NOT BOOT correctly! Be careful!</bf></em> <p>The configuration file that specifies the FreeBSD system's host name when the system boots is in <tt>/etc/sysconfig</tt>. Use the default text editor ('<tt/ee/') to edit this file. <p>Logged in as user 'root' load <tt>/etc/sysconfig</tt> into the editor with the following command: <tscreen><verb> # ee /etc/sysconfig </verb></tscreen> <p>Using the arrow keys, scroll down until you find the line that specifies the host name of the FreeBSD system. By default, this section says: <tscreen><verb> --- # Set to the name of your host - this is pretty important! hostname=myname.my.domain --- </verb></tscreen> Change this section to say (in our example): <tscreen><verb> --- # Set to the name of your host - this is pretty important! hostname=curly.my.domain --- </verb></tscreen> Once the change to the host name has been made, press the 'Esc' key to access the command menu. Select "leave editor" and make sure to specify "save changes" when prompted. <sect1> <heading>Verifying the Ethernet Interface Configuration</heading> <p>To reiterate our basic assumption, this guide assumes that the Ethernet Interface in the FreeBSD system is named '<tt/ed0/'. This is the default for NE-1000, NE-2000, WD/SMC models 8003, 8013 and Elite Ultra (8216) network adapters. <p>Other models of network adapters may have different device names in FreeBSD. Check the FAQ for specifics about your network adapter. If you're not sure of the device name of your adapter, check the FreeBSD FAQ to determine the device name for the card you have and substitute that name (i.e.: '<tt/de0/', '<tt/zp0/', or similar) in the following steps. 
<p>As was the case with the host name, the configuration for the FreeBSD system's Ethernet Interface may have been specified when the system was installed. To display the configuration for the interfaces in your FreeBSD system (Ethernet and others), enter the following command: <tscreen><verb> # ifconfig -a </verb></tscreen> (In layman's terms: "Show me the <BF/I/nter<BF/F/ace <BF/CONFIG/uration for my network devices.") <p>An example: <tscreen><verb> # ifconfig -a ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 ether 01:02:03:04:05:06 lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500 tun0: flags=8050<POINTOPOINT,RUNNING, MULTICAST> mtu 1500 sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552 ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 inet 127.0.0.1 netmask 0xff000000 # _ </verb></tscreen> <p>In this example, the following devices were displayed:<p> <tt/ed0:/ The Ethernet Interface<p> <tt/lp0:/ The Parallel Port Interface (ignored in this guide)<p> <tt/tun0:/ The "tunnel" device; <em/This is the one user-mode ppp uses!/<p> <tt/sl0:/ The SL/IP device (ignored in this guide)<p> <tt/ppp0:/ Another PPP device (for kernel ppp; ignored in this guide)<p> <tt/lo0:/ The "Loopback" device (ignored in this guide)<p> In this example, the 'ed0' device is up and running. The key indicators are: <enum> <item>Its status is "<tt/UP/", <item>It has an Internet ("<tt/inet/") address, (in this case, 192.168.1.1) <item>It has a valid Subnet Mask ("netmask"; 0xffffff00 is the same as 255.255.255.0), and <item>It has a valid broadcast address (in this case, 192.168.1.255). </enum> <p>If the line for the Ethernet card had shown something similar to: <tscreen><verb> ed0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500 ether 01:02:03:04:05:06 </verb></tscreen> then the Ethernet card hasn't been configured yet. 
<p>If the configuration for the Ethernet interface is correct you can skip forward to Section 3.4, "Creating the list of other LAN hosts". Otherwise, proceed with the next section. <sect2> <heading>Configuring your Ethernet Interface</heading> <p><em><bf>Reminder: You must be logged in as 'root' to edit the system configuration files!</bf></em> <em><bf>CAUTION: If you mangle the system configuration files, chances are your system WILL NOT BOOT correctly! Be careful!</bf></em> <p>The configuration file that specifies settings for the network interfaces when the system boots is in <tt>/etc/sysconfig</tt>. Use the default text editor ('ee') to edit this file. <p>Logged in as user 'root' load <tt>/etc/sysconfig</tt> into the editor with the following command: <p> <tt> # ee /etc/sysconfig</tt> <p> About 100 lines from the top of <tt>/etc/sysconfig</tt> is the section that describes which network interfaces should be activated when the system boots. In the default configuration file the specific line that controls this is: <tscreen><verb> network_interfaces="lo0" </verb></tscreen> <p>You'll need to amend this line to tell FreeBSD that you want to add another device, namely the '<tt/ed0/' device. Change this line to read: <tscreen><verb> network_interfaces="lo0 ed0" </verb></tscreen> <p>(Note the space between the definition for the loopback device ("lo0") and the Ethernet device ("<tt/ed0/")! <p><em><bf> Reminder: If your Ethernet card isn't named '<tt/ed0/', specify the correct device name here instead.</bf></em> <p>If you performed the installation of FreeBSD over a network connection then the '<tt/network_interfaces=/' line may already include a reference to your Ethernet adapter. If it is, verify that it is the correct device name. <p>Specify the Interface Settings for the Ethernet device ('<tt/ed0/'): <p>Beneath the line that specifies which interfaces should be activated are the lines that specify the actual settings for each interface. 
In the default <tt>/etc/sysconfig</tt> file is a single line that says: <tscreen><verb> ifconfig_lo0="inet localhost" </verb></tscreen> <p>You'll need to add another line after that to specify the settings for your '<tt/ed0/' device. <p>If you performed the installation of FreeBSD over a network connection then there may already be an '<tt>ifconfig_ed0=</tt>' line after the loopback definition. If so, verify that it has the correct values. <p>For our sample configuration we'll insert a line immediately after the loopback device definition that says: <tscreen><verb> ifconfig_ed0="inet 192.168.1.1 netmask 255.255.255.0" </verb></tscreen> <p>When you've finished editing <tt>/etc/sysconfig</tt> to specify and configure the network interfaces the section should look really close to: <tscreen><verb> --- network_interfaces="lo0 ed0" ifconfig_lo0="inet localhost" ifconfig_ed0="inet 192.168.1.1 netmask 0xffffff00" --- </verb></tscreen> <p>Once all of the necessary changes to <tt>/etc/sysconfig</tt> have been made, press the 'Esc' key to invoke the control menu. Select "leave editor" and be sure to select "save changes" when prompted. <sect1> <heading>Enabling Packet Forwarding</heading> <p>By default the FreeBSD system will not forward IP packets between various network interfaces. In other words, routing functions (also known as gateway functions) are disabled. <p>If your intent is to use a FreeBSD system as stand-alone Internet workstation and not as a gateway between LAN nodes and your ISP you should skip forward to Section 3.4, "Creating the List of Other LAN Hosts". <p>If you intend for the PPP program to service the local FreeBSD box as well as LAN workstations (as a router) you'll need to enable IP forwarding. <p>To enable IP Packet forwarding you'll need to edit the <tt>/etc/sysconfig</tt> file. 
Load this file into your editor with the following command: <tscreen><verb> # ee /etc/sysconfig </verb></tscreen> <p>About 250 lines down from the top of the file will be the configuration section which controls IP forwarding, which will look like: <tscreen><verb> ===== # If you want this host to be a gateway, set to YES. gateway=NO ===== </verb></tscreen> <p>Change this line to read: <tscreen><verb> ===== # If you want this host to be a gateway, set to YES. gateway=YES ===== </verb></tscreen> and exit the editor (saving the changes!). <p><em><bf>NOTE: This line may already be set to '<tt/gateway=YES/' if IP forwarding was enabled when the FreeBSD system was installed.</bf></em> <sect1> <heading>Creating the List of other LAN Hosts(<tt>/etc/hosts</tt>)</heading> <p>The final step in configuring the LAN side of the FreeBSD system is to create a list of the names and TCP/IP addresses of the various systems that are connected to the Local Area Network. This list is stored in the '<tt>/etc/hosts</tt>' file. <p>The default version of this file has only a single host name listing in it: the name and address of the loopback device ('lo0'). By networking convention, this device is always named "localhost" and always has an IP address of 127.0.0.1. (See the interface configuration example in Section 3.2.) <p>To edit the <tt>/etc/hosts</tt> file enter the following command: <tscreen><verb> # ee /etc/hosts </verb></tscreen> <p>Scroll all the way to the bottom of the file (paying attention to the comments along the way; there's some good information there!) and enter (assuming our sample network) the following IP addresses and host names: <tscreen><verb> 192.168.1.1 curly curly.my.domain # FreeBSD System 192.168.1.2 larry larry.my.domain # Windows '95 System 192.168.1.3 moe moe.my.domain # Windows for Workgroups System 192.168.1.4 shemp shemp.my.domain # Windows NT System </verb></tscreen> <p>(No changes are needed to the line for the '<tt>127.0.0.1 localhost</tt>' entry.) 
<p>Once you've entered these lines, press the 'Esc' key to invoke the control menu. Select "leave editor" and be sure to select "save changes" when prompted. <sect1> <heading>Testing the FreeBSD system</heading> <p>Congratulations! Once you've made it to this point, the FreeBSD system is configured as a network-connected UNIX system! If you made any changes to the <tt>/etc/sysconfig</tt> file you should probably re-boot your FreeBSD system. This will accomplish two important objectives: <itemize> <item>Allow the changes to the interface configurations to be applied, and <item>Verify that the system restarts without any glaring configuration errors. </itemize> Once the system has been rebooted you should test the network interfaces. <p> <sect2> <heading>Verifying the operation of the loopback device</heading> <p>To verify that the loopback device is configured correctly, log in as 'root' and enter: <tscreen><verb> # ping localhost </verb></tscreen> <p>You should see: <tscreen><verb> # ping localhost PING localhost.my.domain. (127.0.0.1): 56 data bytes 64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.219 ms 64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.287 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=255 time=0.214 m [...] </verb></tscreen> messages scroll by until you hit Ctrl-C to stop the madness. <sect2> <heading>Verifying the operation of the Ethernet Device</heading> <p>To verify that the Ethernet device is configured correctly, enter: <tscreen><verb> # ping curly </verb></tscreen> You should see: <tscreen><verb> # ping curly PING curly.my.domain. (192.168.1.1): 56 data bytes 64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.219 ms 64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.200 ms 64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.187 ms [...] </verb></tscreen> messages. <p>One important thing to look at in these two examples is that the names (loopback and curly) correctly correlate to their IP addresses (127.0.0.1 and 192.168.1.1). 
This verifies that the <tt>/etc/hosts</tt> files is correct. <p>If the IP address for "curly" isn't 192.168.1.1 or the address for "localhost" isn't 127.0.0.1, return to Section 3.4 and review your entries in '<tt>/etc/hosts</tt>'. <p>If the names and addresses are indicated correctly in the result of the ping command but there are errors displayed then something is amiss with the interface configuration(s). Return to Section 3.1 and verify everything again. <p>If everything here checks out, proceed with the next section. </sect> <sect> <heading>Configuring the PPP Dial-Out Connection</heading> <p>There are two basic modes of operation of the ppp driver: "Interactive" and "Automatic". In Interactive mode you:<p> <itemize> <item>Manually establish a connection to your ISP, <item>Browse, surf, transfer files and mail, etc..., <item>Manually disconnect from your ISP. </itemize> <p>In Automatic mode, the PPP program silently watches what goes on inside the FreeBSD system and automagically connects and disconnects with your ISP as required to make the Internet a seamless element of your network. <p>In this section we'll address the configuration(s) for both modes with emphasis on configuring your `ppp` environment to operate in "Automatic" mode. <sect1> <heading>Backing up the original PPP configuration files</heading> <p>Before making any changes to the files which are used by PPP you should make a copy of the default files that were created when the FreeBSD system was installed. Log in as the 'root' user and perform the following steps: Change to the '<tt>/etc</tt> directory: <p><tt># cd /etc</tt> Make a backup copy the original files in the 'ppp' directory: <p><tt># cp -R ppp ppp.ORIGINAL</TT> <p>You should now be able to see both a '<tt>ppp</tt>' and a '<tt>ppp.ORIGINAL</tt>' subdirectory in the '<tt>/etc</tt>' directory. 
<sect1> <heading>Create your own PPP configuration files</heading> <p>By default, the FreeBSD installation process creates a number of sample configuration files in the /etc/ppp directory. Please take some time to review these files; they were derived from working systems and represent the features and capabilities of the PPP program. <p>I <em/strongly/ encourage you to learn from these sample files and apply them to your own configuration as necessary. <p>For detailed information about the `ppp` program, read the ppp manpage: <tscreen><verb> # man ppp </verb></tscreen> <p>For detailed information about the `chat` scripting language used by the PPP dialer, read the chat manpage: <tscreen><verb> # man chat </verb></tscreen> <p>The remainder of this section describes the recommended contents of the PPP configuration files. <sect2> <heading>The '<tt>/etc/ppp/ppp.conf</tt>' file</heading> <p>The '<tt>/etc/ppp/ppp.conf</tt>' file contains the information and settings required to set up a dial-out PPP connection. More than one configuration may be contained in this file. The FreeBSD handbook (XXX URL? XXX) describes the contents and syntax of this file in detail. <p>This section will describe only the minimal configuration to get a dial-out connection working. <p>Below is the /etc/ppp/ppp.conf file that we'll be using to provide a dial-out Internet gateway for our example LAN: <tscreen><verb> ################################################################ # PPP Configuration File ('/etc/ppp/ppp.conf') # # Default settings; These are always executed always when PPP # is invoked and apply to all system configurations. 
################################################################ default: set device /dev/cuaa0 set speed 57600 disable pred1 deny pred1 disable lqr deny lqr set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0M0 OK-AT-OK\\dATDT\\T TIMEOUT 40 CONNECT" set redial 3 10 # # ################################################################ # # For interactive mode use this configuration: # # Invoke with `ppp -alias interactive` # ################################################################ interactive: set authname Your_User_ID_On_Remote_System set authkey Your_Password_On_Remote_System set phone 1-800-123-4567 set timeout 300 set openmode active accept chap # ################################################################ # # For demand-dial (automatic) mode we'll use this configuration: # # Invoke with: 'ppp -auto -alias demand' # ################################################################ demand: set authname Your_User_ID_On_Remote_System set authkey Your_Password_On_Remote_System set phone 1-800-123-4567 set timeout 300 set openmode active accept chap set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0 add 0 0 127.2.2.2 ################################################################ # End of /etc/ppp/ppp.conf </verb></tscreen> This file, taken verbatim from a working system, has three relevant configuration sections: <sect3> <heading>The "<tt>default</tt>" Section</heading> <p>The '<tt>default:</tt>' section contains the values and settings used by every other section in the file. Essentially, this section is implicitly added to the configuration lines to each other section. <p>This is a good place to put "global defaults" applicable to all dial-up sessions; especially modem settings and dialing prefixes which typically don't change based on which destination system you're connecting to. 
<p>Following are the descriptions of each line in the "default" section of the sample '<tt>/etc/ppp/ppp.conf</tt>' file: <tscreen><verb> set device /dev/cuaa0 </verb></tscreen> This statement informs the PPP program that it should use the first serial port. Under FreeBSD the '<tt>/dev/cuaa0</tt>' device is the same port that's known as "<tt>COM1:</tt>" under DOS, Windows, Windows 95, etc.... <p>If your modem is on <tt>COM2:</tt> you should specify '<tt>/dev/cua01</tt>; <tt>COM3:</tt> would be '<tt>/dev/cua02</tt>'. <tscreen><verb> set speed 57600 </verb></tscreen> This line sets the transmit and receive speed for the connection between the serial port and the modem. While the modem used for this configuration is only a 28.8 device, setting this value to 57600 lets the serial link run at a higher rate to accommodate higher throughput as a result of the data compression built into late-model modems. If you have trouble communicating with your modem, try setting this value to 38400 or even as low as 19200. <tscreen><verb> disable pred1 deny pred1 </verb></tscreen> These two lines disable the "CCP/Predictor type 1" compression features of the PPP program. The current version of `ppp` supports data compression in accordance with draft Internet standards. Unfortunately many ISPs use equipment that does not support this capability. Since most modems try to perform on-the-fly compression anyway you're probably not losing much performance by disabling this feature on the FreeBSD side and denying the remote side from forcing it on you. <tscreen><verb> disable lqr deny lqr </verb></tscreen> These two lines control the "Line Quality Reporting" functions which are part of the complete Point-to-Point (PPP) protocol specification. (See RFC-1989 for details.) The first line, "disable lqr", instructs the PPP program to not attempt to report line quality status to the device on the remote end. 
The second line, "deny lqr", instructs the PPP program to deny any attempts by the remote end to reports line quality. As most modern dial-up modems have automatic error correction and detection and LQR reporting is not fully implemented in many vendor's products it's generally a safe bet to include these two lines in the default configuration. <tscreen><verb> set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0M0 OK-AT-OK\\dATDT\\T TIMEOUT 40 CONNECT" </verb></tscreen> <em>NOTE: (This statement should appear on a single line; ignore any line wrapping that may appear in this document.)</em> This line instructs the PPP program how to dial the modem and specifies some rudimentary guidelines for doing so: <itemize> <item>Attempts to dial should fail if the modem returns a "BUSY" result code, <item>Attempts to dial should also fail if the modem returns a "NO CARRIER" result code, <item>The PPP program should expect each of the following events to complete within a 5-second timeout period: <itemize> <item>The PPP program will initially expect nothing (specified above by the \"\" portion of the statement) from the modem <item>The program will send the modem initialization string "ATE1Q0M0" to the modem and await a response of "OK". If a response is not received, the program should send an attention command to the modem ("AT") and look again for a response of "OK", <item>The program should delay for one second (specified by the "\\d" part of the statement, and send the dialing string to the modem. The "ATDT" portion of the statement is the standard modem prefix to dial using tone-dialing; if you do not have touch-tone service on your local phone line, replace the "ATDT" with "ATDP". The "\\T" string is a placeholder for the actual phone number (which will be automatically inserted as specified by the "set dial 123-4567"). 
</itemize> <item>Finally, before a (maximum) timeout of 40 seconds, the PPP program should expect to see a "CONNECT" result code returned from the modem. </itemize> A failure at any point in this dialog will be interpreted as a dialing failure and the PPP program will fail to connect. (For a detailed description of the mini-scripting language used by the PPP dialer, refer to the "chat" manpage.) <tscreen><verb> set redial 3 10 </verb></tscreen> This line specifies that if a dial connection cannot immediately be made the PPP program should retry (up to 3 times if necessary) with a delay of 10 seconds between redialing attempts. <sect3> <heading>The "<tt>interactive</tt>" Section</heading> <p>The '<tt>interactive:</tt>' section contains the values and settings used to set up an "interactive" PPP session with a specific remote system. Settings in this section will have the lines included in the "default" section included automatically. <p>The example cited in this section of the guide presumes that you'll be connecting to a remote system that understands how to authenticate a user without any fancy scripting language. That is, this sample uses the CHAP protocol to set up the connection. <p>A good rule of thumb is that if the Windows '95 dialer can set up a connection by just clicking the "Connect" button this sample configuration should work OK. <p>If, on the other hand, when you connect to your ISP using Microsoft Windows '95 Dial-Up Networking you need to resort to using the "Dial Up Scripting Tool" from the Microsoft Plus! pack or you have to select "Bring up a terminal windows after dialing" in the Windows '95 connection options then you'll need to look at the sample PPP configuration files and the ppp manpage for examples of "expect / -response" scripting to make your ISP connection. +response" scripting to make your ISP connection. The "set login" +command is used for this purpose. 
<p>Or even better, find an ISP who knows how to provide PAP or CHAP authentication! <p>The configuration examples shown here have been successfully used to connect to: <itemize> <item>Various Shiva LanRovers <item>The IBM Network (<url url="http://www.ibm.net">) <item>AT&T WorldNet (<url url="http://att.com/worldnet">) <item>Erol's (<url url="http://www.erols.com">) </itemize> Following are descriptions for each line in the "interactive" section of the sample '<tt>/etc/ppp/ppp.conf</tt>' file: <tscreen><verb> set authname Your_User_ID_On_Remote_System </verb></tscreen> This line specifies the name you would use to log in to the remote system. <tscreen><verb> set authkey Your_Password_On_Remote_System </verb></tscreen> This is the password you'd use to log in to the remote system. <tscreen><verb> set phone 1-800-123-4567 </verb></tscreen> This is the phone number of the remote system. If you're inside a PBX you can prepend '<tt>9, </tt>' to the number here. <tscreen><verb> set timeout 300 </verb></tscreen> This tells the PPP program that it should automatically hang up the phone if no data has be exchanged for 300 seconds (5 minutes). You may wish to tailor this number to your specific requirements. <tscreen><verb> set openmode active </verb></tscreen> This tells the PPP program that once the modems are connected it should immediately attempt to negotiate the connection. Some remote sites do this automatically, some don't. This instructs your side of the link to take the initiative and try to set up the connection. <tscreen><verb> accept chap </verb></tscreen> This tells the PPP program to use the "Challenge-Handshake Authentication Protocol" to authenticate you. The values exchanged between the local and remote side for UserID and password are taken from the 'authname' and 'authkey' entries above. 
<sect3> <heading>The "<tt>demand</tt>" Section</heading> <p>The "<tt>demand</tt>" section contains the values and settings used to set up a "Dial-on-demand" PPP session with a specific remote system. Settings in this section will also have the lines included in the "default" section included automatically. <p>Except for the last two lines in this section it is identical to the configuration section which defines the "interactive" configuration. <p>As noted in Paragraph ???, the examples cited in this section of the guide presume that you'll be connecting to a remote system that understands how to use the CHAP protocol to set up the connection. <p>Following are descriptions for each line in the "demand" section of the sample '<tt>/etc/ppp/ppp.conf</tt>' file: <tscreen><verb> set authname Your_User_ID_On_Remote_System </verb></tscreen> This line specifies the name you would use to log in to the remote system. <tscreen><verb> set authkey Your_Password_On_Remote_System </verb></tscreen> This is the password you'd use to log in to the remote system. <tscreen><verb> set phone 1-800-123-4567 </verb></tscreen> This is the phone number of the remote system. <tscreen><verb> set timeout 300 </verb></tscreen> This tells the PPP program that it should automatically hang up the phone if no data has be exchanged for 300 seconds (5 minutes). You may wish to tailor this number to your specific requirements. <tscreen><verb> set openmode active </verb></tscreen> This tells the PPP program that once the modems are connected it should immediately attempt to negotiate the connection. Some remote sites do this automatically, some don't. This instructs your side of the link to take the initiative and try to set up the connection. <tscreen><verb> accept chap </verb></tscreen> This tells the PPP program to use the "Challenge-Handshake Authentication Protocol" to authenticate you. 
The values exchanged between the local and remote side for UserID and password are taken from the 'authname' and 'authkey' entries above. <tscreen><verb> set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0 </verb></tscreen> This command sets up a pair of "fake" IP addresses for the local and remote sides of the PPP link. It instructs the PPP program to create an IP address of 127.1.1.1 for the local side of the '<tt/tun0/' (tunnel) device (refer back to section ?? for a description of this device) and 127.2.2.2 for the remote side. Appending '<tt>/0</tt>' to each address tells the PPP program that zero of the bits that make up these addresses are significant and can (in fact, must!) be negotiated between the local and remote systems when the link is established. The 255.255.255.0 string tells the PPP program what Subnet mask to apply to these pseudo-interfaces. <p>Remember, we've assumed that your ISP provides the IP addresses for both ends of the link! If your ISP assigned you a specific IP address that you should use on your side when configuring your system, enter that IP address here <em/instead/ of <tt>127.1.1.1</tt>. Conversly, if your ISP gave you a specific IP address that he uses on his end you should enter that IP address here <em/instead/ of <tt>127.2.2.2</tt>. In both cases, it's probably a good idea to leave the '<tt>/0</tt>' on the end of each address. This gives the PPP program the opportunity to change the address(es) of the link if it <em/has/ to. <tscreen><verb> add 0 0 127.2.2.2 </verb></tscreen> This last line tells the PPP program that it should add a default route for IP traffic that points to the (fake) IP address of the ISP's system. <em><bf>Note: If you used an ISP-specified address instead of <tt>127.2.2.2</tt> on the preceeding line, use the same number here instead of <tt>127.2.2.2</tt></bf></em>. 
<p>By adding this "fake" route for IP traffic, the PPP program can, while idle: <itemize> <item>Accept packets that FreeBSD doesn't already know how to forward, <item>Establish a connection to the ISP "<em/on-the-fly/", <item>Reconfigure the IP addresses of the local and remote side of the link, <item>Forward packets between your workstation and the ISP. </itemize> automatically! <p>Once the number of seconds specified by the timeout value in the "default" section have elapsed without any TCP/IP traffic the PPP program will automatically close the dial-up connection and the process will begin again. <sect2> <heading>The '<tt>/etc/ppp/ppp.linkup</tt>' file</heading> <p>The other file needed to complete the PPP configuration is found in '<tt>/etc/ppp/ppp.linkup</tt>'. This file contains instructions for the PPP program on what actions to take after a dial-up link is established. In the case of dial-on-demand configurations the PPP program will need to delete the default route that was created to the fake IP address of the remote side (127.2.2.2 in our example in the previous section) and install a new default route that points the actual IP address of the remote end (discovered during the dial-up connection setup). A representative '<tt>/etc/ppp/ppp.linkup</tt>' file: <tscreen><verb> #########################################################################= # PPP Link Up File ('/etc/ppp/ppp.linkup') # # This file is checked after PPP establishes a network connection. # # This file is searched in the following order. # # 1) First, the IP address assigned to us is searched and # the associated command(s) are executed. # # 2) If the IP Address is not found, then the label name specified at # PPP startup time is searched and the associated command(s) # are executed. # # 3) If neither of the above are found then commands under the label # 'MYADDR:' are executed. 
# #########################################################################= # # This section is used for the "demand" configuration in # /etc/ppp/ppp.conf: demand: delete ALL add 0 0 HISADDR # # All other configurations in /etc/ppp/ppp.conf use this: # MYADDR: add 0 0 HISADDR ######################################################################## # End of /etc/ppp/ppp.linkup </verb></tscreen> Notice that there is a section in this file named "demand:", identical to the configuration name used in the '<tt>/etc/ppp/ppp.conf</tt>' file. This section instructs the PPP program that once a link is established using this configuration, it must: <enum> <item>Remove any IP routing information that the PPP program has created <item>Add a default route the remote end's actual address. </enum> <p>It's critical that those configurations in '<tt>/etc/ppp/ppp.conf</tt>' which include the '<tt/set ifaddr/' and '<tt/add 0 0/' statements (i.e.: those configurations used for Dial-on-Demand configurations) execute the "delete ALL" and "add 0 0 HISADDR" commands in <tt>/etc/ppp/ppp.linkup</tt>. <p><em><bf>This is the mechanism that controls the actual on-demand configuration of the link.</bf></em> <p>All configurations not explicitly named in <tt>/etc/ppp/ppp.linkup</tt> will use whatever commands are in the "MYADDR:" section of the file. This is where non-Demand-Dial configurations (such as our "interactive:" sample) will fall through to. This section simply adds a default route to the ISP's IP address (at the remote end). <sect1> <heading>IP Aliasing</heading> <p>All of the configuration steps described thus far are relevant to any FreeBSD system which will be used to connect to an ISP via dial-up connection. <p>If your sole objective in reading this guide is to connect your FreeBSD box to the Internet using dial-out ppp you can proceed to Section 6, "Testing the Network". 
One very attractive feature of the PPP program in on-demand mode is its ability to route IP traffic between other systems on the Local Area Network automatically. This feature is known by various names, "<em/IP Aliasing/", "<em/Network Address Translation/", "<em/Address Masquerading/" or "<em/Transparent Proxying/". <p>Regardless of the terminology used, this mode is not, however, automatic. If the PPP program is started normally then the program will not forward packets between LAN interface(s) and the dial-out connection. In effect, only the FreeBSD system is connected to the ISP; other workstations cannot "share" the same connection. For example, if the program is started with either of the following command lines: <p><tt># ppp interactive (Interactive mode)</tt><p> or <p><tt># ppp -auto demand (Dial-on-Demand mode)</tt> <p>then the system will function as an Internet-connected workstation <em/only/ for the FreeBSD box. To start the PPP program as a gateway between LAN resources and the Internet, one of the following command lines would be used instead: <p><tt># ppp -alias interactive (Interactive mode)</tt><p> or <p><tt># ppp -auto -alias demand (Dial-on-Demand mode)</tt> <p>Keep this in mind if you intend to proceed with Section 5, "Configuring Windows Systems". </sect> <sect> <heading>Configuring Windows Systems</heading> <p>As indicated in Section 1, our example network consists of a FreeBSD system ("Curly") which acts as a gateway (or router) between a Local Area Network consisting of two different flavors of Windows Workstations. In order for the LAN nodes to use Curly as a router they need to be properly configured. Note that this section does not explain how to configure the Windows workstations for Dial-Up networking. If you need a good explanation of that procedure, I recommend <url url="http://www.aladdin.co.uk/techweb">. 
<sect1> <heading> Configuring Windows 95</heading> <p>Configuring Windows 95 to act as an attached resource on your LAN is relatively simple. The Windows 95 network configuration must be slightly modified to use the FreeBSD system as the default gateway to the ISP. Perform the following steps: <p><bf>Create the Windows 95 "hosts" file:</bf> <p>In order to connect to the other TCP/IP systems on the LAN you'll need to create an identical copy of the "hosts" file that you installed on the FreeBSD system in Section 3.4. <itemize> <item>Click the "Start" button; select "Run..."; enter "notepad \WINDOWS\HOSTS" (without the quotes) and click "OK" <item>In the editor, enter the addresses and system names from the hosts file shown in Section 3.4. <item>When finished editing, close the notepad application (making sure that you save the file!). </itemize> <p><bf>Configure the Windows 95 TCP/IP Network Configuation settings</bf>: <itemize> <item>Click the "Start" button on the taskbar; select "Settings" and "Control Panel". <item>Double-click the "Network" icon to open it.<p> The settings for all Network Elements are displayed. <item>With the "Configuration" tab selected, scroll down the list of installed components and highlight the "TCP/IP-><em/YourInterfaceType/" line (where "<em/YourInterfaceType/" is the name or type of Ethernet adapter in your system). <p>If TCP/IP is not listed in the list of installed network components, click the "Add" button and install it before proceeding. <p>(Hint: "Add | Protocol | Microsoft | TCP/IP | OK") <item>Click on the "Properties" button to display a list of the settings associated with the TCP component. </itemize> <p><bf>Configure the IP Address Information:</bf> <itemize> <item>Click the "IP Address" tab <item>Click the "Specify an IP address" radio button. <p>(In our example LAN the Windows 95 system is the one we've called "Larry".) <item>In the "IP Address" field enter "192.168.1.2". 
<item>Enter 255.255.255.0 in the "Subnet Mask" field. </itemize> <p><bf>Configure the Gateway information:</bf> <itemize> <item>Click on the "Gateway" tab <p>For our example network the FreeBSD box will be acting as our gateway to the Internet (routing packets between the Ethernet LAN and the PPP dial-up connection. Enter the IP address of the FreeBSD Ethernet interface, 192.168.1.1, in the "New gateway" field and click the "Add" button. If any other gateways are defined in the "Installed gateways" list you may wish to consider removing them. </itemize> <p><bf>Configure the DNS Information:</bf> <p>This guide assumes that your Internet Service Provider has given you a list of Domain Name Servers (or "DNS Servers") that you should use. If you wish to run a DNS server on your local FreeBSD system, refer to Section 6, "Exercise for the Interested Student" for tips on setting up DNS on your FreeBSD system. <itemize> <item>Click the "DNS Configuration" tab <item>Make sure that the "Enable DNS" radio button is selected. <p>(If this button is not selected only the entries that we put in the host file(s) will be available and your Net-Surfing will not work as you expect!) <item>In the "Host" field enter the name of the Windows 95 box, in this case: "Larry". <item>In the "Domain" field enter the name of our local network, in this case: "my.domain" <item>In the "DNS Server Search Order" section, enter the IP address of the DNS server(s) that your ISP provided, clicking the "Add" button after every address is entered. Repeat this step as many times as necessary to add all of the addresses that your ISP provided. </itemize> <p><bf>Other Windows 95 TCP/IP options:</bf> <p>For our purposes the settings under the "Advanced", "WINS Configuration" and "Bindings" tabs are not necessary. 
<p>If you wish to use the Windows Internet Naming Service ("WINS") your attention is invited to <url url="http://www.localnet.org"> for more information about WINS settings, specifically regarding sharing files transparently across the Internet. <p><bf>Mopping up:</bf> <itemize> <item>Click on the "OK" button to close the TCP/IP Properties window. <item>Click on the "OK" button to close the Network Control Panel. <item>Reboot your computer if prompted to do so. </itemize> <p> That's it! <sect1> <heading>Configuring Windows NT</heading> <p>Configuring Windows NT to act as a LAN resource is also relatively straightforward. The procedures for configuring Windows NT are similar to Windows 95 with minor exceptions in the user interface. <p>The steps shown here are appropriate for a Windows NT 4.0 Workstation, but the principles are the same for NT 3.5x. You may wish to refer to the "Configuring Windows for Workgroups" section if you're configuring Windows NT 3.5<it/x/, since the user interface is the same for NT 3.5 and WfW. <p>Perform the following steps: <p><bf>Create the Windows NT "hosts" file:</bf> <p>In order to connect to the other TCP/IP systems on the LAN you'll need to create an identical copy of the "hosts" file that you installed on the FreeBSD system in Section 3.4 <itemize> <item>Click the "Start" button; select "Run..."; enter "notepad \WINDOWS\SYSTEM\DRIVERS\ETC\HOSTS" (without the quotes) and click "OK" <item>In the editor, enter the addresses and system names from Section 3.4. <item>When finished editing, close the notepad application (making sure that you save the file!). </itemize> <p><bf>Configure the Windows NT TCP/IP Network Configuation settings</bf>: <itemize> <item>Click the "Start" button on the taskbar; select "Settings" and "Control Panel". <item>Double-click the "Network" icon to open it. <item>With the "Identification" tab selected, verify the "Computer Name" and "Workgroup" fields. 
In this example we'll use "Shemp" for the name and "Stooges" for the workgroup. Click the "Change" button and amend these entries as necessary. <item>Select the "Protocols" tab. <p>The installed Network Protocols will be displayed. There may be a number of protocols listed but the one of interest to this guide is the "TCP/IP Protocol". If "TCP/IP Protocol" is not listed, click the "Add" button to load it. <p>(Hint: "Add | TCP/IP Protocol | OK") <item>Highlight "TCP/IP Protocol" and click the "Properties" button. <p>Tabs for specifying various settings for TCP/IP will be displayed. </itemize> <p><bf>Configuring the IP Address:</bf> <p>Make sure that the Ethernet Interface is shown in the "Adapter" box; if not, scroll through the list of adapters until the correct interface is shown. <itemize> <item>Click the "Specify an IP address" radio button to enable the three text boxes. <p>In our example LAN the Windows NT system is the one we've called "Shemp" <item>In the "IP Address" field enter "192.168.1.4". <item>Enter 255.255.255.0 in the "Subnet Mask" field. </itemize> <p><bf>Configure the Gateway information:</bf> <p>For our example network the FreeBSD box will be acting as our gateway to the Internet (routing packets between the Ethernet LAN and the PPP dial-up connection. <itemize> <item>Enter the IP address of the FreeBSD Ethernet interface, 192.168.1.1, in the "New gateway" field and click the "Add" button. <p>If any other gateways are defined in the "Installed gateways" list you may wish to consider removing them. </itemize> <p><bf>Configuring DNS:</bf> <p>Again, this guide assumes that your Internet Service Provider has given you a list of Domain Name Servers (or "DNS Servers") that you should use. If you wish to run a DNS server on your local FreeBSD system, refer to Section 6, "Exercise for the Interested Student" for tips on setting up DNS on your FreeBSD system. 
<itemize> <item>Click the "DNS" tab <item>In the "Host Name" field enter the name of the Windows NT box, in this case: "Shemp". <item>In the "Domain" field enter the name of our local network, in this case: "my.domain" <item>In the "DNS Server Search Order" section, enter the IP address of the DNS server that your ISP provided, clicking the "Add" button after every address is entered. Repeat this step as many times as necessary to add all of the addresses that your ISP provided. </itemize> <p><bf>Other Windows NT TCP/IP options:</bf> <p>For our purposes the settings under the "WINS Address" and "Routing" tabs are not used. <p>If you wish to use the Windows Internet Naming Service ("WINS") your attention is invited to <url url="http://www.localnet.org"> for more information about WINS settings, specifically regarding sharing files transparently across the Internet. <p><bf>Mopping up:</bf> <itemize> <item>Click on the "OK" button to close the TCP/IP Properties section. <item>Click on the "Close" button to close the Network Control Panel. <item>Restart your computer if prompted to do so. </itemize> <p>That's it! <sect1> <heading>Configuring Windows for Workgroups</heading> <p>Configuring Windows for Workgroups to act as a network client requires that the Microsoft TCP/IP-32 driver diskette has been installed on the workstation. The TCP/IP drivers are not included with the WfW CD or diskettes; if you need a copy they're available at <url url="ftp://ftp.microsoft.com:/peropsys/windows/public/tcpip">. <p>Once the TCP/IP drivers have been loaded, perform the following steps: <p><bf>Create the Windows for Workgroups "hosts" file:</bf> <p>In order to connect to the other TCP/IP systems on the LAN you'll need to create an identical copy of the "hosts" file that you installed on the FreeBSD system in Section 3.4. 
<itemize> <item>In Program Manager, click the "File" button; select "Run"; and enter: "notepad \WINDOWS\HOSTS" (without the quotes) and click "OK" <item>In the editor, enter the addresses and system names from the hosts file shown in Section 3.4. <item>When finished editing, close the notepad application (making sure that you save the file!). </itemize> <p><bf>Configure the Windows 95 TCP/IP Network Configuation settings</bf> <itemize> <item>In the main window of Program Manager, open the "Network" group by double-clicking the icon. <item>Double click on the "Network Setup" icon. <item>In the "Network Drivers Box" double-click the "Microsoft TCP/IP-32" entry. </itemize> <p><bf>Configure the Windows for Workgroups IP Address:</bf> <p>Ensure the correct Ethernet Interface is selected in the "Adapter" list. If not, scroll down until it is displayed and select it by clicking on it. <itemize> <item>Ensure that the "Enable Automatic DHCP Configuration" check box is blank. If it is checked, click it to remove the "X". <item>In our example LAN the Windows for Workgroups system is the one we've called "Moe"; in the "IP Address" field enter "192.168.1.3". <item>Enter 255.255.255.0 in the "Subnet Mask" field. </itemize> <p><bf>Configure the Gateway information:</bf> <p>For our example network the FreeBSD box will be acting as our gateway to the Internet (routing packets between the Ethernet LAN and the PPP dial-up connection). <itemize> <item>Enter the IP address of the FreeBSD system, 192.168.1.1, in the "Default Gateway" field. </itemize> <p><bf>Configuring DNS:</bf> <p>Again, this guide assumes that your Internet Service Provider has given you a list of Domain Name Servers (or "DNS Servers") that you should use. If you wish to run a DNS server on your local FreeBSD system, refer to Section 6, "Exercise for the Interested Student" for tips on setting up DNS on your FreeBSD system. <itemize> <item>Click the "DNS" button. 
<item>In the "Host Name" field enter the name of the Windows for Workgroups box, in this case: "Moe". <item>In the "Domain" field enter the name of our local network, in this case: "my.domain" <item>In the "Domain Name Service (DNS) Search Order" section, enter the IP address of the DNS server that your ISP provided, clicking the "Add" button after each address is entered. Repeat this step as many times as necessary to add all of the addresses that your ISP provided. <item>Click on the "OK" button to close the DNS Configuration window. </itemize> <p><bf>Mopping up:</bf> <itemize> <item>Click on the "OK" button to close the TCP/IP Configuration window. <item>Click on the "OK" button to close the Network Setup window. <item>Reboot your computer if prompted. </itemize> <p>That's it! <sect> <heading>Testing the Network</heading> <p> Once you've completed that appropriate tasks above you should have a functioning PPP gateway to the Internet. <sect1> <heading>Testing the Dial-Up link:</heading> <p> The first thing to test is that the connection is being made between your modem and the ISP. <sect1> <heading>Testing the Ethernet LAN</heading> <p> *** TBD *** </sect> <sect> <heading>Exercises for the Interested Student</heading> <p> <sect1> <heading>Creating a mini-DNS system</heading> <p>While managing a Domain Name Service (DNS) hierarchy can be a black art, it is possible to set up a Mini-DNS server on the FreeBSD system that also acts as your gateway to your ISP. <p>Building on the files in <tt>/etc/namedb</tt> when the FreeBSD system was installed it's possible to create a name server that is both authoritative for the example network shown here as well as a front-door to the Internet DNS architecture. 
<p>In this minimal DNS configuration, only three files are necessary: <tscreen><verb> /etc/namedb/named.boot /etc/namedb/named.root /etc/namedb/mydomain.db </verb></tscreen> <p>The <tt>/etc/namedb/named.root</tt> file is automatically installed as part of the FreeBSD base installation; the other two files must be created manually. <sect2> <heading>The <tt>/etc/namedb/named.boot</tt> file</heading> <p>The <tt>/etc/namedb/named.boot</tt> file controls the startup settings of the DNS server. Esentially, it tells the Name Server: <enum> <item>Where to find configuration files, <item>What "domain names" it's responsible for, and <item>Where to find other DNS servers. </enum> <p>Using the '<tt/ee/' editor, create a <tt>/etc/namedb/named.boot</tt> with the following contents: <tscreen><verb> ; boot file for mini-name server directory /etc/namedb ; type domain source host/file backup file cache . named.root primary my.domain. mydomain.db </verb></tscreen> <p>Lines that begin with a semi-colon are comments. The significant lines in this file are: <itemize> <item><tt>directory /etc/namedb</tt> <p>Tells the Name Server where to find the configuration files referenced in the remaining sections of the '<tt>/etc/namedb/named.boot</tt>' file. <item><tt>cache . named.root</tt> <p>Tells the Name Server that the list of "Top-Level" DNS servers for the Internet can be found in a file called '<tt>named.root</tt>'. (This file is included in the base installation and its contents are not described in this document.) <item><tt>primary my.domain. mydomain.db</tt> <p>Tells the Name Server that it will be "authoritative" for a DNS domain called "my.domain" and that a list of names and IP addresses for the systems in "my.domain" (the local network) can be found in a file named '<tt>mydomain.db</tt>'. </itemize> <p>Once the <tt>/etc/namedb/named.boot</tt> file has been created and saved, proceed to the next section to create the <tt>/etc/namedb/mydomain.db</tt> file. 
<sect2> <heading>The <tt>/etc/namedb/mydomain.db</tt> file</heading> <p>The <tt>/etc/namedb/mydomain.db</tt> file lists the names and IP addresses of <em/every/ system in the Local Area Network. <p><em>For a detailed description of the statements used in this file, refer to the <tt/named/ manpage.</em> <p>The <tt>/etc/namedb/mydomain.db</tt> file for our minimal DNS server has the following contents: <tscreen><verb> @ IN SOA my.domain. root.my.domain. ( 961230 ; Serial 3600 ; Refresh 300 ; Retry 3600000 ; Expire 3600 ) ; Minimum IN NS curly.my.domain. curly.my.domain. IN A 192.168.1.1 # The FreeBSD box larry.my.domain. IN A 192.168.1.2 # The Win'95 box moe.my.domain. IN A 192.168.1.3 # The WfW box shemp.my.domain. IN A 192.168.1.4 # The Windows NT box $ORIGIN 1.168.192.IN-ADDR.ARPA IN NS curly.my.domain. 1 IN PTR curly.my.domain. 2 IN PTR larry.my.domain. 3 IN PTR moe.my.domain. 4 IN PTR shemp.my.domain. $ORIGIN 0.0.127.IN-ADDR.ARPA IN NS curly.my.domain. 1 IN PTR localhost.my.domain. </verb></tscreen> <p>In simple terms, this file declares that the local DNS server is: <itemize> <item>The Start of Authority for ("SOA") for a domain called 'my.domain', <item>The Name Server ("NS") for 'my.domain', <item>Responsible for the reverse-mapping for all IP addresses that start with '192.168.1.' and '127.0.0.' ("$ORIGIN ...") </itemize> <p>To add workstation entries to this file you'll need to add two lines for each system; one in the top section where the name(s) are mapped into Internet Addresses ("IN A"), and another line that maps the addresses back into names in the <tt>$ORIGIN 1.168.192.IN-ADDR.ARPA</tt> section. <sect2> <heading>Starting the DNS Server</heading> <p>By default the DNS server ('<tt>/usr/sbin/named</tt>') is not started when the system boots. You can modify this behavior by changing a single line in '<tt>/etc/sysconfig</tt>' as follows: <p> Using the '<tt/ee/' editor, load <tt>/etc/sysconfig</tt>. 
Scroll down approximately 200 lines until you come to the section that says: <tscreen><verb> --- # Set to appropriate flags for named, if you have a full-time # connection to the Internet. # For most hosts, flags should be "-b /etc/namedb/named.boot" namedflags="NO" --- </verb></tscreen> Change this section to read: <tscreen><verb> --- # Set to appropriate flags for named, if you have a full-time # connection to the Internet. # For most hosts, flags should be "-b /etc/namedb/named.boot" namedflags="-b /etc/namedb/named.boot" --- </verb></tscreen> Save the file and reboot. Alternatively, start the Name Server daemon by entering the following command: <tscreen><verb> # named -b /etc/namedb/named.boot </verb></tscreen> <p>Whenever you modify any of the files in <tt>/etc/namedb</tt> you'll need to kick-start the Name Server process to make it pick up the modifications. This is performed with the following system command: <tscreen><verb> # kill -HUP `cat /var/run/named.pid` </verb></tscreen> <sect1> <heading>Playing with PPP filters</heading> <p>The PPP program has the ability to apply selected filtering rules to the traffic it routes. While this is not nearly as secure as a formal firewall it does provide some access control as to how the link is used. <p>('<tt>man ipfw</tt>' for information on setting up a more secure FreeBSD system.) <p>The complete documentation for the various filters and rules under PPP are availabe in the PPP manpage. <p>There are four distinct classes of rules which may be applied to the PPP program: <itemize> <item><tt/afilter/ - Access Counter (or "Keep Alive") filters <p>These control which events are ignored by the <tt/set timeout=/ statement in the configuration file. <item><tt/dfilter/ - Dialing filters <p>These filtering rules control which events are ignored by the demand-dial mode of PPP. <item><tt/ifilter/ - Input filters <p>Control whether incoming packets should be discarded or passed into the system. 
<item><tt/ofilter/ - Output filters <p>Control whether outgoing packets should be discarded or passed into the system. </itemize> <p> What follows is a snippet from an operating system which provides a good foundation for "normal" Internet operations while preventing PPP from pumping <em/all/ data over the dial-up connection. Comments briefly describe the logic of each rule set: <tscreen><verb> # # KeepAlive filters # Don't keep Alive with ICMP,DNS and RIP packet # set afilter 0 deny icmp set afilter 1 deny udp src eq 53 set afilter 2 deny udp dst eq 53 set afilter 3 deny udp src eq 520 set afilter 4 deny udp dst eq 520 set afilter 5 permit 0/0 0/0 # # Dial Filters: # Note: ICMP will trigger a dial-out in this configuration! # set dfilter 0 permit 0/0 0/0 # # Allow ident packet pass through # set ifilter 0 permit tcp dst eq 113 set ofilter 0 permit tcp src eq 113 # # Allow telnet connection to the Internet # set ifilter 1 permit tcp src eq 23 estab set ofilter 1 permit tcp dst eq 23 # # Allow ftp access to the Internet # set ifilter 2 permit tcp src eq 21 estab set ofilter 2 permit tcp dst eq 21 set ifilter 3 permit tcp src eq 20 dst gt 1023 set ofilter 3 permit tcp dst eq 20 # # Allow access to DNS lookups # set ifilter 4 permit udp src eq 53 set ofilter 4 permit udp dst eq 53 # # Allow DNS Zone Transfers # set ifilter 5 permit tcp src eq 53 set ofilter 5 permit tcp dst eq 53 # # Allow access from/to local network # set ifilter 6 permit 0/0 192.168.1.0/24 set ofilter 6 permit 192.168.1.0/24 0/0 # # Allow ping and traceroute response # set ifilter 7 permit icmp set ofilter 7 permit icmp set ifilter 8 permit udp dst gt 33433 set ofilter 9 permit udp dst gt 33433 # # Allow cvsup # set ifilter 9 permit tcp src eq 5998 set ofilter 9 permit tcp dst eq 5998 set ifilter 10 permit tcp src eq 5999 set ofilter 10 permit tcp dst eq 5999 # # Allow NTP for Time Synchronization # set ifilter 11 permit tcp src eq 123 dst eq 123 set ofilter 11 permit tcp src eq 123 dst eq 123 set 
ifilter 12 permit udp src eq 123 dst eq 123 set ofilter 12 permit udp src eq 123 dst eq 123 # # SMTP'd be a good idea! # set ifilter 13 permit tcp src eq 25 set ofilter 13 permit tcp dst eq 25 # # # We use a lot of `whois`, let's pass that # set ifilter 14 permit tcp src eq 43 set ofilter 14 permit tcp dst eq 43 set ifilter 15 permit udp src eq 43 set ofilter 15 permit udp dst eq 43 # # If none of above rules matches, then packet is blocked. #------- </verb></tscreen> <p>Up to 20 distinct filtering rules can be applied to each class of filter. Rules in each class are number sequentially from 0 to 20 <em/but none of the rules for a particular filter class take affect until ruleset '0' is defined!/ <p>If you choose <em/not/ to use Filtering Rules in the PPP configuration then <em/ALL/ traffic will be permitted both into and out of your system while it's connected to your ISP. If you decide that you want to implement filtering rules, add the above lines to your <tt>/etc/ppp/ppp.conf</tt> file in either the "default:", "demand:", or "interactive:" section (or all of them - the choice is yours). </sect> </article> diff --git a/en_US.ISO_8859-1/tutorials/ppp/ppp.sgml b/en_US.ISO_8859-1/tutorials/ppp/ppp.sgml index 8edeb42750..cbe3c327ec 100644 --- a/en_US.ISO_8859-1/tutorials/ppp/ppp.sgml +++ b/en_US.ISO_8859-1/tutorials/ppp/ppp.sgml 
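Review bot: In the "Playing with PPP filters" listing, "set ofilter 9" is defined twice: once as "set ofilter 9 permit udp dst gt 33433" under "Allow ping and traceroute response" and again as "set ofilter 9 permit tcp dst eq 5998" under "Allow cvsup". Each rule number is a single slot (the surrounding text says rules in a class are numbered sequentially), so the second definition replaces the first, outbound traceroute probes fall through to the closing "If none of above rules matches, then packet is blocked", and slot 8 of the ofilter class is never defined; the traceroute rule should read "set ofilter 8 permit udp dst gt 33433" to pair with "set ifilter 8". In the same listing the NTP block permits tcp port 123 alongside udp; NTP is carried over UDP, so the tcp pair is dead weight and should be dropped. Three smaller documentation points in this hunk: the ofilter bullet says outgoing packets are "passed into the system" (copied from the ifilter bullet; it should say out of the system); "Up to 20 distinct filtering rules" and "numbered sequentially from 0 to 20" describe 20 and 21 slots respectively, so one of the two numbers is wrong; and in the mydomain.db sample the A records carry trailing comments of the form "# The FreeBSD box" while the SOA block uses ";", and "#" is not a comment introducer in the master-file format (RFC 1035 uses ";"), so those four lines will not parse as intended. Loose ends that should be closed before this ships: "As noted in Paragraph ???" and "refer back to section ??" in the "demand" section, "*** TBD ***" under "Testing the Ethernet LAN", the stray "=" terminating the "####" banner lines in the ppp.linkup sample (it looks like quoted-printable soft-break residue), and the section numbering, which calls "Exercise for the Interested Student" Section 6 in the Windows sections but "Testing the Network" Section 6 in the IP Aliasing section.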
@@ -1,1736 +1,1737 @@ <!DOCTYPE linuxdoc PUBLIC "-//FreeBSD//DTD linuxdoc//EN"> -<!-- $Id: ppp.sgml,v 1.3 1997-01-21 05:49:54 jkh Exp $ --> +<!-- $Id: ppp.sgml,v 1.4 1997-12-30 02:47:15 brian Exp $ --> <article> <title>PPP - Pedantic PPP Primer <author>Maintainer: Steve Sims <tt><htmlurl url="mailto:SimsS@IBM.NET" name="<SimsS@IBM.NET>"></tt> -<date>$Date: 1997-01-21 05:49:54 $ +<date>$Date: 1997-12-30 02:47:15 $ <abstract> This is a step-by-step guide for configuring FreeBSD systems to act as a dial-up router/gateway in a Local Area Environment. All entries may be assumed to be relevant to FreeBSD 2.2+, unless otherwise noted. </abstract> <toc> <sect> <heading>Overview:</heading> <p>The User-Mode PPP dialer in FreeBSD Version 2.2 (also known as: <it>"IIJ-PPP"</it> ) now supports Packet Aliasing for dial up connections to the Internet. This feature, also known as "<IT/Masquerading/", "<IT/IP Aliasing/", or "<IT/Network Address Translation/", allows a FreeBSD system to act as a dial- on-demand router between an Ethernet-based Local Area Network and an Internet Service Provider. Systems on the LAN can use the FreeBSD system to forward information between the Internet by means of a single dial-connection. <sect1> <heading>Purpose of this Guide.</heading> <p> This guide explains how to: <itemize> <item>Configure the FreeBSD system to support dial-out connections, <item>Share a dial-out connection with other systems in a network, <item>Configure Windows platforms to use the FreeBSD system as a gateway to the Internet. </itemize> <p> While the focus of this guide is to assist in configuring IP Aliasing, it also includes specific examples of the configuration steps necessary to configure and install each individual component; each section stands alone and may be used to assist in the configuration of various aspects of FreeBSD internetworking. 
</sect> <sect> <heading>Building the Local Area Network</heading> <p> While the ppp program can, and usually is, be configured to provide services to <em/only/ the local FreeBSD box it can also be used to serve as a "Gateway" (or "router") between other LAN-connected resources and the Internet or other Dial-Up service. <sect1> <heading>Typical Network Topology</heading> <p>This guide assumes a typical Local Area Network lashed together as follows: <verb> +---------+ ----> Dial-Up Internet Connection | FreeBSD | \ (i.e.: NetCom, AOL, AT&T, EarthLink, etc) | |-------- | "Curly" | | | +----+----+ | |----+-------------+-------------+----| <-- Ethernet Network | | | | | | +----+----+ +----+----+ +----+----+ | | | | | | | Win95 | | WFW | | WinNT | | "Larry" | | "Moe" | | "Shemp" | | | | | | | +---------+ +---------+ +---------+ </verb> <sect1> <heading>Assumptions about the Local Area Network</heading> <p>Some specific assumptions about this sample network are: <p>Three workstations and a Server are connected with Ethernet cabling: <itemize> <item>a FreeBSD Server ("Curly") with an NE-2000 adapter configured as 'ed0' <item>a Windows-95 workstation ("Larry") with Microsoft's "native" 32-bit TCP/IP drivers <item>a Windows for Workgroups workstation ("Moe") with Microsoft's 16-bit TCP/IP extensions <item>a Windows NT workstation ("Shemp") with Microsoft's "native" 32-bit TCP/IP drivers </itemize> <p>The IP Addresses on the Ethernet side of this sample LAN have been taken from the pool of "reserved" addresses proposed in RFC-1597. IP addresses are assigned as follows: <verb>Name IP Address "Curly" 192.168.1.1 # The FreeBSD box "Larry" 192.168.1.2 # The Win'95 box "Moe" 192.168.1.3 # The WfW box "Shemp" 192.168.1.4 # The Windows NT box </VERB> <p>This guide assumes that the modem on the FreeBSD box is connected to the first serial port ('<tt>/dev/cuaa0</tt>' or '<tt>COM1:</tt>' in DOS-terms). 
<p>Finally, we'll also assume that your Internet Service Provider (ISP) automatically provides the IP addresses of both your PPP/FreeBSD side as well as the ISP's side. (i.e.: Dynamic IP Addresses on both ends of the link.) Specific details for configuring the Dial-Out side of PPP will be addressed in Section 2, "Configuring the FreeBSD System". </sect> <sect> <heading>FreeBSD System Configuration</heading> <p>There are three basic pieces of information that must be known to the FreeBSD box before you can proceed with integrating the sample Local Area Network: <itemize> <item>The Host Name of the FreeBSD system; in our example it's "Curly", <item>The Network configuration, <item>The <tt>/etc/hosts</tt> file (which lists the names and IP addresses of the other systems in your network) </itemize> <p>If you performed the installation of FreeBSD over a network connection some of this information may already be configured into your FreeBSD system. <p>Even if you believe that the FreeBSD system was properly configured when it was installed you should at least verify each of these bits of information to prevent trouble in subsequent steps. <sect1> <heading>Verifying the FreeBSD Host Name</heading> <p>It's possible that the FreeBSD host name was specified and saved when the system was initially installed. To verify that it was, enter the following command at a prompt:<p> <tscreen><verb> # hostname </verb></tscreen> <p>The name of the host FreeBSD system will be displayed on a single line. If the name looks correct (this is very subjective :-) skip ahead to Section 3.2, "Verifying the Ethernet Interface Configuration". <p>For example, in our sample network, we would see 'curly.my.domain' as a result of the `hostname` command if the name had been set correctly during, or after, installation. (At this point, don't worry too much about the ".my.domain" part, we'll sort this out later. The important part is the name up to the first dot.) 
<p>If a host name wasn't specified when FreeBSD was installed you'll probably see 'myname.my.domain` as a response. You'll need to edit <tt>/etc/sysconfig</tt> to set the name of the machine. <sect2><heading>Configuring the FreeBSD Host Name</heading> <p><em><bf>Reminder: You must be logged in as 'root' to edit the system configuration files!</bf></em> <em><bf>CAUTION: If you mangle the system configuration files, chances are your system WILL NOT BOOT correctly! Be careful!</bf></em> <p>The configuration file that specifies the FreeBSD system's host name when the system boots is in <tt>/etc/sysconfig</tt>. Use the default text editor ('<tt/ee/') to edit this file. <p>Logged in as user 'root' load <tt>/etc/sysconfig</tt> into the editor with the following command: <tscreen><verb> # ee /etc/sysconfig </verb></tscreen> <p>Using the arrow keys, scroll down until you find the line that specifies the host name of the FreeBSD system. By default, this section says: <tscreen><verb> --- # Set to the name of your host - this is pretty important! hostname=myname.my.domain --- </verb></tscreen> Change this section to say (in our example): <tscreen><verb> --- # Set to the name of your host - this is pretty important! hostname=curly.my.domain --- </verb></tscreen> Once the change to the host name has been made, press the 'Esc' key to access the command menu. Select "leave editor" and make sure to specify "save changes" when prompted. <sect1> <heading>Verifying the Ethernet Interface Configuration</heading> <p>To reiterate our basic assumption, this guide assumes that the Ethernet Interface in the FreeBSD system is named '<tt/ed0/'. This is the default for NE-1000, NE-2000, WD/SMC models 8003, 8013 and Elite Ultra (8216) network adapters. <p>Other models of network adapters may have different device names in FreeBSD. Check the FAQ for specifics about your network adapter. 
If you're not sure of the device name of your adapter, check the FreeBSD FAQ to determine the device name for the card you have and substitute that name (i.e.: '<tt/de0/', '<tt/zp0/', or similar) in the following steps. <p>As was the case with the host name, the configuration for the FreeBSD system's Ethernet Interface may have been specified when the system was installed. To display the configuration for the interfaces in your FreeBSD system (Ethernet and others), enter the following command: <tscreen><verb> # ifconfig -a </verb></tscreen> (In layman's terms: "Show me the <BF/I/nter<BF/F/ace <BF/CONFIG/uration for my network devices.") <p>An example: <tscreen><verb> # ifconfig -a ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 ether 01:02:03:04:05:06 lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500 tun0: flags=8050<POINTOPOINT,RUNNING, MULTICAST> mtu 1500 sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552 ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 inet 127.0.0.1 netmask 0xff000000 # _ </verb></tscreen> <p>In this example, the following devices were displayed:<p> <tt/ed0:/ The Ethernet Interface<p> <tt/lp0:/ The Parallel Port Interface (ignored in this guide)<p> <tt/tun0:/ The "tunnel" device; <em/This is the one user-mode ppp uses!/<p> <tt/sl0:/ The SL/IP device (ignored in this guide)<p> <tt/ppp0:/ Another PPP device (for kernel ppp; ignored in this guide)<p> <tt/lo0:/ The "Loopback" device (ignored in this guide)<p> In this example, the 'ed0' device is up and running. The key indicators are: <enum> <item>Its status is "<tt/UP/", <item>It has an Internet ("<tt/inet/") address, (in this case, 192.168.1.1) <item>It has a valid Subnet Mask ("netmask"; 0xffffff00 is the same as 255.255.255.0), and <item>It has a valid broadcast address (in this case, 192.168.1.255). 
</enum> <p>If the line for the Ethernet card had shown something similar to: <tscreen><verb> ed0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500 ether 01:02:03:04:05:06 </verb></tscreen> then the Ethernet card hasn't been configured yet. <p>If the configuration for the Ethernet interface is correct you can skip forward to Section 3.4, "Creating the list of other LAN hosts". Otherwise, proceed with the next section. <sect2> <heading>Configuring your Ethernet Interface</heading> <p><em><bf>Reminder: You must be logged in as 'root' to edit the system configuration files!</bf></em> <em><bf>CAUTION: If you mangle the system configuration files, chances are your system WILL NOT BOOT correctly! Be careful!</bf></em> <p>The configuration file that specifies settings for the network interfaces when the system boots is in <tt>/etc/sysconfig</tt>. Use the default text editor ('ee') to edit this file. <p>Logged in as user 'root' load <tt>/etc/sysconfig</tt> into the editor with the following command: <p> <tt> # ee /etc/sysconfig</tt> <p> About 100 lines from the top of <tt>/etc/sysconfig</tt> is the section that describes which network interfaces should be activated when the system boots. In the default configuration file the specific line that controls this is: <tscreen><verb> network_interfaces="lo0" </verb></tscreen> <p>You'll need to amend this line to tell FreeBSD that you want to add another device, namely the '<tt/ed0/' device. Change this line to read: <tscreen><verb> network_interfaces="lo0 ed0" </verb></tscreen> <p>(Note the space between the definition for the loopback device ("lo0") and the Ethernet device ("<tt/ed0/")! <p><em><bf> Reminder: If your Ethernet card isn't named '<tt/ed0/', specify the correct device name here instead.</bf></em> <p>If you performed the installation of FreeBSD over a network connection then the '<tt/network_interfaces=/' line may already include a reference to your Ethernet adapter. If it is, verify that it is the correct device name. 
<p>Specify the Interface Settings for the Ethernet device ('<tt/ed0/'): <p>Beneath the line that specifies which interfaces should be activated are the lines that specify the actual settings for each interface. In the default <tt>/etc/sysconfig</tt> file is a single line that says: <tscreen><verb> ifconfig_lo0="inet localhost" </verb></tscreen> <p>You'll need to add another line after that to specify the settings for your '<tt/ed0/' device. <p>If you performed the installation of FreeBSD over a network connection then there may already be an '<tt>ifconfig_ed0=</tt>' line after the loopback definition. If so, verify that it has the correct values. <p>For our sample configuration we'll insert a line immediately after the loopback device definition that says: <tscreen><verb> ifconfig_ed0="inet 192.168.1.1 netmask 255.255.255.0" </verb></tscreen> <p>When you've finished editing <tt>/etc/sysconfig</tt> to specify and configure the network interfaces the section should look really close to: <tscreen><verb> --- network_interfaces="lo0 ed0" ifconfig_lo0="inet localhost" ifconfig_ed0="inet 192.168.1.1 netmask 0xffffff00" --- </verb></tscreen> <p>Once all of the necessary changes to <tt>/etc/sysconfig</tt> have been made, press the 'Esc' key to invoke the control menu. Select "leave editor" and be sure to select "save changes" when prompted. <sect1> <heading>Enabling Packet Forwarding</heading> <p>By default the FreeBSD system will not forward IP packets between various network interfaces. In other words, routing functions (also known as gateway functions) are disabled. <p>If your intent is to use a FreeBSD system as stand-alone Internet workstation and not as a gateway between LAN nodes and your ISP you should skip forward to Section 3.4, "Creating the List of Other LAN Hosts". <p>If you intend for the PPP program to service the local FreeBSD box as well as LAN workstations (as a router) you'll need to enable IP forwarding. 
<p>To enable IP Packet forwarding you'll need to edit the <tt>/etc/sysconfig</tt> file. Load this file into your editor with the following command: <tscreen><verb> # ee /etc/sysconfig </verb></tscreen> <p>About 250 lines down from the top of the file will be the configuration section which controls IP forwarding, which will look like: <tscreen><verb> ===== # If you want this host to be a gateway, set to YES. gateway=NO ===== </verb></tscreen> <p>Change this line to read: <tscreen><verb> ===== # If you want this host to be a gateway, set to YES. gateway=YES ===== </verb></tscreen> and exit the editor (saving the changes!). <p><em><bf>NOTE: This line may already be set to '<tt/gateway=YES/' if IP forwarding was enabled when the FreeBSD system was installed.</bf></em> <sect1> <heading>Creating the List of other LAN Hosts(<tt>/etc/hosts</tt>)</heading> <p>The final step in configuring the LAN side of the FreeBSD system is to create a list of the names and TCP/IP addresses of the various systems that are connected to the Local Area Network. This list is stored in the '<tt>/etc/hosts</tt>' file. <p>The default version of this file has only a single host name listing in it: the name and address of the loopback device ('lo0'). By networking convention, this device is always named "localhost" and always has an IP address of 127.0.0.1. (See the interface configuration example in Section 3.2.) <p>To edit the <tt>/etc/hosts</tt> file enter the following command: <tscreen><verb> # ee /etc/hosts </verb></tscreen> <p>Scroll all the way to the bottom of the file (paying attention to the comments along the way; there's some good information there!) 
and enter (assuming our sample network) the following IP addresses and host names: <tscreen><verb> 192.168.1.1 curly curly.my.domain # FreeBSD System 192.168.1.2 larry larry.my.domain # Windows '95 System 192.168.1.3 moe moe.my.domain # Windows for Workgroups System 192.168.1.4 shemp shemp.my.domain # Windows NT System </verb></tscreen> <p>(No changes are needed to the line for the '<tt>127.0.0.1 localhost</tt>' entry.) <p>Once you've entered these lines, press the 'Esc' key to invoke the control menu. Select "leave editor" and be sure to select "save changes" when prompted. <sect1> <heading>Testing the FreeBSD system</heading> <p>Congratulations! Once you've made it to this point, the FreeBSD system is configured as a network-connected UNIX system! If you made any changes to the <tt>/etc/sysconfig</tt> file you should probably re-boot your FreeBSD system. This will accomplish two important objectives: <itemize> <item>Allow the changes to the interface configurations to be applied, and <item>Verify that the system restarts without any glaring configuration errors. </itemize> Once the system has been rebooted you should test the network interfaces. <p> <sect2> <heading>Verifying the operation of the loopback device</heading> <p>To verify that the loopback device is configured correctly, log in as 'root' and enter: <tscreen><verb> # ping localhost </verb></tscreen> <p>You should see: <tscreen><verb> # ping localhost PING localhost.my.domain. (127.0.0.1): 56 data bytes 64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.219 ms 64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.287 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=255 time=0.214 m [...] </verb></tscreen> messages scroll by until you hit Ctrl-C to stop the madness. 
<sect2> <heading>Verifying the operation of the Ethernet Device</heading> <p>To verify that the Ethernet device is configured correctly, enter: <tscreen><verb> # ping curly </verb></tscreen> You should see: <tscreen><verb> # ping curly PING curly.my.domain. (192.168.1.1): 56 data bytes 64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.219 ms 64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.200 ms 64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.187 ms [...] </verb></tscreen> messages. <p>One important thing to look at in these two examples is that the names (loopback and curly) correctly correlate to their IP addresses (127.0.0.1 and 192.168.1.1). This verifies that the <tt>/etc/hosts</tt> files is correct. <p>If the IP address for "curly" isn't 192.168.1.1 or the address for "localhost" isn't 127.0.0.1, return to Section 3.4 and review your entries in '<tt>/etc/hosts</tt>'. <p>If the names and addresses are indicated correctly in the result of the ping command but there are errors displayed then something is amiss with the interface configuration(s). Return to Section 3.1 and verify everything again. <p>If everything here checks out, proceed with the next section. </sect> <sect> <heading>Configuring the PPP Dial-Out Connection</heading> <p>There are two basic modes of operation of the ppp driver: "Interactive" and "Automatic". In Interactive mode you:<p> <itemize> <item>Manually establish a connection to your ISP, <item>Browse, surf, transfer files and mail, etc..., <item>Manually disconnect from your ISP. </itemize> <p>In Automatic mode, the PPP program silently watches what goes on inside the FreeBSD system and automagically connects and disconnects with your ISP as required to make the Internet a seamless element of your network. <p>In this section we'll address the configuration(s) for both modes with emphasis on configuring your `ppp` environment to operate in "Automatic" mode. 
<sect1> <heading>Backing up the original PPP configuration files</heading> <p>Before making any changes to the files which are used by PPP you should make a copy of the default files that were created when the FreeBSD system was installed. Log in as the 'root' user and perform the following steps: Change to the '<tt>/etc</tt> directory: <p><tt># cd /etc</tt> Make a backup copy the original files in the 'ppp' directory: <p><tt># cp -R ppp ppp.ORIGINAL</TT> <p>You should now be able to see both a '<tt>ppp</tt>' and a '<tt>ppp.ORIGINAL</tt>' subdirectory in the '<tt>/etc</tt>' directory. <sect1> <heading>Create your own PPP configuration files</heading> <p>By default, the FreeBSD installation process creates a number of sample configuration files in the /etc/ppp directory. Please take some time to review these files; they were derived from working systems and represent the features and capabilities of the PPP program. <p>I <em/strongly/ encourage you to learn from these sample files and apply them to your own configuration as necessary. <p>For detailed information about the `ppp` program, read the ppp manpage: <tscreen><verb> # man ppp </verb></tscreen> <p>For detailed information about the `chat` scripting language used by the PPP dialer, read the chat manpage: <tscreen><verb> # man chat </verb></tscreen> <p>The remainder of this section describes the recommended contents of the PPP configuration files. <sect2> <heading>The '<tt>/etc/ppp/ppp.conf</tt>' file</heading> <p>The '<tt>/etc/ppp/ppp.conf</tt>' file contains the information and settings required to set up a dial-out PPP connection. More than one configuration may be contained in this file. The FreeBSD handbook (XXX URL? XXX) describes the contents and syntax of this file in detail. <p>This section will describe only the minimal configuration to get a dial-out connection working. 
<p>Below is the /etc/ppp/ppp.conf file that we'll be using to provide a dial-out Internet gateway for our example LAN: <tscreen><verb> ################################################################ # PPP Configuration File ('/etc/ppp/ppp.conf') # # Default settings; These are always executed always when PPP # is invoked and apply to all system configurations. ################################################################ default: set device /dev/cuaa0 set speed 57600 disable pred1 deny pred1 disable lqr deny lqr set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0M0 OK-AT-OK\\dATDT\\T TIMEOUT 40 CONNECT" set redial 3 10 # # ################################################################ # # For interactive mode use this configuration: # # Invoke with `ppp -alias interactive` # ################################################################ interactive: set authname Your_User_ID_On_Remote_System set authkey Your_Password_On_Remote_System set phone 1-800-123-4567 set timeout 300 set openmode active accept chap # ################################################################ # # For demand-dial (automatic) mode we'll use this configuration: # # Invoke with: 'ppp -auto -alias demand' # ################################################################ demand: set authname Your_User_ID_On_Remote_System set authkey Your_Password_On_Remote_System set phone 1-800-123-4567 set timeout 300 set openmode active accept chap set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0 add 0 0 127.2.2.2 ################################################################ # End of /etc/ppp/ppp.conf </verb></tscreen> This file, taken verbatim from a working system, has three relevant configuration sections: <sect3> <heading>The "<tt>default</tt>" Section</heading> <p>The '<tt>default:</tt>' section contains the values and settings used by every other section in the file. Essentially, this section is implicitly added to the configuration lines to each other section. 
<p>This is a good place to put "global defaults" applicable to all dial-up sessions; especially modem settings and dialing prefixes which typically don't change based on which destination system you're connecting to. <p>Following are the descriptions of each line in the "default" section of the sample '<tt>/etc/ppp/ppp.conf</tt>' file: <tscreen><verb> set device /dev/cuaa0 </verb></tscreen> This statement informs the PPP program that it should use the first serial port. Under FreeBSD the '<tt>/dev/cuaa0</tt>' device is the same port that's known as "<tt>COM1:</tt>" under DOS, Windows, Windows 95, etc.... <p>If your modem is on <tt>COM2:</tt> you should specify '<tt>/dev/cua01</tt>; <tt>COM3:</tt> would be '<tt>/dev/cua02</tt>'. <tscreen><verb> set speed 57600 </verb></tscreen> This line sets the transmit and receive speed for the connection between the serial port and the modem. While the modem used for this configuration is only a 28.8 device, setting this value to 57600 lets the serial link run at a higher rate to accommodate higher throughput as a result of the data compression built into late-model modems. If you have trouble communicating with your modem, try setting this value to 38400 or even as low as 19200. <tscreen><verb> disable pred1 deny pred1 </verb></tscreen> These two lines disable the "CCP/Predictor type 1" compression features of the PPP program. The current version of `ppp` supports data compression in accordance with draft Internet standards. Unfortunately many ISPs use equipment that does not support this capability. Since most modems try to perform on-the-fly compression anyway you're probably not losing much performance by disabling this feature on the FreeBSD side and denying the remote side from forcing it on you. <tscreen><verb> disable lqr deny lqr </verb></tscreen> These two lines control the "Line Quality Reporting" functions which are part of the complete Point-to-Point (PPP) protocol specification. (See RFC-1989 for details.) 
The first line, "disable lqr", instructs the PPP program to not attempt to report line quality status to the device on the remote end. The second line, "deny lqr", instructs the PPP program to deny any attempts by the remote end to reports line quality. As most modern dial-up modems have automatic error correction and detection and LQR reporting is not fully implemented in many vendor's products it's generally a safe bet to include these two lines in the default configuration. <tscreen><verb> set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0M0 OK-AT-OK\\dATDT\\T TIMEOUT 40 CONNECT" </verb></tscreen> <em>NOTE: (This statement should appear on a single line; ignore any line wrapping that may appear in this document.)</em> This line instructs the PPP program how to dial the modem and specifies some rudimentary guidelines for doing so: <itemize> <item>Attempts to dial should fail if the modem returns a "BUSY" result code, <item>Attempts to dial should also fail if the modem returns a "NO CARRIER" result code, <item>The PPP program should expect each of the following events to complete within a 5-second timeout period: <itemize> <item>The PPP program will initially expect nothing (specified above by the \"\" portion of the statement) from the modem <item>The program will send the modem initialization string "ATE1Q0M0" to the modem and await a response of "OK". If a response is not received, the program should send an attention command to the modem ("AT") and look again for a response of "OK", <item>The program should delay for one second (specified by the "\\d" part of the statement, and send the dialing string to the modem. The "ATDT" portion of the statement is the standard modem prefix to dial using tone-dialing; if you do not have touch-tone service on your local phone line, replace the "ATDT" with "ATDP". The "\\T" string is a placeholder for the actual phone number (which will be automatically inserted as specified by the "set dial 123-4567"). 
</itemize> <item>Finally, before a (maximum) timeout of 40 seconds, the PPP program should expect to see a "CONNECT" result code returned from the modem. </itemize> A failure at any point in this dialog will be interpreted as a dialing failure and the PPP program will fail to connect. (For a detailed description of the mini-scripting language used by the PPP dialer, refer to the "chat" manpage.) <tscreen><verb> set redial 3 10 </verb></tscreen> This line specifies that if a dial connection cannot immediately be made the PPP program should retry (up to 3 times if necessary) with a delay of 10 seconds between redialing attempts. <sect3> <heading>The "<tt>interactive</tt>" Section</heading> <p>The '<tt>interactive:</tt>' section contains the values and settings used to set up an "interactive" PPP session with a specific remote system. Settings in this section will have the lines included in the "default" section included automatically. <p>The example cited in this section of the guide presumes that you'll be connecting to a remote system that understands how to authenticate a user without any fancy scripting language. That is, this sample uses the CHAP protocol to set up the connection. <p>A good rule of thumb is that if the Windows '95 dialer can set up a connection by just clicking the "Connect" button this sample configuration should work OK. <p>If, on the other hand, when you connect to your ISP using Microsoft Windows '95 Dial-Up Networking you need to resort to using the "Dial Up Scripting Tool" from the Microsoft Plus! pack or you have to select "Bring up a terminal windows after dialing" in the Windows '95 connection options then you'll need to look at the sample PPP configuration files and the ppp manpage for examples of "expect / -response" scripting to make your ISP connection. +response" scripting to make your ISP connection. The "set login" +command is used for this purpose. 
<p>Or even better, find an ISP who knows how to provide PAP or CHAP authentication! <p>The configuration examples shown here have been successfully used to connect to: <itemize> <item>Various Shiva LanRovers <item>The IBM Network (<url url="http://www.ibm.net">) <item>AT&T WorldNet (<url url="http://att.com/worldnet">) <item>Erol's (<url url="http://www.erols.com">) </itemize> Following are descriptions for each line in the "interactive" section of the sample '<tt>/etc/ppp/ppp.conf</tt>' file: <tscreen><verb> set authname Your_User_ID_On_Remote_System </verb></tscreen> This line specifies the name you would use to log in to the remote system. <tscreen><verb> set authkey Your_Password_On_Remote_System </verb></tscreen> This is the password you'd use to log in to the remote system. <tscreen><verb> set phone 1-800-123-4567 </verb></tscreen> This is the phone number of the remote system. If you're inside a PBX you can prepend '<tt>9, </tt>' to the number here. <tscreen><verb> set timeout 300 </verb></tscreen> This tells the PPP program that it should automatically hang up the phone if no data has be exchanged for 300 seconds (5 minutes). You may wish to tailor this number to your specific requirements. <tscreen><verb> set openmode active </verb></tscreen> This tells the PPP program that once the modems are connected it should immediately attempt to negotiate the connection. Some remote sites do this automatically, some don't. This instructs your side of the link to take the initiative and try to set up the connection. <tscreen><verb> accept chap </verb></tscreen> This tells the PPP program to use the "Challenge-Handshake Authentication Protocol" to authenticate you. The values exchanged between the local and remote side for UserID and password are taken from the 'authname' and 'authkey' entries above. 
<sect3> <heading>The "<tt>demand</tt>" Section</heading> <p>The "<tt>demand</tt>" section contains the values and settings used to set up a "Dial-on-demand" PPP session with a specific remote system. Settings in this section will also have the lines included in the "default" section included automatically. <p>Except for the last two lines in this section it is identical to the configuration section which defines the "interactive" configuration. <p>As noted in Paragraph ???, the examples cited in this section of the guide presume that you'll be connecting to a remote system that understands how to use the CHAP protocol to set up the connection. <p>Following are descriptions for each line in the "demand" section of the sample '<tt>/etc/ppp/ppp.conf</tt>' file: <tscreen><verb> set authname Your_User_ID_On_Remote_System </verb></tscreen> This line specifies the name you would use to log in to the remote system. <tscreen><verb> set authkey Your_Password_On_Remote_System </verb></tscreen> This is the password you'd use to log in to the remote system. <tscreen><verb> set phone 1-800-123-4567 </verb></tscreen> This is the phone number of the remote system. <tscreen><verb> set timeout 300 </verb></tscreen> This tells the PPP program that it should automatically hang up the phone if no data has be exchanged for 300 seconds (5 minutes). You may wish to tailor this number to your specific requirements. <tscreen><verb> set openmode active </verb></tscreen> This tells the PPP program that once the modems are connected it should immediately attempt to negotiate the connection. Some remote sites do this automatically, some don't. This instructs your side of the link to take the initiative and try to set up the connection. <tscreen><verb> accept chap </verb></tscreen> This tells the PPP program to use the "Challenge-Handshake Authentication Protocol" to authenticate you. 
The values exchanged between the local and remote side for UserID and password are taken from the 'authname' and 'authkey' entries above. <tscreen><verb> set ifaddr 127.1.1.1/0 127.2.2.2/0 255.255.255.0 </verb></tscreen> This command sets up a pair of "fake" IP addresses for the local and remote sides of the PPP link. It instructs the PPP program to create an IP address of 127.1.1.1 for the local side of the '<tt/tun0/' (tunnel) device (refer back to section ?? for a description of this device) and 127.2.2.2 for the remote side. Appending '<tt>/0</tt>' to each address tells the PPP program that zero of the bits that make up these addresses are significant and can (in fact, must!) be negotiated between the local and remote systems when the link is established. The 255.255.255.0 string tells the PPP program what Subnet mask to apply to these pseudo-interfaces. <p>Remember, we've assumed that your ISP provides the IP addresses for both ends of the link! If your ISP assigned you a specific IP address that you should use on your side when configuring your system, enter that IP address here <em/instead/ of <tt>127.1.1.1</tt>. Conversly, if your ISP gave you a specific IP address that he uses on his end you should enter that IP address here <em/instead/ of <tt>127.2.2.2</tt>. In both cases, it's probably a good idea to leave the '<tt>/0</tt>' on the end of each address. This gives the PPP program the opportunity to change the address(es) of the link if it <em/has/ to. <tscreen><verb> add 0 0 127.2.2.2 </verb></tscreen> This last line tells the PPP program that it should add a default route for IP traffic that points to the (fake) IP address of the ISP's system. <em><bf>Note: If you used an ISP-specified address instead of <tt>127.2.2.2</tt> on the preceeding line, use the same number here instead of <tt>127.2.2.2</tt></bf></em>. 
<p>By adding this "fake" route for IP traffic, the PPP program can, while idle:
<itemize>
<item>Accept packets that FreeBSD doesn't already know how to forward,
<item>Establish a connection to the ISP "<em/on-the-fly/",
<item>Reconfigure the IP addresses of the local and remote side of the link,
<item>Forward packets between your workstation and the ISP.
</itemize>
automatically!
<p>Once the number of seconds specified by the timeout value in the "default" section has elapsed without any TCP/IP traffic, the PPP program will automatically close the dial-up connection and the process will begin again.
<sect2>
<heading>The '<tt>/etc/ppp/ppp.linkup</tt>' file</heading>
<p>The other file needed to complete the PPP configuration is found in '<tt>/etc/ppp/ppp.linkup</tt>'. This file contains instructions for the PPP program on what actions to take after a dial-up link is established. In the case of dial-on-demand configurations the PPP program will need to delete the default route that was created to the fake IP address of the remote side (127.2.2.2 in our example in the previous section) and install a new default route that points to the actual IP address of the remote end (discovered during the dial-up connection setup). A representative '<tt>/etc/ppp/ppp.linkup</tt>' file:
<tscreen><verb>
#########################################################################
# PPP Link Up File ('/etc/ppp/ppp.linkup')
#
# This file is checked after PPP establishes a network connection.
#
# This file is searched in the following order.
#
# 1) First, the IP address assigned to us is searched and
#    the associated command(s) are executed.
#
# 2) If the IP Address is not found, then the label name specified at
#    PPP startup time is searched and the associated command(s)
#    are executed.
#
# 3) If neither of the above are found then commands under the label
#    'MYADDR:' are executed.
#
#########################################################################
#
# This section is used for the "demand" configuration in
# /etc/ppp/ppp.conf:
demand:
 delete ALL
 add 0 0 HISADDR
#
# All other configurations in /etc/ppp/ppp.conf use this:
#
MYADDR:
 add 0 0 HISADDR
########################################################################
# End of /etc/ppp/ppp.linkup
</verb></tscreen>
Notice that there is a section in this file named "demand:", identical to the configuration name used in the '<tt>/etc/ppp/ppp.conf</tt>' file. This section instructs the PPP program that once a link is established using this configuration, it must:
<enum>
<item>Remove any IP routing information that the PPP program has created
<item>Add a default route to the remote end's actual address.
</enum>
<p>It's critical that those configurations in '<tt>/etc/ppp/ppp.conf</tt>' which include the '<tt/set ifaddr/' and '<tt/add 0 0/' statements (i.e. those used for Dial-on-Demand) execute the "delete ALL" and "add 0 0 HISADDR" commands in <tt>/etc/ppp/ppp.linkup</tt>.
<p><em><bf>This is the mechanism that controls the actual on-demand configuration of the link.</bf></em>
<p>All configurations not explicitly named in <tt>/etc/ppp/ppp.linkup</tt> will use whatever commands are in the "MYADDR:" section of the file. This is where non-Demand-Dial configurations (such as our "interactive:" sample) will fall through to. This section simply adds a default route to the ISP's IP address (at the remote end).
<sect1>
<heading>IP Aliasing</heading>
<p>All of the configuration steps described thus far are relevant to any FreeBSD system which will be used to connect to an ISP via dial-up connection.
<p>If your sole objective in reading this guide is to connect your FreeBSD box to the Internet using dial-out ppp you can proceed to Section 6, "Testing the Network".
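<p>Whether the route swap that <tt>ppp.linkup</tt> performs ("delete ALL" followed by "add 0 0 HISADDR") actually happened is easy to check from the routing table, and a placeholder default route that never gets replaced is the most common reason an on-demand setup dials but passes no traffic. The following script is an added example, not part of the original tutorial or of the ppp program itself: it classifies the default route that <tt>netstat -rn</tt> reports. It assumes the placeholder address 127.2.2.2 from the '<tt>add 0 0 127.2.2.2</tt>' line and a <tt/tun0/ interface, and the <tt>netstat</tt> output it is run against below is constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: classify the default route
# that 'netstat -rn' reports, so you can tell whether the route swap that
# ppp.linkup performs ('delete ALL' / 'add 0 0 HISADDR') actually happened.
#
# Assumptions (editorial, beyond the tutorial's own values): the placeholder
# remote address is 127.2.2.2, as in the tutorial's 'add 0 0 127.2.2.2' line,
# and the PPP interface is a tun device (tun0).

PLACEHOLDER=${PLACEHOLDER:-127.2.2.2}

# classify_route: reads 'netstat -rn' text on stdin and prints exactly one word:
#   none         no default route at all, so nothing can trigger a dial-out
#   placeholder  default still points at 127.2.2.2: link down, or ppp.linkup
#                never replaced it (check that its label matches ppp.conf)
#   ppp          default points at a real address through a tun interface
#   other:<gw>   default goes through some other gateway (a competing route)
classify_route() {
    awk -v ph="$PLACEHOLDER" '
        $1 == "default" || $1 == "0.0.0.0" {
            gw = $2
            # the interface is the last field that looks like "name+number";
            # the Expire column, when present, is numeric and is skipped
            ifc = ""
            for (i = NF; i > 2; i--)
                if ($i ~ /^[a-z]+[0-9]+$/) { ifc = $i; break }
            if (gw == ph)              print "placeholder"
            else if (ifc ~ /^tun/)     print "ppp"
            else                       print "other:" gw
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}

# check_route TEXT: convenience wrapper around classify_route for a string.
check_route() {
    printf '%s\n' "$1" | classify_route
}

# Constructed samples of 'netstat -rn' output (not captured from a real host).
# 192.0.2.1 stands in for the ISP-assigned HISADDR.

# Link up and ppp.linkup has run: default goes to the ISP's real address.
SAMPLE_UP='Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            192.0.2.1          UGSc        1        0      tun0
192.0.2.1          192.0.2.2          UH          2        0      tun0
127.0.0.1          127.0.0.1          UH          0        0       lo0
192.168.1          link#1             UC          0        0       ed0'

# Link idle (or ppp.linkup label mismatched): the fake route is still in place.
SAMPLE_IDLE='Destination        Gateway            Flags     Refs     Use     Netif Expire
default            127.2.2.2          UGSc        0        0      tun0
127.2.2.2          127.1.1.1          UH          0        0      tun0
192.168.1          link#1             UC          0        0       ed0'

# No 'add 0 0 ...' line at all: ppp was never told where to send traffic.
SAMPLE_NONE='Destination        Gateway            Flags     Refs     Use     Netif Expire
192.168.1          link#1             UC          0        0       ed0'

# Run against the live routing table with:  sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    netstat -rn | classify_route
fi
```

Run it with <tt>--live</tt> on the gateway before and after forcing a dial-out (a <tt>ping</tt> to any Internet address will do): "placeholder" before and "ppp" after is the expected sequence; "placeholder" after the modem has connected means the "demand:" label in <tt>ppp.linkup</tt> did not match the one used in <tt>ppp.conf</tt>.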
One very attractive feature of the PPP program in on-demand mode is its ability to route IP traffic between other systems on the Local Area Network automatically. This feature is known by various names, "<em/IP Aliasing/", "<em/Network Address Translation/", "<em/Address Masquerading/" or "<em/Transparent Proxying/". <p>Regardless of the terminology used, this mode is not, however, automatic. If the PPP program is started normally then the program will not forward packets between LAN interface(s) and the dial-out connection. In effect, only the FreeBSD system is connected to the ISP; other workstations cannot "share" the same connection. For example, if the program is started with either of the following command lines: <p><tt># ppp interactive (Interactive mode)</tt><p> or <p><tt># ppp -auto demand (Dial-on-Demand mode)</tt> <p>then the system will function as an Internet-connected workstation <em/only/ for the FreeBSD box. To start the PPP program as a gateway between LAN resources and the Internet, one of the following command lines would be used instead: <p><tt># ppp -alias interactive (Interactive mode)</tt><p> or <p><tt># ppp -auto -alias demand (Dial-on-Demand mode)</tt> <p>Keep this in mind if you intend to proceed with Section 5, "Configuring Windows Systems". </sect> <sect> <heading>Configuring Windows Systems</heading> <p>As indicated in Section 1, our example network consists of a FreeBSD system ("Curly") which acts as a gateway (or router) between a Local Area Network consisting of two different flavors of Windows Workstations. In order for the LAN nodes to use Curly as a router they need to be properly configured. Note that this section does not explain how to configure the Windows workstations for Dial-Up networking. If you need a good explanation of that procedure, I recommend <url url="http://www.aladdin.co.uk/techweb">. 
<sect1>
<heading> Configuring Windows 95</heading>
<p>Configuring Windows 95 to act as an attached resource on your LAN is relatively simple. The Windows 95 network configuration must be slightly modified to use the FreeBSD system as the default gateway to the ISP. Perform the following steps:
<p><bf>Create the Windows 95 "hosts" file:</bf>
<p>In order to connect to the other TCP/IP systems on the LAN you'll need to create an identical copy of the "hosts" file that you installed on the FreeBSD system in Section 3.4.
<itemize>
<item>Click the "Start" button; select "Run..."; enter "notepad \WINDOWS\HOSTS" (without the quotes) and click "OK"
<item>In the editor, enter the addresses and system names from the hosts file shown in Section 3.4.
<item>When finished editing, close the notepad application (making sure that you save the file!).
</itemize>
<p><bf>Configure the Windows 95 TCP/IP Network Configuration settings</bf>:
<itemize>
<item>Click the "Start" button on the taskbar; select "Settings" and "Control Panel".
<item>Double-click the "Network" icon to open it.<p> The settings for all Network Elements are displayed.
<item>With the "Configuration" tab selected, scroll down the list of installed components and highlight the "TCP/IP-><em/YourInterfaceType/" line (where "<em/YourInterfaceType/" is the name or type of Ethernet adapter in your system).
<p>If TCP/IP is not listed in the list of installed network components, click the "Add" button and install it before proceeding.
<p>(Hint: "Add | Protocol | Microsoft | TCP/IP | OK")
<item>Click on the "Properties" button to display a list of the settings associated with the TCP component.
</itemize>
<p><bf>Configure the IP Address Information:</bf>
<itemize>
<item>Click the "IP Address" tab
<item>Click the "Specify an IP address" radio button.
<p>(In our example LAN the Windows 95 system is the one we've called "Larry".)
<item>In the "IP Address" field enter "192.168.1.2".
<item>Enter 255.255.255.0 in the "Subnet Mask" field.
</itemize>
<p><bf>Configure the Gateway information:</bf>
<itemize>
<item>Click on the "Gateway" tab
<p>For our example network the FreeBSD box will be acting as our gateway to the Internet (routing packets between the Ethernet LAN and the PPP dial-up connection). Enter the IP address of the FreeBSD Ethernet interface, 192.168.1.1, in the "New gateway" field and click the "Add" button. If any other gateways are defined in the "Installed gateways" list you may wish to consider removing them.
</itemize>
<p><bf>Configure the DNS Information:</bf>
<p>This guide assumes that your Internet Service Provider has given you a list of Domain Name Servers (or "DNS Servers") that you should use. If you wish to run a DNS server on your local FreeBSD system, refer to Section 6, "Exercise for the Interested Student" for tips on setting up DNS on your FreeBSD system.
<itemize>
<item>Click the "DNS Configuration" tab
<item>Make sure that the "Enable DNS" radio button is selected.
<p>(If this button is not selected only the entries that we put in the host file(s) will be available and your Net-Surfing will not work as you expect!)
<item>In the "Host" field enter the name of the Windows 95 box, in this case: "Larry".
<item>In the "Domain" field enter the name of our local network, in this case: "my.domain"
<item>In the "DNS Server Search Order" section, enter the IP address of the DNS server(s) that your ISP provided, clicking the "Add" button after every address is entered. Repeat this step as many times as necessary to add all of the addresses that your ISP provided.
</itemize>
<p><bf>Other Windows 95 TCP/IP options:</bf>
<p>For our purposes the settings under the "Advanced", "WINS Configuration" and "Bindings" tabs are not necessary.
<p>If you wish to use the Windows Internet Naming Service ("WINS") your attention is invited to <url url="http://www.localnet.org"> for more information about WINS settings, specifically regarding sharing files transparently across the Internet.
<p><bf>Mopping up:</bf>
<itemize>
<item>Click on the "OK" button to close the TCP/IP Properties window.
<item>Click on the "OK" button to close the Network Control Panel.
<item>Reboot your computer if prompted to do so.
</itemize>
<p> That's it!
<sect1>
<heading>Configuring Windows NT</heading>
<p>Configuring Windows NT to act as a LAN resource is also relatively straightforward. The procedures for configuring Windows NT are similar to Windows 95 with minor exceptions in the user interface.
<p>The steps shown here are appropriate for a Windows NT 4.0 Workstation, but the principles are the same for NT 3.5x. You may wish to refer to the "Configuring Windows for Workgroups" section if you're configuring Windows NT 3.5<it/x/, since the user interface is the same for NT 3.5 and WfW.
<p>Perform the following steps:
<p><bf>Create the Windows NT "hosts" file:</bf>
<p>In order to connect to the other TCP/IP systems on the LAN you'll need to create an identical copy of the "hosts" file that you installed on the FreeBSD system in Section 3.4
<itemize>
<item>Click the "Start" button; select "Run..."; enter "notepad \WINDOWS\SYSTEM\DRIVERS\ETC\HOSTS" (without the quotes) and click "OK"
<item>In the editor, enter the addresses and system names from Section 3.4.
<item>When finished editing, close the notepad application (making sure that you save the file!).
</itemize>
<p><bf>Configure the Windows NT TCP/IP Network Configuration settings</bf>:
<itemize>
<item>Click the "Start" button on the taskbar; select "Settings" and "Control Panel".
<item>Double-click the "Network" icon to open it.
<item>With the "Identification" tab selected, verify the "Computer Name" and "Workgroup" fields.
In this example we'll use "Shemp" for the name and "Stooges" for the workgroup. Click the "Change" button and amend these entries as necessary.
<item>Select the "Protocols" tab.
<p>The installed Network Protocols will be displayed. There may be a number of protocols listed but the one of interest to this guide is the "TCP/IP Protocol". If "TCP/IP Protocol" is not listed, click the "Add" button to load it.
<p>(Hint: "Add | TCP/IP Protocol | OK")
<item>Highlight "TCP/IP Protocol" and click the "Properties" button.
<p>Tabs for specifying various settings for TCP/IP will be displayed.
</itemize>
<p><bf>Configuring the IP Address:</bf>
<p>Make sure that the Ethernet Interface is shown in the "Adapter" box; if not, scroll through the list of adapters until the correct interface is shown.
<itemize>
<item>Click the "Specify an IP address" radio button to enable the three text boxes.
<p>In our example LAN the Windows NT system is the one we've called "Shemp"
<item>In the "IP Address" field enter "192.168.1.4".
<item>Enter 255.255.255.0 in the "Subnet Mask" field.
</itemize>
<p><bf>Configure the Gateway information:</bf>
<p>For our example network the FreeBSD box will be acting as our gateway to the Internet (routing packets between the Ethernet LAN and the PPP dial-up connection).
<itemize>
<item>Enter the IP address of the FreeBSD Ethernet interface, 192.168.1.1, in the "New gateway" field and click the "Add" button.
<p>If any other gateways are defined in the "Installed gateways" list you may wish to consider removing them.
</itemize>
<p><bf>Configuring DNS:</bf>
<p>Again, this guide assumes that your Internet Service Provider has given you a list of Domain Name Servers (or "DNS Servers") that you should use. If you wish to run a DNS server on your local FreeBSD system, refer to Section 6, "Exercise for the Interested Student" for tips on setting up DNS on your FreeBSD system.
<itemize> <item>Click the "DNS" tab <item>In the "Host Name" field enter the name of the Windows NT box, in this case: "Shemp". <item>In the "Domain" field enter the name of our local network, in this case: "my.domain" <item>In the "DNS Server Search Order" section, enter the IP address of the DNS server that your ISP provided, clicking the "Add" button after every address is entered. Repeat this step as many times as necessary to add all of the addresses that your ISP provided. </itemize> <p><bf>Other Windows NT TCP/IP options:</bf> <p>For our purposes the settings under the "WINS Address" and "Routing" tabs are not used. <p>If you wish to use the Windows Internet Naming Service ("WINS") your attention is invited to <url url="http://www.localnet.org"> for more information about WINS settings, specifically regarding sharing files transparently across the Internet. <p><bf>Mopping up:</bf> <itemize> <item>Click on the "OK" button to close the TCP/IP Properties section. <item>Click on the "Close" button to close the Network Control Panel. <item>Restart your computer if prompted to do so. </itemize> <p>That's it! <sect1> <heading>Configuring Windows for Workgroups</heading> <p>Configuring Windows for Workgroups to act as a network client requires that the Microsoft TCP/IP-32 driver diskette has been installed on the workstation. The TCP/IP drivers are not included with the WfW CD or diskettes; if you need a copy they're available at <url url="ftp://ftp.microsoft.com:/peropsys/windows/public/tcpip">. <p>Once the TCP/IP drivers have been loaded, perform the following steps: <p><bf>Create the Windows for Workgroups "hosts" file:</bf> <p>In order to connect to the other TCP/IP systems on the LAN you'll need to create an identical copy of the "hosts" file that you installed on the FreeBSD system in Section 3.4. 
<itemize>
<item>In Program Manager, click the "File" button; select "Run"; and enter: "notepad \WINDOWS\HOSTS" (without the quotes) and click "OK"
<item>In the editor, enter the addresses and system names from the hosts file shown in Section 3.4.
<item>When finished editing, close the notepad application (making sure that you save the file!).
</itemize>
<p><bf>Configure the Windows for Workgroups TCP/IP Network Configuration settings</bf>
<itemize>
<item>In the main window of Program Manager, open the "Network" group by double-clicking the icon.
<item>Double click on the "Network Setup" icon.
<item>In the "Network Drivers Box" double-click the "Microsoft TCP/IP-32" entry.
</itemize>
<p><bf>Configure the Windows for Workgroups IP Address:</bf>
<p>Ensure the correct Ethernet Interface is selected in the "Adapter" list. If not, scroll down until it is displayed and select it by clicking on it.
<itemize>
<item>Ensure that the "Enable Automatic DHCP Configuration" check box is blank. If it is checked, click it to remove the "X".
<item>In our example LAN the Windows for Workgroups system is the one we've called "Moe"; in the "IP Address" field enter "192.168.1.3".
<item>Enter 255.255.255.0 in the "Subnet Mask" field.
</itemize>
<p><bf>Configure the Gateway information:</bf>
<p>For our example network the FreeBSD box will be acting as our gateway to the Internet (routing packets between the Ethernet LAN and the PPP dial-up connection).
<itemize>
<item>Enter the IP address of the FreeBSD system, 192.168.1.1, in the "Default Gateway" field.
</itemize>
<p><bf>Configuring DNS:</bf>
<p>Again, this guide assumes that your Internet Service Provider has given you a list of Domain Name Servers (or "DNS Servers") that you should use. If you wish to run a DNS server on your local FreeBSD system, refer to Section 6, "Exercise for the Interested Student" for tips on setting up DNS on your FreeBSD system.
<itemize>
<item>Click the "DNS" button.
<item>In the "Host Name" field enter the name of the Windows for Workgroups box, in this case: "Moe".
<item>In the "Domain" field enter the name of our local network, in this case: "my.domain"
<item>In the "Domain Name Service (DNS) Search Order" section, enter the IP address of the DNS server that your ISP provided, clicking the "Add" button after each address is entered. Repeat this step as many times as necessary to add all of the addresses that your ISP provided.
<item>Click on the "OK" button to close the DNS Configuration window.
</itemize>
<p><bf>Mopping up:</bf>
<itemize>
<item>Click on the "OK" button to close the TCP/IP Configuration window.
<item>Click on the "OK" button to close the Network Setup window.
<item>Reboot your computer if prompted.
</itemize>
<p>That's it!
<sect>
<heading>Testing the Network</heading>
<p> Once you've completed the appropriate tasks above you should have a functioning PPP gateway to the Internet.
<sect1>
<heading>Testing the Dial-Up link:</heading>
<p> The first thing to test is that the connection is being made between your modem and the ISP.
<sect1>
<heading>Testing the Ethernet LAN</heading>
<p> *** TBD ***
</sect>
<sect>
<heading>Exercises for the Interested Student</heading>
<p>
<sect1>
<heading>Creating a mini-DNS system</heading>
<p>While managing a Domain Name Service (DNS) hierarchy can be a black art, it is possible to set up a Mini-DNS server on the FreeBSD system that also acts as your gateway to your ISP.
<p>Building on the files in <tt>/etc/namedb</tt> installed with the FreeBSD system, it's possible to create a name server that is both authoritative for the example network shown here and a front door to the Internet DNS architecture.
<p>In this minimal DNS configuration, only three files are necessary:
<tscreen><verb>
/etc/namedb/named.boot
/etc/namedb/named.root
/etc/namedb/mydomain.db
</verb></tscreen>
<p>The <tt>/etc/namedb/named.root</tt> file is automatically installed as part of the FreeBSD base installation; the other two files must be created manually.
<sect2>
<heading>The <tt>/etc/namedb/named.boot</tt> file</heading>
<p>The <tt>/etc/namedb/named.boot</tt> file controls the startup settings of the DNS server. Essentially, it tells the Name Server:
<enum>
<item>Where to find configuration files,
<item>What "domain names" it's responsible for, and
<item>Where to find other DNS servers.
</enum>
<p>Using the '<tt/ee/' editor, create a <tt>/etc/namedb/named.boot</tt> with the following contents:
<tscreen><verb>
; boot file for mini-name server
directory /etc/namedb
; type      domain          source host/file    backup file
cache       .               named.root
primary     my.domain.      mydomain.db
</verb></tscreen>
<p>Lines that begin with a semi-colon are comments. The significant lines in this file are:
<itemize>
<item><tt>directory /etc/namedb</tt>
<p>Tells the Name Server where to find the configuration files referenced in the remaining sections of the '<tt>/etc/namedb/named.boot</tt>' file.
<item><tt>cache . named.root</tt>
<p>Tells the Name Server that the list of "Top-Level" DNS servers for the Internet can be found in a file called '<tt>named.root</tt>'. (This file is included in the base installation and its contents are not described in this document.)
<item><tt>primary my.domain. mydomain.db</tt>
<p>Tells the Name Server that it will be "authoritative" for a DNS domain called "my.domain" and that a list of names and IP addresses for the systems in "my.domain" (the local network) can be found in a file named '<tt>mydomain.db</tt>'.
</itemize>
<p>Keep in mind that nothing in this <tt>named.boot</tt> restricts who may query the server: as configured, <tt/named/ will answer lookups (including recursive lookups that it resolves on the querier's behalf) from any host that can reach it, whether on the LAN or on the far side of the PPP link.
<p>Once the <tt>/etc/namedb/named.boot</tt> file has been created and saved, proceed to the next section to create the <tt>/etc/namedb/mydomain.db</tt> file.
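<p>The <tt>mydomain.db</tt> file that the next section describes has to carry two records for every host, a forward "IN A" line and a reverse "IN PTR" line, and the two drift apart easily when hosts are added by hand. As an added example (not part of the original tutorial and not a tool shipped with FreeBSD or BIND), the following script generates the whole zone from a plain "address name" list so that both records are always emitted together, and includes a small check that reports any A record in a hand-edited file whose PTR is missing. It assumes the tutorial's example values (domain <tt>my.domain</tt>, name server <tt>curly</tt>, LAN 192.168.1.0/24); the host list embedded in it is constructed from those, and owner names after <tt>$ORIGIN</tt> are written as '<tt/@/' so that they unambiguously refer to the new origin.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate the forward (A)
# and reverse (PTR) records of mydomain.db from one "address name" list, so
# every system gets both lines and the two halves cannot drift apart.
#
# Assumptions (editorial): the domain is my.domain, the name server is curly
# and the LAN is 192.168.1.0/24, as in the tutorial's example network.

# Constructed input: the same hosts as the tutorial's example network.
HOSTS='192.168.1.1 curly
192.168.1.2 larry
192.168.1.3 moe
192.168.1.4 shemp'

# gen_zone DOMAIN NSHOST [SERIAL]: reads "addr name" pairs on stdin and prints
# a complete zone file. The serial defaults to YYYYMMDD plus a two-digit
# revision, so each regenerated file sorts higher than the previous one.
# Any line that is not an "addr name" pair is reported and the function fails.
gen_zone() {
    domain=$1; ns=$2; serial=${3:-$(date +%Y%m%d)01}
    awk -v d="$domain" -v ns="$ns" -v serial="$serial" '
        # one forward record per input line; remember it for the reverse part
        NF == 2 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n++; addr[n] = $1; name[n] = $2
            split($1, o, ".")
            rev[n] = o[3] "." o[2] "." o[1]; last[n] = o[4]
            if (!(rev[n] in seen)) { seen[rev[n]] = 1; m++; nets[m] = rev[n] }
            next
        }
        NF > 0 { print "bad input on line " NR ": " $0 | "cat 1>&2"; bad = 1 }
        END {
            if (bad) exit 1
            print "@ IN SOA " ns "." d ". root." d ". ("
            print "        " serial " ; Serial"
            print "        3600 ; Refresh"
            print "        300 ; Retry"
            print "        3600000 ; Expire"
            print "        3600 ) ; Minimum"
            print "    IN NS " ns "." d "."
            for (i = 1; i <= n; i++)
                print name[i] "." d ". IN A " addr[i]
            # one reverse section per /24 seen in the input
            for (j = 1; j <= m; j++) {
                print "$ORIGIN " nets[j] ".IN-ADDR.ARPA"
                print "@ IN NS " ns "." d "."
                for (i = 1; i <= n; i++)
                    if (rev[i] == nets[j])
                        print last[i] " IN PTR " name[i] "." d "."
            }
        }'
}

# missing_ptrs: reads a zone file on stdin and prints each host whose A record
# (in the forward part, before any $ORIGIN) has no matching PTR record.
# Useful on a hand-edited mydomain.db.
missing_ptrs() {
    awk '
        /^\$ORIGIN/ { origin = $2; next }
        $2 == "IN" && $3 == "A" && origin == "" { a[$1] = $4; next }
        $2 == "IN" && $3 == "PTR" { ptr[$4] = 1 }
        END { for (h in a) if (!(h in ptr)) print h }'
}

# Typical use on the gateway (writes the file the tutorial hand-edits):
#   printf '%s\n' "$HOSTS" | gen_zone my.domain curly > /etc/namedb/mydomain.db
#   missing_ptrs < /etc/namedb/mydomain.db
```

After regenerating the file, bump nothing by hand: the serial is derived from the date, and <tt>named</tt> only needs the <tt>kill -HUP</tt> described under "Starting the DNS Server" to pick the new file up.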
<sect2>
<heading>The <tt>/etc/namedb/mydomain.db</tt> file</heading>
<p>The <tt>/etc/namedb/mydomain.db</tt> file lists the names and IP addresses of <em/every/ system in the Local Area Network.
<p><em>For a detailed description of the statements used in this file, refer to the <tt/named/ manpage.</em>
<p>The <tt>/etc/namedb/mydomain.db</tt> file for our minimal DNS server has the following contents (note that the comment character in a zone file is the semi-colon, not '<tt/#/'):
<tscreen><verb>
@ IN SOA my.domain. root.my.domain. (
        961230  ; Serial
        3600    ; Refresh
        300     ; Retry
        3600000 ; Expire
        3600 )  ; Minimum
        IN NS   curly.my.domain.

curly.my.domain.    IN A    192.168.1.1     ; The FreeBSD box
larry.my.domain.    IN A    192.168.1.2     ; The Win'95 box
moe.my.domain.      IN A    192.168.1.3     ; The WfW box
shemp.my.domain.    IN A    192.168.1.4     ; The Windows NT box

$ORIGIN 1.168.192.IN-ADDR.ARPA
        IN NS   curly.my.domain.
1       IN PTR  curly.my.domain.
2       IN PTR  larry.my.domain.
3       IN PTR  moe.my.domain.
4       IN PTR  shemp.my.domain.

$ORIGIN 0.0.127.IN-ADDR.ARPA
        IN NS   curly.my.domain.
1       IN PTR  localhost.my.domain.
</verb></tscreen>
<p>In simple terms, this file declares that the local DNS server is:
<itemize>
<item>The Start of Authority ("SOA") for a domain called 'my.domain',
<item>The Name Server ("NS") for 'my.domain',
<item>Responsible for the reverse-mapping for all IP addresses that start with '192.168.1.' and '127.0.0.' ("$ORIGIN ...")
</itemize>
<p>To add workstation entries to this file you'll need to add two lines for each system; one in the top section where the name(s) are mapped into Internet Addresses ("IN A"), and another line that maps the addresses back into names in the <tt>$ORIGIN 1.168.192.IN-ADDR.ARPA</tt> section. Remember to increase the Serial number in the SOA record every time you change the file.
<sect2>
<heading>Starting the DNS Server</heading>
<p>By default the DNS server ('<tt>/usr/sbin/named</tt>') is not started when the system boots. You can modify this behavior by changing a single line in '<tt>/etc/sysconfig</tt>' as follows:
<p> Using the '<tt/ee/' editor, load <tt>/etc/sysconfig</tt>.
Scroll down approximately 200 lines until you come to the section that says:
<tscreen><verb>
---
# Set to appropriate flags for named, if you have a full-time
# connection to the Internet.
# For most hosts, flags should be "-b /etc/namedb/named.boot"
namedflags="NO"
---
</verb></tscreen>
Change this section to read:
<tscreen><verb>
---
# Set to appropriate flags for named, if you have a full-time
# connection to the Internet.
# For most hosts, flags should be "-b /etc/namedb/named.boot"
namedflags="-b /etc/namedb/named.boot"
---
</verb></tscreen>
Save the file and reboot. Alternatively, start the Name Server daemon by entering the following command:
<tscreen><verb>
# named -b /etc/namedb/named.boot
</verb></tscreen>
<p>Whenever you modify any of the files in <tt>/etc/namedb</tt> you'll need to kick-start the Name Server process to make it pick up the modifications. This is performed with the following system command:
<tscreen><verb>
# kill -HUP `cat /var/run/named.pid`
</verb></tscreen>
<sect1>
<heading>Playing with PPP filters</heading>
<p>The PPP program has the ability to apply selected filtering rules to the traffic it routes. While this is not nearly as secure as a formal firewall it does provide some access control as to how the link is used.
<p>('<tt>man ipfw</tt>' for information on setting up a more secure FreeBSD system.)
<p>The complete documentation for the various filters and rules under PPP is available in the PPP manpage.
<p>There are four distinct classes of rules which may be applied to the PPP program:
<itemize>
<item><tt/afilter/ - Access Counter (or "Keep Alive") filters
<p>These control which packets are ignored by the <tt/set timeout=/ statement in the configuration file, i.e. which traffic does not count as activity that keeps the link up.
<item><tt/dfilter/ - Dialing filters
<p>These filtering rules control which packets are ignored by the demand-dial mode of PPP, i.e. which traffic is not allowed to trigger a dial-out.
<item><tt/ifilter/ - Input filters
<p>Control whether incoming packets should be discarded or passed into the system.
<item><tt/ofilter/ - Output filters
<p>Control whether outgoing packets should be discarded or passed out over the link.
</itemize>
<p> What follows is a snippet from a working configuration which provides a good foundation for "normal" Internet operations while preventing PPP from pumping <em/all/ data over the dial-up connection. Comments briefly describe the logic of each rule set:
<tscreen><verb>
#
# KeepAlive filters
# Don't keep Alive with ICMP,DNS and RIP packet
#
set afilter 0 deny icmp
set afilter 1 deny udp src eq 53
set afilter 2 deny udp dst eq 53
set afilter 3 deny udp src eq 520
set afilter 4 deny udp dst eq 520
set afilter 5 permit 0/0 0/0
#
# Dial Filters:
# Note: ICMP will trigger a dial-out in this configuration!
#
set dfilter 0 permit 0/0 0/0
#
# Allow ident packet pass through
#
set ifilter 0 permit tcp dst eq 113
set ofilter 0 permit tcp src eq 113
#
# Allow telnet connection to the Internet
#
set ifilter 1 permit tcp src eq 23 estab
set ofilter 1 permit tcp dst eq 23
#
# Allow ftp access to the Internet
#
set ifilter 2 permit tcp src eq 21 estab
set ofilter 2 permit tcp dst eq 21
set ifilter 3 permit tcp src eq 20 dst gt 1023
set ofilter 3 permit tcp dst eq 20
#
# Allow access to DNS lookups
#
set ifilter 4 permit udp src eq 53
set ofilter 4 permit udp dst eq 53
#
# Allow DNS Zone Transfers
#
set ifilter 5 permit tcp src eq 53
set ofilter 5 permit tcp dst eq 53
#
# Allow access from/to local network
#
set ifilter 6 permit 0/0 192.168.1.0/24
set ofilter 6 permit 192.168.1.0/24 0/0
#
# Allow ping and traceroute response
#
set ifilter 7 permit icmp
set ofilter 7 permit icmp
set ifilter 8 permit udp dst gt 33433
set ofilter 8 permit udp dst gt 33433
#
# Allow cvsup
#
set ifilter 9 permit tcp src eq 5998
set ofilter 9 permit tcp dst eq 5998
set ifilter 10 permit tcp src eq 5999
set ofilter 10 permit tcp dst eq 5999
#
# Allow NTP for Time Synchronization
#
set ifilter 11 permit tcp src eq 123 dst eq 123
set ofilter 11 permit tcp src eq 123 dst eq 123
set ifilter 12 permit udp src eq 123 dst eq 123
set ofilter 12 permit udp src eq 123 dst eq 123
#
# SMTP'd be a good idea!
#
set ifilter 13 permit tcp src eq 25
set ofilter 13 permit tcp dst eq 25
#
#
# We use a lot of `whois`, let's pass that
#
set ifilter 14 permit tcp src eq 43
set ofilter 14 permit tcp dst eq 43
set ifilter 15 permit udp src eq 43
set ofilter 15 permit udp dst eq 43
#
# If none of above rules matches, then packet is blocked.
#-------
</verb></tscreen>
<p>Up to 20 distinct filtering rules can be applied to each class of filter. Rules in each class are numbered sequentially starting at 0, <em/but none of the rules for a particular filter class take effect until rule '0' is defined!/
<p>Note that several of the input rules above match only on the remote side's source port and do not carry the <tt/estab/ keyword (<tt/ifilter/ 5, 13 and 14, for example). Such a rule admits <em/any/ inbound TCP segment whose source port happens to be 53, 25 or 43, including attempts to open a new connection to any local port, since a remote host is free to pick its source port. Unless you really intend to accept new connections that way, tighten these rules with <tt/estab/, as the telnet and ftp rules already do, so that only replies to connections opened from your side are let in.
<p>If you choose <em/not/ to use Filtering Rules in the PPP configuration then <em/ALL/ traffic will be permitted both into and out of your system while it's connected to your ISP. If you decide that you want to implement filtering rules, add the above lines to your <tt>/etc/ppp/ppp.conf</tt> file in either the "default:", "demand:", or "interactive:" section (or all of them - the choice is yours).
</sect>
</article>