Copyright © 2000 Paul Sheer

Point to Point Protocol -- Dialup Networking

Dial-up networking is unreliable and difficult to configure, simply because telephones were not designed for data. However, considering that the telephone network is by far the largest electronic network on the globe, it makes sense to make use of it; this is why modems were created. The more recent ISDN is slightly more expensive and a better choice for everything but home dial-up. See Section 43.5 for more info.

Basic Dialup

For home use, dial-up networking is not all that difficult to configure. /usr/doc/HOWTO/PPP-HOWTO contains a lot on this. For my machine it boils down to creating the files /etc/ppp/chap-secrets and /etc/ppp/pap-secrets, both containing the following line of text (the four fields are client, server, secret and IP address; since these files hold your password in clear text, they must be owned by root with mode 600):

<username>  *  <password>  *

And then running the following command at a shell prompt:

pppd connect \
            "chat -S -s -v \
            '' 'AT S7=45 S0=0 L1 V1 X4 &c1 E1 Q0' \
            OK ATDT<tel-number> CONNECT '' \
            name: <username> assword: '\q<password>' \
            con: ppp" \
    /dev/<modem> 57600 debug crtscts modem lock nodetach \
    hide-password defaultroute \
    user <username>

This is a minimalist dial-in command, and it is specific to my ISP. Don't use the exact command unless you have an account with the Internet Solution ISP in South Africa.
The command-line options are explained as follows:
connect <script>
This is the script that pppd uses to bring the line up. When you use a modem manually (as shown further below), you go through the steps of initialising the modem, dialling, connecting, logging in, and finally telling the remote computer that you would like to start data communication in Point-to-Point Protocol (PPP) mode. The <script> automates this manual procedure.
chat -S -s -v <expect> <send> <expect> <send> ...
This is the <script> proper. chat has a man page and other uses besides modem communications. -S means not to log to syslog; -s means to log to stderr; -v means verbose output. After the options comes a list of things the modem is likely to say, alternated with the appropriate responses: an expect-send sequence. The AT S7=... string initialises the modem to settings we want; for many modems plain ATZ will do. What works best for your modem is in the manual that came with it, which will cover the AT command set in detail and is essential reading for anyone doing serious PPP work. The \q prefix stops chat from writing the password to its log (?????? is logged in its place), which is very important. Bear in mind that the whole chat string, password included, is still visible to every local user in the output of ps for as long as the command runs, so on a multi-user machine put the script in a file readable only by root and pass it with chat -f instead.
/dev/tty??
This is the device you are going to use, usually /dev/ttyS0, /dev/ttyS1, /dev/ttyS2 or /dev/ttyS3.
57600
The speed the modem is to be set to. This is only the speed between the PC and the modem and has nothing to do with the actual data throughput. It should be set as high as possible, except on very old machines whose serial ports may only handle 38400.
debug
Output debug information. This is useful for diagnosing problems.
crtscts
Use hardware flow control.
modem
Use modem control lines. This is actually the default.
lock
Create a UUCP-style lock file in /var/lock/. This is just a file of the form /var/lock/LCK..tty?? that tells other applications that the serial device is in use. The name is derived from the device name, so you must give the real device and not a symlink such as /dev/modem, nor the old /dev/cua? names: other programs would look for a different lock file and could open the port underneath you.
nodetach
Don't go into the background. This allows you to watch pppd run and stop it with ^C.
defaultroute
Create a default IP route once PPP comes up, so that packets for the outside world go over the link.
hide-password
Do not show the password in the logs. This is important for security.
user <username>
Specifies which line of /etc/ppp/chap-secrets and /etc/ppp/pap-secrets to use. There is usually only one.
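Before running the command it is worth checking the pieces it relies on. The following script is an added example and not part of the Rute text or of pppd: it checks that the secrets files are root-only and well formed, that the device is not a symlink, and that no live process holds the UUCP lock. The paths are parameters so it can be tried on a scratch directory; the defaults are the real locations.

```shell
#!/bin/sh
# Added example, not from the Rute text: pre-flight checks to run before the
# pppd command above.  The paths are parameters so the functions can be tried
# against a scratch directory; the real locations are /etc/ppp/pap-secrets,
# /etc/ppp/chap-secrets and /var/lock.

# check_secrets FILE USER
# The secrets files hold the dial-up password in clear text, so they must be
# readable by root alone, and every line needs the four fields pppd expects:
#     client   server   secret   IP-addresses
# (a secret containing spaces would have to be quoted, which this plain
# field count does not handle).  Returns 0 when FILE passes and has a line
# for USER, 1 otherwise, with the reason on stdout.
check_secrets() {
    file=$1; user=$2
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    # ls -l is portable where stat -c is not; columns 5-10 are the group and
    # other permission bits, which must all be off.
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$file: must be mode 600, group/other bits are '$perms'"; return 1; }
    bad=$(sed 's/#.*//' "$file" | awk 'NF > 0 && NF != 4 { printf "%d ", NR }')
    [ -z "$bad" ] || { echo "$file: wrong field count on line(s) $bad"; return 1; }
    awk -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$file" \
        || { echo "$file: no entry for $user"; return 1; }
    echo "$file: ok"
}

# lock_name DEVICE [LOCKDIR]
# pppd's lock option creates LOCKDIR/LCK..<basename of DEVICE>.  This is why
# the device must be named directly: a symlink such as /dev/modem yields a
# lock file that no other program looks for, so two programs can end up on
# the same port.
lock_name() {
    printf '%s/LCK..%s\n' "${2:-/var/lock}" "$(basename "$1")"
}

# stale_lock LOCKFILE
# A UUCP lock contains the PID of its owner.  Returns 0 if the lock is absent
# or its owner is gone (safe to proceed), 1 if a live process still holds it.
stale_lock() {
    [ -f "$1" ] || return 0
    pid=$(tr -d ' \n' < "$1")
    kill -0 "$pid" 2>/dev/null && return 1
    return 0
}

# ppp_preflight USER DEVICE [PPPDIR] [LOCKDIR]
# Run all the checks; exit status 0 means it is safe to start pppd.
ppp_preflight() {
    user=$1; dev=$2; pppdir=${3:-/etc/ppp}; lockdir=${4:-/var/lock}
    rc=0
    if [ -L "$dev" ]; then
        echo "$dev is a symlink; give the real device so the lock name matches"; rc=1
    fi
    check_secrets "$pppdir/pap-secrets" "$user"  || rc=1
    check_secrets "$pppdir/chap-secrets" "$user" || rc=1
    if ! stale_lock "$(lock_name "$dev" "$lockdir")"; then
        echo "$(lock_name "$dev" "$lockdir") is held by a running process"; rc=1
    fi
    return $rc
}
```

Run it as root with, for example, ppp_preflight psheer /dev/ttyS0 before the pppd command; a non-zero exit tells you what to fix first.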

Determining your chat script

To determine the list of expect-send sequences, you need to do a manual dial in. The command

dip -t

stands for Dialup IP and talks directly to your modem.
The following session demonstrates a manual dial for user psheer. Using dip manually like this is a game of trying to get the garbage lines you see below: that is PPP starting to talk. When you get this junk you have won; press CTRL-] to get back to the DIP prompt and quit. Then save your session for future reference.

[root@cericon root]# dip -t
DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

DIP> port ttyS0
DIP> speed 57600
DIP> term
[ Entering TERMINAL mode.  Use CTRL-] to get back ]
ATZ
OK
ATDT4068500
CONNECT 26400/ARQ/V34/LAPM/V42BIS
Checking authorization, lease wait...
name:psheer
password:

c2-ctn-icon:ppp
Entering PPP mode.
Async interface address is unnumbered (FastEthernet0)
Your IP address is 196.34.157.148. MTU is 1500 bytes

~y}#A!}!e} }3}"}&} }*} } }~}&4}2Iq}'}"}(}"N$~~y}#A!}!r} }4}"}&} }
[ Back to LOCAL mode. ]
DIP> quit
You have mail in /var/spool/mail/root
[root@cericon root]#

Now you can modify the above chat script as needed. The kinds of things that will differ are trivial: having login: instead of name:, for example. Some ISPs require you to type something other than ppp, some require nothing after your password, and some require nothing to be typed at all, entering PPP mode immediately. Note that chat looks for the expect string anywhere in the incoming text, which is why the script above expects name: and assword:: these match username: as well as name:, and password: as well as Password:.

CHAP and PAP

You may ask why there are /etc/ppp/chap-secrets and /etc/ppp/pap-secrets files if a username and password are already given in the chat script. CHAP (Challenge Handshake Authentication Protocol) and PAP (Password Authentication Protocol) are authentication mechanisms used after the terminal login, inside PPP itself; in other words, somewhere amidst the ~y}#A!}!e} }3}"}&} }*} } }~}&4}2Iq}'}"}(}"N$~~y}#A!}!r} }4}"}&} }. An ISP that wants one of them asks for it in its LCP ConfReq; the one logged below requests no authentication option, so the secrets files go unused in that session. The difference between the two matters: PAP sends the password across the line in the clear, while CHAP sends only an MD5 digest of a random challenge combined with the secret, so someone listening on the line cannot replay it.
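To make the CHAP side of that concrete, here is an added example (not from the Rute text, and not pppd's own code) that plays the MD5 CHAP exchange of RFC 1994 between two shell functions. The only thing it borrows from the page is the chap-secrets line format; the user name, secret and challenge are constructed.

```shell
#!/bin/sh
# Added example, not from the Rute text: the MD5 variant of CHAP (RFC 1994)
# played out between two shell functions, so that the difference from PAP is
# concrete.  The only thing taken from the page is the chap-secrets line
# format (client  server  secret  IP-addresses); the user name and secret in
# chap_demo are constructed.

# md5hex: hash stdin and print the 32 hex digits, with either coreutils
# md5sum or the BSD/macOS md5 command.
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -c1-32
    else md5 -q; fi
}

# chap_response ID SECRET CHALLENGE
# Response = MD5( identifier (one byte) || secret || challenge ).  ID is a
# decimal 0-255 as pppd logs it; the challenge is an opaque string here (on
# the wire it is random binary, which printf would carry just as well).
chap_response() {
    id_octal=$(printf '%03o' "$1")
    { printf "\\$id_octal"; printf '%s%s' "$2" "$3"; } | md5hex
}

# lookup_secret FILE CLIENT
# Pull the secret column for CLIENT out of a chap-secrets style file,
# ignoring comments.  Both ends of a CHAP exchange do exactly this.
lookup_secret() {
    sed 's/#.*//' "$1" | awk -v c="$2" '$1 == c { print $3; exit }'
}

# chap_verify FILE CLIENT ID CHALLENGE RESPONSE
# Authenticator side: recompute the digest from its own copy of the secret
# and compare.  Returns 0 for Success, 1 for Failure (or unknown client).
chap_verify() {
    secret=$(lookup_secret "$1" "$2")
    [ -n "$secret" ] || return 1
    [ "$(chap_response "$3" "$secret" "$4")" = "$5" ]
}

# chap_demo: one complete exchange with a constructed secrets file.  Note
# what crosses the "line": the challenge and a digest, never the secret.
# Under PAP the peer would instead send "psheer" and the password itself.
chap_demo() {
    secrets=$(mktemp)
    printf 'psheer  *  s3cret  *\n' > "$secrets"             # constructed
    id=$(( $(date +%s) % 256 ))
    challenge=$(od -An -tx1 -N 16 /dev/urandom | tr -d ' \n')
    echo "authenticator -> peer : Challenge id=$id value=$challenge"
    response=$(chap_response "$id" "$(lookup_secret "$secrets" psheer)" "$challenge")
    echo "peer -> authenticator : Response  id=$id value=$response name=psheer"
    if chap_verify "$secrets" psheer "$id" "$challenge" "$response"
    then echo "authenticator -> peer : Success   id=$id"
    else echo "authenticator -> peer : Failure   id=$id"
    fi
    rm -f "$secrets"
}

chap_demo
```

The identifier is part of the digest so that a response captured for one challenge cannot be spliced into another exchange; it is also why both sides must keep the same clear-text secret, which is the reason the secrets files need mode 600.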

Running pppd

If you run the pppd command above, you will get output something like this:

send (AT S7=45 S0=0 L1 V1 X4 &c1 E1 Q0^M)
expect (OK)
AT S7=45 S0=0 L1 V1 X4 &c1 E1 Q0^M^M
OK
 -- got it

send (ATDT4068500^M)
expect (CONNECT)
^M
ATDT4068500^M^M
CONNECT
 -- got it

send (^M)
expect (name:)
 45333/ARQ/V90/LAPM/V42BIS^M
Checking authorization, Please wait...^M
username:
 -- got it

send (psheer^M)
expect (assword:)
psheer^M
password:
 -- got it

send (??????)
expect (con:)
^M
^M
c2-ctn-icon:
 -- got it

send (ppp^M)
Serial connection established.
Using interface ppp0
Connect: ppp0 <--> /dev/ttyS0
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x88c5a54f> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x3d <asyncmap 0xa0000> <magic 0x3435476c> <pcomp> <accomp>]
sent [LCP ConfAck id=0x3d <asyncmap 0xa0000> <magic 0x3435476c> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x88c5a54f> <pcomp> <accomp>]
sent [IPCP ConfReq id=0x1 <addr 192.168.3.9> <compress VJ 0f 01>]
sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
rcvd [IPCP ConfReq id=0x45 <addr 168.209.2.67>]
sent [IPCP ConfAck id=0x45 <addr 168.209.2.67>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 192.168.3.9>]
rcvd [LCP ProtRej id=0x3e 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
rcvd [IPCP ConfNak id=0x2 <addr 196.34.157.131>]
sent [IPCP ConfReq id=0x3 <addr 196.34.157.131>]
rcvd [IPCP ConfAck id=0x3 <addr 196.34.157.131>]
local  IP address 196.34.25.95
remote IP address 168.209.2.67
Script /etc/ppp/ip-up started (pid 671)
Script /etc/ppp/ip-up finished (pid 671), status = 0x0
 Terminating on signal 2.
Script /etc/ppp/ip-down started (pid 701)
sent [LCP TermReq id=0x2 "User request"]
rcvd [LCP TermAck id=0x2]

You can see the expect-send sequences working, so it's easy to correct a mistake. The IPCP lines show the address negotiation: we asked for 192.168.3.9, the ISP answered with a ConfNak carrying 196.34.157.131, we asked again for that address and got a ConfAck.
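To follow that negotiation mechanically, here is an added example (not from the Rute text) that replays it from the log: the sample log is the IPCP, CCP and ProtRej lines of the transcript above copied into a here-document, and the awk rules are the ConfReq/ConfAck/ConfNak/ConfRej semantics of RFC 1332. It reads any pppd debug log of this form from standard input.

```shell
#!/bin/sh
# Added example, not from the Rute text: follow the IPCP address negotiation
# in a pppd debug log of the kind shown above, so that you can see how the
# local address moved from the 192.168.3.9 we asked for to the 196.34.157.131
# the ISP handed out.  The log lines are a constructed sample copied from the
# transcript; the functions read any such log from stdin.

sample_log() {
    cat <<'EOF'
sent [IPCP ConfReq id=0x1 <addr 192.168.3.9> <compress VJ 0f 01>]
sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
rcvd [IPCP ConfReq id=0x45 <addr 168.209.2.67>]
sent [IPCP ConfAck id=0x45 <addr 168.209.2.67>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 192.168.3.9>]
rcvd [LCP ProtRej id=0x3e 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
rcvd [IPCP ConfNak id=0x2 <addr 196.34.157.131>]
sent [IPCP ConfReq id=0x3 <addr 196.34.157.131>]
rcvd [IPCP ConfAck id=0x3 <addr 196.34.157.131>]
EOF
}

# ipcp_result: print the addresses that were actually agreed.
# Rules of the game (RFC 1332): an address is settled only when a ConfReq
# carrying it is answered by a ConfAck with the same id.  A ConfNak means
# "not that one, try this"; a ConfRej means "drop that option entirely".
ipcp_result() {
    awk '
    $2 != "[IPCP" { next }                      # LCP and CCP are not our concern
    {
        dir = $1; type = $3; id = $4; sub(/^id=/, "", id)
        addr = ""
        if (match($0, /<addr [0-9.]+>/))
            addr = substr($0, RSTART + 6, RLENGTH - 7)
        if (dir == "sent" && type == "ConfReq") ours[id] = addr
        if (dir == "rcvd" && type == "ConfReq") theirs[id] = addr
        if (dir == "rcvd" && type == "ConfNak") hint = addr
        if (dir == "rcvd" && type == "ConfAck" && (id in ours)) laddr = ours[id]
        if (dir == "sent" && type == "ConfAck" && (id in theirs)) raddr = theirs[id]
    }
    END { print "local=" laddr " remote=" raddr " nak_hint=" hint }'
}

# protrej_protocols: list the protocols the peer refused outright.  The two
# bytes after the id are the PPP protocol number; 80fd is CCP, which is why
# no compression is negotiated anywhere later in the log.
protrej_protocols() {
    awk '
    BEGIN { name["80fd"] = "CCP"; name["8021"] = "IPCP"; name["c023"] = "PAP"; name["c223"] = "CHAP" }
    $2 == "[LCP" && $3 == "ProtRej" {
        proto = $5 $6
        print proto " " ((proto in name) ? name[proto] : "unknown")
    }'
}

sample_log | ipcp_result
sample_log | protrej_protocols
```

On a real machine run pppd with debug and nodetach as above, save its output, and feed that file to ipcp_result; if the local address never settles, the ConfNak hint tells you what the ISP wanted instead.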
At this point you might want to type route -n and ifconfig in another terminal:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
168.209.2.67    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         168.209.2.69    0.0.0.0         UG    0      0        0 ppp0

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:2547933 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2547933 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:196.34.25.95  P-t-P:168.209.2.67  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10 

This clearly shows what pppd has done: both creating a network device as well as a route to it.
If your name server is configured, you should now be able to ping metalab.unc.edu or some well known host.

Dial on demand

Dial-on-demand really just involves adding the demand option to the pppd command line above. The other way of doing dial-on-demand is the diald package, but here we discuss the pppd implementation.
With the demand option, you will notice that spurious dial-outs take place. You need to add some filtering rules to ensure that only the services you are interested in cause a dial-out. This is not ideal, since there is still the possibility of other services connecting on ports outside the 1-1023 range. In addition you should make sure that no services are running except the ones you are interested in.
A firewall script might look as follows. This uses the old ipfwadm command, possibly called /sbin/ipfwadm-wrapper on your machine. The ports 20, 21, 22, 25, 53, 80, 113 and 119 are ftp-data, ftp, ssh (Secure Shell), smtp (mail), domain (DNS), www, auth and nntp (news) respectively. The auth service is not needed, but the port should be kept open so that connecting services get an immediate failure instead of waiting for a timeout. You can comment out the auth line in /etc/inetd.conf for security.

# enable ip forwarding and dynamic address changing (ip_dynaddr lets
# connections started before the dial-out survive the address change)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# masquerading for ftp requires special handling
/sbin/modprobe ip_masq_ftp

# clear all firewall rules
/sbin/ipfwadm -O -f
/sbin/ipfwadm -I -f

# allow all local comms (the whole loopback network is 127.0.0.0/8)
/sbin/ipfwadm -O -a accept -D 192.168.0.0/16
/sbin/ipfwadm -O -a accept -D 127.0.0.0/8
/sbin/ipfwadm -I -a accept -S 192.168.0.0/16
/sbin/ipfwadm -I -a accept -S 127.0.0.0/8

# allow ports outgoing: ftp-data, ftp, ssh, smtp, domain, www, nntp
/sbin/ipfwadm -O -a accept -P tcp -D 0.0.0.0/0 20 21 22 25 53 80 119
/sbin/ipfwadm -O -a accept -P udp -D 0.0.0.0/0 53

# restrict all other privileged ports outgoing
/sbin/ipfwadm -O -a deny -P tcp -D 0.0.0.0/0 1:1023
/sbin/ipfwadm -O -a deny -P udp -D 0.0.0.0/0 1:1023

# allow ports incoming: ftp-data (active ftp) and auth
/sbin/ipfwadm -I -a accept -P tcp -D 0.0.0.0/0 20 113

# restrict all other privileged ports incoming
/sbin/ipfwadm -I -a deny -P tcp -D 0.0.0.0/0 1:1023
/sbin/ipfwadm -I -a deny -P udp -D 0.0.0.0/0 1:1023

# deny icmp in both directions (a stray ping would otherwise bring the line
# up); note that ports above 1023 are still open both ways
/sbin/ipfwadm -I -a deny -P icmp -D 0.0.0.0/0
/sbin/ipfwadm -O -a deny -P icmp -D 0.0.0.0/0

IP masquerading can be done with:

# Masquerade the LAN 192.168.0.0/17 (192.168.0.0 to 192.168.127.255)
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.0.0/17 -D 0.0.0.0/0

The pppd script becomes (note that you need pppd-2.3.11 or later for this to work as I have it here):

pppd connect \
            "chat -S -s -v \
            '' 'AT S7=45 S0=0 L1 V1 X4 &c1 E1 Q0' \
            OK ATDT<tel-number> CONNECT '' \
            name: <username> assword: '\q<password>' \
            con: ppp" \
    /dev/ttyS0 57600 debug crtscts modem lock nodetach \
    hide-password defaultroute \
    user <username> \
    demand \
    :10.112.112.112 \
    idle 180 \
    holdoff 30

Dynamic DNS

(See also Chapter 42 for other named setups, and Chapter 31 for configuring your machine's DNS lookups.)
Having pppd give IP connectivity on demand is not enough. You also need your DNS configuration to change dynamically to reflect the IP address that your ISP has just assigned you.
On creation of a connection, pppd runs /etc/ppp/ip-up, which in turn runs /etc/ppp/ip-up.local. Creating /etc/ppp/ip-up.local as the following script sets up bind correctly. The script assumes that you have one eth0 interface with the IP 192.168.1.1 and that this interface is the gateway for a LAN of four machines masq-a, masq-b, masq-c and masq-d. The domain name of your LAN should be some non-existent name like my-lan.priv.

#!/bin/sh

#       $1            $2        $3       $4                $5           $6
# interface-name tty-device speed local-IP-address remote-IP-address ipparam

mkdir -p /etc/named-dynamic > /dev/null 2>&1

# zone serial that increases on every run (seconds since the epoch, scaled
# to stay well inside 32 bits)
SERIAL=$(expr 2000000000 + $(date '+%s') / 10)
IP=$4
# the octets of $IP reversed, for the in-addr.arpa zone name
ARPA=$(echo $IP | awk -F. '{ print $4"."$3"."$2"."$1 }')
NAMESERVER=<name-server-of-your-isp>
HOST=$(hostname | cut -f1 -d.)
DOMAIN=$(hostname | cut -f2- -d.)

cat > /etc/resolv.conf <<EOF
search $DOMAIN
nameserver 127.0.0.1
options timeout:18 attempts:4
EOF

cat > /etc/host.conf <<EOF
order hosts,bind
multi on
EOF

# allow-query keeps named from being an open resolver on the ppp0 address:
# only the loopback and the LAN may ask it questions
cat > /etc/named.conf <<EOF
options {
    forwarders { $NAMESERVER; };
    directory "/etc/named-dynamic/";
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    dialup yes;
    notify no;
    forward only;
};
zone "."                        { type hint;    file "named.ca";        };
zone "0.0.127.in-addr.arpa"     { type master;  file "named.local";     };
zone "1.168.192.in-addr.arpa"   { type master;  file "named.192.168.1"; };
zone "$ARPA.in-addr.arpa"       { type master;  file "named.$IP";       };
zone "$DOMAIN"                  { type master;  file "named.$DOMAIN";   };
EOF

cat > /etc/named-dynamic/named.local <<EOF
@       IN      SOA     localhost. root.localhost.  ( $SERIAL 28800 14400 3600000 345600 )
        IN      NS      localhost.
1       IN      PTR     localhost.
EOF

cat > /etc/named-dynamic/named.ca <<EOF
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     198.41.0.10
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129 
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
EOF

cat > /etc/named-dynamic/named.$IP <<EOF
@       IN      SOA     localhost. root.localhost.  ( $SERIAL 28800 14400 3600000 345600 )
        IN      NS      $HOST.$DOMAIN.
        IN      PTR     $HOST.$DOMAIN.
EOF

cat > /etc/named-dynamic/named.192.168.1 <<EOF
@       IN      SOA     localhost. root.localhost.  ( $SERIAL 28800 14400 3600000 345600 )
        IN      NS      $HOST.$DOMAIN.
1       IN      PTR     $HOST.$DOMAIN.
2       IN      PTR     masq-a.$DOMAIN.
3       IN      PTR     masq-b.$DOMAIN.
4       IN      PTR     masq-c.$DOMAIN.
5       IN      PTR     masq-d.$DOMAIN.
EOF

cat > /etc/named-dynamic/named.$DOMAIN <<EOF
@       IN      SOA     localhost. root.localhost.  ( $SERIAL 28800 14400 3600000 345600 )
        IN      NS      $HOST.$DOMAIN.
$HOST   IN      A       $IP
masq-a  IN      A       192.168.1.2
masq-b  IN      A       192.168.1.3
masq-c  IN      A       192.168.1.4
masq-d  IN      A       192.168.1.5
EOF

# SIGHUP makes named reread its configuration and zones
killall -1 named

The options dialup yes; notify no; forward only; tell bind, respectively, to use the link as little as possible; not to send notify messages (there are no slave servers on our LAN to notify); and to hand every query it cannot answer from its own zones to the name server under forwarders, instead of hunting for the answer itself, which would dial out to the root servers. Restrict queries with allow-query to the loopback and the LAN; an unrestricted forwarder on the ppp0 address is an open resolver that anyone on the Internet can use.
There is one problem with this configuration. Queued DNS requests are flushed when the configuration is reread with killall -1 named. When you try, say, ftp sunsite.unc.edu, the first DNS request by ftp causes a dial-out but is then discarded. The next DNS request (18 seconds later, from options timeout:18 attempts:4) also doesn't make it, since dial-outs take more than 30 seconds on my machine. Only the third request gets through. What is really needed is a DNS program designed especially for masquerading servers with dynamically assigned IP addresses.
The above scripts are probably overkill, so use them sparingly. For example, there is probably no application that really needs forward and reverse lookups on the ppp0 device, so you can get by with a DNS configuration that doesn't need restarting on every dial-out. The bind documentation promises better support for dialup servers in the future.
A further option is dnrd, a DNS package written especially for dial-out servers. It was not created with dial-on-demand in mind though, so it has some limitations.

Using tcpdump to watch your connection

If a dial-out occurs unexpectedly, you can run tcpdump to dump packets going to your ppp0 device. This will probably highlight the culprit: look at the destination TCP or UDP port of the offending packet and work out which process on which machine might have sent it. The command is:

tcpdump -n -N -f -i ppp0

tcpdump is also discussed in Section [*].
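As an added example (not from the Rute text), here is a filter for that tcpdump output which picks out packets bound for ports the firewall script earlier in this chapter does not permit, naming the LAN host responsible. The capture lines are constructed in the old tcpdump -n "src.port > dst.port:" format; the permitted port list is passed in as an argument so it can be kept in step with the ipfwadm rules.

```shell
#!/bin/sh
# Added example, not from the Rute text: sift a tcpdump -n capture of ppp0
# for traffic that the dial-on-demand firewall above was supposed to stop,
# so that an unexpected dial-out can be traced back to a host and a service.
# The capture lines below are a constructed sample in the old tcpdump
# "src.port > dst.port:" format; the filter reads any such capture from stdin.

sample_dump() {
    cat <<'EOF'
12:01:03.123456 192.168.1.2.1034 > 196.34.157.1.53: 1234+ A? metalab.unc.edu. (33)
12:01:03.223456 192.168.1.3.1035 > 203.0.113.7.123: udp 48
12:01:04.000000 192.168.1.1.2048 > 198.51.100.9.80: S 1:1(0) win 32120 <mss 1460>
12:01:04.500000 192.168.1.4 > 198.51.100.9: icmp: echo request
12:01:05.500000 192.168.1.4.1036 > 198.51.100.22.137: udp 50
EOF
}

# unexpected_dialouts "PORT PORT ..."
# Print one line per packet whose destination port is not in the permitted
# list (the same list the ipfwadm script allows out), naming the LAN host
# that sent it.  Lines without an IPv4 address+port destination, such as
# ICMP or ARP, are skipped.
unexpected_dialouts() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        # a few well-known culprits on a LAN; anything else prints as "?"
        svc["123"] = "ntp"; svc["137"] = "netbios-ns"; svc["138"] = "netbios-dgm"
        svc["161"] = "snmp"; svc["514"] = "syslog"
    }
    {
        for (i = 1; i <= NF; i++) if ($i == ">") break
        if (i >= NF) next                        # no "src > dst" on this line
        src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
        k = split(dst, d, ".")
        if (k != 5) next                         # dst is not a.b.c.d.port
        port = d[5]
        if (port in ok) next                     # permitted service
        sub(/\.[0-9]+$/, "", src)                # drop the source port
        name = (port in svc) ? svc[port] : "?"
        printf "%s -> %s.%s.%s.%s port %s (%s)\n", src, d[1], d[2], d[3], d[4], port, name
    }'
}

sample_dump | unexpected_dialouts "20 21 22 25 53 80 113 119"
```

In practice you would run tcpdump -n -i ppp0 into a file during the unwanted dial-out and pipe the file through unexpected_dialouts; in the constructed sample the offenders are an NTP client on 192.168.1.3 and a Windows machine on 192.168.1.4 looking for a NetBIOS name server.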

Using ISDN instead of Modems

A lot of companies will see a regular modem as the best way to get connected to the Internet. Because ISDN is considered esoteric, they may not have looked at it as an option. In fact ISDN is preferable everywhere except for single-user dial-up (i.e. home use).
For those who are not familiar with ISDN, this paragraph gives a quick summary. ISDN stands for Integrated Services Digital Network. ISDN lines are like regular telephone lines, except that an ISDN line comes with two analogue and two digital channels. The analogue channels are regular telephone lines in every respect: just plug your phone in and start making calls. The digital channels each support 64 kilobits/second data transfer, and only ISDN communication equipment is meant to plug into these. To communicate over a digital channel you dial an ISP just as with a regular telephone. It used to be that only very expensive ISDN routers could work with ISDN, but ISDN modems and ISDN ISA/PCI cards have become cheap enough to allow anyone to use ISDN, while most telephone companies will install an ISDN line as readily as a regular telephone line. So you may ask what's with the ``Integrated Services''. I suppose it was thought that this service, allowing data as well as regular telephone calls, would become the ubiquitous communications service. This remains to be seen.
If you have a hundred ISDN boxes to set up, it would be well worth buying internal ISDN cards: they are really low priced these days. Configuring these is not covered here for now. However, if you have one ISDN box to configure and no clue about ISDN, an internal card is going to waste your time. In this case an external ISDN modem is the best option. These are designed as drop-in replacements for a normal external modem: they plug into your serial port and accept (and probably ignore) the same AT command strings as a normal modem.
Although these are supposed to be drop-in replacements, ISDN is a completely different technology. In particular, there are different protocols for different countries which have to be specified to the device. I myself have never had to set up ISDN, but the advice I have so far is:
For an Asyscom modem on a particular ISP here in South Africa we had to enter the AT commands:

ATB4 
ATP=17

and also add asyncmap 0x00000000 to the pppd command-line.

Also ATDTXXXXXXX should become just ATDXXXXXXX.
Another source of info recommends, for Zyxel modems, ATB20 for V.120 standard LAPD and Euro DSS1 protocols, and ATB40 for 64K sync PPP used with Cisco ISP equipment, and then also

AT&ZI4=0
AT&W0
ATZ0

This should give you an idea of what you may have to change to get ISDN working; it is by no means a product endorsement.

Be wary when setting up ISDN. ISDN dials really fast: it can dial out a thousand times in a few minutes, which is expensive.

Paul Sheer 2000-10-07