Adding SLIP and PPP Clients

[Enable Dialin] [Password File] [SLIP login] [PPP login] [Routing] [Proxy Arp] [Dynamic IP]

Enabling Dialin for SLIP and PPP Clients

The following information is needed to configure a SLIP or PPP dialin, and needs to match exactly what was used to configure the remote end. There are minor differences depending on whether you are configuring the client or the server. See the page on IP Address and Routing for more details on this difference:

Client's hostname and domainname (this should be in NIS/YP, DNS, and (maybe) /etc/hosts)
IP address that matches other configuration
Login name and password used by the SLIP/PPP login

(At least) two files need to be edited for each client:

For IRIX SLIP:: /etc/passwd; /usr/etc/remoteslip
For IRIX PPP:: /etc/passwd; /etc/ppp.conf
For MorningStar (MST) PPP:: /etc/passwd; /usr/etc/ppp/Login

Terminology

Remember from other pages, that the server is the host connected to the larger network, and the client is the host connected to the smaller network (usually it is a stand-alone host, whose only network connection is to the server).

Password File Examples

For the sake of example, we will use a client hostname of client.domain.foo.bar with a username of Sclient (or Pclient) and a password of password.

The line to add in /etc/passwd for IRIX SLIP looks like the following (because of a potential security hole, the home directory for a SLIP or PPP account should only be writable by root, for example creating the special directory /var/secure, with permissions 700):

   Sclient::0:0:SLIP login client.sub.domain.foo.bar,,:/:/usr/etc/remoteslip

For IRIX PPP the /etc/passwd entry looks like:

   Pclient::0:0:Irix PPP login client.sub.domain.foo.bar,,:/:/usr/etc/ppp

(Note that IRIX SLIP and PPP must run as root!)

For MST PPP the /etc/passwd entry looks like:

   Pclient::0:0:MST PPP login client.sub.domain.foo.bar,,:/:/usr/etc/ppp/Login

The password can be set by typing the following, for SLIP, PPP is similar:

   % su
   # passwd Sclient
   Changing password for Sclient on server.
   New password: password
   Re-enter new password: password
   #

The password is not echoed.

Configuring the SLIP login "shell"

On IRIX, the file /usr/etc/remoteslip is the login shell for all SLIP logins. It is a shell script with a big case statement, one entry for each login. Examples of each type follow.

On an IRIX server, add a section like the following in /usr/etc/remoteslip for the client login:

   Sclient)
      exec /usr/etc/slip -i -p cslip -r client.sub.domain.foo.bar
      ;;
   #

The servers can dialout to the clients. The IRIX SLIP client needs an entry in /usr/etc/remoteslip just like the server, however for IRIX4 routing is a royal pain. It is almost easiest to just login and manually add the route after the link comes up. For IRIX4, the entry in /usr/etc/remoteslip looks almost identical to the server case:

   Sserver)
      exec /usr/etc/slip -i -p cslip -r server.sub.domain.foo.bar
      ;;
   #

For IRIX5 SLIP clients, routing on clients is easier because of the -R option, add the following section to the /usr/etc/remoteslip file:

   Sserver)
      exec /usr/etc/slip -i -p cslip -R "" -r server.sub.domain.foo.bar
      ;;
   #

Never use -R "" on a server! This advertises a default route, for which there can be only one on a network. Doing so will probably screw up routing on your whole net! At the very least, your network admins will be very annoyed.

The following section must remain the last one in the file:

   *)
       exec /usr/etc/slip -i -r $USER
       ;;
   esac

Configuring the PPP login "shell"

Because PPP is able to dynamically configure things during the login sequence, you generally do not need to edit the login "shell". The two different PPP versions on IRIX work a little differently:

MorningStar (aka MST) PPP

You usually do not need to edit the login "shell": /usr/etc/ppp/Login, unless you need to do something special for routing (which usually has the same problems as IRIX4 SLIP routing).

IRIX5 PPP (also IRIX6)

Uses the ppp binary as it's login shell. Configuration for both dialout and dialin is in the configuration file /etc/ppp.conf. If you are already dialing out to that host then you do not need to edit the file. If all the ppp defaults are acceptable, you don't even need an entry in the file for a dialin host, although I think it is wise to add a minimal entry:

   rmt in remotehost=client.domain.foo.bar

Where rmt is the login for the dialin-only clients (the remotehost=client.domain.foo.bar assigns the IP address to the dialin client). If this is the client, then you can use remotehost=0,0, but then the server must specify an IP address. It is vitally important that either the server or the client (or both) specifies an IP address to use. From a routing security point of view, the server should always specify the IP address.

If you are using PAP or CHAP authentication (CHAP is added in patch 517 for IRIX-5.3, and is in IRIX-6.2 and later), then you need to add the appropriate recv_name=Pclient and recv_passwd=password entries in /etc/ppp.conf, which might look like:

   Pclient in remotehost=client.domain.foo.bar
       recv_chap recv_pap
       recv_name=Pclient recv_passwd=password

There are some PPP implementations that do not handle protocol negotiation correctly. The Windoze95 stack seems to be one of these. This will either cause the link to fail to come up, or to cause it to fail "randomly" after a short uptime. The solution is to tell SGI's ppp to not try to negotiate the offending (advanced) protocols. Add the following options to the /etc/ppp.conf entry:

    -mp -ccp

Additional Client Dialin Considerations

If the connect time of each individual client is expected to be low, then there do not need to be as many server modems as there are clients to dial into the site. All of the clients should be able to connect to all of the servers, and the phone lines should be set up in a "hunt group" (aka "rotary"). Then any client calling in gets the first available server modem.

Dialup Server Routing Issues

An SGI machine can serve fine as a small dialup server. However, there are a couple of limitations if you want to do things the easy way. If you can use the defaults, then configuration is nearly painless:

use static IP addresses for each client
use IP addresses on a separate subnet, then routing is taken care of automatically via propagation of host routes (this is easier in IRIX-6.2, since it supports variable subnet masks, aka CIDR)

Proxy ARP

However, one of the common requirements for a small PPP (or SLIP) server is that you don't have another subnet available for the small number of remote hosts, and want to "borrow" IP addresses from your normal subnet. This requires (currently) proxy-ARP routing. This is harder than it should be, since the slip and ppp binaries do not have an autoarp option. It is much simpler to assume that an IP address being routed by proxy-ARP is associated with only one server. Otherwise you have to create a login script something like (example using ppp):

   #!/bin/sh
   arp -s client.domain.foo.bar
   ppp -r $USER
   arp -d client.domain.foo.bar

which won't work at all if you are running FlexFAX or HylaFAX software. Check out the faxd problem for more details.

The script above is unneccessary if the server is running IRIX-6.3 or later, as a new capability was added to the PPP daemon to support dynamic proxy-ARP configuration:

   proxy_arp=ifname

(see the ppp man page for details).

Server Assigned IP Addresses

This is something else that is desirable in some environments. It is a very common method among ISPs to reduce the number of IP addresses that they need to assign to dialup clients. The concept behind the idea is simple. Since IP addresses are only used for routing, and you can only route to hosts that are connected, you only need as many IP addresses as you have connection points (modems, in this case). Note that clients can't use the quiet keyword (for dynamic dialing) in most circumstances, since they will usually get a different IP address on each call, and this breaks TCP connections (such as rlogin, telnet, etc).

IRIX SLIP and PPP are not designed to handle this case. The degenerate case of one dialin modem per host is actually workable, though. Just assign the same IP address (in /etc/ppp.conf or /usr/etc/remoteslip) to all dialup accounts. Since only one dialup account can be in use at any one time, this solves the issue of determining which IP address to assign to the client when it logs in. Just make sure that each server host assigns a different IP address to it's client accounts. The accounts can be the same across multiple dialin servers, but they must have a different IP address on each server.

There is a hack to handle multiple modems on a server host and do server-assigned IP addressing. The two that have been tried (not by me, and I don't know details -- these are hints for your implementation!) are:

statically assigned per port

The login shell is a script that chooses an IP address to assign based upon the port that the client is connected on. For SLIP, this should be an easy addition to /usr/etc/remoteslip, something like:

   #!/bin/sh
   case `tty` in
       /dev/ttyf2)
           ipaddr=192.26.50.31
           ;;
       /dev/ttyf3)
           ipaddr=192.26.50.105
           ;;
   esac
   arp -s $ipaddr `netstat -ian | grep :` pub
   slip -i -p cslip -r $ipaddr
   arp -d $ipaddr
   exit 0

For PPP, you would need to create a login script that might look something like:

   #!/bin/sh
   port=`tty`
   USER=`echo $port | sed -e 's,/dev/,,'`
   arp -s $USER `netstat -ian | grep :` pub
   ppp -r $USER
   arp -d $USER
   exit 0

and the real trick is that the IP addresses for the logins (and the entries in /etc/ppp.conf) are named after the ports, ie: ttyf2, ttyf3, ttyf44, etc. Note that you probably have to change /etc/resolv.conf to hostresorder local bind on the server to make this work. Example /etc/ppp.conf entries might look like:

   ttyf2 in remotehost=ttyf2
   ttyf3 in remotehost=ttyf3

If you want to use PAP or CHAP authentication, you will have to get a lot more clever. You may be able to get away with using the reconfigure keyword to reduce your work. You'll have to experiment, since I haven't.

Least Recently Used IP address

This is the most common implementation in dedicated terminal servers. This assigns the IP addresses in a round-robin fashion to clients as they dial in. In order to approximate this with IRIX PPP or SLIP, you would have to keep some additional information around (which IP addresses are in the pool), and you would need to parse the output of /usr/etc/netstat -in to figure out which of those addresses are in use. Then pick one of the addresses that is available. I would recommend have a pool of IP addresses several larger than the number of modems, to deal with multiple simultaneous logins and other race conditions. This is not going to be an easy programming task. Good Luck!

Even so, this will not give you the full capability of commercial terminal servers (like the Livingston Portmaster, which will (among other things) allow a client to negotiate a different IP address in the pool, if it is still available. (I used the Portmaster because I am familiar with it. Other Terminal servers behave similarly).

For the Obscure Bug of the Month Award

(pre-IRIX-5.3) If you are changing a connection from SLIP to PPP or vice-versa, you need to reboot both machines before packets will pass. The reason is deep in the kernel routing mechanism. If you are really good at mucking around in /dev/kmem, you might be able to avoid a reboot, but I advise against it (I certainly don't know enough to do it!). If there are two interfaces to the same remote address, the kernel always uses just one of them, which may not be the one you want or expect. If you see something like the following output from `netstat -i`, then you must reboot before things will work:

% /usr/etc/netstat -i
Name Mtu   Network     Address            Ipkts Ierrs    Opkts Oerrs  Coll
ec0  1500  192.82.281  server.sub.doma 16704753  2490 14890682    98 14870035
lo0  32880 loopback    localhost        2142995     0  2142995     0     0
du0* 1500  (pt-to-pt)  client.sub.doma     2364     0   106924     0     0
sl0* 512   (pt-to-pt)  client.sub.doma        5     1        0     0     0
sl1* 1006  none        none                   0     0        0     0     0
sl2* 1006  none        none                   0     0        0     0     0
sl3* 1006  none        none                   0     0        0     0     0

du0 and sl0 have the same address as the culprit in this example.

Note: This is fixed in IRIX-5.3 (and later).

Hopefully there has been enough info here for you to figure out your connection problem. This info is based on looking at the problem from the client (dialing) end, becuase that is where most problems are discovered.

Other Useful Information

A random selection of potentially useful WWW pages:

[Enable Dialin] [Password File] [SLIP login] [PPP login] [Routing] [Proxy Arp] [Dynamic IP]

I hope and intend that this documentation can help you with your PPP connection problems. My other commitments (like work) permitting, I will attempt to help you on issues not covered, or that you are unclear on. Please make sure that you provide me a valid return email address! (I won't try to fix it).

Scott Henry <scotth@sgi.com>

Last modified: Sun Feb 1 14:37:09 1998