CDRouter 12.0

March 26, 2020

Notices

---

Important Installation Notes

The following prerequisites must be met before upgrading to CDRouter 12.0:

➊ New minimum system requirements

CDRouter 12.0 requires a CentOS 7 or CentOS 8 operating system. The Ubuntu and CentOS 6 operating systems are no longer supported, and CDRouter 12.0 will not install if you are using one of these operating systems.

NTA1000 platforms running CentOS 6 should be upgraded using the Rebuild the NTA1000 Operating System guide prior to installing CDRouter 12.0.

If you do not have an NTA1000 or are otherwise unable to upgrade your operating system from Ubuntu or CentOS 6, please contact support@qacafe.com for assistance.

➋ Minimum CDRouter version requirement

The auto-upgrade utility in CDRouter’s web interface will not be able to install CDRouter 12.0 unless you are already running version 11.8.2. You must install CDRouter 11.8.2 before upgrading to CDRouter 12.0 using the auto-upgrade methods in the web UI.

If you are running an earlier release of CDRouter, you may upgrade to CDRouter 12.0 or later versions using the manual upgrade procedure via the CLI. Please follow the “Manual installation” instructions in the CDRouter Installation and Upgrade Guide to manually upgrade your system.

➌ New procedure for installing CDRouter

CDRouter 12.0 and subsequent versions will now be distributed as an rpm file that is only supported by the CentOS 7 and 8 operating systems.

The CDRouter Installation and Upgrade Guide has been updated with instructions for manually installing and upgrading CDRouter with the new installer format.

Please contact support@qacafe.com if you need any assistance.

➍ Config upgrades

CDRouter 12.0 includes many new features and configuration testvars. Old config files can be automatically upgraded to include all new CDRouter 12.0 testvars using the config upgrade utility.

See the Testvar Updates section below for important notes about config file changes in this release.

New Features and Enhancements

---

CDRouter

• New Security Expansion!

  We are very excited to introduce the CDRouter Security expansion! This expansion includes a number of features designed to test and evaluate the overall security of a CPE device. Included with the Security expansion are port scanning tools utilizing Nmap, a new traffic analysis feature based on Suricata, and two new test modules for verifying schedule-based internet access restrictions which is a common parental controls feature.

  Please see the CDRouter Security User Guide for more information.

• New config editor view for displaying only modified testvars

  The config editor within CDRouter’s web UI includes a new button labeled Expand Changed that will collapse all SECTIONs and testvar_groups in the config file that do not contain any changes. This makes it easier to see which testvars are not set to their default values. Previously, config files were displayed with all sections collapsed. Note that the expand changed view is also now the default view for all config files. [ch3673]

CDRouter USP

• New USP controller domain name and TLS server certificates

  The USP controller certificates shipped with previous releases of CDRouter have been replaced by a new set of test certificates signed by Sectigo.

  In addition, the Common Name (CN) field of these certificates has been changed from controller.qacafe.com to controller.cdroutertest.com. The default value of the uspControllerDomain testvar, which identifies the fully-qualified domain name (FQDN) of CDRouter’s USP controller, has also been changed from controller.qacafe.com to controller.cdroutertest.com.

  It is important to note that these changes may break some existing CDRouter configurations. CPE devices may fail to resolve the controller IP address through DNS and and will not be able to validate the expired TLS server certificates until your configurations have been updated.

Testvar Updates

---

Testvars added to this release:

• enableSuricata - this enables the Suricata based traffic analysis feature that is included with the new CDRouter Security expansion.

• internetSchedule<day-of-week>Mode: there is one of these for each day of the week. Its value can be allow, deny or none. If set to none, the DUT has no schedule for the given LAN client for that day of the week. If set to allow or deny, then the tests are run and the time ranges specified dictate when the LAN client should be allowed (allow) or denied (deny) internet access. These testvars can be configured separately for each LAN testvar group (main, lan2, lan3, etc).

  • internetScheduleSundayMode
  • internetScheduleMondayMode
  • internetScheduleTuesdayMode
  • internetScheduleWednesdayMode
  • internetScheduleThursdayMode
  • internetScheduleFridayMode
  • internetScheduleSaturdayMode

• internetSchedule<day-of-week>Times: Again, there is one of these for each day of the week. Its value should be a time range such as 9:00am - 5:00pm which dictates when the LAN client should be allowed or denied internet access. These testvars can be configured separately for each LAN testvar group (main, lan2, lan3, etc).

  • internetScheduleSundayTimes
  • internetScheduleMondayTimes
  • internetScheduleTuesdayTimes
  • internetScheduleWednesdayTimes
  • internetScheduleThursdayTimes
  • internetScheduleFridayTimes
  • internetScheduleSaturdayTimes

Testvars modified or removed in this release:

• With the addition of the new CDRouter Security Expansion, testvars for the NMAP and ICS features have been moved and are no longer found at the top level of the config file hierarchy. These testvars can now be found immediately under the “CDRouter Security Expansion” section.

  Note that upgrading older config files will automatically reformat all testvars and move the NMAP and ICS testvar sections from their previous location to the “CDRouter Security Expansion” section.

  SECTION "CDRouter Security Expansion" {
  
      # testvar enableSuricata                   no
  
      SECTION "CDRouter ICS" {
  
          # testvar enableICS                        no
          # testvar icsInterface                     none
          # testvar icsShareIPv4                     yes
          # testvar icsShareIPv6                     yes
  
      }
  
      SECTION "CDRouter Nmap" {
  
          # testvar enableNmap                       no
          # testvar nmapPorts                        0-65535
          # testvar nmapScanTimeout                  600
          # testvar nmapTimingTemplate               5
  
      }
  
      SECTION "Parental Controls" {↔}
  
  }
  

• The testvars supportsNmap and supportsICS have been deprecated in favor of the new testvars enableNmap and enableICS , respectively. The original testvar names will continue to work until they are removed in a future release. All configs utilizing these testvars should be updated to use the new testvar names.

• The testvars supportsH323AlgOutbound, supportsH323AlgInbound, and inboundH323Host are obsolete and have been removed from this release.

• All wireless LAN and WAN testvars and testvar values that were deprecated in CDRouter 11.5 as part of the update required to support WPA3 have been removed. Any configs using deprecated testvars or testvar values must be updated.

Notes

---

CDRouter

• The wildcard test certificates shipped with CDRouter have been updated. These certificates are used by CDRouter’s DNS servers when testing DNS over TLS (DoT) or DNS over HTTPS (DoH). Configurations that reference the old wildcard certificates will need to be updated for compatibility with CDRouter 12.0. Please see this Knowledge Base article for more information. [ch3773]

• The test cases cdrouter_app_200, cdrouter_app_205, cdrouter_app_207, cdrouter_app_220, cdrouter_app_225, and cdrouter_app_227 are obsolete and have been removed from the apps test module. [ch3891]

• All wireless LAN and WAN testvars and testvar values that were deprecated in CDRouter 11.5 as part of the update required to support WPA3 have been removed. Any configs using deprecated testvars or testvar values must be updated. [ch4014]

• In certain configurations some wireless country codes are not fully supported by the underlying wifi drivers used by CDRouter. This may result in the drivers failing to load and the wifi interface(s) disappearing from the system.

  CDRouter now attempts to restore the system to a fully working state when this error condition is detected. Specifically, CDRouter will automatically reconfigure the system to use US/840 to restore the missing interface(s) and then attempt to set the regulatory domain to the system’s default which is based on timezone. If this fails CDRouter will attempt to set the domain to US/840, and generate an error to alert the user if this is unsuccessful.

  In addition, when determining the system’s default regulatory domain, which is based on timezone, US/840 will be used if the derived alpha2 domain code is considered invalid. [ch4134]

CDRouter TR-069

• The wireless configuration verification tests in the tr69_wireless and ir181 test modules now validate that the DUT includes the client MAC in the AssociatedDevice table 5 seconds after the basic traffic verification step has been performed. This provides ample time for the DUT to update the AssociatedDevice table. [ch3915]

• Resolved a fatal error with the wireless configuration tests in the tr69_wireless and ir181 test modules when run in multiport configurations utilizing both wireless and wired LAN interfaces. [ch3938]

• Resolved an issue with CDRouter’s device data model version detection algorithm. Also addressed an issue with a Complete versus Completed error associated with the Device:2.13 data model in the tr143_http test module [ch3944]

CDRouter Storage

• Resolved a false pass related to an error condition in the FTP storage tests if the initial connection was successfully established but subsequently timed out. [ch3936]