CDRouter ICS User Guide


CDRouter ICS enhances traditional closed loop testing by providing access to the internet or other outside networks for non-test traffic. This is accomplished by routing test traffic and network traffic separately, enabling testing for:

  • Devices that require access to external resources or start-up procedures
  • Devices that have cloud- or app-based management systems or user interfaces
  • Devices that access real-time web applications as part of regular operations
  • Devices that require access to CRLs or other certificate validation resources


CDRouter ICS is a licensed add-on that must be purchased from QA Cafe. For information on upgrading your license to include CDRouter ICS or any other add-ons, please contact

CDRouter will report the status of all available add-ons during the installation process and during startup. To verify that CDRouter ICS is enabled on a system, run the command cdrouter-cli -info as root and look for the line ICS is enabled, as shown below. If this line is present, CDRouter ICS is enabled and ready to use.

$ cdrouter-cli -info

Starting cdrouter-cli Tue Sep 20 11:49:39 EDT 2016
Copyright (c) 2001-2016 by QA Cafe
Version 10.2 build 1 (22730 trunk), built 2016-09-18 17:36:24 by nightly@cdr-forge6.lan (x86_64)
Loaded OS distro \S Kernel \r on an \m 
Loaded OS version Linux-3.10.0-327.10.1.el7.x86_64 x86_64
Loaded Tcl version 8.6.6
Loaded buddy version 10.2.1
( (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) )
Current testpath: /usr/cdrouter/tests
Trying to load modules from '/usr/cdrouter/tests /home/matt/customTests'
Start command: /usr/cdrouter/bin/cdrouter-cli -testpath /usr/cdrouter/tests -info
Test Suite cdrouter 10.2.1
The system ID is 2df9e2a1f8c359183cf0191a20f2cc5a
Using license installed at: /etc/cdrouter.lic
Registered to: qacafe: matt
Maintenance, Support and Upgrades until: 2017-06-01
Licensed to run: cdrouter
    Multiport   is enabled
    IPv6        is enabled
    Storage     is enabled
    IKE         is enabled
    TR69        is enabled
    TR69-EDM    is enabled
    Nmap        is enabled
    BBF.069     is enabled
    SNMP        is enabled
    Performance is enabled
    ICS is enabled                                                      <-- here
CPU is Intel(R) Core(TM) i5-4308U CPU @ 2.80GHz, bogomips 5599.87
Loaded TclXML version 3.1 (libxml2), TclDOM 3.0, xmldefs 3.1
Trying to load modules from '/usr/cdrouter/vendor/IOL/BBF.069/Tests'
BBF.069 version 6.0-5 (21451)

System Requirements

CDRouter ICS requires CDRouter 10.2 or newer. Please see the CDRouter installation and upgrade guide for information on upgrading an existing CDRouter system.

In addition, CDRouter ICS is only supported on QA Cafe’s NTA1000 hardware platform. The NTA1000v5 and newer platforms supports all CDRouter ICS features. Older NTA1000 platforms may also support certain CDRouter ICS features according to the requirements listed in the table below:

NTA1000 Supported CDRouter ICS Features Requirements
v1 CDRouter ICS not supported Please contact for hardware upgrade information
v2 IPv4 internet connection sharing NTA1000 software image 4.2 or greater
v3 IPv4 internet connection sharing NTA1000 software image 4.2 or greater
v4 IPv4 internet connection sharing NTA1000 software image 4.2 or greater
v5+ IPv4 and IPv6 internet connection sharing NTA1000 software image 5.0 or greater

Please contact for information on upgrading to the latest NTA1000 software image.

Test Methodology


CDRouter has traditionally been used for closed loop functional testing of CPE devices. In a closed loop setup, CDRouter’s LAN and WAN interfaces are connected directly to the CPE’s LAN and WAN interfaces, respectively. In this setup, the CPE alone is the device under test (DUT).

In certain situations an additional access concentrator may be required to terminate the CPE’s WAN interface. This occurs when the CPE’s WAN interface is not Ethernet and is instead LTE, DSL, DOCSIS, GPON, etc. In these situations a DSLAM, CMTS, or other access concentrator may be included in the closed loop setup.

In a closed loop setup, CDRouter controls all aspects of the test environment and provides end-to-end connectivity through the DUT for testing. CDRouter simulates the access network and all WAN servers with which the DUT communicates. This approach isolates the DUT and provides consistent and repeatable test results. Test failures in a closed loop setup can be traced directly to issues or functional problems with the DUT.

Traditional closed loop test setup

CDRouter ICS is an add-on that extends the traditional closed loop setup by providing Internet access to the DUT for non-test traffic. This makes it possible to test CPE devices that have cloud- or app-managed elements that require Internet access.

Closed loop test setup with internet connection sharing

CDRouter ICS implements internet connection sharing by reconfiguring the iptables and ip6tables rules within the host’s operating system. internet connection sharing can be enabled independently for IPv4 and IPv6 traffic in most CDRouter configurations. CDRouter ICS also provides extended DNS functionality that allows requests for non-test resources to be answered by CDRouter.

IPv4 Internet Connection Sharing

When IPv4 internet connection sharing is enabled, CDRouter will create a simple NAT44 configuration on the system’s management interface at the start of the test run. When a packet is later received on the WAN, CDRouter will make a routing decision based on the destination IP address of the received packet.

Packets that have destination IP’s matching a known test stack will be processed by CDRouter as usual. All other packets will be forwarded by CDRouter to the management interface where they will be NAT’ed by the operating system and sent out on the corporate LAN.

IPv6 Internet Connection Sharing

IPv6 internet connection sharing works much the same way as IPv4 internet connection sharing - when enabled, CDRouter will create a simple NAT66 configuration on the system’s management interface. There are some additional caveats that apply to IPv6 internet connection sharing, namely that IPv6 internet connection sharing can only be enabled if IPv4 internet connection sharing is also enabled.

In addition, IPv6 internet connection sharing is only compatible with CDRouter DHCPv6 prefix delegation configurations, and only addresses within the delegated prefix of the primary CDRouter WAN interface will have external access. As a result, if the DUT requires IPv6 internet connectivity, its global IPv6 address must be contained within the delegated prefix.


CDRouter ICS also includes enhanced DNS functionality to ensure that the DUT has seamless access to external resources.

In a typical closed loop setup, CDRouter’s DNS servers contain records for only a handful of static, well-known resources. Records are also added dynamically as needed during testing, and users have the option of defining additional records in the configuration file. CDRouter’s DNS servers are only able to provide answers to queries for known resources. As a result, queries for other external resources will go unanswered.

When internet connection sharing is enabled, CDRouter’s DNS servers will use the operating system’s DNS resolver when a query cannot be answered using its own records. The operating system may attempt to resolve queries locally via the /etc/hosts file before sending them to an upstream DNS server.

This additional functionality allows the DUT as well as its LAN clients to resolve external resources. Currently, this feature is only supported for queries for A, AAAA, CNAME, MX, PTR, SPF and TXT records.


The following testvars control internet connection sharing within CDRouter:

To enable internet connection sharing, the testvar enableICS must be set to “yes”. The testvar icsInterface must be set to the network interface on your CDRouter system which CDRouter ICS will use to route traffic to the internet.

The testvars icsShareIPv4 and icsShareIPv6 control whether internet connection sharing is enabled for IPv4 and IPv6 traffic, respectively. By default, both testvars are set to “yes” meaning internet connection sharing is enabled for both traffic types. To disable internet connection sharing for a traffic type, set that testvar’s value to “no”. Please note that enabling IPv6 internet connection sharing requires also enabling IPv4 internet connection sharing.


There are a number of caveats associated with internet connection sharing technique implemented by CDRouter ICS. Specifically:

  • Internet connection sharing is only available for traffic on the primary WAN interface defined within the CDRouter configuration file. Traffic received on all other WAN interfaces will be processed solely by CDRouter.

  • The CDRouter system’s management interface must have an IPv4 address and Internet connectivity in order for IPv4 Internet connection sharing to work. Likewise, the system must also have an IPv6 address and connectivity in order for IPv6 internet connection sharing to work.

  • No ALGs are enabled within the NAT44 and NAT66 configuration applied by CDRouter to the management interface. Some protocols are not compatible with NAT or require an ALG if NAT is present. As a result, some non-test services or features required by the DUT may not be compatible with this technique.

  • The IPv4 and IPv6 configuration of CDRouter’s primary WAN interface must not conflict with the IPv4 and IPv6 configuration of the management interface on the system. This requirement is imposed by the operating system when configuring NAT44 and NAT66 on the management interface. If encountered this requirement can be met by changing the IP addresses used by CDRouter on the primary WAN.

  • Internet connection sharing has the potential to generate very large log and capture files if a significant amount of traffic is forwarded to the system’s management interface.

  • Internet connection sharing is only enabled while CDRouter is running tests.

  • Packets destined for addresses within CDRouter’s free network range, for both IPv4 and IPv6, will not be forwarded to the internet. As a result, some care must be taken to ensure that the free network range does not conflict with real servers or services on the internet that users may want to reach.

  • Enabling ICS may impact test results if resources that are not normally accessible in a closed loop environment become accessible.

  • IPv6 internet connection sharing is only supported for configurations that utilize DHCPv6 Prefix Delegation on the WAN.

Testing Exercises

There are a number of interesting new test scenarios that are possible when internet connection sharing is enabled:

  • The reporting capabilities of any cloud or app elements can be verified in real-time while tests are being performed. Information such as the overall status or health of the DUT, the number of connected LAN clients, availability of new firmware, etc. an be analyzed for accuracy.

  • Diagnostic utilities built in to the DUT that rely on external resources can be tested. This includes well-known utilities such as ping and traceroute and also proprietary utilities that would not typically be available in a closed loop setup.

  • Verify the behavior of the DUT while performing actions such as a firmware download while CDRouter renumbers the WAN interface.

  • Test with and without internet connection sharing enabled to ensure that device operates properly if the internet and other external resources are not available.