CDRouter contains a dmz.tcl test module that verifies DMZ functionality for a range of TCP and UDP ports. When testing the DMZ functionality on a router it is important to configure a CDRouter port range that contains all the services that you might expect to run in a DMZ.
As vendors have added special services to routers to handle new functionality such as TR-069 and SIP ALGs, the DMZ functionality can be inadvertently broken. We have seen cases where SIP does not work through a DMZ because the router’s SIP-ALG or SIP Proxy rejects certain packets from the WAN rather than passing them to a DMZ host.
There are two techniques you can use to improve your DMZ testing:
Large Port Range for DMZ Testing
Configure the entire port range when testing in a DMZ configuration. This will make sure all ports are getting through the DMZ. This can catch cases where new applications such as SIP do not actually make it through the DMZ.
testvar portScanStart 0
testvar portScanStop 65535
Back-to-Back Router Testing
CDRouter makes it easier to test two routers in a back-to-back configuration. This allows CDRouter to run more realistic application tests through the DMZ configuration of the router.
The first router is configured as the normal router under test. The second router should be placed in a DMZ configuration. Since the WAN interface of CDRouter actually connects to the LAN interface of the second router behind NAT, CDRouter can only use a single IP address for WAN connectivity.
This mode of operation is enabled by configuring, in addition to remoteHostIp on the WAN side, a private IP address in remoteHostPrivateIp. When connecting from the LAN, clients will use the IP address remoteHostIp. However, the actual protocol stack will run using remoteHostPrivateIp. The second WAN router must be configured with a DMZ host that matches remoteHostPrivateIp.
testvar remoteHostIp 188.8.131.52
testvar remoteHostPrivateIp 192.168.1.100
When CDRouter is running in this type of configuration, several test cases that use multiple IP addresses on the WAN are skipped automatically. Only the remoteHostIp is used on the WAN side. Some test modules do not support this type of configuration.
Example Setup for Back-to-Back Routers
# -- the lanIp matches Router 1's LAN IP address
testvar lanIp 192.168.1.1

# -- CDRouter WAN configuration matches LAN side of Router 2
testvar wanIspIp 192.168.1.100
testvar wanIspAssignIp 192.168.1.1
testvar wanNatIp 184.108.40.206
testvar wanMode static

# -- the remoteHostIp matches Router 2 WAN side
testvar remoteHostIp 220.127.116.11

# -- the remoteHostPrivateIp is an IP on Router 2's LAN
testvar remoteHostPrivateIp 192.168.1.100

# -- adjust the HOP count based on the number of hops
testvar IPv4HopCount 2