CDRouter Support

Advanced DMZ testing

knowledge-base version 12.13

CDRouter contains a dmz.tcl test module that verifies DMZ functionality across a range of TCP and UDP ports. When testing DMZ functionality on a router, configure a CDRouter port range that covers every service you expect to run on a DMZ host.

As vendors have added special services to routers to handle new functionality such as TR-069 and SIP ALGs, the DMZ functionality can be inadvertently broken. We have seen cases where SIP does not work through a DMZ because the router’s SIP-ALG or SIP Proxy rejects certain packets from the WAN rather than passing them to a DMZ host.

There are two techniques you can use to improve your DMZ testing:

Large Port Range for DMZ Testing

Configure the entire port range when testing in a DMZ configuration. This verifies that every port is actually forwarded through the DMZ, and catches cases where a router-hosted service such as a SIP ALG intercepts traffic instead of passing it on to the DMZ host.

testvar portScanStart 0
testvar portScanStop 65535

Back-to-Back Router Testing

CDRouter makes it easy to test two routers in a back-to-back configuration. This allows CDRouter to run more realistic application tests through the DMZ configuration of the router.

The first router is configured as the normal router under test. The second router is configured with a DMZ host. Because the WAN interface of CDRouter actually connects to the LAN side of the second router, behind its NAT, CDRouter can only use a single IP address for WAN connectivity.

This mode of operation is enabled by configuring remoteHostPrivateIp, an additional private IP address on the WAN side, alongside remoteHostIp. Clients connecting from the LAN use remoteHostIp as their destination, but the WAN-side protocol stack actually runs on remoteHostPrivateIp. The second router must be configured with a DMZ host that matches remoteHostPrivateIp.

testvar remoteHostIp
testvar remoteHostPrivateIp

When CDRouter runs in this configuration, test cases that require multiple IP addresses on the WAN are skipped automatically, since only remoteHostIp is used on the WAN side. Some test modules do not support this configuration at all.

Example Setup for Back-to-Back Routers

# -- the lanIp matches Router 1's LAN IP address
testvar lanIp      

# -- CDRouter WAN configuration matches LAN side of Router 2
testvar wanIspIp   
testvar wanIspAssignIp
testvar wanNatIp   
testvar wanMode              static

# -- the remoteHostIp matches Router 2 WAN side
testvar remoteHostIp

# -- the remoteHostPrivateIp is an IP on Router 2's LAN
testvar remoteHostPrivateIp

# -- adjust the hop count based on the number of hops (two routers here)
testvar IPv4HopCount         2
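The following script is an added example, not part of the original article or of CDRouter itself. It lints a back-to-back DMZ configuration like the one above before a test run: it parses testvar lines, checks that everything living on Router 2's LAN segment (wanIspAssignIp, wanNatIp, remoteHostPrivateIp) shares the WAN subnet, that remoteHostIp is a separate WAN-side address, that the hop count allows for two routers, and that the port sweep covers the full range recommended in the first technique. The sample config and its addresses are constructed placeholders, and wanIspMask is assumed to be the testvar that carries the WAN subnet mask.

```python
"""Lint a CDRouter back-to-back DMZ configuration before running dmz.tcl."""
import ipaddress
import re

# Constructed sample config (not from the original article). The addresses are
# placeholders; wanIspMask is assumed to be the testvar holding the WAN mask.
SAMPLE_CONFIG = """
# -- the lanIp matches Router 1's LAN IP address
testvar lanIp                192.168.1.1

# -- CDRouter WAN configuration matches LAN side of Router 2
testvar wanIspIp             10.0.0.1
testvar wanIspMask           255.255.255.0
testvar wanIspAssignIp       10.0.0.50
testvar wanNatIp             10.0.0.50
testvar wanMode              static

# -- the remoteHostIp matches Router 2 WAN side
testvar remoteHostIp         203.0.113.10

# -- the remoteHostPrivateIp is an IP on Router 2's LAN (Router 2's DMZ host)
testvar remoteHostPrivateIp  10.0.0.100

# -- two routers between the LAN client and the remote host
testvar IPv4HopCount         2

testvar portScanStart        0
testvar portScanStop         65535
"""

TESTVAR_RE = re.compile(r"^\s*testvar\s+(\S+)\s+(\S+)")


def parse_testvars(text):
    """Return {name: value} for every 'testvar name value' line, skipping comments."""
    vals = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = TESTVAR_RE.match(line)
        if m:
            vals[m.group(1)] = m.group(2)
    return vals


def check_back_to_back(vals):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    need = ["wanIspIp", "wanIspMask", "wanIspAssignIp", "wanNatIp",
            "remoteHostIp", "remoteHostPrivateIp"]
    missing = [k for k in need if k not in vals]
    if missing:
        return ["missing testvars: " + ", ".join(missing)]

    wan_net = ipaddress.ip_network(
        f"{vals['wanIspIp']}/{vals['wanIspMask']}", strict=False)
    priv = ipaddress.ip_address(vals["remoteHostPrivateIp"])
    remote = ipaddress.ip_address(vals["remoteHostIp"])

    if vals.get("wanMode") != "static":
        problems.append("wanMode should be static when CDRouter's WAN sits on Router 2's LAN")
    # Everything on Router 2's LAN segment must share one subnet with wanIspIp.
    for name in ("wanIspAssignIp", "wanNatIp", "remoteHostPrivateIp"):
        if ipaddress.ip_address(vals[name]) not in wan_net:
            problems.append(f"{name}={vals[name]} is not in the WAN subnet {wan_net}")
    if not priv.is_private:
        problems.append("remoteHostPrivateIp must be a private address on Router 2's LAN")
    # remoteHostIp is Router 2's WAN address; it must not be a LAN-side address.
    if remote in wan_net:
        problems.append("remoteHostIp should be Router 2's WAN address, not in the LAN subnet")
    if remote == priv:
        problems.append("remoteHostIp and remoteHostPrivateIp must differ")
    # Packets cross two routers, so the hop budget must allow at least two.
    hops = int(vals.get("IPv4HopCount", "1"))
    if hops < 2:
        problems.append(f"IPv4HopCount={hops}: back-to-back routers need at least 2")
    # The DMZ sweep should cover the whole range so router-hosted services are not missed.
    start = int(vals.get("portScanStart", "0"))
    stop = int(vals.get("portScanStop", "0"))
    if start > stop:
        problems.append("portScanStart is greater than portScanStop")
    elif (start, stop) != (0, 65535):
        problems.append(f"port sweep {start}-{stop} does not cover the full range 0-65535")
    return problems


if __name__ == "__main__":
    report = check_back_to_back(parse_testvars(SAMPLE_CONFIG))
    for line in report or ["config looks consistent"]:
        print(line)
```

Run it against your own config file by replacing SAMPLE_CONFIG with the file's contents; each reported line points at one of the constraints the article describes, so an empty report means the addresses, hop count and port range agree with the back-to-back topology before any test time is spent.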

About CDRouter

CDRouter is made by QA Cafe, a technology company based in Portsmouth, NH.
