Static NAT Testing with CDRouter

The CDRouter Multiport add-on includes support for static NAT configurations. CPE devices that support this functionality have two or more public IPv4 addresses. One public address is typically assigned to the primary WAN connection, and one or more additional public IPv4 addresses are assigned as well. These additional addresses allow a host on the LAN side of the CPE to have its own public IPv4 address on the WAN. The IPv4 mapping between the public WAN address and the private LAN address is one-to-one and is generally known as “static NAT”.

Test Coverage

CDRouter Multiport includes the nat-static.tcl test module specifically for testing static NAT hosts. This new module covers NAT functionality that is unique to static NAT mappings. However, all of CDRouter’s existing test modules can also be run on any configured static NAT hosts. CDRouter will automatically map traffic from specific LAN hosts to the appropriate public IP address based on the defined static NAT mappings.

CDRouter Multiport handles static NAT by defining a new LAN interface for each additional static NAT host. By repeating each test for all configured LAN interfaces, you can easily verify that the behavior of specific functionality supported by the DUT is consistent for both regular DHCP LAN hosts and any additional static NAT hosts that have been defined.

Getting Started

Support for static NAT is included in the CDRouter-Multiport add-on. As a result, you must have the CDRouter-Multiport add-on installed to enable the nat-static.tcl test module and test static NAT configurations. Static NAT hosts are defined within CDRouter-Multiport by creating an additional LAN interface for each host using the testvar_group concept. A LAN interface becomes a “static NAT” host when both the staticNatIp and hostIp testvars are defined.

The following example illustrates a basic static NAT configuration for CDRouter. In this example a second physical LAN interface (eth2) is added to the test setup using the testvar_group option. A new LAN host with an IP address of 192.168.1.100 is created on this interface. This host is designated a static NAT host by adding the staticNatIp testvar to the testvar_group, which creates a static NAT mapping from the LAN host to the public IP 68.1.2.18.

Basic configuration example

# -- Primary LAN interface setup

testvar lanInterface            eth1
testvar lanType                 ethernet

# -- Static NAT host setup

testvar_group lan2 {

   testvar lanInterface                    eth2
   testvar lanType                         ethernet
   testvar hostIp                          192.168.1.100
   testvar staticNatIp                     68.1.2.18

}

Note that static NAT hosts do not need to be created on separate physical LAN interfaces. Static NAT hosts can share a physical LAN interface with other LAN or static NAT hosts, provided the physical interface is Ethernet. Whenever a static NAT host is defined on the same physical LAN interface as another host, a unique MAC address should be configured for the static NAT host using the testvar lanMac. Static NAT hosts can be placed on wireless interfaces, although a wireless interface cannot be shared by multiple LAN and static NAT hosts.

The example below shows how a specific MAC address can be configured for a static NAT host that is sharing a physical interface with the primary LAN client (eth1).

Example with specific MAC address

# -- Primary LAN interface setup

testvar lanInterface            eth1
testvar lanType                 ethernet

# -- Static NAT host setup

testvar_group lan2 {

   testvar lanInterface                    eth1
   testvar lanType                         ethernet
   testvar hostIp                          192.168.1.100
   testvar staticNatIp                     68.1.2.18
   testvar lanMac                          00:01:22:33:44:55

}

Configure NAT Mode

By default, CDRouter will assume that the static NAT host is using the same NAT mode as the main WAN interface. The testvar natMode is used to define the expected NAT mode for the WAN interface. This testvar can also be defined inside of the testvar group to change the expected NAT mode for the static NAT host. For example, if the main WAN interface is using a port-restricted NAT, but the static NAT hosts use a full-cone NAT, the expected NAT mode on the static NAT host can be redefined.

Example with NAT mode

testvar_group lan2 {

   testvar lanInterface                    eth2
   testvar lanType                         ethernet
   testvar hostIp                          192.168.1.100
   testvar staticNatIp                     68.1.2.18
   testvar natMode                         full-cone

}

Configure Firewall, Virtual Services and Port Triggers

If a static NAT host does not have a firewall applied, the testvar staticNatFirewall can be set to “no”. Otherwise, CDRouter assumes that basic firewalling is enabled on all static NAT hosts. Any virtual services, port triggers, or firewall exceptions can also be defined using the same testvar syntax as the main LAN interface.

Example with no firewall enabled on static NAT host

testvar_group lan2 {

   testvar lanInterface                    eth2
   testvar lanType                         ethernet

   testvar hostIp                          192.168.1.100
   testvar staticNatIp                     68.1.2.18
   testvar lanMac                          00:07:07:07:07:01
   testvar staticNatFirewall               no

}

Example with additional services on static NAT host

testvar_group lan2 {

   testvar lanInterface                    eth2
   testvar lanType                         ethernet
   testvar hostIp                          192.168.1.100
   testvar staticNatIp                     68.1.2.18
   testvar lanMac                          00:07:07:07:07:01

   testvar virtualTcpServices              yes
   testvar virtualTcpServicePort1          21
   testvar virtualTcpServiceHost1          192.168.1.100
   testvar virtualTcpServiceName1          ftp
   testvar virtualTcpServiceLanPort1       21

   testvar virtualUdpServices              yes
   testvar virtualUdpServicePort1          69
   testvar virtualUdpServiceHost1          192.168.1.100
   testvar virtualUdpServiceName1          ftp
   testvar virtualUdpServiceLanPort1       69

   testvar portTriggers                    yes
   testvar triggerName1                    AIMtalk
   testvar triggerPort1                    4099
   testvar triggerType1                    tcp
   testvar triggerPublic1                  5190
   testvar triggerPublicType1              tcp

}
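The examples above follow a small set of rules: a testvar_group becomes a static NAT host only when both hostIp and staticNatIp are set, natMode and staticNatFirewall take their documented defaults unless overridden, and a host that shares a physical interface needs its own lanMac. The following Python script, added here as an illustration and not part of CDRouter or the article, parses a constructed config in that syntax into the resulting one-to-one mapping table and checks those rules before a test run is started.

```python
import re
from collections import Counter
# Constructed sample in the testvar syntax shown above (values are illustrative, not from a real DUT).
SAMPLE = """
testvar lanInterface  eth1
testvar natMode       port-restricted
testvar_group lan2 {
   testvar lanInterface  eth1
   testvar hostIp        192.168.1.100
   testvar staticNatIp   68.1.2.18
}
testvar_group lan3 {
   testvar lanInterface  eth2
   testvar hostIp        192.168.1.101
   testvar staticNatIp   68.1.2.19
   testvar natMode       full-cone
   testvar staticNatFirewall no
}
"""

def parse_testvars(text):
    """Split a config into the global testvars and one dict per testvar_group."""
    glob, groups, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '# --' comment lines are ignored
        if m := re.match(r"testvar_group\s+(\S+)\s*\{", line):
            cur = groups.setdefault(m.group(1), {})
        elif line == "}":
            cur = None
        elif m := re.match(r"testvar\s+(\S+)\s+(\S+)", line):
            (glob if cur is None else cur)[m.group(1)] = m.group(2)
    return glob, groups

def static_nat_hosts(glob, groups):
    """Groups with hostIp and staticNatIp; natMode inherits the WAN value, firewall defaults to yes."""
    return {name: {"lan": g["hostIp"], "wan": g["staticNatIp"], "mac": g.get("lanMac"),
                   "iface": g.get("lanInterface", glob.get("lanInterface")),
                   "natMode": g.get("natMode", glob.get("natMode")),
                   "firewall": g.get("staticNatFirewall", "yes")}
            for name, g in groups.items() if "hostIp" in g and "staticNatIp" in g}

def check_config(glob, groups):
    """Flag a public IP mapped twice (not one-to-one) and a shared interface without a lanMac."""
    hosts = static_nat_hosts(glob, groups)
    per_iface = Counter([glob.get("lanInterface")] + [h["iface"] for h in hosts.values()])
    wan_count = Counter(h["wan"] for h in hosts.values())
    return ([f"{n}: public IP {h['wan']} is mapped more than once"
             for n, h in hosts.items() if wan_count[h["wan"]] > 1] +
            [f"{n}: shares {h['iface']} with another host but has no lanMac"
             for n, h in hosts.items() if per_iface[h["iface"]] > 1 and not h["mac"]])
```

Running check_config on the sample reports that lan2 shares eth1 with the primary LAN client without a lanMac, the situation the second example above resolves.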

Running Tests

When multiple LAN interfaces are defined, CDRouter will automatically switch to the next LAN interface after each test. To ensure that you are fully testing your static NAT host, you may want to repeat each test for each LAN interface before moving on to the next test case. You can do this using the -scount option from the command line, or by selecting the “Repeat each test X times in a row” option when setting up your BuddyWeb package.

For example, if your configuration contains a single main LAN interface and a second LAN group configured as a static NAT host, you could run each test in the nat.tcl module two times in a row to test both the regular LAN interface and the static NAT host.

# buddy -config static_nat.conf -module nat.tcl -trace -pt -capture -scount 2

Static NAT Translation Overview:

http://www.firewall.cx/nat-static-part1.php