Using the Alcatel SpeedTouch Home Ethernet
Introduction
When sold under the model name Home, this ADSL Ethernet device is set up
to be used as a modem, i.e. you need to connect it to a computer. But a simple
software operation can turn it into the Pro version, making it a full-fledged
router, including NAT, PAT (port forwarding, i.e. letting you run a server on
a computer in your LAN and make it reachable from the Net), DHCP, and DNS.
Upgrading to SpeedTouch Pro
- From a host connected to the Net, generate the admin password for the
MAC address of your modem by visiting this
site
- If the Alcatel modem is currently connected to the ADSL line, disconnect
it
- Connect a regular RJ45 network cable from a computer to the modem (no
cross-over required)
- Set the computer's IP configuration to 10.0.0.1/255.0.0.0, gateway =
10.0.0.138 (which is the modem's IP default address)
- (only needed when upgrading the firmware, or are the commands
different?) Since the ST comes in two flavors (G and K), launch a web browser to
http://10.0.0.138/cgi/upgrade, and check whether the firmware version starts
with GV (G series) or KHD (K series). If you are unable to connect to the
modem's on-board web server, the firmware version may be printed on the back
of the modem
- Use your favorite telnet application to connect to the modem (telnet
10.0.0.138)
- Hit ENTER for the username (it'll use the modem's MAC address)
- Since this is a brand new modem, there is no user password yet. You are
now logged on as a regular user. To upgrade the STHome to Pro, you need to
log on as admin.
- Enter "td prompt" without the quotes (alternatively, type
"EXPERT" on older models)
- Enter the admin password that you generated above. You are now in admin
mode.
- Enter "rip"
- Enter "drv_read 2 1 b" (yes, there are spaces between 2, 1,
and b). Note the value that is returned by the modem, usually 8704, 8604,
or even 9604. We want to change the last digit from 4 to 6
- Depending on which number was returned, enter either "drv_write
2 1 b 8706", "drv_write 2 1 b 8606", or "drv_write 2
1 b 9606"
- Enter "exit", followed by "system", and "reboot".
The modem will reboot. Connect the modem to the ADSL line (without forgetting
the filter).
At this point, depending on your ISP, you either need to set up a PPP connection,
or generate and FTP a user.ini file into the modem's /dl directory.
Upgrading the firmware
Generating a user.ini
Setting a password
If you don't want the modem to be hacked from the Net, set a password.
Point your browser at http://10.0.0.138/cgi/system/
Firewalling
Before we go on configuring the firewall part of the modem, do remember that
firewalling only tells the modem whether to allow or deny the flow of packets
through the modem. If you want to share the Internet connection and host a server
on your LAN such as a web or FTP server, this is handled by the NAT (Network
Address Translation) part, which is handled before any firewalling is done in
the Input chain.
Also, always remember to activate firewalling in the IP configuration;
otherwise you can create all the rules you want: as long as firewalling=off,
the modem won't block a thing :-) To check whether firewalling is on or off, telnet to the modem and enter
"ip config". To toggle its status, enter
"config firewalling=on" (or =off), followed by "config save"
to make the change permanent.
The firewall part of the modem works like this: at any time, a packet finds
itself in one of five states, called hooks. To each state/hook, you assign
a chain (i.e. a group) of rules.
Here are the five different states a packet is while it is handled by the
modem (and here's a diagram):
- input: A packet enters the modem
- sink: The packet is intended for the modem itself
- forward: The packet is intended for a host on the other side
- source: The packet was generated by the modem itself (after being routed
by the sink hook), and is now sent to the outside
- output: The packet is intended for another host on the outside, i.e. it
went through the input and forward states, and is now output
Creating a chain
firewall chain create chain=input
Assigning a chain to a hook
firewall assign hook=input chain=input
Assigning a rule to a chain
firewall rule create chain=sink index=0 prot=udp dstport=dns action=accept
Listing the current hooks
firewall list
Listing the chains
firewall chain list
Listing current rules
firewall rule list
Deleting a single rule
You can delete a single rule using the "firewall rule delete" command. You
can remove all rules using "firewall flush".
Deleting a chain
firewall chain delete chain=input
Tips when telneting
- :mymenu mycommand means that you wish to send the command mycommand to the
mymenu menu, without first moving to that menu via mymenu<ENTER>, followed
by mycommand<ENTER>. For example, when starting from the top level,
you can either type ":config save" or "config<ENTER>save<ENTER>"
- When in a given menu, either hit the TAB key or type help<ENTER>
to get a list of available commands
- Command completion is available by hitting TAB
- To move up one level, type "..<ENTER>"
- The Command Line Interface Reference Guide is here.
NAT
Use NAT to allow hosts on the Net to connect to servers located on your internal
network. Here's how to set up NAT to allow hosts on the Net to connect to a
web server (HTTP and HTTPS) and an FTP server located on a host in your private
network:
- nat flush

- nat create protocol=tcp inside_addr=10.0.0.1:80 outside_addr=0.0.0.0:80
- nat create protocol=tcp inside_addr=10.0.0.1:443 outside_addr=0.0.0.0:443
- nat create protocol=tcp inside_addr=10.0.0.1:21 outside_addr=0.0.0.0:21

- config save
Use "nat list" to list currently active NAT connections, including
the static connections you built, which are marked as "template".
nat bind
nat applist
PAT
a.k.a. port forwarding. Unlike the Windows 2000 port forwarding feature, the ST
lets you redirect connections to a different port, e.g. any connection
made from the Net to TCP 1234 can be forwarded to TCP 5678 on a host on your
LAN.
Firewall + NAT Sample
Here's a sample that bans any connection to the modem's embedded servers
(telnet, ftp, www), while allowing incoming connections to an FTP and www server
located on a host in your private network:
- firewall rule flush
- firewall flush

- firewall chain create chain=input
- firewall chain create chain=output
- firewall chain create chain=source
- firewall chain create chain=sink
- firewall chain create chain=forward

- firewall assign hook=input chain=input
- firewall assign hook=sink chain=sink
- firewall assign hook=forward chain=forward
- firewall assign hook=source chain=source
- firewall assign hook=output chain=output

- firewall rule create chain=sink srcintfgrp=wan action=drop

- nat flush

- //Required to allow outgoing connections to FTP servers in active mode
- nat bind application=FTP port=ftp

- nat create protocol=tcp inside_addr=192.168.0.1:80 outside_addr=0.0.0.0:80
- nat create protocol=tcp inside_addr=192.168.0.1:21 outside_addr=0.0.0.0:21

- ip config firewalling=on
- config save
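As an added illustration (not SpeedTouch code or output), here is a small Python model of the hook/chain pipeline described in the Firewalling section and of this sample ruleset. It assumes a constructed public WAN address 203.0.113.5 for the modem, that a chain with no matching rule accepts the packet, and it also handles the dstport/dstportend range form of a rule. It shows that a NAT template rewrites a WAN packet's destination before the input chain sees it, that WAN packets aimed at the modem itself die at the sink hook, and that with firewalling=off the same rules block nothing.

```python
from collections import namedtuple

MODEM_IPS = {"10.0.0.138", "203.0.113.5"}  # constructed: the LAN address plus an assumed public WAN address
Packet = namedtuple("Packet", "srcintfgrp proto dst dstport")  # srcintfgrp is "wan" or "lan"
# one "firewall rule create" line; a None field means "any"; dstportend ends a range (dstport=8081 dstportend=65535)
Rule = namedtuple("Rule", "action srcintfgrp prot dstport dstportend", defaults=(None,) * 4)

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.srcintfgrp not in (None, p.srcintfgrp) or r.prot not in (None, p.proto):
        return False
    end = r.dstport if r.dstportend is None else r.dstportend
    return r.dstport is None or r.dstport <= p.dstport <= end

class Modem:
    def __init__(self, firewalling: bool):
        self.firewalling = firewalling  # the "ip config firewalling=on|off" switch
        self.chains, self.hooks, self.nat = {}, {}, {}  # chain -> [Rule], hook -> chain, NAT templates
    def nat_create(self, proto, inside_addr, outside_addr):  # one "nat create" template
        ip, port = inside_addr.split(":")
        self.nat[(proto, int(outside_addr.split(":")[1]))] = dict(dst=ip, dstport=int(port))
    def verdict(self, hook, p):
        if not self.firewalling:  # firewalling=off: the chains exist but block nothing
            return "accept"
        for r in self.chains.get(self.hooks.get(hook), []):
            if rule_matches(r, p):
                return r.action
        return "accept"  # assumption: a chain with no matching rule lets the packet through
    def handle(self, p: Packet) -> str:
        # a NAT template rewrites the destination before the input chain sees the packet
        if p.srcintfgrp == "wan" and (p.proto, p.dstport) in self.nat:
            p = p._replace(**self.nat[(p.proto, p.dstport)])
        if self.verdict("input", p) == "drop":
            return "drop@input"
        if p.dst in MODEM_IPS:  # sink hook: the packet is for the modem itself
            return "drop@sink" if self.verdict("sink", p) == "drop" else f"sink:{p.dstport}"
        for hook in ("forward", "output"):  # a host on the other side is the destination
            if self.verdict(hook, p) == "drop":
                return f"drop@{hook}"
        return f"forward:{p.dst}:{p.dstport}"

def sample_modem(firewalling: bool = True) -> Modem:
    # the "Firewall + NAT Sample" above: one chain per hook, WAN->modem dropped at sink, two NAT templates
    m = Modem(firewalling)
    for name in ("input", "output", "source", "sink", "forward"):
        m.chains[name], m.hooks[name] = [], name
    m.chains["sink"].append(Rule("drop", srcintfgrp="wan"))
    m.nat_create("tcp", "192.168.0.1:80", "0.0.0.0:80")
    m.nat_create("tcp", "192.168.0.1:21", "0.0.0.0:21")
    return m
```

Feed sample_modem().handle() a WAN packet to port 23 and one to port 80 to see the telnet attempt dropped at sink while the web request is translated and forwarded; sample_modem(firewalling=False) lets the telnet attempt reach the modem.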
Adding an IP address to the modem's Ethernet interface
Provided you do not wish to use 10.0.0.0/8 on your LAN, here's how to add
a new address to the modem's default address of 10.0.0.138/8 (it's safer to
add an address instead of replacing the original address):
- Aim at http://10.0.0.138, and log on
with the MAC address and the user password
- Click on Routing
- In "IP address table", click on New, and input a new address
+ mask
DHCP
DNS
Emule
To avoid getting a lowID, you must open up the firewall this way:
- //By default, eMule clients use TCP 4662 and UDP 4672
- nat create protocol=tcp inside_addr=10.0.0.1:4662 outside_addr=0.0.0.0:4662
- nat create protocol=udp inside_addr=10.0.0.1:4672 outside_addr=0.0.0.0:4672
- config save
Since some ISPs block TCP 4662 and UDP 4672 in a foolish attempt to slow
down the use of P2P, you might want to reconfigure your copy of eMule, along
with the firewall rule above, to use other ports. You're free to use any port
between 80 and 65535. If you can read French, more info here
on what a LowID is, why you should not want one, and how to change this.
(?) If you are on a Speed Touch + Firewall or a 510v3, there is no particular
firewall configuration to do if you are on firewall level 1.
http://forpage.com/forum/viewtopic.php?t=624
Q&A
bind?
What's that for? To have the modem add NAT/firewall stuff automagically?
- :nat bind application=H323 port=1720
- :nat bind application=FTP port=ftp
- :nat bind application=RTSP port=554
- :nat bind application=IRC port=6667
- :nat bind application=RAUDIO(PNA) port=7070
srcintf, dstintf, srcintfgrp?
Why isn't this enough to forbid access from the Net to the modem?
firewall rule create chain=sink index=0 srcintf=!eth0 action=drop
OR
firewall rule create chain=SINK index=0 srcintfgrp=wan action=drop
Do I need to upgrade the STH's firmware before turning the modem into an
STP?
Not if you are running either GV8BAA3.270 or GV8BAA3.281.
What is the difference between dstport and dstportend?
It's an awkward syntax to refer to a range of ports, i.e. dstport is the beginning
of the range, and dstportend is the end of the range. For instance, here's how
to define the range 8081-65535:
dstport=8081 dstportend=65535
Resources