Using the Alcatel SpeedTouch Home Ethernet


When sold under the model name of Home, this ADSL Ethernet device is set to be used as a modem, ie. you need to connect it to a computer. But a simple software operation can make it into the Pro version, turning it into a full-fledged router, including NAT, PAT (port forwarding, ie. letting you run a server on a computer in your LAN, and make it reachable from the Net), DHCP, and DNS.

Upgrading to SpeedTouch Pro

  1. From a host connected to the Net, generate the admin password for the MAC address of your modem by visiting this site
  2. If the Alcatel modem is currently connected to the ADSL line, disconnect it
  3. Connect a regular RJ45 network cable from a computer to the modem (no cross-over required)
  4. Set the computer's IP configuration to, gateway = (which is the modem's IP default address)
  5. (only needed when upgrading firmware, or commands different?) Since the ST comes in two flavors (G and K), launch a web browser to, and check whether the firmware version starts with GV (G series) or KHD (K series). If you are unable to connect to the modem on-board web server, the firmware version may be printed on the back of the modem
  6. Use your favorite telnet application to connect to the modem (telnet
  7. Hit ENTER for the username (it'll use the modem's MAC addresse)
  8. Since this is a brand new modem, there is no user password yet. You are now logged on as a regular user. To upgrade the STHome to Pro, you need to log on as admin.
  9. Enter "td prompt" without the quotes (alternatively, type "EXPERT" on older models)
  10. Enter the admin password that you generated above. You are now in admin mode.
  11. Enter "rip"
  12. Enter "drv_read 2 1 b" (yes, there are spaces between 2, 1, and b). Note the value that is returned by the modem, usually 8704, 8604, or even 9604. We want to change digit from 4 to 6
  13. Depending on which number was returned, enter either "drv_write 2 1 b 8706", "drw_write 2 1 b 8606", or "drw_write 2 1 b 9606"
  14. Enter "exit", followed by "system", and "reboot". The modem will reboot. Connect the modem to the ADSL line (without forgetting the filter)

At this point, depending on your ISP, you either need to set up a PPP connection, or generate and FTP a user.ini file into the modem's /dl directory.

Upgrading the firmware

Generating a user.ini

Setting a password

If you don't want the modem to be hacked from the Net, it is recommended to set a password. Aim your browser to


Before we go on configuring the firewall part of the modem, do remember that firewalling only tells the modem whether to allow or deny the flow of packets through the modem. If you want to share the Internet connection and host a server on your LAN such as a web or FTP server, this is handled by the NAT (Network Address Translation) part, which is handled before any firewalling is done in the Input chain.

Also, always remember to activate the firewalling in the IP configuration; Otherwise, you can create all the rules you want: As long as firewalling=off, the modem won't block a thing :-) To check whether firewalling is on or off, telnet to the modem, and enter "ip config". To toggle its status, enter "config firewalling=on" (or =off), followed by "config save" to make the change permanent.

The firewall part of the modem works like this: At any time, a packet finds itself in one of those five states, called hooks. To each state/hook, you assign a chain (ie. group) of rules.

Here are the five different states a packet is while it is handled by the modem (and here's a diagram):

Creating a chain

firewall chain create chain=input

Assigning a chain to a hook

firewall assign  hook=input chain=input

Assigning a rule to a chain

firewall rule create chain=sink index=0 prot=udp dstport=dns action=accept

Listing the current hooks

firewall list

Listing the chains

firewall chain list

Listing current rules

firewall rule list

Deleting a single rule

You can delete a single rule using the "rule delete" command. You can remove all rules using "firewall flush".

Deleting a chain

firewall chain delete chain=input

Tips when telneting


Use NAT to allow hosts on the Net to connect to servers located on your internal network. Here's how to set up NAT to allow hosts on the Net to connect to a web server (HTTP and HTTPS) and an FTP server located on a host in your private network:

nat flush
nat create protocol=tcp inside_addr= outside_addr=
nat create protocol=tcp inside_addr= outside_addr=
nat create protocol=tcp inside_addr= outside_addr=
config save

Use "nat list" to list currently active NAT connections, including the static connections you built, which are marked as "template".

nat bind

nat applist


a.k.a. Port forwarding. Unlike Windows2000 port forwarding feature, the ST lets you redirect connections to a port that is different, eg. any connection made from the Net to TCP 1234 can be forwarded to TCP 5678 on a host on your LAN.

Firewall + NAT Sample

Here's a sample that bans any connection to the modem's embedded servers (telnet, ftp, www), while allowing incoming connections to an FTP and www server located on a host in your private network:

firewall rule flush
firewall flush
firewall chain create chain=input
firewall chain create chain=output
firewall chain create chain=source
firewall chain create chain=sink
firewall chain create chain=forward
firewall assign hook=input chain=input
firewall assign hook=sink chain=sink
firewall assign hook=forward chain=forward
firewall assign hook=source chain=source
firewall assign hook=output chain=output
firewall rule create chain=sink srcintfgrp=wan action=drop
nat flush
//Required to allow outgoing connectoins to FTP servers in active mode
nat bind application=FTP port=ftp
nat create protocol=tcp inside_addr= outside_addr=
nat create protocol=tcp inside_addr= outside_addr=
ip config firewalling=on
config save

Adding an IP address to the modem's Ethernet interface

Provided you do not wish to use on your LAN, here's how to add a new address to the modem's default address of (it's safer to add an address instead of replacing the original address):

  1. Aim at, and log on with the MAC address and the user password
  2. Click on Routing
  3. In "IP address table", click on New, and input a new address + mask




To avoid getting a lowID, you must open up the firewall this way:

//By default, eMule clients use TCP 4662 and UDP 4672
nat create protocol=tcp inside_addr= outside_addr=
nat create protocol=udp inside_addr= outside_addr=
config save

Since some ISP's block TCP 4662 and UDP 4672 in a foolish attempt to slow down the use of P2P, you might want to reconfigure your copy of eMule, along with the firewall rule above to use other ports. You're free to use any port between 80 and 65535. If you can read French, more info here on what a LowID is, why you should not want one, and how to change this.

(?) Si vous êtes en Speed Touch + Firewall ou 510v3 il n'y a pas de configuration de firewall particulière si vous êtes en firewall niveau 1.



What's that for? To have the modem add NAT/firewall stuff automagically?

:nat bind application=H323 port=1720
:nat bind application=FTP port=ftp
:nat bind application=RTSP port=554
:nat bind application=IRC port=6667
:nat bind application=RAUDIO(PNA) port=7070

srcintf, dstintf, srcintfgrp?

Why isn't this enough to forbid access from the Net to the modem?

firewall rule create chain=sink index=0 srcintf=!eth0 action=drop


firewall rule create chain=SINK index=0 srcintfgrp=wan action=drop

Do I need to upgrade the STH's firmware before turning the modem into an STP?

Not if you are running either GV8BAA3.270 ou GV8BAA3.281.

What is the difference between dstport and dstportend?

It's an awkward syntax to refer to a range of ports, ie. dstport is the beginning of the range, and dstportend is the end of the range. For instance, here's how to define the range 8081-65535:

dstport=8081 dstportend=65535