Home
Last modified: 23-02-2007
When sold under the model name Home, this ADSL Ethernet device is set up to be used as a modem, i.e. you need to connect it to a single computer. But a simple software operation turns it into the Pro version, a full-fledged router with NAT, PAT (port forwarding, i.e. letting you run a server on a computer in your LAN and make it reachable from the Net), DHCP, and DNS.
From a host connected to the Net, generate the admin password for the MAC address of your modem by visiting this site
If the Alcatel modem is currently connected to the ADSL line, disconnect it
Connect a regular RJ45 network cable from a computer to the modem (no cross-over required)
Set the computer's IP configuration to 10.0.0.1/255.0.0.0, gateway = 10.0.0.138 (which is the modem's IP default address)
(only needed when upgrading firmware, or are the commands different?) Since the ST comes in two flavors (G and K), open http://10.0.0.138/cgi/upgrade in a web browser and check whether the firmware version starts with GV (G series) or KHD (K series). If you are unable to connect to the modem's on-board web server, the firmware version may be printed on the back of the modem
Use your favorite telnet application to connect to the modem (telnet 10.0.0.138)
Hit ENTER for the username (the modem's MAC address is used)
Since this is a brand new modem, there is no user password yet. You are now logged on as a regular user. To upgrade the STHome to Pro, you need to log on as admin.
Enter "td prompt" without the quotes (alternatively, type "EXPERT" on older models)
Enter the admin password that you generated above. You are now in admin mode.
Enter "rip"
Enter "drv_read 2 1 b" (yes, there are spaces between 2, 1, and b). Note the value returned by the modem, usually 8704, 8604, or even 9604. We want to change the last digit from 4 to 6
Depending on which number was returned, enter "drv_write 2 1 b 8706", "drv_write 2 1 b 8606", or "drv_write 2 1 b 9606"
Enter "exit", followed by "system", then "reboot". The modem will reboot. Connect the modem to the ADSL line (without forgetting the filter)
At this point, depending on your ISP, you either need to set up a PPP connection, or generate and FTP a user.ini file into the modem's /dl directory.
If you don't want the modem to be hacked from the Net, it is recommended to set a password. Point your browser to http://10.0.0.138/cgi/system/
Before going on to configure the firewall part of the modem, remember that firewalling only tells the modem whether to allow or deny the flow of packets through the modem. Sharing the Internet connection and hosting a server on your LAN (such as a web or FTP server) is handled by the NAT (Network Address Translation) part, which runs before any firewalling is done in the input chain.
Also, always remember to activate firewalling in the IP configuration; otherwise you can create all the rules you want: as long as firewalling=off, the modem won't block a thing :-) To check whether firewalling is on or off, telnet to the modem and enter "ip config". To toggle its status, enter "config firewalling=on" (or =off), followed by "config save" to make the change permanent.
The firewall part of the modem works like this: at any time, a packet is in one of five states, called hooks. To each state/hook, you assign a chain (i.e. a group) of rules.
Here are the five states a packet passes through while it is handled by the modem (and here's a diagram):
input: A packet enters the modem
sink: The packet is intended for the modem itself
forward: The packet is intended for a host on the other side
source: The packet was generated by the modem itself (after being routed by the sink hook), and is now sent to the outside
output: The packet is intended for another host on the outside, i.e. it went through the input and forward states and is now output
Create a chain and assign it to the input hook:
firewall chain create chain=input
firewall assign hook=input chain=input
Add a rule to a chain (index sets the rule's position in the chain); this one accepts DNS queries sent to the modem:
firewall rule create chain=sink index=0 prot=udp dstport=dns action=accept
List the firewall configuration, the chains and the rules:
firewall list
firewall chain list
firewall rule list
You can delete a single rule using the "rule delete" command. You can remove all rules using "firewall flush". To delete a chain:
firewall chain delete chain=input
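The hook/chain model above, written out as an added Python example (not the modem's firmware or any code from the original page): one chain per hook, rules walked in index order, first match decides, and the firewalling=on/off switch deciding whether any chain is consulted at all. It also models the srcintfgrp=wan, srcintf=!eth0 and dstport/dstportend rule attributes the page uses further down; the default-accept verdict when no rule matches, the packet dictionary layout, and the interface names are assumptions.

```python
# Toy model of the Speed Touch hook/chain firewall (added example, not firmware code).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    index: int
    action: str                        # "accept" or "drop"
    prot: Optional[str] = None         # "tcp"/"udp"; None matches any protocol
    srcintf: Optional[str] = None      # "eth0", or "!eth0" for "not eth0" (srcintf=!eth0)
    srcintfgrp: Optional[str] = None   # "lan" or "wan" (srcintfgrp=wan)
    dstport: Optional[int] = None      # start of a port range (dstport=8081)
    dstportend: Optional[int] = None   # end of the range (dstportend=65535); defaults to dstport

    def matches(self, pkt: dict) -> bool:
        if self.prot and pkt["prot"] != self.prot:
            return False
        if self.srcintf:
            negated, name = self.srcintf.startswith("!"), self.srcintf.lstrip("!")
            if (pkt["srcintf"] == name) == negated:
                return False
        if self.srcintfgrp and pkt["srcintfgrp"] != self.srcintfgrp:
            return False
        if self.dstport is not None:
            end = self.dstport if self.dstportend is None else self.dstportend
            if not self.dstport <= pkt["dstport"] <= end:
                return False
        return True

class Firewall:
    def __init__(self, firewalling: bool = True):
        self.firewalling = firewalling    # "config firewalling=on" / "=off"
        self.chains, self.hooks = {}, {}  # chain -> rules; hook -> assigned chain
    def rule_create(self, chain: str, **kw) -> None:   # "firewall rule create chain=... index=..."
        self.chains.setdefault(chain, []).append(Rule(**kw))
        self.chains[chain].sort(key=lambda r: r.index)  # rules are walked in index order
    def assign(self, hook: str, chain: str) -> None:    # "firewall assign hook=... chain=..."
        self.hooks[hook] = chain
    def verdict(self, hook: str, pkt: dict) -> str:
        if not self.firewalling:          # firewalling=off: the modem blocks nothing
            return "accept"
        for rule in self.chains.get(self.hooks.get(hook, hook), []):
            if rule.matches(pkt):         # first matching rule decides
                return rule.action
        return "accept"                   # assumed default when no rule matches

    def process(self, pkt: dict) -> str:
        # input then sink for the modem itself; input, forward, output for another host
        hooks = ("input", "sink") if pkt["to_modem"] else ("input", "forward", "output")
        return "drop" if any(self.verdict(h, pkt) == "drop" for h in hooks) else "accept"
```

Note that a rule such as srcintfgrp=wan action=drop at index 0 of the sink chain shadows every later rule for WAN traffic, which is exactly the behaviour you want for the modem's own telnet/ftp/www servers.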
":mymenu mycommand" runs mycommand from the mymenu menu without first moving into that menu with mymenu<ENTER> followed by mycommand<ENTER>. For example, from the top level you can type either ":config save" or "config<ENTER>save<ENTER>"
When in a given menu, either hit the TAB key or type help<ENTER> to get a list of available commands
Command completion is available by hitting TAB
To move up one level, type "..<ENTER>"
The Command Line Interface Reference Guide is here.
Use NAT to allow hosts on the Net to connect to servers located on your internal network. Here's how to set up NAT so that hosts on the Net can reach a web server (HTTP and HTTPS) and an FTP server located on a host in your private network:
Use "nat list" to list currently active NAT connections, including the static connections you built, which are marked as "template".
a.k.a. port forwarding. Unlike the Windows 2000 port forwarding feature, the ST lets you redirect connections to a different port, e.g. any connection made from the Net to TCP 1234 can be forwarded to TCP 5678 on a host on your LAN.
Here's a sample that bans any connection to the modem's embedded servers (telnet, ftp, www), while allowing incoming connections to an FTP and www server located on a host in your private network:
Provided you do not wish to use 10.0.0.0/8 on your LAN, here's how to add a new address to the modem's default address of 10.0.0.138/8 (it's safer to add an address instead of replacing the original address):
Aim at http://10.0.0.138, and log on with the MAC address and the user password
Click on Routing
In "IP address table", click on New, and input a new address + mask
To avoid getting a lowID, you must open up the firewall this way:
Since some ISPs block TCP 4662 and UDP 4672 in a foolish attempt to slow down the use of P2P, you might want to reconfigure your copy of eMule, along with the firewall rule above, to use other ports. You're free to use any port between 80 and 65535. If you can read French, more info here on what a LowID is, why you should not want one, and how to change this.
(?) If you have a Speed Touch + Firewall or a 510v3, no particular firewall configuration is needed if you are at firewall level 1. http://forpage.com/forum/viewtopic.php?t=624
What's that for? To have the modem add NAT/firewall stuff automagically?
firewall rule create chain=sink index=0 srcintf=!eth0 action=drop
OR
firewall rule create chain=SINK index=0 srcintfgrp=wan action=drop
Not if you are running either GV8BAA3.270 or GV8BAA3.281.
The syntax for a port range is awkward: dstport is the beginning of the range and dstportend is the end of the range. For instance, here's how to define the range 8081-65535:
dstport=8081 dstportend=65535
FAQ - Transformation STH->Pro (Note: As of March 2005, www.forpage.com now requires a paying subscription to be allowed to post)
Configuration rapide du firewall (Speed Touch 510 & Pro with FW)
Some sites from which to fetch firmwares