This page will contain various documentation about Thomson SpeedTouch DSL products. It will mainly focus on end-user products going from the ST510 to the ST780WL. This page will include my earlier completed SpeedTouch manual as well as more advanced command line configuration using Telnet access to the modem.
Please note that all information on this page can only be used at your own risk. I do not accept any responsibility for damage to SpeedTouch hardware or any other damage resulting from using the information on this page.
Any suggestions and/or comments can be sent to j0hanb00nstra_@_dds.nl. E-mail address is munged of course...
This is a piece of documentation that describes the general configuration of SpeedTouch modems running firmware version R4.3/R5.3 and higher. Besides explaining how to configure Internet access, it also gives instructions on how to configure port forwarding, Dynamic DNS, Voice over IP and much more.
The SpeedTouch manual can be downloaded by clicking on the following link: speedtouchmanual.pdf
The manual is in PDF format. Software to read this file type is installed on most computers; if not, you can download reader software at http://www.adobe.com/.
This section will contain several examples of how to configure more advanced settings of the SpeedTouch device using the command line interface accessible by Telnet.
Two notes about the SpeedTouch command line: always finish with the :saveall command to make changes permanent; without it the modem loses the new settings when it is rebooted. The colons (:) in front of commands in this documentation distinguish command line commands from the rest of the text; the modem ignores a leading colon, so the commands can be entered with or without it.
Most people who use command lines know how to establish a telnet session. Still, here are instructions for those who do not and still want to apply command line settings. In most operating systems you start a console and use the telnet command from there. To open a telnet session in Windows, go to Start>Run, enter the command cmd and press <Enter>. At the command prompt enter telnet 192.168.1.254 and press <Enter>. If your SpeedTouch device is set to a different IP address, enter that address after the telnet command instead. The SpeedTouch device should now ask for a username. By default the username is Administrator and the password is blank, so you just have to press <Enter> at the password prompt. A blank Administrator password means anyone on your LAN can log in to the modem, so set one before you open any service to the Internet (see below).
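The login sequence above can be automated when the same commands have to be applied to several modems. The script below is an added example and not code from this page or from Thomson: it assumes the modem prints the prompts "Username : " and "Password : " and that its command prompt ends in "=>" (the {Administrator}=> prompt), so adjust the three constants if your firmware differs. Python's telnetlib was removed in 3.13, hence the plain socket plus a minimal Telnet option-negotiation handler. The ScriptedSock class and the exchange in demo() are constructed so the logic can be exercised without a modem.

```python
import socket

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


class CliSession:
    USER_PROMPT = b"Username : "   # assumed prompt text
    PASS_PROMPT = b"Password : "   # assumed prompt text
    CMD_PROMPT = b"=>"             # assumed tail of the '{Administrator}=>' prompt

    def __init__(self, sock):
        self.sock = sock       # anything with sendall() and recv()
        self.raw = b""         # bytes not yet scanned for IAC sequences
        self.text = b""        # cleaned text not yet consumed

    def _strip_negotiation(self, chunk: bytes) -> bytes:
        """Refuse every option the modem proposes (WONT/DONT) and return the
        plain text; an IAC sequence split across reads waits for the rest."""
        data = self.raw + chunk
        out = bytearray()
        i = 0
        while i < len(data):
            if data[i] != IAC:
                out.append(data[i]); i += 1; continue
            if i + 1 >= len(data):
                break                               # lone IAC: need more bytes
            verb = data[i + 1]
            if verb == IAC:
                out.append(IAC); i += 2; continue   # escaped 0xff data byte
            if verb in (DO, DONT, WILL, WONT):
                if i + 2 >= len(data):
                    break                           # option byte still missing
                opt = data[i + 2]
                if verb == DO:
                    self.sock.sendall(bytes([IAC, WONT, opt]))
                elif verb == WILL:
                    self.sock.sendall(bytes([IAC, DONT, opt]))
                i += 3; continue
            i += 2                                  # other two-byte command: drop it
        self.raw = bytes(data[i:])
        return bytes(out)

    def _read_until(self, marker: bytes) -> bytes:
        while marker not in self.text:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("modem closed the connection")
            self.text += self._strip_negotiation(chunk)
        before, _, self.text = self.text.partition(marker)
        return before

    def login(self, user: str = "Administrator", password: str = "") -> None:
        self._read_until(self.USER_PROMPT)
        self.sock.sendall(user.encode() + b"\r\n")
        self._read_until(self.PASS_PROMPT)
        self.sock.sendall(password.encode() + b"\r\n")   # blank by default
        self._read_until(self.CMD_PROMPT)

    def run(self, command: str) -> str:
        """Send one command (leading ':' optional, as on the modem) and return
        what the modem printed before the next prompt."""
        self.sock.sendall(command.encode() + b"\r\n")
        return self._read_until(self.CMD_PROMPT).decode("latin-1")

    def apply(self, commands) -> list:
        """Run the commands, then saveall so they survive a reboot."""
        outputs = [self.run(c) for c in commands]
        self.run(":saveall")
        return outputs


def configure(commands, host="192.168.1.254", port=23, password=""):
    """Open a real session to the modem and apply the commands."""
    with socket.create_connection((host, port), timeout=15) as sock:
        session = CliSession(sock)
        session.login("Administrator", password)
        return session.apply(commands)


class ScriptedSock:
    """Constructed stand-in for the modem so the logic can run offline."""
    def __init__(self, chunks):
        self.chunks, self.sent = list(chunks), []

    def sendall(self, data):
        self.sent.append(bytes(data))

    def recv(self, n):
        return self.chunks.pop(0) if self.chunks else b""


def demo():
    """Replay a constructed exchange; IAC DO ECHO arrives split across two reads."""
    sock = ScriptedSock([b"\xff", b"\xfd\x01Username : ", b"Password : ",
                         b"\r\n{Administrator}=>",
                         b":service system ifadd name=PING_RESPONDER group=wan\r\n{Administrator}=>",
                         b":saveall\r\n{Administrator}=>"])
    session = CliSession(sock)
    session.login("Administrator", "")
    out = session.apply([":service system ifadd name=PING_RESPONDER group=wan"])
    return out, sock.sent
```

Against a real device, configure([":service system ifadd name=PING_RESPONDER group=wan"]) does the same as the manual session; the saveall is sent unconditionally at the end of apply() so you cannot forget it.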
The ping responder makes the modem answer ping requests from the Internet. By default this is disabled. To enable it, log in to the modem and enter the following commands:
:service system ifadd name=PING_RESPONDER group=wan
:saveall
After applying this setting the modem responds to pings from the Internet. Keep in mind that answering pings also tells anyone scanning the address that a host is there, so leave it disabled unless you need it.
You can also set up other services running on the modem to be accessible from the Internet. Services like telnet and HTTP(s) require an account with SuperUser rights to log in remotely from the Internet. The following instructions delete all users and create an Administrator user with SuperUser rights:
:user flush
Disconnect the telnet session and reconnect. No username or password will be asked, because there are no users left. Now enter the following commands:
:user add name=Administrator password=password role=SuperUser
:saveall
The SuperUser account has been created. Of course password has to be a long, hard-to-guess password, because it will be used for remote access and the login will be reachable from the whole Internet. Now use the following commands to open HTTP(s) or telnet to the Internet:
:service system ifadd name=HTTPs group=wan
:saveall
These commands open the web interface to the Internet over secure HTTP (https). You can now access the SpeedTouch from any computer on the Internet using the address https://xxx.xxx.xxx.xxx, where the x's are the public IP address of your connection. You can open services like telnet and normal http in the same way by using TELNET or HTTP as the name. Enabling those two is not recommended in my opinion: they send the password in clear text, so they can be eavesdropped on and hacked.
Sometimes the port forwarding in the web interface does not work properly. In that case you can forward a port manually with the following commands:
:nat mapadd intf=Internet type=napt outside_addr=0.0.0.1 inside_addr=local_ip protocol=tcp/udp outside_port=outside_port inside_port=inside_port
:saveall
In the rule you need to fill in the following variables correctly (outside_addr=0.0.0.1 stays as it is; it stands for the address currently assigned to the Internet interface):
local_ip - the local IP address of the computer to which the port needs to be forwarded
tcp/udp - the protocol, either tcp or udp
outside_port - the outside port that needs to be opened
inside_port - the port on which the computer/server listens on the local network
Restrict forwarded ports to certain public IP addresses
First, look up the expression used by Game and Application Sharing in the list:
:expr list type=serv
Game and Application Sharing entries will often look like _sv_x:yyyy_yyyy, where x is a number and the y's are the ports that are forwarded. For example, FTP shows up as _sv_6:21_21 and Remote Desktop as _sv_0:3389_3389. Next, add the following firewall rule to block all WAN IP addresses except the one you want to be able to access the server or computer on your LAN:
:firewall rule add chain=forward_fire index=1 name=name srcip=!allowed_ip serv=service_expression state=enabled action=deny
:saveall
name - The name of your firewall rule. This name is not critical.
allowed_ip - The IP address that is allowed to access the server or computer.
service_expression - The expression of the service defined by Game and Application Sharing.
The exclamation mark in front of the IP address means that the firewall rule applies to all IP addresses except the one specified. To allow more than one address, do not add a second deny rule with another address: the rules are evaluated in index order, and a second "everything except B" rule would also deny A. Instead, add for each extra address a rule with the same chain and serv values, srcip set to that address without the exclamation mark, action=accept and a lower index than the deny rule, so it matches before the deny rule does. Note that the forward_fire chain applies to traffic forwarded through the modem to your LAN, not to traffic addressed to the modem itself.
How to block an IP range with an expression
This is used when you want to firewall a range of IP addresses completely, for example to deny an entire subnet access to your IP address. First, add an expression defining the IP range you want to block:
:expr add name=expression type=ip addr=ip_range
You can define an IP range with numbers between brackets and with the * wildcard symbol, for example 203.0.113.[0-127] or 203.0.113.*. Then add a rule to drop all traffic coming from this range of IP addresses:
:firewall rule add chain=forward_fire index=1 name=name srcip=expression state=enabled action=drop
:saveall
The following variables need to be entered correctly:
name - Name of the rule, not critical
expression - name of the expression defined with the range of IP addresses
ip_range - the range of IP addresses to block, in the bracket/wildcard notation above
Now all traffic from that range of IP addresses is silently dropped without any reaction.
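To see why rule order matters for the two firewall sections above (restricting a forwarded port to known public addresses, and dropping a whole range), here is a small model of the rules, written as an added example and not taken from the page or from Thomson. It implements the bracket-range and * wildcard address patterns, the ! negation on srcip and first-match evaluation in index order, and renders the result as the CLI lines the page uses. The first-match semantics, the meaning of "no rule matched" (the chain's default applies; the model returns None) and an expression holding several addr entries are assumptions about the firmware; the addresses and the _sv_0:3389_3389 service are constructed sample data.

```python
import re
from dataclasses import dataclass


def _field_matches(pattern: str, octet: int) -> bool:
    """One dotted-quad field of an expression: a number, '*' or '[lo-hi]'."""
    if pattern == "*":
        return True
    m = re.fullmatch(r"\[(\d{1,3})-(\d{1,3})\]", pattern)
    if m:
        return int(m.group(1)) <= octet <= int(m.group(2))
    if re.fullmatch(r"\d{1,3}", pattern):
        return int(pattern) == octet
    raise ValueError(f"bad address pattern field: {pattern!r}")


def ip_matches(expr: str, ip: str) -> bool:
    """True if ip matches an address expression such as 10.0.[1-10].* ."""
    fields, octets = expr.split("."), ip.split(".")
    if len(fields) != 4 or len(octets) != 4:
        raise ValueError("expressions and addresses must have four fields")
    return all(_field_matches(f, int(o)) for f, o in zip(fields, octets))


@dataclass(frozen=True)
class Rule:
    index: int
    name: str
    srcip: str          # expression name or literal address pattern, '!' negates
    action: str         # accept, deny or drop
    serv: str = ""      # service expression from ':expr list type=serv', if any


def evaluate(rules, expressions, src_ip):
    """The lowest-index rule whose srcip matches decides; None if none matches.
    expressions maps an expression name to its address patterns (assumed to be
    several addr entries under one name); an unknown srcip is a literal pattern."""
    for rule in sorted(rules, key=lambda r: r.index):
        negated = rule.srcip.startswith("!")
        target = rule.srcip.lstrip("!")
        patterns = expressions.get(target, [target])
        matched = any(ip_matches(p, src_ip) for p in patterns)
        if matched != negated:
            return rule.action
    return None


def to_commands(rules, expressions, chain="forward_fire"):
    """Render the model as SpeedTouch CLI lines, ending with saveall."""
    lines = [f":expr add name={name} type=ip addr={addr}"
             for name, addrs in expressions.items() for addr in addrs]
    for r in sorted(rules, key=lambda r: r.index):
        serv = f" serv={r.serv}" if r.serv else ""
        lines.append(f":firewall rule add chain={chain} index={r.index} name={r.name} "
                     f"srcip={r.srcip}{serv} state=enabled action={r.action}")
    lines.append(":saveall")
    return lines


# Constructed sample data (documentation address ranges), not from the page.
A, B, C = "198.51.100.10", "198.51.100.20", "192.0.2.77"
RDP = "_sv_0:3389_3389"

# Wrong: two "deny everyone except X" rules end up denying both A and B.
WRONG = [Rule(1, "only_a", f"!{A}", "deny", RDP), Rule(2, "only_b", f"!{B}", "deny", RDP)]
# Right: accept the extra address first, keep the page's deny rule after it.
RIGHT = [Rule(1, "allow_b", B, "accept", RDP), Rule(2, "only_a", f"!{A}", "deny", RDP)]
# Block a whole range through a named expression, as in the last section.
BLOCKED = {"badnet": ["203.0.113.*", "198.51.100.[200-255]"]}
DROP = [Rule(1, "drop_badnet", "badnet", "drop")]


def demo():
    return {
        "wrong": [evaluate(WRONG, {}, ip) for ip in (A, B, C)],
        "right": [evaluate(RIGHT, {}, ip) for ip in (A, B, C)],
        "range": [evaluate(DROP, BLOCKED, ip) for ip in ("203.0.113.9", "198.51.100.250", C)],
    }


if __name__ == "__main__":
    print(demo())
    print("\n".join(to_commands(RIGHT, {})))
    print("\n".join(to_commands(DROP, BLOCKED)))
```

In the "right" arrangement A is matched by no rule at all (the deny rule excludes it, and only B has an accept rule), so it is left to the chain's default policy exactly as the single-rule version on the page leaves it; the point is that B now gets an explicit accept before the deny rule can see it.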