Steve Harris

Some pictures, the odd grumble and a bit of IT

Speedtouch 510

In 2002 I created a site for the configuration of a firewall on the Alcatel Speedtouch 510; the site was a success and included quite an active forum. Unfortunately, by 2008 it had become too costly to run, pulling a lot of bandwidth and costing me £30-£50 a month in usage fees, so I let the hosting lapse.

On moving my small blog back to my domain name I started seeing requests for the page on site stats coming from google and a few ISPs. Apparently people are still using the speedtouch 510 and the 580 which shared the same command set. Provided it does not cost me a fortune to host I have copied the core of the old site to this page so that it might still be useful.

Before you go please check out the rest of my blog.

Time to climb in the DeLorean, accelerate to 88mph and go back to 2002...

The CLI (Telnet)

Disclaimer

The author of this website accepts no responsibilities for damage caused or problems encountered while you configure your Alcatel Speedtouch 510 Router. Should you encounter a problem remember you can restore factory defaults using the reset button on the back of your router.

This website is for information purposes only.

Before you can start configuring the firewall, we need to cover how to access the CLI or Command Line Interface.

Using the CLI is very similar to using DOS commands and fortunately the manual does cover accessing and getting around the CLI so we needn’t spend too much time on it.

To access the CLI you will need to know the IP address of the router, which, if you left the default settings alone, is 10.0.0.138. If you didn’t, then you should know what you set the IP address to.

Armed with the IP address we connect to the router using the Telnet application available on all good operating systems.

Connect to the router

In Windows this is done by selecting Start | Run. In the box that appears type

Telnet <ip address of router>

E.g.

Telnet 10.0.0.138

Press enter or OK.

The telnet application will load and you should be prompted for the username and password. These are the same username and password that you set when configuring the router for the first time.

Access the firewall level

With the username and password correct you will see the welcome screen and the default prompt as below.

=>

As per the manual, to enter the firewall level or more simply the firewall configuration mode type the word firewall and press enter. E.g.

=> firewall

The prompt will change as shown below.

[firewall]=>

Basic Configuration

The ultimate goal of this section is to configure the firewall with the basic settings to offer security and allow the normal list of services (protocols) through it. These services are,

  • Web browsing
  • FTP uploads and downloads
  • Email (POP3 and SMTP)

For configuration tips for other protocols, please see the Intermediate section recently added.

Contents

  1. Terminology
  2. Default Configuration
  3. Web browsing
  4. Explanation of the rules parameters
  5. FTP uploads and downloads
  6. Email (POP3 and SMTP)
  7. Backup the configuration

Terminology

A quick explanation of what these terms mean. Not aimed at the technical reader; hopefully useful to the layman.

Packet – the parts that make up a message transferred over the internet. When this page was downloaded to your machine it was first broken up into packets, sent from the server to your PC and then reassembled so that you could read it.

Port # - every packet that is sent is associated with a port number. Services/Protocols have different port numbers. That is how they are recognised by your PC and the firewall. This page was transmitted to you using port 80 or http.

Rules – a rule states whether packets associated with a defined port are allowed or prevented from passing a given point in the router. Rules are contained in a chain.

Chains - a collection of rules. A chain is associated with a hook so that its rules become active.

Hooks - it is best to think of these as parts of the router that packets pass through. The parts of the router are,

  • input
  • sink – packets bound for the firewall itself
  • forward – packets that are to be forwarded or passed through the router
  • source – packets that actually come from the firewall
  • output

Hooks allow you to decide when to enforce a rule. A hook can have one chain.

Default configuration

Out of the box the firewall is configured with basic rules, which protect it from tampering from the outside world but allow everything to pass through it. In other words, no one but you can break your router ;-) Remember, if you do mess up, you can always reset the router to factory defaults using the pen-press button on the back. For more information see the manual.

A couple of chains are already defined, and each is named after the hook it is associated with. A forward chain is defined, however it is not yet assigned to the forward hook, meaning the rules in it are not active. This is why your router forwards everything from the internet to your machine and everything from your machine to the internet.

We are interested in this chain, so we will first add a few rules and then we’ll assign the chain to the forward hook.

Convention – Please Read!

The following conventions apply when reading the examples,

  • Text displayed by the router and commands typed by you are displayed in black font
    • Of these, normal font is displayed by the router
    • Italic font should be typed by you
  • You should be careful not to misinterpret word wrapping for a return
  • Press the return key whenever you see <R>, which is always shown in red.

Step 1 – Allow web browsing stop everything else

Start connected to the router with Telnet and enter the firewall level. If you do not know how to do this, go back and read the CLI (Telnet) section above. Remember <R> means press the return key, don’t actually type it!

1. Make sure the forward chain is empty, do this using the list command shown below.

Firewall=> rule list chain=forward <R>

2. The list is probably empty. Add the first rule which allows http (port 80) out.

Firewall=> rule create chain=forward index=0 srcintfgrp=lan prot=tcp dstport=80 action=accept <R>

3. Add a second rule, which allows http back in. If you don’t you’ll never download the web pages, only ask for them.

Firewall=> rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=80 action=accept <R>

4. Add the final rule for now. This will prevent all other packets from being forwarded through the firewall.

Firewall=> rule create chain=forward action=drop <R>

5. Finally assign the chain to the forward hook.

Firewall=> assign hook=forward chain=forward <R>

That’s it, try browsing to a website. This should work. Now try checking your email using your email program. This will not work.

Explanation of rule parameters

The rule create command is straightforward and could also be accomplished by typing rule create on its own and entering the information as prompted. However, you’ll find the one-line form far simpler, as it uses only the parameters that are required instead of all the possible parameters, of which there are many!

The parameters are explained below,

index – each rule has a number or index. Generally we add rules before the existing rules (index=0), with the exception of the final drop rule. The drop rule should be the last in the chain and means that if anything comes through the chain which isn’t matched by a rule then drop it/don’t allow it.

srcintfgrp – the interface group on which the packet is expected to arrive. This will be lan or wan depending on which direction the packet is headed.

prot – stands for protocol.

srcport – the port used at the source of the packet. We generally only state the source or destination port not both.

dstport – the destination port. See above.

action – there are more possible actions but for basic configuration we will only drop or accept packets.

Step 2 – Allow FTP downloads and uploads.

FTP uploads and downloads use ports 21 and 20. The following rules allow packets to be forwarded that match those port numbers.

These rules should be added from the firewall level in your telnet session to the router. If you have closed your connection then refer to the CLI (Telnet) section for help.

Firewall=> rule create chain=forward index=0 srcintfgrp=lan prot=tcp dstport=21 action=accept <R>

Firewall=> rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=21 ack=yes action=accept <R>

Firewall=> rule create chain=forward index=0 srcintfgrp=lan prot=tcp dstport=20 action=accept <R>

Firewall=> rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=20 action=accept <R>

With these rules entered try to open an FTP connection. For example, from a DOS prompt type the following command,

C:\> ftp ftp.microsoft.com

With the rules working you should see a similar greeting to that below,

Connected to ftp.microsoft.com.
220 CPMSFTFTPA04 Microsoft FTP Service (Version 5.0).
User (ftp.microsoft.com:(none)):

Step 3 – Allow email programs to work

Email clients use two protocols to transfer messages, POP3 to retrieve messages and SMTP to send messages. So to get your email software working again you have to add four rules. These are below and like the other two steps must be entered at the firewall level.

Firewall=> rule create chain=forward index=0 srcintfgrp=lan prot=tcp dstport=110 action=accept <R>

Firewall=> rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=110 ack=yes action=accept <R>

Firewall=> rule create chain=forward index=0 srcintfgrp=lan prot=tcp dstport=25 action=accept <R>

Firewall=> rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=25 ack=yes action=accept <R>
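As an added illustration (not code from the original page or from the Speedtouch firmware), here is a small Python model of the forward chain built in Steps 1 to 3 and of the rule parameters explained above: rules created with index=0 go to the front, the drop rule created without an index stays last, and the first matching rule decides. The meaning given to ack=yes (match only segments with the TCP ACK flag set, so that only replies to connections opened from the LAN are let back in) is an assumption about the parameter; the page does not explain it.

```python
# A rule is a dict of the parameters used on this page; None means "any".
def rule(action, srcintfgrp=None, prot=None, srcport=None, dstport=None, ack=False):
    return dict(action=action, srcintfgrp=srcintfgrp, prot=prot,
                srcport=srcport, dstport=dstport, ack=ack)

def matches(r: dict, pkt: dict) -> bool:
    # Every parameter given on the rule must match; ack=yes additionally
    # requires the TCP ACK flag (assumed meaning of the parameter).
    for key in ("srcintfgrp", "prot", "srcport", "dstport"):
        if r[key] is not None and pkt.get(key) != r[key]:
            return False
    return not r["ack"] or pkt.get("ack", False)

class Chain:
    def __init__(self):
        self.rules = []

    def create(self, r: dict, index=None):
        # index=0 inserts at the front; with no index the rule is appended,
        # which is why the drop rule created without one stays last.
        self.rules.insert(len(self.rules) if index is None else index, r)

    def evaluate(self, pkt: dict) -> str:
        for r in self.rules:           # first matching rule decides
            if matches(r, pkt):
                return r["action"]
        return "accept"                # no match and no drop rule: forwarded

def build_forward_chain() -> Chain:
    # Replays Step 1 and the POP3 half of Step 3 in the page's order.
    fwd = Chain()
    fwd.create(rule("accept", "lan", "tcp", dstport=80), index=0)
    fwd.create(rule("accept", "wan", "tcp", srcport=80), index=0)
    fwd.create(rule("drop"))
    fwd.create(rule("accept", "lan", "tcp", dstport=110), index=0)
    fwd.create(rule("accept", "wan", "tcp", srcport=110, ack=True), index=0)
    return fwd

# Constructed sample packets (not captures): a web request and its reply, a
# POP3 reply with and without ACK, and a UDP packet no rule covers.
SAMPLES = {
    "http_out": {"srcintfgrp": "lan", "prot": "tcp", "dstport": 80},
    "http_reply": {"srcintfgrp": "wan", "prot": "tcp", "srcport": 80, "ack": True},
    "pop3_reply": {"srcintfgrp": "wan", "prot": "tcp", "srcport": 110, "ack": True},
    "pop3_unsolicited": {"srcintfgrp": "wan", "prot": "tcp", "srcport": 110},
    "udp_unknown": {"srcintfgrp": "wan", "prot": "udp", "srcport": 1234, "dstport": 1234},
}

def decisions() -> dict:
    fwd = build_forward_chain()
    return {name: fwd.evaluate(pkt) for name, pkt in SAMPLES.items()}
```

Running decisions() shows the two replies and the web request accepted, while the unsolicited POP3 segment and the UDP packet fall through to the drop rule; an empty chain (no drop rule) accepts everything, matching the out-of-the-box behaviour described above.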

Step 4 – Backup and save the configuration

Before you leave your PC to have a well-earned drink, you should save the configuration to the router’s memory and download the configuration file to your PC. Both of these operations can be done in the GUI and are well documented. But briefly,

  1. Login to the GUI using your web browser
  2. Select the Save All button on the bottom left, select OK at the confirmation
  3. Select the upgrade button
  4. Under configuration select backup and download the user.ini to your PC with a suitable name

The user.ini file can be uploaded to the router to correct any problems. So it is a good idea to follow the above process before or after you make major changes.

Congratulations

You now have a basic firewall configuration allowing the most common protocols through but keeping everything else out!

The rules here can be modified to allow other types of packets through. Some of which are listed in the intermediate and advanced sections.

Another great source for advice is the forum, feel free to ask and answer any questions you wish.

Good luck.

Intermediate Configuration

This section covers the creation of rules for the following applications,

  • Secure web pages – online shopping, banking etc
  • Newsgroup access
  • File sharing applications including Morpheus and eDonkey. Please only add these rules if you use these applications.

Contents

  1. Secure web pages
  2. Newsgroup access

Secure web pages (HTTPS/SSL port 443)

Assuming you are starting from the firewall level add the following two rules. If you need help accessing the firewall level please refer to The CLI (Telnet) section.

Firewall=> rule create chain=forward index=0 srcintfgrp=lan prot=tcp dstport=443 action=accept <R>

Firewall=> rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=443 action=accept <R>

Newsgroup access (NNTP port 119)

Again two rules.

Firewall=> rule create chain=forward index=0 srcintfgrp=lan prot=tcp dstport=119 action=accept <R>

Firewall=> rule create chain=forward index=0 srcintfgrp=wan prot=tcp srcport=119 action=accept <R>

3 Comments to “Speedtouch 510”

  1. Penny says:

    It could not change the “USER” to “ADMIN” and they require input of the Username and Password in the server “Connect to 192.168.1.1” page (for 2 times). But it’s come up so many times till ERROR! Please help… Thank you so much.

  2. Steve Harris says:

    Sorry it sounds like you do not have your admin password, you could reset the device but you would lose your ISP settings so I wouldn’t bother at this point
