Helmholz WALL IE Manual

Industrial nat gateway and firewall

WALL IE / WALL IE PLUS - Industrial NAT Gateway and Firewall
Manual
Version 10 | 26.08.2022
Order numbers:
WALL IE
700-860-WAL01 as of firmware V 1.10.100
WALL IE PLUS
700-862-WAL01 as of firmware V 1.00.000
Helmholz GmbH & Co. KG | Hannberger Weg 2 | 91091 Großenseebach | Germany
Phone +49 9135 7380-0 | Fax +49 9135 7380-110 | info@helmholz.de | www.helmholz.com
Link to the latest version
of the manual

Summary of Contents for Helmholz WALL IE

  • Page 1 700-862-WAL01 as of firmware V 1.00.000 Link to the latest version of the manual Helmholz GmbH & Co. KG | Hannberger Weg 2 | 91091 Großenseebach | Germany Phone +49 9135 7380-0 | Fax +49 9135 7380-110 | info@helmholz.de | www.helmholz.com...
  • Page 2 (photocopy, microfilm, or any other methods), even for training purposes or with the use of electronic systems, without written approval from Helmholz GmbH & Co. KG. To download the latest version of this manual, please visit our website at www.helmholz.de. We welcome all ideas and suggestions.
  • Page 3: Table Of Contents

    Initial registration, page 19
    Main view, page 20
    4.2.1 Menu overview, page 21
    4.2.2 Responsive design, page 21
    Port assignment WAN/LAN, page 22
    WALL IE / WALL IE PLUS - Industrial NAT Gateway and Firewall | Version 10 | 26.08.22...
  • Page 4
    DNS-Server for LAN, page 50
    11.3 Host name (WAN), page 51
    11.4 Syslog server, page 52
    11.4.1 Syslog local, page 52
    11.4.2 Syslog remote, page 52
  • Page 5
    FAQ, page 60
    Technical data, page 61
    15.1 Dimension drawing WALL IE (700-860-WAL01), page 63
    15.2 Dimension drawing WALL IE PLUS (700-862-WAL01), page 63
  • Page 6: General

    The safety instructions must be observed in order to prevent harm to living creatures, material goods, and the environment. The safety notes indicate possible hazards and provide information about how hazardous situations can be prevented.
  • Page 7: Note Symbols And Signal Words

    If the hazard warning is ignored, people can be injured or harmed. Draws attention to sources of error that can damage equipment or the environment. Gives an indication for better understanding or preventing errors.
  • Page 8: Intended Use

    The device may not be used as the only means for preventing hazardous situations on machinery and systems. The WALL IE Industrial Bridge and Firewall cannot be used for a direct connection to the Internet. Always use a dedicated router with a sufficiently dimensioned Internet firewall for an Internet connection.
  • Page 9: Installation

    Overcurrent protection isn’t necessary as the device transports no load current. The power supply of the device electronics is to be secured externally with a fuse of maximum 1 A (slow-blowing).
  • Page 10: Emc Protection

    When the WALL IE is switched off, connections are interrupted! Before starting any work on the device, make sure that no impermissible interference occurs in connected systems when the connections are interrupted.
  • Page 11: Liability

    1.7.1 Disclaimer of liability Helmholz GmbH & Co. KG is not liable for damages if these were caused by use or application of products that was improper or not as intended. Helmholz GmbH & Co. KG assumes no liability for any printing errors or other inaccuracies that may appear in the operating manual unless there are serious errors of which Helmholz GmbH &...
  • Page 12: Security Recommendations

    You can help too: Report any product incidents to our Product Security Incident Response Team at psirt@helmholz.de or support@helmholz.de.
  • Page 13 You can find more information on the topic of security here, for example: • CERT@VDE • Sichere-industrie.de • Bundesamt für Sicherheit in der Informationstechnik (BSI) • Allianz für Cyber-Sicherheit
  • Page 14: Overview

    NAT and uses packet filters for the limitation of access to the automation network located behind. In the Bridge operating mode, the WALL IE acts as a network bridge in an IPv4 subnetwork. In contrast to normal switches, packet filtering is possible in this operating mode. This means that the restriction of access to individual areas of your network can be achieved without having to use different networks for this purpose.
  • Page 15: Setup Of Wall Ie (700-860-Wal01)

    The WALL IE PLUS has 8 switched ports with 100/1000Mbit (X1 P1- X1 P8). The ports can be assigned as desired in the configuration of the WALL IE PLUS for WAN or LAN (see ch. 4.3). A LED on each port indicates the assignment.
  • Page 16: Connecting The Wall Ie

    3.3 Connecting the WALL IE The WALL IE must be supplied with 24 V DC at the wide range input 18-30 V DC via the provided connector. Connection FE is for the functional ground. The WALL IE is designed exclusively for operation with safety extra-low voltage (SELV/PELV).
  • Page 17: Leds Status Information

    RJ45 LEDs: Green (Link) flashing: connected with 100 Mbps; Green (Link) on: connected with 1000 Mbps; Orange (Act): data transfer at the port.
  • Page 18: Initial Access To The Web Interface

    255.255.255.0 on the LAN side. The web interface of the WALL IE (700-860-WAL01) can be accessed via the LAN ports P2 - P4. With the WALL IE PLUS (700-862-WAL01), access is possible via the ports P2 - P8 or via all ports whose LED lights up green in the delivery state.
  • Page 19: Initial Registration

    Please note the password carefully! For security reasons it is not possible to reset the password without setting the device to the factory settings.
  • Page 20: Main View

    WALL IE. The topmost line contains the menu with the functions for configuration. Please check at the website of the WALL IE or WALL IE PLUS for a newer firmware version. The firmware update is described in chapter 12.
  • Page 21: Menu Overview

    The web interface is also suitable for use on tablets and smartphones (“Responsive design”). Please note that web access to the WALL IE is equipped with inactivity monitoring for security reasons. When the website isn’t used for several minutes, an automatic “log out” takes place.
  • Page 22: Port Assignment Wan/Lan

    At least one port of the WALL IE PLUS must be assigned to LAN and at least one port to WAN.
  • Page 23: Choosing The Operating Mode

    Broadcast traffic is generally filtered at the WALL IE, which means that the time behavior of the machine network is not impaired by the company network. Basic NAT, also known as “1:1 NAT” or “Static NAT”, is the translation of individual IP addresses or of complete IP address ranges.
  • Page 24: The Bridge Operating Mode

    5.2 The Bridge operating mode In the Bridge operating mode, WALL IE behaves like a layer 2 switch between the machine network (automation cell) and the company network. The IP addresses in the company network are in this case in the same IP address space (subnet) as the addresses in the machine network.
  • Page 25: Application "Nat

    It is necessary to indicate a DNS server for the SNTP service (see ch. 11.8). When you change the LAN IP address, you may need to reopen the website of the WALL IE in the browser using the new IP address and log in again.
  • Page 26: Activate Dhcp Client At The Wan Interface

    The use of the DHCP client presumes that a DHCP server is active in the WAN network. The IP settings acquired from the DHCP client are made visible on the overview page by clicking on “INTERFACE”.
  • Page 27: Setting Up "Basic Nat" Rules

    = Rule is inactive, a click on the lamp symbol changes the rule status to active. Possible actions: delete a rule, edit a rule, copy a rule.
  • Page 28 The “LAN to WAN” data transfer is initially always enabled but can also be limited by packet filter rules or the default action. A maximum of 128 basic NAT entries can be defined.
  • Page 29: Packet Filter "Wan To Lan

    LAN via the port 102 with the help of the TCP protocol. Now enter the following rule and save it with the button.
  • Page 30 "10.10.1.10/24". In the event that the source IP address is not known at commissioning, e.g. if WALL IE obtains its WAN IP via DHCP, then the entire WAN IP range can also be enabled. For this you have to enter "0.0.0.0-255.255.255.255"...
  • Page 31: Icmp Traffic "Wan To Lan

    Action”, then no ICMP frames are rejected or dropped. In addition to the general ICMP rule, you can further customize your firewall by adding specific packet filter rules for the ICMP protocol.
  • Page 32: Packet Filter "Lan To Wan

    ICMP frames are rejected or dropped. In addition to the general ICMP rule, you can further customize your firewall by adding specific packet filter rules for the ICMP protocol.
  • Page 33: Snat

    6.8 SNAT The function “SNAT (Source NAT)” transparently forwards incoming traffic from the WAN side to the LAN network. For all packets forwarded to the LAN side by the WALL IE, the source IP address is replaced with the WALL IE LAN IP address.
  • Page 34: Napt

    WAN network and looks after the assignment of the response. In order for the communication from LAN to WAN to work when NAPT is activated, the WALL IE LAN IP address must be entered as gateway in all devices on the LAN! If the NAPT option is deactivated, the query packets from the LAN are forwarded from the LAN to the WAN with their original sender IP and sender port.
  • Page 35: Port Forwarding

    With the help of port forwarding (“Port forwarding for WAN to LAN traffic”), it can be configured that packets at a certain TCP/UDP port of the WALL IE (WAN) can be forwarded to a participant in the LAN (e.g. 10.10.1.1:81 to 192.168.10.5:80).
  • Page 36 It is not possible to use the reserved ports 443 and 80 when WALL IE has activated its own websites on the WAN (Web Interface Access = “WAN and LAN”, see chapter 11.6).
  • Page 37: Application "Bridge

    The current entry is rejected without acceptance with “Decline”. When you change the LAN IP address, you may need to reopen the website of the WALL IE in the browser using the new IP address and log in again.
  • Page 38: Packet Filter "Wan To Lan

    “Reject” or “Drop”. In the case of prohibited frames from the WAN, “Reject” sends an error message in response, while “Drop” rejects the frame without sending an error message.
  • Page 39 (“Reject”), or simply rejects (“Drop”). The appropriate method here should always be chosen in interaction with the “Default Action”. If the Default Action is, for example, “Reject” or “Drop”, the...
  • Page 40: Icmp Traffic "Wan To Lan

    ICMP frames are rejected or dropped. In addition to the general ICMP rule, you can further customize your firewall by adding specific packet filter rules for the ICMP protocol.
  • Page 41: Packet Filter "Lan To Wan

    ICMP frames are rejected or dropped. In addition to the general ICMP rule, you can further customize your firewall by adding specific packet filter rules for the ICMP protocol.
  • Page 42: Ftp Helper For Active Ftp

    21. Since it is not possible to know the port when setting up WALL IE, it is not possible to set a fixed port rule. In order not to have to always open all ports for this use case WALL IE supports the function "FTP-Helper".
  • Page 43: Mac Address Filtering

    Layer 2 frames are not forwarded in the NAT mode. The MAC filtering takes place on layer 2 in the bridge mode. A maximum of 128 MAC filter rules can be defined.
  • Page 44: Static Routes

    WALL IE responsible for this (“Next Hop” or “Gateway”) must be configured. In order to enable the return route of the answer, a route for the IP address of the WALL IE of machine 1 must also be set up in the remote gateway (Machine 2)!
  • Page 45: Use With Simatic Step 7 / Tia Portal

    10 Use with Simatic Step 7 / TIA portal Problem: If Simatic CPUs in the LAN behind a WALL IE are to be addressed or planned with an engineering station in the WAN, the problem is that the Step 7 or TIA portal uses the IP address from the project for access to the CPU.
  • Page 46: Application With Step 7

    In order to be able to redirect the responses from the CPU back to the engineering station in the WAN via the WALL IE, either the SNAT function must be activated in WALL IE under "Basic NAT" or the WALL IE must be entered as the router for the CPU in the project.
  • Page 47: Use In The Tia Portal

    “Connect expanded online”. Click on "Access Address" and enter the WAN IP address specified for the device (CPU) in the WALL IE in Basic NAT. Confirm the entry by clicking on the window. An attempt is now made to establish a connection using the entered IP address.
  • Page 48 This solution can only be used in Basic NAT operating mode. In the case of using WALL IE with NAPT and port forwarding, only one CPU can be reached, as the Simatic Manager/TIA portal always accesses the CPU with the non-adjustable port 102.
  • Page 49: Other Functions

    11 Other functions 11.1 DHCP server for LAN A DHCP server can be activated for the LAN network of the WALL IE in order to enable dynamic IP address assignment in the LAN. Primary/Secondary DNS: Specifies the IP address of a DNS server that is available to a DHCP client.
  • Page 50: Dns-Server For Lan

    "Filter win2k" filters periodic DNS queries that do not receive meaningful responses from the public DNS. These queries can cause problems by triggering dial-on-demand connections.
  • Page 51: Host Name (Wan)

    “DHCP Option 12”. Whenever a new device name is defined with this function, the DHCP lease is approved and a new one requested.
  • Page 52: Syslog Server

    11.4 Syslog server The Syslog server installed in the WALL IE logs all user and system events with time of day and date. User events are changes to the configuration or the user login. The system events originate from the operating system or the running application.
  • Page 53: Change Password / User Management

    In the “Password” menu, the password of the administrator, “admin”, can be changed, the additional users activated, and passwords defined or changed. In addition to the “admin” user, which has unlimited access rights, WALL IE supports two more users with limited access rights: “it-user” and “machine-user”...
  • Page 54 • Changing the Static Routing rules • Change password of the “machine-user” • Restart device • Export WALL IE configuration • All other settings are “ReadOnly”
  • Page 55: File Certificate (Https)

    If the web interface should also be accessible via WAN network, this can be set in the “Web Interface Access” menu → “WAN and LAN”.
  • Page 56: Time Settings (Time)

    For “SNTP”, the default gateway and the DNS server must be configured in the interface settings so that the SNTP service can reach the NTP server on the Internet.
  • Page 57: Export/Import Of Configuration

    = “0.0.0.0”; port = 514; time : sntp = false; zone = “Europe/Berlin”; sntp-host = “0.pool.ntp.org”; poll-interval = 3600; retry-interval = 5; …
  • Page 58: Firmware Update

    Operation of the WALL IE is interrupted during the update procedure. Do not turn off the device during the update procedure! The configuration of the WALL IE is retained at a higher version following an update, to the extent that this is technically possible. However, a “downgrade” to an older firmware version can result in configuration errors.
  • Page 59: Resetting To Factory Settings

    13 Resetting to factory settings The resetting of the WALL IE to factory settings can be initiated both via the website and without access to the device with the “FCN” button. When resetting the WALL IE, the configuration is irretrievably deleted and the IP settings are set to the delivery status.
  • Page 60: Faq

    No, PROFINET RT frames are blocked by the WALL IE. What must I take into consideration when I wish to work with a CPU in the LAN via the WALL IE with the Simatic Manager or the TIA Portal (WAN)? In the NAT operating mode, the LAN address of the WALL IE must be entered in the CPU as a router in order that the answers of the CPU find their way back to the PC in the WAN.
  • Page 61: Technical Data

    DC 24 V (18 ... 30 V DC, SELV and limited energy circuit) Pollution degree Altitude Up to 2000m Temperature cable rating 87°C RoHS REACH
  • Page 62 Transport and storage temperature -40 °C ... +85°C Relative air humidity 95 % r H without condensation Pollution degree Protection rating IP20 Certifications RoHS REACH
  • Page 63: Dimension Drawing Wall Ie (700-860-Wal01)

    15.1 Dimension drawing WALL IE (700-860-WAL01) 15.2 Dimension drawing WALL IE PLUS (700-862-WAL01)

This manual is also suitable for:

WALL IE PLUS, 700-860-WAL01, 700-862-WAL01
