Helmholz WALL IE / WALL IE PLUS
Industrial NAT Gateway/Firewall Quick Start Guide
Order Numbers: WALL IE (700-860-WAL01), WALL IE PLUS (700-862-WAL01)
Version: 15 en
Date: 25.08.2022
1 Safety Instructions
[CAUTION] This description is only intended for trained personnel qualified in control and automation engineering who are familiar with the applicable national standards. For installation, commissioning, and operation of the components, compliance with the instructions and explanations in this operating manual is essential. The specialist personnel is to ensure that the application or the use of the products described fulfills all safety requirements, including all applicable laws, regulations, provisions, and standards.
[WARNING] The device has a protection rating of IP 20 (open type) and must be installed in an electrical operating room or a control box/cabinet in order to protect it against environmental influences. To prevent unauthorized operation, the doors of control boxes/cabinets must be closed and possibly locked during operation. The consequences of improper use may include personal injury to the user or third parties, as well as property damage to the control system, the product, or the environment. Use the device only as intended!
[ATTENTION] Successful and safe operation of the device requires proper transport, storage, setup, assembly, installation, commissioning, operation, and maintenance. Operate the device only in flawless condition. The permissible operating conditions and performance limits (technical data) must be adhered to. Retrofits, changes, or modifications to the device are strictly forbidden.
[ATTENTION] The device is a network infrastructure component and therefore an important element in the security consideration of a plant. When using the device, therefore, observe the relevant recommendations to prevent unauthorized access to installations and systems. Further information on this can be found in the device manual.
2 Introduction
The WALL IE, the Industrial NAT Gateway and Firewall, integrates machine networks into the high-level production or company network using network segmentation, packet and MAC address filtering. Currently, the product range consists of two variants: WALL IE (700-860-WAL01) and WALL IE PLUS (700-862-WAL01). Unless otherwise noted, this document describes functions that support both devices equally.
The NAT operating mode serves the forwarding of data traffic between various IPv4 networks, enabling address translation via NAT and using packet filters for access limitation to the automation network. In the Bridge operating mode, the WALL IE acts as a network bridge in an IPv4 subnetwork, allowing packet filtering for access restriction without needing different networks.
This document explains the initial commissioning of the WALL IE using "NAT" and "Bridge" application examples, covering only the most important settings.
[NOTE] For a detailed description of all functions and important safety instructions, please refer to the WALL IE manual. This can be found at www.helmholz.de.
3 Connecting the WALL IE
The WALL IE must be supplied with DC 24 V at the wide range input (18-30 V DC) via the supplied connector plug. The connection (FE) is for the functional earth; connect it properly to the reference potential. The WALL IE is designed exclusively for operation with safety extra-low voltage (SELV/PELV).
Device Ports:
- WALL IE (700-860-WAL01): RJ45 socket "P1 WAN" for external network connection. RJ45 sockets "P2 LAN" to "P4 LAN" for internal network connection.
- WALL IE PLUS (700-862-WAL01): RJ45 sockets "X1 P1" to "X1 P8" can be assigned to WAN or LAN. Factory setting: P1 for WAN, P2-P8 for LAN. LEDs next to ports indicate assignment (orange for WAN, green for LAN). Port assignment is configurable via the web interface.
The inputs IN1 and IN2 currently have no function but will be available for external switching of firewall rules in a future firmware version.
[NOTE] The housing of the WALL IE is not grounded. Please connect the functional earth connection (FE) of the WALL IE properly to the reference potential.
[WARNING] The device may only be operated with power supplies that meet the specifications of EN/IEC 60950-1 for power sources of limited capacity. Otherwise, the device must be operated in an enclosure that meets the requirements of a fire protection enclosure according to EN/IEC 60950-1.
4 Initial Access to the Web Interface
The WALL IE is delivered with the IP address 192.168.0.100 and subnet mask 255.255.255.0 on the LAN side. Access to the web interface is possible via the WALL IE's LAN ports (P2-P4 for WALL IE, P2-P8 for WALL IE PLUS, or all green-lit ports in factory state).
Steps:
- Set your network adapter's IP address to match the WALL IE's subnet (e.g., 192.168.0.x). Navigate: Start → Settings → Network and Internet → Change Adapter settings → Properties → Internet protocol version 4.
- Connect a patch cable from your PC's LAN port to one of the WALL IE's LAN ports (e.g., P2-P4).
- Access the web interface by entering the URL "https://192.168.0.100" in your browser.
For security, the web interface uses HTTPS. You may need to confirm a browser exception rule. A certificate can be stored in the "Device/HTTPS" menu.
Upon first login, you will be prompted to set a password for the "admin" user. The password must be at least 8 characters long and can contain special characters and numbers. Click "Continue" to save the password and proceed to the "Overview" page.
The primary user is "admin". "it-user" and "machine-user" are also available with limited rights, configurable in the "Device/Password" menu.
[NOTE] Please memorize the password carefully! For security reasons, there is no way to reset the password without resetting the device to factory settings.
5 Main View
The "Overview" website opens after login, displaying key settings and information. The top menu provides access to configuration functions.
[NOTE] Please check the WALL IE website for newer firmware versions. Firmware updates are described in section 9. Firmware link: http://www.helmholz.de/goto/700-860-WAL01#tab-software
6 Choosing the Operating Mode
The operating mode must be defined at the beginning based on the application. The WALL IE supports two basic modes: NAT and Bridge.
6.1 The NAT Operating Mode
The NAT operating mode is used to integrate an automation cell with preset IP addresses into a company network with different IP addresses. The WALL IE enables communication while leaving the machine IP addresses unchanged, using NAT for address translation. It forwards data traffic between IPv4 networks (Layer 3) and translates the IP addresses. Packet and MAC address filters can control which data transfer is permitted. Broadcast traffic is generally filtered, which prevents it from impairing the timing behavior of the machine network.
Basic NAT (also known as "1:1 NAT" or "Static NAT") translates individual IP addresses or ranges. Port Forwarding allows forwarding specific TCP/UDP ports to participants in the machine network (LAN). This mode allows multiple automation cells with identical IP address ranges to be integrated into the same company network.
If "NAT" is your planned application, continue reading in section 7.
6.2 The Bridge Operating Mode
In Bridge mode, the WALL IE functions as a Layer 2 switch between the machine network and the company network. Both networks share the same IP address space. Access between network areas can be limited or secured using packet and MAC address filters, allowing network segmentation without different network addresses.
If "Bridge" is your planned application, continue reading in section 8.
7 Application "NAT"
To activate NAT mode, select "Operating Mode" in the "Device" menu and set it to "NAT".
7.1 Adjustment of the IP Addresses in the NAT Operating Mode
Navigate to the "Network" menu, then "Interface". Here you can define the WALL IE's WAN IP, LAN IP, and their respective subnet masks. A DNS server and default gateway can also be specified, which is necessary for LAN devices to access the Internet via the WALL IE. If these are not set (e.g., "0.0.0.0"), Internet communication from the LAN is prevented. A DNS server is also required for the SNTP service.
Optionally, WAN IP settings, DNS server, and default gateway can be obtained via DHCP.
Click "Submit" to save and activate the IP settings. "Decline" rejects the current entry.
[NOTE] If you change the LAN IP address, you may need to reopen the WALL IE web page in your browser using the new IP address and log in again.
7.2 Setting up "Basic NAT" Rules
To use Basic NAT, ensure the operating mode is set to "NAT". Navigate to the "NAT" menu and then "Basic NAT". Enter the first rule and save it using the [Add Rule] button.
The "External IP" is a free IP address from the WAN range, not assigned to any other Ethernet station. The "Internal IP" is the existing IP address of the network node in the machine (LAN). "Comment" is for text description. This configuration enables address conversion ("natting") to the specified LAN IP.
Status Indicators:
- ⚪ Rule is active. Clicking the lamp symbol changes the status to inactive.
- ⚫ Rule is inactive. Clicking the lamp symbol changes the status to active.
Possible actions: [Edit Rule], [Delete Rule], [Copy Rule]
[ATTENTION] For "Basic NAT" rules, all ports for "WAN to LAN" data transfer are initially blocked for security. To enable access, create packet filter rules or set the default action for packet filters to "Accept". "LAN to WAN" data transfer is enabled by default but can be restricted by packet filters.
7.3 Packet Filter "WAN to LAN"
Packet filters restrict access between the company network (WAN) and the machine network (LAN). You can configure which subscribers from the company network can exchange data with specific subscribers in the automation cell. Filter criteria include IPv4 addresses, protocol (TCP/UDP/ICMP), and ports.
Navigate to "Packet Filter" → "WAN to LAN". The "Default Option" determines if all frames are allowed ("Accept" - Blacklisting) or prohibited ("Reject" / "Drop" - Whitelisting). If no initial filtering is desired, set the default action to "Accept". To limit access, set the default action to "Reject" or "Drop". "Reject" sends an error message; "Drop" silently discards the frame.
Example: A PC in the company network (WAN) with IP 10.10.1.11 needs to access a CPU with IP 192.168.10.1 in the LAN via TCP port 102.
Enter the rule and save it using the [Add Rule] button.
Rule Configuration:
- Source IP: IP address of the active device in the company network (WAN).
- Destination IP: Addressed device in the machine network (LAN).
- Protocol: "TCP", "UDP", or "ICMP".
- Destination Ports: Ports to which the filter rules apply. Can be single ports, comma-separated lists, or port ranges (e.g., "80,443", "4000:5000", "1:65535").
IP addresses can be specified as single values, ranges (e.g., "10.10.1.10-10.10.1.20"), lists, or CIDR notation (e.g., "10.10.1.10/24").
Action: "Accept" (allow), "Reject" (block and send an error message), or "Drop" (silently discard). Choose "Accept" for whitelisting when the default action is "Reject" or "Drop". Choose "Reject" or "Drop" for blacklisting when the default action is "Accept".
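The following is an added example, not part of the Helmholz guide and not the device's firmware logic: an offline model of a "WAN to LAN" rule list that parses the IP and port notations described above and replays test packets against it before the rules are entered in the web interface. It assumes that the first matching active rule wins and that CIDR entries have standard semantics (so "10.10.1.10/24" covers the whole /24); the guide states neither, and the rule sets and probe packets are constructed sample data.

```python
import ipaddress

def parse_ips(spec):
    """IP field -> list of (low, high) integer ranges.
    Handles single address, 'a-b' range, comma-separated list and CIDR."""
    out = []
    for part in (p.strip() for p in spec.split(",")):
        if "-" in part:
            lo, hi = (int(ipaddress.IPv4Address(x.strip())) for x in part.split("-"))
        elif "/" in part:
            # strict=False because the guide's own example, 10.10.1.10/24,
            # has host bits set; it still denotes the whole /24.
            net = ipaddress.ip_network(part, strict=False)
            lo, hi = int(net.network_address), int(net.broadcast_address)
        else:
            lo = hi = int(ipaddress.IPv4Address(part))
        if lo > hi:
            raise ValueError(f"reversed IP range: {part}")
        out.append((lo, hi))
    return out

def parse_ports(spec):
    """Port field ('102', '80,443', '4000:5000') -> list of (low, high)."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition(":")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part}")
        out.append((lo, hi))
    return out

def _hit(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)

def evaluate(rules, default_action, src, dst, proto, dport=None):
    """Action for one packet. Assumption: first matching active rule wins."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in rules:
        if not r.get("active", True) or r["proto"] != proto:
            continue
        if not (_hit(s, parse_ips(r["src"])) and _hit(d, parse_ips(r["dst"]))):
            continue
        # ICMP carries no ports, so the port field is only checked for TCP/UDP.
        if proto == "ICMP" or _hit(dport, parse_ports(r["ports"])):
            return r["action"]
    return default_action

# Constructed rule sets (sample data, not exported from a device).
STRICT = [{"src": "10.10.1.11", "dst": "192.168.10.1", "proto": "TCP",
           "ports": "102", "action": "Accept"}]
BROAD = [{"src": "10.10.1.10/24", "dst": "192.168.10.1", "proto": "TCP",
          "ports": "102", "action": "Accept"}]

def review():
    """Replay constructed packets against both rule sets, default action Drop."""
    probes = {
        "engineering PC":  ("10.10.1.11",  "192.168.10.1", "TCP", 102),
        "other WAN host":  ("10.10.1.200", "192.168.10.1", "TCP", 102),
        "web port on CPU": ("10.10.1.11",  "192.168.10.1", "TCP", 80),
    }
    return {name: (evaluate(STRICT, "Drop", *p), evaluate(BROAD, "Drop", *p))
            for name, p in probes.items()}

if __name__ == "__main__":
    for name, (strict, broad) in review().items():
        print(f"{name:16} strict={strict:7} broad={broad}")
```

With default action "Drop", the single-address rule admits only the engineering PC on port 102, while the /24 source entry also admits every other host in 10.10.1.0/24.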
7.4 Packet Filter "LAN to WAN"
By default, data traffic from the machine network (LAN) to the company network (WAN) is permitted without limitations ("Default Action": "Accept"). This can be changed to "Reject" or "Drop". Filtering can be further customized with specific packet filter rules.
The entry of filter rules corresponds to "WAN to LAN" filters, but the source IP is from the LAN, and the destination IP is in the WAN.
7.5 SNAT
SNAT (Source NAT) transparently forwards incoming WAN traffic to the LAN. It replaces the source IP address of packets forwarded on the LAN side with the WALL IE's LAN IP address. This eliminates the need for LAN participants to use the WALL IE's LAN IP as their gateway, which is advantageous for integrating into existing network structures without parameter changes.
7.6 NAPT
NAPT (Network Address Port Translation) for "LAN to WAN traffic" replaces the sender addresses of queries from the LAN with the WALL IE's WAN IP address. Activating "NAPT: Active" enables communication from LAN devices to WAN devices, with the WALL IE acting as a gateway that handles the IP address translation and the assignment of responses.
[NOTE] For LAN to WAN communication with NAPT enabled, the WALL IE LAN IP address must be entered as the gateway in all LAN devices.
If NAPT is deactivated, LAN query packets are forwarded to the WAN with their original sender IP and port.
7.7 Portforwarding
Port forwarding ("Port forwarding for WAN to LAN traffic") allows packets arriving at a specific TCP/UDP port on the WALL IE (WAN) to be forwarded to a participant in the LAN (e.g., forwarding 10.10.1.1:81 to 192.168.10.5:80).
Example: Accessing the website (Port 80) of a CPU with IP 192.168.10.5 via WAN by accessing the WALL IE's own IP address 10.10.1.1 on Port 81.
Rule Configuration:
- Protocol: "TCP" or "UDP".
- External Port: Port number for accessing the device on the LAN side.
- Internal IP: IP address of the device connected to the LAN.
- Internal Port: Port used to access the device connected to the LAN.
- Comment: Freely definable comment.
[NOTE] "Portforwarding" and "Basic NAT" can be used simultaneously in NAT mode. If the default action for "WAN to LAN" packet filters is "Reject" or "Drop", corresponding filter rules must be created for each port forwarding entry.
8 Application "Bridge"
To activate Bridge mode, select "Operating Mode" in the "Device" menu and set it to "Bridge".
8.1 Adjustment of the IP Addresses in the Bridge Operating Mode
Navigate to "Network" → "Interface". Define the WALL IE's "LAN IP" and "LAN netmask". A DNS server and default gateway can also be indicated for LAN devices to reach the Internet. If not set, Internet communication from the LAN is prevented.
Click "Submit" to save and activate settings. "Decline" rejects the entry.
[NOTE] If you change the LAN IP address, you may need to reopen the WALL IE web page in your browser using the new IP address and log in again.
In Bridge mode, all ports are initially blocked for "WAN-to-LAN" traffic for security. Packet filter rules must be created or the "Default Action" set to "Accept" to allow access.
LAN to WAN traffic is enabled by default but can be restricted by packet filters. A DHCP client or server is not available in Bridge mode.
8.2 Packet Filter "WAN to LAN"
Packet filters limit access between the company network (WAN) and the machine network (LAN). You can configure which participants from the company network can exchange data with defined participants in the automation cell. Filter criteria include IPv4 addresses, protocol (TCP/UDP/ICMP), and ports.
Navigate to "Packet Filter" → "WAN to LAN". The "Default Option" determines if all frames are allowed ("Accept" - Blacklisting) or prohibited ("Reject" / "Drop" - Whitelisting). If no initial filtering is desired, set the default action to "Accept". To limit access, set the default action to "Reject" or "Drop". "Reject" sends an error message; "Drop" silently discards the frame.
Example: A PC in the company network (WAN) with IP 10.10.1.11 needs to access a CPU with IP 10.10.1.30 in the LAN via TCP port 102.
Enter the rule and save it using the [Add Rule] button.
Rule Configuration:
- Source IP: IP address of the active device in the company network (WAN).
- Destination IP: Addressed device in the machine network (LAN).
- Protocol: "TCP", "UDP", or "ICMP".
- Destination Ports: Ports to which the filter rules apply.
IP addresses can be specified as single values, ranges, lists, or CIDR notation.
Action: "Accept", "Reject", or "Drop".
8.3 Packet Filter "LAN to WAN"
By default, data traffic from the machine network (LAN) to the company network (WAN) is permitted without limitations ("Default Action": "Accept"). This can be changed to "Reject" or "Drop". Filtering can be further customized with specific packet filter rules.
9 Firmware Update
Firmware can be updated via the website. Download the firmware update file (".HUF" extension) in advance from the Helmholz website.
Save the file on your PC and navigate to "Device" → "Firmware Upgrade" → "Browse" to select the file. The transfer takes up to 1 minute. The firmware is decrypted and checked; if correct, it is transferred to program memory, followed by an automatic restart.
[ATTENTION] During the update process, the WALL IE operation is interrupted. Do not switch off the device during the update process.
[NOTE] Configuration is generally retained during upgrades. Downgrades may cause errors; a factory reset is recommended after a downgrade. Clear browser cache after a firmware update to ensure correct display of website elements.
10 LEDs Status Information
10.1.1 WALL IE (700-860-WAL01)
LED | Status | Description |
---|---|---|
PWR | Off | No power supply or device defective |
PWR | On | Device is correctly supplied with voltage |
RDY | On | Device is ready to operate |
ACT | Flashing or on | Permitted data transfer between WAN and LAN |
USR | Flashing light | Reset to factory settings activated |
RJ45 LEDs (Green) | Link | Connected |
RJ45 LEDs (Orange) | Act | Data transfer at the port |
10.1.2 WALL IE PLUS (700-862-WAL01)
LED | Status | Description |
---|---|---|
PWR | Off | No power supply or device defective |
PWR | On | Device is correctly supplied with voltage |
RDY | On | Device is ready to operate |
ACT | Flashing or on | Permitted data transfer between WAN and LAN |
USR | Flashing | Reset to factory settings activated |
RJ45 Ports | Orange | Port is assigned to the WAN network |
RJ45 Ports | Green | Port is assigned to the LAN network |
RJ45 LEDs (Green) | Link flashing | Connected with 100 Mbps |
RJ45 LEDs (Green) | Link on | Connected with 1000 Mbps |
RJ45 LEDs (Orange) | Act | Data transfer at the port |
12 Technical Data
WALL IE (700-860-WAL01)
Order no. | 700-860-WAL01 |
---|---|
Name | WALL IE |
Dimensions (D x W x H) | 32,5 x 58,5 x 76,5 mm |
Weight | approx. 130 g |
WAN Interface Number | 1 |
WAN Interface Type | 10Base-T/100Base-Tx |
WAN Interface Connection | RJ45 socket |
WAN Interface Transmission rate | 10/100 Mbps |
LAN Interface Number | 3, switched |
LAN Interface Type | 10 Base-T/100 Base-TX |
LAN Interface Connection | RJ45 socket |
LAN Interface Transmission rate | 10/100 Mbps |
Operating modes | Bridge, NAT (Basic NAT, NAPT) |
Packet filter | IPv4 addresses, protocol (TCP/UDP), ports ("WAN to LAN" and "LAN to WAN" separate), MAC addresses (black & whitelisting) |
Status indicator | 4 LEDs function status, 8 LEDs Ethernet status |
Voltage supply | 24 V DC, 18-30 V DC |
Current draw | Max. 250 mA at 24 V DC |
Power dissipation | Max. 2,4 W |
Ambient conditions Installation position | Any |
Ambient conditions Ambient temperature | -40 °C ... +75 °C |
Ambient conditions Transport and storage temperature | -40 °C ... +85 °C |
Ambient conditions Relative air humidity | 95 % rH without condensation |
Ambient conditions Pollution degree | 2 |
Protection rating | IP20 |
Certification | CE, UL |
Certification UL | UL 61010-1/UL61010-2-201 |
Voltage supply (for UL) | DC 24 V (18 ... 30 V DC, SELV and limited energy circuit) |
Pollution degree (for UL) | 2 |
Altitude | Up to 2000 m |
Temperature cable rating | 87 °C |
RoHS | Yes |
REACH | Yes |
WALL IE PLUS (700-862-WAL01)
Order no. | 700-862-WAL01 |
---|---|
Name | WALL IE PLUS, Industrial NAT Gateway/Firewall |
Dimensions (D x W x H) | 34,5 x 101,5 x 75,5 mm |
Weight | approx. 230 g |
WAN/LAN Interface Number | 8, switched |
WAN/LAN Interface Type | 100Base-Tx/1000Base-T |
WAN/LAN Interface Connection | RJ45 socket |
WAN/LAN Interface Transmission rate | 100/1000 Mbps |
Operating modes | Bridge, NAT (Basic NAT, NAPT) |
Packet filter | IPv4 addresses, protocol (TCP/UDP), ports ("WAN to LAN" and "LAN to WAN" separate), MAC addresses (black & whitelisting) |
Status indicator | 4 LEDs function status, 8 LEDs Ethernet status |
Voltage supply | 24 V DC, 18-30 V DC |
Current draw | max. 275 mA at 24 V DC |
Power dissipation | max. 6,7 W |
Ambient conditions Installation position | Any |
Ambient conditions Ambient temperature | 0 °C ... +60 °C |
Ambient conditions Transport and storage temperature | -40 °C ... +85 °C |
Ambient conditions Relative air humidity | 95 % rH without condensation |
Ambient conditions Pollution degree | 2 |
Protection rating | IP20 |
Certification | CE |
RoHS | Yes |
REACH | Yes |
Additional Information
The contents of this Quick Start Guide have been checked to ensure they match the described hardware and software. However, no liability is assumed for any existing differences.
This guide is updated regularly. Always use the latest version available from www.helmholz.de.
Our products may contain open source software subject to relevant license conditions. License texts are available on the Helmholz website. Source text for open source software can be provided on DVD for a fee.
Suggestions for improvement are welcome. For questions regarding product use, contact Helmholz Support via phone or email at support@helmholz.de.
All trademarks are the property of their respective owners. This document is for explanatory purposes only.