
Quick Start Guide WALL IE: As of FW 1.08


Version 13 en, as of FW 1.08

www.helmholz.com
Contents
1. Introduction  3
2. Connection 4
3. Initial access to the web interface 4
4. Overview 5
5. Choosing the operating mode 6
6. Application case “NAT” 7
7. Bridge mode 16
8. MAC address filtering 21
9. Firmware update 22
10. Resetting to factory settings 23
11. LED status information 23
12. Button functions 23
13. Technical data 24

Note:
Our products contain open source software, among others. This software is subject to the respectively relevant license conditions. The corresponding licensing conditions, including
a copy of the complete license text, will be sent to you with the product. They are also provided in our download area of the respective products under www.helmholz.com. We also
offer to send you the complete corresponding source text of the respective open source software for an at-cost fee of 10 Euro as a DVD to you or a third party at your request. This offer
is valid for a period of three years, starting from the date of product delivery.



1. Introduction
This document explains the initial commissioning of the WALL IE using the application
examples “NAT” and “Bridge”. Only the most important settings will be explained.
You can find a detailed description of all functionalities as well as the safety information
in the WALL IE manual. You can download this manual from www.helmholz.com or by
scanning this QR code.

[Figure: WALL IE Industrial NAT Gateway / Firewall, with the following labels]
P1: WAN port
P2–P4: LAN ports
FCN: Function button
RST: Reset button
Voltage supply
Operation LEDs (see page 23)



2. Connection
The WALL IE must be supplied with 24 V DC at the wide range input 18–30 V DC via
the provided connector. Connection FE is for the functional ground. Connect this
correctly with the reference potential.
The RJ45 “P1 WAN” socket is for the connection of the external network. The RJ45
“P2 LAN –P4 LAN” sockets are switched and are for the connection of the internal
network.

3. Initial access to the web interface


The WALL IE is set on the LAN-side at the factory with the IP address 192.168.0.100
and the subnet mask 255.255.255.0. Access to the web interface is only possible via
the LAN connections P2–P4.
The IP address of your network adapter must first be set in accordance with the IP
subnet of the WALL IE.

Now connect a patch cable with the LAN connection of your PC and one of the
LAN ports P2–P4 of the WALL IE. In the delivery condition, the web interface can be
reached by calling up https://192.168.0.100 in the browser.
Note: For security reasons, the web interface can only be reached through a secured
HTTPS connection. In order to reach the website, an exception must be confirmed once
in the browser.
Your own certificate for securing the connection can be stored in the “Device/HTTPS”
menu as needed.



With the first login you will be requested to set a password for the “admin” user.
The password must have at least 8 characters and may have a maximum of 128
characters. It may contain special characters and numbers. With the “Continue”
button, the password is stored in the device and you will be forwarded to the
“Overview” page of the WALL IE.
The main user is always “admin”.
In addition to the main user, the “it-user” and “machine-user” can also be used
with limited rights. The users can be activated and the affiliated passwords set in
the “Device/Password” menu.

Note: Make a careful note of the password! For security reasons, there is no possibility to
reset the password without setting the device to the factory settings.

4. Overview
The “Overview” website of the WALL IE always opens after the login.
This contains a menu bar in the upper section and an overview of the status,
the system information, and the basic settings of the WALL IE beneath them.

Note: Please check at the website of the WALL IE under www.helmholz.com for a
newer firmware version. The firmware update is described on page 22.



5. Choosing the operating mode
Depending upon the application case for the WALL IE, the operating mode must
first be defined. WALL IE supports two principal operating modes:
NAT and Bridge.

5.1. The NAT operating mode
When an automation cell with preset IP addresses is to be incorporated into a
production network with other IP addresses, the IP addresses of the machine must
normally all be set again.
When using Network Address Translation (NAT), WALL IE offers the possibility to
leave the IP addresses of the machine as they are, but to enable communication with
the machine network with own IP addresses from the production network.
In the NAT operating mode, WALL IE forwards the data transfer between various IPv4
networks (Layer 3) and translates the IP addresses with the help of NAT.
Packet filters and MAC address filters can be used to limit the permitted data
transmission.
Broadcast traffic is generally filtered at the WALL IE, which means that the time
behavior of the machine network is not impaired by the production network.
Basic NAT, also known as “1:1 NAT” or “Static NAT”, is the translation of individual
IP addresses or of complete IP address ranges.
With the help of port forwarding, it is possible as an alternative to configure that
packets sent to a particular TCP/UDP port of the WALL IE are forwarded to a certain
participant in the machine network (LAN).

[Figure: NAT operating mode. Company network 10.10.1.0/24 with 10.10.1.10 and 10.10.1.20; WALL IE between External (WAN) and Internal (LAN), 192.168.10.5; machine network 192.168.10.0/24 with 192.168.10.1, 192.168.10.2, 192.168.10.50 and 192.168.10.100.]

External IP    Internal IP
10.10.1.11     192.168.10.1
10.10.1.12     192.168.10.2
10.10.1.13     192.168.10.5
10.10.1.14     192.168.10.50
10.10.1.15     192.168.10.100

The NAT operating mode thus also allows the integration of several automation cells
that use an identical IP address range into the same production network.
Each automation cell can be assigned various, free IP addresses from the production
network.

[Figure: several automation cells in one production network. Company network 10.10.1.0/24; three WALL IE devices, each between External and Internal; Machine 1, Machine 2 and Machine X, each with the machine network 192.168.10.0/24.]

If “NAT” is your planned application case, please continue reading on page 7.



5.2. The Bridge operating mode
In the bridge operating mode, WALL IE behaves like a layer 2 switch between the
machine network (automation cell) and the production network. The IP addresses in
the production network are in this case in the same IP address space (subnet mask)
as the addresses in the machine network.
Access between the two network areas can be limited or secured with packet filters
and MAC address filters.
This enables the separation of a part of the production network without the use of
different network addresses.

[Figure: Bridge operating mode. Company network 10.10.1.0/24 with 10.10.1.10 and 10.10.1.20; WALL IE 10.10.1.32 between External (WAN) and Internal (LAN); machine network 10.10.1.0/24 with 10.10.1.30, 10.10.1.31, 10.10.1.50 and 10.10.1.100.]

If “Bridge” is your planned application case, please continue reading on page 16.

6. Application case “NAT”


To activate the NAT operating mode, select the “Operating Mode” menu point in the
“Device” menu and set this to “NAT”.



6.1. Adjustment of the IP addresses in the NAT operating mode
Click on the “Network” menu and select the sub-menu “Interface”. The IP addresses
of the WALL IE in the WAN and in the LAN (“WAN IP”/“LAN IP”), as well as the
affiliated subnet masks (“WAN netmask”/“LAN netmask”) can be defined here.
A DNS server and a default gateway can also be indicated.
This is necessary when devices from the LAN should reach the Internet via the
WALL IE. If these are not indicated, then communication of devices in the LAN with
the Internet is prevented.
Optionally, the WAN-IP settings, the DNS server, and the standard gateway can also
be acquired per DHCP.
The entry is saved with the “Submit” button and the IP settings are then activated
immediately.

Note: When you change the LAN IP address, you may need to reopen the website of the
WALL IE in the browser under the new IP address and log in again.

6.2. Setting up “Basic NAT” rules


In order that the entry of “Basic NAT” rules is possible, WALL IE must be in the operating mode “NAT”.
Then select the “NAT” menu and the sub-menu “Basic NAT”. Enter the first rule and save it with the button.



The “External IP” is the IP address under which the network participant of the machine becomes visible in the production network (WAN). The “Internal IP” is the IP address of
the network participant in the machine (LAN). Any text can be entered as a comment.
Each entry is confirmed with the message “Rule added successfully”.

Status: Rule active (a click on the lamp changes the status).
Action: Add a rule, Edit a rule, Delete a rule, Copy a rule

Important: In the case of a “Basic NAT” rule, all ports for “WAN to LAN” data transfer
are initially blocked for this rule for security reasons!
In order to enable access, packet filter rules must be created or the “Default Action” for
the packet filters be set to “Accept”. See the following chapter.



6.3. Packet filter “WAN to LAN”
The packet filters enable the limitation of access between the production network
(WAN) and the machine network (LAN).
It can, for example, be configured that only certain participants from the production
network may exchange data with defined participants from the automation cell.
The following filter criteria on layers 3 and 4 are available: IPv4 addresses, protocol
(TCP/UDP), and ports.

Note: The packet filters are always also available in the direction “LAN to WAN”,
see page 13.

Select the “WAN to LAN” menu point in the “Packet Filter” menu.
With the “Default Option”, you can set whether all frames are generally allowed
(“Accept”) and only special packets are filtered (“Blacklisting”), or whether all frames
are generally prohibited (“Reject” / “Drop”) and only those frames are allowed to
pass through that correspond with the filter rules (“Whitelisting”).
If you initially don’t wish to filter, set the default action to “Accept”.
In order to limit access to the machine network to certain participants in the WAN,
set the default action to “Reject” or “Drop”. In the case of prohibited frames from the
WAN, “Reject” sends an error message in response, while “Drop” discards the frame
without sending an error message.

[Figure: NAT operating mode. Company network 10.10.1.0/24 with 10.10.1.10 and 10.10.1.20; WALL IE between External (WAN) and Internal (LAN), 192.168.10.5; machine network 192.168.10.0/24 with 192.168.10.1, 192.168.10.2, 192.168.10.50 and 192.168.10.100.]

External IP    Internal IP
10.10.1.11     192.168.10.1
10.10.1.12     192.168.10.2
10.10.1.13     192.168.10.5
10.10.1.14     192.168.10.50
10.10.1.15     192.168.10.100

Example: A PC in the production network (WAN) has the IP address 10.10.1.11
(e.g. a visualization). This PC should be able to access the CPU with the IP address
192.168.10.1 within the LAN via the port 102 with the help of the TCP protocol.



Now enter the following rule and save it with the button.

Source IP indicates the IP address of the active device in the production network (WAN). Destination IP indicates the addressed device in the machine network (LAN).
The filter rules can be defined for one protocol type with protocol “TCP” or “UDP”.
Destination Ports indicates the ports to which the filter rules apply.
If a filter rule applies to several or even all ports, this can be simply defined in the “Destination Ports” field. A list of ports is indicated separated by commas: “80,443,1194”.
A port range can be indicated with a colon: “4000:5000” or “1:65535” for all ports. Combinations of this are also possible: “80,443,4000:5000”.



It is also possible to configure the access of several participants with one another. An IP range can be defined with a dash: “10.10.1.10-10.10.1.20”.
A list of IP addresses is indicated with commas: “10.10.1.10,10.10.1.15,10.10.1.20”.

Action defines whether this rule allows communication (“Accept”), rejects with error message (“Reject”), or simply rejects (“Drop”). The appropriate method here should
always be chosen in interaction with the “Default Action”. If the Default Action is, for example, “Reject” or “Drop”, the filter rules should all be set to “Accept” (Whitelisting).
If the Default Action is “Accept”, a block can be defined in the filter rules with “Reject” or “Drop” for certain devices (Blacklisting).

With the “ICMP Traffic” option, you can either generally allow the forwarding
of ICMP packets, for example a “Ping” (“Accept”), or make it dependent
upon the packet filters (“Default Action”). If, for example, the packet filter “Default
Action” is set to “Reject” or “Drop”, and ICMP Traffic to “Default Action”, then no
ICMP frames of any kind are allowed through.
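
The field syntax and the interplay of rule action and default action described above, as an added example that is not part of the original guide or of the WALL IE firmware. It parses the “Destination Ports” and IP notations quoted in this chapter and evaluates the guide's example connection; the first-match rule order, the function names and the second sample rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass

def parse_ports(spec):
    """Parse a "Destination Ports" field such as "80,443,4000:5000" into (low, high) pairs."""
    ranges = []
    for item in spec.split(","):
        low, sep, high = item.strip().partition(":")
        if not sep:
            high = low                       # single port
        if not (low.isdigit() and high.isdigit()):
            raise ValueError(f"bad port entry {item!r}")
        low, high = int(low), int(high)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port entry out of range {item!r}")
        ranges.append((low, high))
    return ranges

def parse_ips(spec):
    """Parse an IP field (single address, comma list, dash range) into (first, last) pairs."""
    ranges = []
    for item in spec.split(","):
        first, sep, last = item.strip().partition("-")
        first = ipaddress.IPv4Address(first.strip())
        last = ipaddress.IPv4Address(last.strip()) if sep else first
        if last < first:
            raise ValueError(f"IP range runs backwards {item!r}")
        ranges.append((first, last))
    return ranges

def in_ranges(value, ranges):
    return any(low <= value <= high for low, high in ranges)

@dataclass
class Rule:
    source: str
    destination: str
    protocol: str        # "TCP" or "UDP"
    ports: str
    action: str          # "Accept", "Reject" or "Drop"
    active: bool = True

    def matches(self, src, dst, proto, port):
        return (self.active and proto.upper() == self.protocol.upper()
                and in_ranges(ipaddress.IPv4Address(src), parse_ips(self.source))
                and in_ranges(ipaddress.IPv4Address(dst), parse_ips(self.destination))
                and in_ranges(port, parse_ports(self.ports)))

def decide(rules, default_action, src, dst, proto, port):
    # Assumption: rules are checked top to bottom and the first match decides;
    # the guide does not state the evaluation order.
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return default_action

def lint(rules, default_action):
    """Flag rules that do not fit the guide's advice on pairing rule actions with the default."""
    notes = []
    for n, rule in enumerate(rules, 1):
        if default_action in ("Reject", "Drop") and rule.action != "Accept":
            notes.append(f"rule {n}: {rule.action} rule under a {default_action} default")
        if default_action == "Accept" and rule.action == "Accept":
            notes.append(f"rule {n}: Accept rule under an Accept default")
        if rule.action == "Accept" and (1, 65535) in parse_ports(rule.ports):
            notes.append(f"rule {n}: Accept covers all ports")
    return notes

# Constructed sample: rule 1 is the guide's example, rule 2 combines the notations it quotes.
SAMPLE_RULES = [
    Rule("10.10.1.11", "192.168.10.1", "TCP", "102", "Accept"),
    Rule("10.10.1.10-10.10.1.20", "192.168.10.50,192.168.10.100", "TCP",
         "80,443,4000:5000", "Accept"),
]

if __name__ == "__main__":
    for src, dst, proto, port in [("10.10.1.11", "192.168.10.1", "TCP", 102),
                                  ("10.10.1.12", "192.168.10.1", "TCP", 102),
                                  ("10.10.1.15", "192.168.10.50", "TCP", 4500)]:
        print(src, "->", dst, proto, port, decide(SAMPLE_RULES, "Drop", src, dst, proto, port))
    print(lint(SAMPLE_RULES, "Accept"))
```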



6.4. Packet filter “LAN to WAN”
In the basic state, data traffic is permitted for devices from the machine network (LAN) to the production network (WAN) without limitations (“Default Action”: “Accept”).

In the “LAN to WAN” packet filter, the communication of devices in LAN with devices
in the production network (WAN) or into the Internet can be completely prohibited or
be blocked or allowed for particular devices.
The entry of the filter rules corresponds to the packet filters “WAN to LAN”, except that
the source IP is now the LAN IP and the destination IP addresses a device in the WAN.

Note: The MAC address filtering is also available in the NAT operating mode; see page 21.



6.5. SNAT
The function “SNAT (Source NAT)” transparently forwards incoming traffic from the
WAN side to the LAN network. All data packets sent to the LAN are sent to the IP address
of the WALL IE.
Therefore, none of the LAN participants needs the WALL IE LAN IP as “gateway”. This is
a considerable advantage when integrating into existing network structures, since the
parameters no longer have to be changed here.

[Figure: Company network 10.10.1.0/24 with 10.10.1.10 and 10.10.1.20; WALL IE 10.10.1.1 between External (WAN) and Internal (LAN); further addresses shown at the device: 192.168.10.5 and 192.168.10.200; machine network 192.168.10.0/24 with 192.168.10.1, 192.168.10.2, 192.168.10.50 and 192.168.10.100.]

External Port    Internal IP & Port
10.10.1.1:80     192.168.10.1:80
10.10.1.1:102    192.168.10.2:102
10.10.1.1:81     192.168.10.5:80

6.6. NAPT
“NAPT for LAN to WAN traffic” replaces the sender addresses of queries from the
automation cell (LAN) with the address of the WALL IE (“Source NAT”) in the WAN.
If the option is deactivated, the query packets are forwarded to the WAN with their
original sender IPs.

[Figure: Company network 10.10.1.0/24 with 10.10.1.10 and 10.10.1.20; WALL IE 10.10.1.1 between External (WAN) and Internal (LAN); further addresses shown at the device: 192.168.10.5 and 192.168.10.200; machine network 192.168.10.0/24 with 192.168.10.1, 192.168.10.2, 192.168.10.50 and 192.168.10.100.]

External Port    Internal IP & Port
10.10.1.1:80     192.168.10.1:80
10.10.1.1:102    192.168.10.2:102
10.10.1.1:81     192.168.10.5:80



6.7. Port forwarding
With the help of port forwarding (“Port forwarding for WAN to LAN traffic”), it can
be configured that packets at a certain TCP/UDP port of the WALL IE (WAN) can
be forwarded to a participant in the automation cell (LAN) (e.g. 10.10.1.1:81 to
192.168.10.5:80).

Important: If with the packet filters “WAN to LAN” the default action is set to “Reject”
or “Drop”, the corresponding filter rules for access must also be created for each port
forwarding entry.

[Figure: Company network 10.10.1.0/24 with 10.10.1.10 and 10.10.1.20; WALL IE 10.10.1.1 between External (WAN) and Internal (LAN); further addresses shown at the device: 192.168.10.5 and 192.168.10.200; machine network 192.168.10.0/24 with 192.168.10.1, 192.168.10.2, 192.168.10.50 and 192.168.10.100.]

External Port    Internal IP & Port
10.10.1.1:80     192.168.10.1:80
10.10.1.1:102    192.168.10.2:102
10.10.1.1:81     192.168.10.5:80

Protocol         TCP/UDP
External port    The port under which the frames in the WAN under the address of the WALL IE are received.
Internal IP      The IP address to be addressed in the machine network (LAN).
Internal port    The port of the device to be addressed in the machine network (LAN).
Comment          Freely definable comment
Status           Rule is active (a click on the lamp symbol changes the rule status to inactive)
                 Rule is inactive (a click on the lamp symbol changes the rule status to active)
Action           Delete a rule
                 Add a rule

Note: “Port forwarding” and “Basic NAT” can be used simultaneously in the NAT
operating mode.

The MAC address filtering is also available in the NAT operating mode; see page 21.
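
How the Basic NAT table, the port forwarding table and the “WAN to LAN” filter combine, as an added example that is not part of the original guide or of the WALL IE firmware. The addresses come from the guide's figures; the TCP protocol of the forwarding entries, the sample Accept rule and the function names are assumptions. The filter is matched against the LAN address, as in the guide's filter example, and because the guide does not say whether a forwarded port is matched before or after translation, the check accepts either port.

```python
# Constructed sample configuration, using the addresses from the guide's NAT figures.
WAN_IP = "10.10.1.1"                      # WALL IE address in the production network
BASIC_NAT = {                             # External IP -> Internal IP
    "10.10.1.11": "192.168.10.1",
    "10.10.1.12": "192.168.10.2",
    "10.10.1.13": "192.168.10.5",
    "10.10.1.14": "192.168.10.50",
    "10.10.1.15": "192.168.10.100",
}
PORT_FORWARDS = [                         # (protocol, external port, internal IP, internal port)
    ("TCP", 80, "192.168.10.1", 80),      # TCP is assumed; the figure lists ports only
    ("TCP", 102, "192.168.10.2", 102),
    ("TCP", 81, "192.168.10.5", 80),
]
# Accept rules of a whitelist: (source IP, destination IP in the LAN, protocol, port)
SAMPLE_ACCEPT_RULES = [("10.10.1.10", "192.168.10.1", "TCP", 102)]

def translate(dst_ip, proto, port):
    """Map a WAN-side destination to the LAN participant it reaches, or None."""
    if dst_ip == WAN_IP:
        for fwd_proto, ext_port, int_ip, int_port in PORT_FORWARDS:
            if (fwd_proto, ext_port) == (proto, port):
                return (int_ip, int_port)
        return None
    if dst_ip in BASIC_NAT:
        return (BASIC_NAT[dst_ip], port)  # Basic NAT translates the address, not the port
    return None

def accepted(accept_rules, src, int_ip, proto, ports):
    """True if an Accept rule covers the LAN target; src=None means any source."""
    return any(r_dst == int_ip and r_proto == proto and r_port in ports
               and src in (None, r_src)
               for r_src, r_dst, r_proto, r_port in accept_rules)

def wan_to_lan(src, dst_ip, proto, port, default_action, accept_rules):
    """Return (LAN target, action) for a connection arriving on the WAN side."""
    target = translate(dst_ip, proto, port)
    if target is None:
        return None, "no NAT entry"
    if accepted(accept_rules, src, target[0], proto, {port, target[1]}):
        return target, "Accept"
    return target, default_action

def blocked_entries(default_action, accept_rules):
    """List NAT entries that are configured but unreachable under a Reject/Drop default."""
    if default_action == "Accept":
        return []                         # every entry is open, Basic NAT on all ports
    blocked = []
    for proto, ext_port, int_ip, int_port in PORT_FORWARDS:
        if not accepted(accept_rules, None, int_ip, proto, {ext_port, int_port}):
            blocked.append(f"port forwarding {WAN_IP}:{ext_port} -> {int_ip}:{int_port}")
    for ext_ip, int_ip in BASIC_NAT.items():
        if not any(r_dst == int_ip for _, r_dst, _, _ in accept_rules):
            blocked.append(f"Basic NAT {ext_ip} -> {int_ip}")
    return blocked

if __name__ == "__main__":
    print(wan_to_lan("10.10.1.10", "10.10.1.11", "TCP", 102, "Drop", SAMPLE_ACCEPT_RULES))
    print(wan_to_lan("10.10.1.10", "10.10.1.1", "TCP", 81, "Drop", SAMPLE_ACCEPT_RULES))
    for entry in blocked_entries("Drop", SAMPLE_ACCEPT_RULES):
        print("blocked:", entry)
```

With the default action “Accept” the report is empty because nothing is filtered: every Basic NAT entry then exposes all ports of its internal device to the production network.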



7. Bridge mode
To activate the Bridge operating mode, select the “Operating Mode” menu point in
the “Device” menu and set this to “Bridge”.

7.1. Adjustment of the IP addresses in the bridge operating mode


Click on the “Network” menu and select the sub-menu “Interface”. The IP addresses
of the WALL IE (“LAN IP”) and affiliated subnet masks (“LAN netmask”) can be
defined here.
Note: In the bridge operating mode, the defined interface settings are also equally valid
at the WAN port of the WALL IE.
A DNS server and a default gateway can also be indicated.
This is necessary when devices from the LAN should reach the Internet via the WALL IE.
If these are not indicated, then communication of devices in the LAN with the Internet
is prevented.
The entry is saved with the “Submit” button.

Important: In the bridge mode, all ports are initially blocked for “WAN-to-LAN” data
transfer for security reasons!
In order to enable access, packet filter rules must be created or the “Default Action” for
the packet filters be set to “Accept”. See the following chapter.



7.2. Packet filter “WAN to LAN”
The packet filters enable the limitation of access between the production network
(WAN) and the machine network (LAN).
For example, it can be configured that only certain participants from the production
network may exchange data with defined participants from the automation cell.
The following filter criteria on layers 3 and 4 are available: IPv4 addresses, protocol
(TCP/UDP), and ports.

Note: The packet filters are always also available in the direction “LAN to WAN”,
see page 20.

Select the “WAN to LAN” menu point in the “Packet Filter” menu.
With the “Default Option”, you can set whether all frames are generally allowed
(“Accept”) and only special packets are filtered (“Blacklisting”), or whether all frames
are generally prohibited (“Reject” / “Drop”) and only those frames are allowed to
pass through that correspond with the filter rules (“Whitelisting”).
If you initially don’t wish to filter, set the default action to “Accept”.
In order to limit access to the machine network to certain participants in the WAN,
set the default action to “Reject” or “Drop”. In the case of prohibited frames from the
WAN, “Reject” sends an error message in response, while “Drop” discards the frame
without sending an error message.

[Figure: Bridge operating mode. Company network 10.10.1.0/24 with 10.10.1.10 and 10.10.1.20; WALL IE 10.10.1.32 between External (WAN) and Internal (LAN); machine network 10.10.1.0/24 with 10.10.1.30, 10.10.1.31, 10.10.1.50 and 10.10.1.100.]

Example: A PC in the production network (WAN) has the IP address 10.10.1.10
(e.g. a visualization). This PC should be able to access the CPU with the IP address
10.10.1.30 within the LAN via the port 102 with the help of the TCP protocol.



Now enter the following rule and save it with the button.

Source IP indicates the IP address of the active device in the production network (WAN).
Destination IP indicates the addressed device in the machine network (LAN).
The filter rules can be defined for one protocol type with protocol “TCP” or “UDP”.
Destination Ports indicates the ports to which the filter rules apply.

If a filter rule applies to several or even all ports, this can be simply defined in the “Destination Ports” field. A list of ports is indicated separated by commas: “80,443,1194”.
A port range can be indicated with a colon: “4000:5000” or “1:65535” for all ports. Combinations of this are also possible: “80,443,4000:5000”.



It is also possible to configure the access of several participants with one another. An IP range can be defined with a dash: “10.10.1.10-10.10.1.20”.
A list of IP addresses is indicated with commas: “10.10.1.10,10.10.1.15,10.10.1.20”.

Action defines whether this rule allows communication (“Accept”), rejects with error message (“Reject”), or simply rejects (“Drop”). The appropriate method here should
always be chosen in interaction with the “Default Action”. If the Default Action is, for example, “Reject” or “Drop”, the filter rules should all be set to “Accept” (Whitelisting).
If the Default Action is “Accept”, a block can be defined in the filter rules with “Reject” or “Drop” for certain devices (Blacklisting).

With the “ICMP Traffic” option, you can either generally allow the forwarding
of ICMP packets, for example a “Ping” (“Accept”), or make it dependent
upon the packet filters (“Default Action”). If, for example, the packet filter “Default
Action” is set to “Reject” or “Drop”, and ICMP Traffic to “Default Action”, then no
ICMP frames of any kind are allowed through.



7.3. Packet filter “LAN to WAN”
In the basic state, data transfer is permitted for devices from the machine network (LAN) to the production network (WAN) without limitations (“Default Action”: “Accept”).

In the “LAN to WAN” packet filter, the communication of devices in LAN with devices
in the production network (WAN) can be completely prohibited or be blocked or
allowed for particular devices.

Important: In the event that devices in the LAN should communicate with devices in
the production network, the LAN IP address of the WALL IE must also be entered for the
devices in the LAN as a gateway.

Note: The MAC address filtering is also available in the Bridge operating mode;
see page 21.



8. MAC address filtering
With the function “MAC Filtering”, communication via the WALL IE can be limited to devices with certain MAC addresses (“Whitelisting”) or devices with certain MAC
addresses can be denied access (“Blacklisting”).
Filtering for each MAC address can be activated separately on the WAN, on the LAN, or on both sides (“ANY”).

MAC addresses must always be entered in the format “AA:BB:CC:DD:EE:FF”, whereby
numbers are to be indicated with hexadecimals.
If MAC filtering is used in the “Whitelist” mode, the MAC addresses of all permitted
devices are indicated.
If no MAC filter rule has been entered or activated, the “MAC Filtering” is completely
deactivated, irrespective of the “Default MAC Policy”.
MAC filtering can be used both in the NAT and in the Bridge operating mode.

Important: MAC Filtering has the highest priority of all filters in the WALL IE. As soon as
the first MAC address has been entered in the MAC filter mode “Whitelist”, only frames
from this MAC address are allowed to pass through, irrespective of all other packet filter
rules.
Note: In the NAT mode, the MAC filtering is only carried out when the MAC address is
also indicated in the IP header of the packet. Layer 2 frames are not forwarded in the
NAT mode. The MAC filtering takes place on layer 2 in the bridge mode.
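
The MAC filter behaviour described above, including the case where no rule is active and the effect of the first “Whitelist” entry, as an added example that is not part of the original guide or of the WALL IE firmware. The inventory, the MAC addresses and the function names are constructed; matching an entry's side (“WAN”, “LAN”, “ANY”) against the port on which a frame arrives is an assumption.

```python
import re
from dataclasses import dataclass

def to_wall_ie_format(text):
    """Convert common MAC notations (aa-bb-.., aabb.ccdd.eeff, lower case) to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[:.\-]", "", text.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class MacEntry:
    mac: str
    side: str             # "WAN", "LAN" or "ANY"
    active: bool = True

    def __post_init__(self):
        self.mac = to_wall_ie_format(self.mac)
        if self.side not in ("WAN", "LAN", "ANY"):
            raise ValueError(f"unknown side {self.side!r}")

def mac_filter_allows(mode, entries, src_mac, arrival_side):
    """Decide whether a frame from src_mac arriving on arrival_side passes the MAC filter."""
    active = [e for e in entries if e.active]
    if not active:
        return True       # no active rule: MAC filtering is off, whatever the default policy
    src = to_wall_ie_format(src_mac)
    listed = any(e.mac == src and e.side in ("ANY", arrival_side) for e in active)
    return listed if mode == "Whitelist" else not listed

def cut_off_by_whitelist(entries, inventory):
    """Names of inventory devices that stop passing once these Whitelist entries are active."""
    return sorted(name for name, (mac, side) in inventory.items()
                  if not mac_filter_allows("Whitelist", entries, mac, side))

# Constructed inventory: device name -> (MAC as exported by some tool, side it is connected to)
INVENTORY = {
    "HMI": ("02-00-00-00-00-01", "WAN"),
    "PLC": ("0200.0000.0002", "LAN"),
    "Engineering PC": ("02:00:00:00:00:03", "WAN"),
}

if __name__ == "__main__":
    first_entry_only = [MacEntry("02:00:00:00:00:01", "WAN")]
    print("cut off after the first entry:", cut_off_by_whitelist(first_entry_only, INVENTORY))
    complete = [MacEntry(mac, side) for mac, side in INVENTORY.values()]
    print("cut off with the full list:", cut_off_by_whitelist(complete, INVENTORY))
```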



9. Firmware update
The firmware of the WALL IE can be very simply updated via the website.
Please download the firmware update from www.helmholz.com or scan
the QR code.

The firmware file has the file ending “HUF” (Helmholz Update File) and is encoded
to protect it from being changed.
Save the firmware file on your PC and select the storage location with “Browse”.
The firmware file is then transferred to the WALL IE. This can take up to 1 minute,
depending upon the network connection.
The firmware file is decoded and checked in the WALL IE. If the content is correct,
the firmware is burned into the program memory and a restart of the WALL IE
takes place.

Important: Operation of the WALL IE is interrupted during the update procedure.
Do not shut off the device during the update procedure.
Note: The configuration of the WALL IE is retained following an update to a higher
version, to the extent that this is technically possible. However, a “downgrade” to an
older firmware version can result in configuration errors. Carrying out a factory reset
is recommended following a downgrade.
Note: Following a firmware update, it may be necessary to delete the browser cache
once in order to update obsolete JavaScript elements of the WALL IE website.



10. Resetting to factory settings
In order to reset WALL IE to the delivery status, the “FCN” button must be pressed
while the device is restarted. A restart can be carried out with Power OFF/ON, by
pressing the “RST” button or with the “Device reboot” function at the website.
The successful resetting of the parameters and settings is acknowledged during the
boot process by the lit “USR” LED.

11. LED status information


LED          State             Meaning
PWR          Off               No power supply or device defective.
PWR          On                Device is correctly supplied with voltage.
RDY          On                Device is ready to operate.
ACT          Flashing or on    Data transfer permitted between WAN and LAN.
USR          On                Factory settings reset active.
RJ45 LEDs    Green (Link)      Connected.
RJ45 LEDs    Orange (Act)      Data transfer at the port.

12. Button functions


FCN    The WALL IE can be reset to factory settings with the “FCN” button.
       To this purpose, the “FCN” button must be kept pressed during the
       run-up phase of the WALL IE.
       The successful resetting of the parameters and settings is acknowledged
       during the boot process by the lit “USR” LED.
       The “FCN” button can then be released.

RST    The “RST” button triggers an immediate restart of the WALL IE,
       in the course of which all saved settings are retained.



13. Technical data
WALL IE, Industrial Ethernet Bridge and Firewall (700-860-WAL01)

Dimensions (DxWxH)                      32,5 x 58,5 x 76,5 mm
Weight                                  Approx. 130 g
Number of inputs                        2 | DC 24 V, as per DIN EN 61131-2 Type 2
WAN interface                           1x
- Type                                  10 Base-T/100 Base-T
- Connection                            RJ45 socket
- Transmission rate                     10/100 Mbps
LAN interface                           3x
- Type                                  10 Base-T/100 Base-T
- Connection                            RJ45 socket
- Transmission rate                     10/100 Mbps
Operating modes                         Bridge, NAT (Basic NAT, NAPT)
Packet filter                           IPV4 addresses, protocol (TCP/UDP), ports:
                                        “WAN to LAN” and “LAN to WAN” separated,
                                        MAC addresses (black & whitelisting)
Status indicator                        4 LEDs, function status
                                        8 LEDs, Ethernet status
Voltage supply                          24 V DC, 18–30 V DC
Current draw                            Max. 250 mA at 24 V DC
Power dissipation                       Max. 2.4 W
Ambient conditions
- Ambient temperature                   -40 °C ... +75 °C
- Transport and storage temperature     -40 to +85 °C
- Relative air humidity                 95 % r H without condensation
- Pollution degree                      2
- Protection rating                     IP20
Certifications                          CE, UL
UL                                      UL 61010-1 / UL 61010-2-201
- Voltage supply                        DC 24 V (18 ... 30 V DC, SELV and limited energy circuit)
- Pollution degree                      2
- Altitude                              Up to 2,000 m
- Temperature cable rating              87 °C

Note:
The contents of this Quick Start Guide have been checked by us so as to ensure that
they match the hardware and software described. However, as deviations cannot be
excluded, we can accept no responsibility for complete agreement.
The information in this Quick Start Guide is, however, updated on a regular basis.
When using your purchased products, please make sure to use the latest version
of this Quick Start Guide, which can be viewed and downloaded on the Internet from
www.helmholz.com. Our customers are at the center of everything we do.
We welcome all ideas and suggestions.

Helmholz GmbH & Co. KG | Hannberger Weg 2 | 91091 Großenseebach | Germany | Phone +49 9135 7380-0 | Fax +49 9135 7380-110 | info@helmholz.de | www.helmholz.com
