Helmholz WALL IE 700-860-WAL01, Manual

Page 1: ...2 91091 Großenseebach Germany Phone 49 9135 7380 0 Fax 49 9135 7380 110 info helmholz de www helmholz com WALL IE Industrial Ethernet Bridge and Firewall Manual Version 1 5 15 2017 as of firmware V 1 04 Manual order number 900 860 WAL01 ...

Page 2: ...pectively relevant license conditions We can send you the corresponding license conditions including a copy of the complete license text together with the product They are also provided in our download area of the respective products under www helmholz de We also offer to send you or any third party the complete corresponding source text of the respective open source software for an at cost fee of...

Page 3: ...rotection 8 1 6 5 EMC protection 8 1 6 6 Operation 8 1 6 7 Liability 9 1 6 8 Disclaimer of liability 9 1 6 9 Warranty 9 2 Overview 10 2 1 Setup 10 2 2 Connection of the power supply 11 2 3 LEDs status information 11 3 Initial access to the web interface 12 3 1 Initial Login 13 3 2 Main view 14 3 2 1 Menu overview 14 3 2 2 Responsive design 15 3 3 Adjustment of the IP addresses Network interface 16...

Page 4: ...ctions 33 10 1 Syslog server 33 10 1 1 Syslog local 33 10 1 2 Syslog remote 33 10 2 Change password Password 34 10 3 File certificate HTTPS 34 10 4 Allow web interface access to WAN Web Interface Access 34 10 5 Firmware update 35 10 6 Time settings Time 36 10 7 Export import of configuration 37 11 Resetting to factory settings 38 11 1 Resetting to factory settings via the website 38 11 2 Resetting...

Page 5: ...ing manual is essential Configuration execution and operating errors can interfere with the proper operation of the PN CAN gateways and result in personal injury as well as material or environmental damage Only suitably qualified personnel may operate the devices Qualified personnel must ensure that the application and use of the products described meet all the safety requirements including all re...

Page 6: ...fe and health of people from electrical voltage If the hazard warning is ignored there is a probable danger to life and health of people from electrical voltage If the hazard warning is ignored people can be injured or harmed Draws attention to sources of error that can damage equipment or the environment Gives an indication for better understanding or preventing errors ...

Page 7: ... hazardous situations on machinery and systems Successful and safe operation of the device requires proper transport storage setup assembly installation commissioning operation and maintenance The ambient conditions provided in the technical specifications must be adhered to The device has a protection rating of IP 20 and must be installed in an electrical operating room or a control box cabinet i...

Page 8: ... the grounded housing to discharge static electricity Only work with discharged tools Do not touch components and assemblies on contacts 1 6 4 Overcurrent protection Overcurrent protection isn t necessary as the device transports no load current The power supply of the device electronics is to be secured externally with a fuse of maximum 1 A slow blowing 1 6 5 EMC protection To ensure electromagne...

Page 9: ...umes no liability for any printing errors or other inaccuracies that may appear in the operating manual unless there are serious errors of which Helmholz GmbH Co KG was already demonstrably aware Beyond the instructions contained in the operating manual the applicable national and international standards and regulations must also be observed in any case Helmholz GmbH Co KG is not liable for damage...

Page 10: ...cket filtering is also possible in this operating mode This means that the restriction of access to individual areas of your network can be achieved without having to use different networks for this purpose WALL IE features Bridge functionality for identical IP address ranges NAT Basic NAT NAPT and port forwarding Access restriction through packet filters IPv4 addresses protocol TCP UDP ports MAC ...

Page 11: ...e inputs IN1 and IN2 do not yet have a function in the current firmware version but will be available in a later firmware version for the external switching of firewall rules 2 3 LEDs status information PWR Off No power supply or device defective On Device is correctly supplied with voltage RDY On Device is ready to operate ACT Flashing light or ON Data transfer permitted between WAN and LAN USR O...

Page 12: ...via the LAN connections P2 P4 The IP address of your network adapter must first be set in accordance with the IP subnet of the WALL IE Start control panel Network and sharing settings Adapter settings LAN connection properties Internet Protocol Version 4 Now connect a patch cable with the LAN connection of your PC and one of the LAN ports P2 P4 of the WALL IE The web interface can be reached in th...

Page 13: ...ou will be prompted to set a password at the initial Login The password must have at least 8 characters and may have a maximum of 128 characters It may contain special characters and numbers With the Continue button the password is stored in the device and you will be forwarded to the Overview page of the WALL IE The main user is always admin Additional user management hasn t been implemented yet ...

Page 14: ...rewall Version 1 15 05 2017 14 3 2 Main view The Overview main view contains an overview of the most important settings and information of the WALL IE The topmost line contains the menu with the functions for configuration 3 2 1 Menu overview ...

Page 15: ...nsive design The web interface is also suitable for use on tablets and smartphones Responsive design Please note that web access to the WALL IE is equipped with inactivity monitoring for security reasons When the website isn t used for several minutes an automatic log out takes place ...

Page 16: ...r networks via WAN If this is not permitted or is not desired 0 0 0 0 is to be entered A DNS server can also be indicated where necessary It is necessary to indicate a DNS server for the SNTP service see ch 10 6 The entry is saved with the Save button and the IP addresses are activated immediately The current entry is rejected without acceptance with Decline When you change the LAN IP address you ...

Page 17: ...the two areas This enables the separation of a part of the production network without using different network addresses 4 1 Activate bridge mode Switch the WALL IE to the bridge mode via Device Operating Mode Bridge In the bridge mode the IP address of the WAN interface is identical to the IP address of the LAN interface It is thus transparent When setting the IP addresses of the WALL IE under Net...

Page 18: ...s are blocked for WAN to LAN data transfer as a default In order to enable access packet filter rules must be created or the default action for the packet filters be set to Accept The LAN to WAN data transfer is initially always allowed but can also be limited by packet filters or the default action ...

Page 19: ... direction LAN to WAN 5 1 Creation of rules in the packet filter In the Packet Filter menu select WAN to LAN or LAN to WAN depending upon which communication direction you wish to restrict With the Default Action option you can set how the standard action of the packet filter should work In the Accept setting all frames are generally permitted and only special packets are filtered In the Reject or...

Page 20: ...inates Destination IP IP address of the device in the internal network LAN on which access is allowed by this rule Protocol Selection of the permitted protocol TCP or UDP Destination port The device port to be reached in the internal network Action Packages from the external network WAN can be accepted Accept or rejected Reject Drop Drop rejects a packet mutely and Reject provides an ICMP error me...

Page 21: ...he addresses in the entire network are not unambiguous Using Network Address Translation NAT WALL IE makes it possible to incorporate several automation cells into the production network In the NAT operating mode WALL IE forwards the data transfer between various IPv4 networks Layer 3 and exchanges the IP addresses with the help of NAT The packet filters and MAC addresses white blacklisting can al...

Page 22: ...at is assigned to the External IP in the WAN Translation takes place at the IP level and all ports can be addressed Access can be limited to certain ports by entering packet filter rules When defining a Basic NAT rule all ports for WAN to LAN data transfer are initially blocked for data transfer In order to enable access packet filter rules must be created or the default action for the packet filt...

Page 23: ...AT The option NAPT Active thus enables communication of devices from the LAN with devices in the WAN WALL IE thereby acts as a gateway to manage the exchange of the IP addresses of the WAN network and also looks after the assignment of the response In order that the communication with activated NAPT from the LAN to WAN functions the LAN address of the WALL IE must be entered into the devices in th...

Page 24: ...ration however no answer frame can be sent back from the WAN to the LAN 6 3 Port forwarding With the help of port forwarding Port forwarding for WAN to LAN traffic it can be configured that packets at a certain TCP UDP port of the WALL IE WAN can be forwarded to a participant in the LAN In the following example the website Port 80 of the CPU can be reached with the IP 192 168 10 2 via WAN through ...

Page 25: ...to LAN the default action is set to Reject or Drop the corresponding filter rules for access must also be created for each port forwarding entry It is not possible to use the reserved ports 443 and 80 when WALL IE has activated its own websites on the WAN Web Interface Access WAN and LAN see chapter 10 4 ...

Page 26: ...dress can be activated on the WAN on the LAN or on both sides MAC addresses must always be entered in the format AA BB CC DD EE FF whereby numbers are to be indicated with hexadecimals If no MAC filter rule has been entered the MAC Filtering is deactivated irrespective of the Default Policy In the NAT mode the MAC filtering is only carried out if the MAC address is also indicated in the IP header ...

Page 27: ...r communication with other automation cells To this purpose the network and the address of the router or WALL IE responsible for this Next Hop or Gateway must be configured In order to enable the return route of the answer a route for the IP address of the WALL IE of machine 1 must be set up in the second gateway ...

Page 28: ...station in the WAN the problem is that the Step 7 or TIA portal uses the IP address from the project for access to the CPU In the case of access via a WALL IE which is configured in the operating mode Basic NAT another IP address must be used for access to the CPU in the Step 7 or TIA portal The solutions described in the following can also function in an adapted form for other applications 192 16...

Page 29: ...as the router for the CPU in the project In order to be able to reach a CPU via an alternative IP address this can be entered in the menu PLC in the dialog Access address This address remains active until it is deleted in the same dialog through Reset This solution can only be used in the Basic NAT operating mode In the case of NAPT with port forwarding only one CPU can be reached as the Simatic M...

Page 30: ...Here you use the function Extended download to device in the menu under Online or where necessary Extended go online Click on Access address and enter the corresponding IP address Confirm the entry by clicking on the window An attempt is now made to establish a connection with the entered IP address ...

Page 31: ...e used in the Basic NAT operating mode In the case of NAPT with port forwarding only one CPU can be reached as the Simatic Manager TIA portal always accesses the CPU with the non adjustable port 102 The search via the Siemens function Accessible nodes doesn t function through the WALL IE firewall ...

Page 32: ...10 10 1 11 metric 1 This command temporarily saves the route until the PC restart Use the following for permanent saving of the entered routes route add p Display all routes route print Delete a route route delete 192 168 10 1 However in order that the responses from the CPU can also be redirected back to the PC via the WALL IE the WALL IE must be entered as the router for the CPU in the project T...

Page 33: ...riginate from the operating system or the running application In order that the Syslog server displays the correct time this must be set in the Time menu see Ch 10 5 10 1 1 Syslog local The local Syslog display lists the recorded events The Syslog memory can be deleted with Clear 10 1 2 Syslog remote The Syslog messages can also be sent by the WALL IE to a PC through the network on which a program...

Page 34: ...mpany certificate can be filed for the website of the WALL IE This ensures that the calling of the WALL IE configuration website in addition to the HTTPS encoding is also trustworthy 10 4 Allow web interface access to WAN Web Interface Access For security reasons the web interface can only be reached via the LAN as a default If the web interface should also be accessible in the WAN this can be set...

Page 35: ...en transferred to the WALL IE This can take up to 1 minute depending upon the network connection The firmware file is decoded and checked in the WALL IE If the content is correct the firmware is burned into the program memory and a restart of the WALL IE takes place Operation of the WALL IE is interrupted during the update procedure Do not shut off the device during the update procedure The config...

Page 36: ...ired for the Syslog records The time of day can be set either manually or be derived automatically from a SNTP server Simple Network Time Protocol The manually set time of day is not saved in the event of a power failure SNTP should be used for a constantly available time indication The default gateway and the DNS server must be configured in the Interface settings see ch 3 3 for SNTP ...

Page 37: ...nd to copy an existing configuration for a new WALL IE with a similar application The configuration files have the file ending CFG Example of a WALL IE configuration file general router mode true web wan access false intip 192 168 0 100 intip netmask 255 255 255 0 extip 10 10 1 99 extip netmask 255 255 255 0 dnsip 0 0 0 0 gatewayip 0 0 0 0 rsyslog active false host 0 0 0 0 port 514 time sntp false...

Page 38: ... current status in the process 11 1 Resetting to factory settings via the website Select the menu point Factory Reset in the Device menu Press the Factory Reset button and confirm with the confirmation prompt 11 2 Resetting to factory settings with button In order to reset WALL IE to the delivery status the FCN button must be held pressed while the device is restarted The successful resetting of t...

Page 39: ...tage supply DC 24 V 18 30 V DC SELV and limited energy circuit Current draw Max 250 mA with DC 24 V Dimensions D x W x H 35 mm x 59 mm x 75 mm Weight Approx 160 g Certifications CE UL Noise immunity DIN EN 61000 6 2 EMC Immunity Interference emission DIN EN 61000 6 4 EMC Emission Vibration and shock resistance DIN EN 60068 2 8 2008 Vibration DIN EN 60068 27 2010 Shock Protection rating IP 20 Relat...