Overview
This article explains two practical ways to temporarily share a single ISP Ethernet handoff between two neighboring businesses while keeping them isolated from each other, for the case where Business B must use its own router and must appear on the Internet as a dedicated public IPv4 address.
Kerio Control supports VLANs as interfaces that you configure with IPv4/IPv6 parameters, and it supports NAT via the Translation settings in Traffic Rules.
Because a VLAN in Kerio Control is a routed interface with its own IP parameters rather than a transparent Layer 2 bridge, Kerio Control cannot simply pass Business B's traffic through untouched. This article therefore covers (a) bypassing Kerio Control for Business B at Layer 2, or (b) keeping Kerio Control inline and using DNAT/SNAT to dedicate a public IP to Business B.
Solution
Decision point: Do you require Business B to fully bypass Kerio Control (true L2 split at the ISP handoff), or is it acceptable for Kerio Control to stay inline and use 1:1-style NAT (DNAT+SNAT) so Business B uses a dedicated public IP?
Option 1 — True passthrough (Business B bypasses Kerio Control)
- Connect the ISP handoff to an L2 switch, then connect one switch port to the Kerio Control WAN (Business A) and another switch port to Business B's router WAN.
- This requires the ISP to accept more than one device/MAC address on the handoff segment (otherwise only one of the two devices will get service).
- Configure the dedicated public IP directly on Business B's router WAN.
Impact: Kerio Control does not filter, log, or protect Business B in this option. Both routers also share one Layer 2 segment, so use a managed switch and, where the switch supports it, isolate the two customer-facing ports from each other (protected/isolated ports) so that each can reach only the ISP-facing port.
Option 2 — Kerio Control stays inline (dedicated VLAN + transit /30 + DNAT/SNAT)
1. Add the dedicated public IP to the WAN interface (prerequisite for using that IP in NAT/traffic rules).[2]
- In Kerio Control Administration: Configuration > Interfaces, edit your Internet interface, then use Define Additional IP Addresses to add the extra public IP(s) provided by the ISP.
2. Create a dedicated VLAN interface for Business B on the trunk (switch-facing) Ethernet interface.[1]
- In Configuration > Interfaces, edit the Ethernet interface connected to your VLAN-aware switch trunk.
- On the VLAN tab, use Add or Remove VLANs, enable Create VLAN subinterfaces, then add your VLAN ID(s).
- Edit the newly created VLAN interface and assign it a small transit subnet (example: 192.168.250.1/30). Do not enable DHCP on this VLAN if Business B has its own router.
- Important: pick a transit subnet that does not overlap any existing LAN subnet on the Kerio Control side, nor any subnet Business B uses internally (its router has to route both the transit network and its own LAN).
3. Configure switching so the VLAN reaches Business B's router WAN port.
- Kerio-facing switch port: trunk allowing the Business B VLAN.
- Inter-switch uplinks: trunk allowing the Business B VLAN.
- Business B router port: access/untagged in that VLAN (unless the router uses 802.1Q tagging on its WAN).
4. Configure Business B's router WAN on the transit subnet.
- Example: router WAN 192.168.250.2/30, gateway 192.168.250.1.
5. Create dedicated NAT rules for Business B and place them above any general allow/NAT rules (Kerio Control processes traffic rules top-down).[3][4]
- Where: Configuration > Traffic Rules.
- Inbound rule (DNAT):
  - Source: Internet (or Any)
  - Destination: <dedicated_public_ip>
  - Service: Any (or restrict to what Business B will publish)
  - Action: Allow
  - Translation: enable destination NAT and set the destination host to 192.168.250.2
- Outbound rule (SNAT to specific IP):
  - Source: 192.168.250.2 (or 192.168.250.0/30)
  - Destination: Internet Interfaces
  - Service: Any
  - Action: Allow
  - Translation: enable source NAT and select Use specific IP address = <dedicated_public_ip>
- Optional (full 1:1 behavior): If Business B should receive all inbound ports on the dedicated public IP, keep Service = Any in the inbound rule and let Business B handle port-forwarding/firewalling on its own router. With Service = Any, every port of the dedicated public IP is forwarded to Business B's router WAN, so that router must be hardened itself (no management interface exposed on its WAN side).
6. Enforce isolation with explicit deny rules in both directions (Business A LAN subnets ↔ Business B transit subnet), placed above broad allow rules.[4]
- Deny Business B → Business A: Source = 192.168.250.0/30, Destination = Business A LAN subnet(s), Service = Any, Action = Deny.
- Deny Business A → Business B: Source = Business A LAN subnet(s), Destination = 192.168.250.0/30, Service = Any, Action = Deny.
Validation (Option 2)
- Outbound: From behind Business B’s router, confirm the observed public IP is the dedicated public IP.
- Inbound: Temporarily publish a test port behind Business B and confirm traffic to the dedicated public IP reaches Business B (DNAT).
- Isolation: Confirm there is no reachability between Business A LAN subnets and the Business B transit subnet in either direction (for example, ping and a TCP connect attempt from a host on each side, checked against the Kerio Control logs to see which rule matched).
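The design in steps 2, 5 and 6 stands or falls on two things: the transit subnet must not overlap an existing LAN, and the dedicated DNAT/SNAT and deny rules must sit above the broad rules, because the first matching rule wins. The following script is an added example, not Kerio Control code and not part of the original article: it is a small top-down, first-match simulator that checks a proposed transit subnet for overlap and then runs the four validation flows through a rule list in the correct order and in the wrong order. All addresses are constructed for illustration (203.0.113.9 as the firewall's primary WAN IP, 203.0.113.10 as the dedicated public IP, 10.0.0.0/24 and 10.0.1.0/24 as Business A LANs, 192.168.250.0/30 as the transit), and the "internet" selector is an assumption standing in for Kerio's Internet Interfaces destination, meaning any address that is not one of the local networks.

```python
"""First-match rule-order simulator for the Option 2 design (added example,
not Kerio Control's own engine). Addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Net = ipaddress.IPv4Network
Selector = Union[Net, str]  # a network, or the tag "internet" (assumption: stands in for "Internet Interfaces")


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)


BUSINESS_A_LANS = [net("10.0.0.0/24"), net("10.0.1.0/24")]   # constructed
TRANSIT = net("192.168.250.0/30")                            # transit /30 from step 2
B_ROUTER_WAN = "192.168.250.2"                               # Business B router WAN from step 4
FIREWALL_WAN_IP = "203.0.113.9"                              # constructed primary WAN IP
DEDICATED_IP = "203.0.113.10"                                # constructed dedicated public IP
LOCAL_NETS = BUSINESS_A_LANS + [TRANSIT]


def check_transit_overlap(transit: str, lans: List[str]) -> List[str]:
    """Return the LAN subnets that overlap the proposed transit subnet (the step 2 caveat)."""
    t = net(transit)
    return [lan for lan in lans if t.overlaps(net(lan))]


@dataclass
class Rule:
    name: str
    src: List[Selector]
    dst: List[Selector]
    action: str                  # "allow" or "deny"
    snat: Optional[str] = None   # "Use specific IP address" for source NAT
    dnat: Optional[str] = None   # destination host for destination NAT


def _hit(selectors: List[Selector], ip: ipaddress.IPv4Address) -> bool:
    for sel in selectors:
        if isinstance(sel, str):  # "internet": anything that is not a local network
            if not any(ip in n for n in LOCAL_NETS):
                return True
        elif ip in sel:
            return True
    return False


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """Top-down evaluation: the first rule whose source and destination both match wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _hit(r.src, s) and _hit(r.dst, d):
            return r
    return None


# Dedicated rules for Business B (steps 5 and 6), then the broad rules that usually already exist.
DEDICATED = [
    Rule("B inbound DNAT", ["internet"], [net(DEDICATED_IP + "/32")], "allow", dnat=B_ROUTER_WAN),
    Rule("B outbound SNAT", [TRANSIT], ["internet"], "allow", snat=DEDICATED_IP),
    Rule("deny B -> A", [TRANSIT], BUSINESS_A_LANS, "deny"),
    Rule("deny A -> B", BUSINESS_A_LANS, [TRANSIT], "deny"),
]
BROAD = [
    Rule("local traffic", LOCAL_NETS, LOCAL_NETS, "allow"),
    Rule("internet access (NAT)", LOCAL_NETS, ["internet"], "allow", snat=FIREWALL_WAN_IP),
]
CORRECT_ORDER = DEDICATED + BROAD
WRONG_ORDER = BROAD + DEDICATED

PROBES = {  # the flows the Validation section tells you to exercise (198.51.100.7 is a constructed Internet host)
    "B_to_A_lan": (B_ROUTER_WAN, "10.0.0.10"),
    "A_lan_to_B": ("10.0.0.10", B_ROUTER_WAN),
    "B_to_internet": (B_ROUTER_WAN, "198.51.100.7"),
    "internet_to_dedicated_ip": ("198.51.100.7", DEDICATED_IP),
}


def simulate(rules: List[Rule]) -> dict:
    """Map each probe to (action, snat, dnat); an unmatched flow is treated as dropped."""
    out = {}
    for name, (s, d) in PROBES.items():
        r = first_match(rules, s, d)
        out[name] = (r.action, r.snat, r.dnat) if r else ("deny", None, None)
    return out


def audit(rules: List[Rule]) -> List[str]:
    """Compare the simulated outcome with the design goal; an empty list means the order is right."""
    want = {
        "B_to_A_lan": ("deny", None, None),
        "A_lan_to_B": ("deny", None, None),
        "B_to_internet": ("allow", DEDICATED_IP, None),
        "internet_to_dedicated_ip": ("allow", None, B_ROUTER_WAN),
    }
    got = simulate(rules)
    return [f"{k}: expected {want[k]}, got {got[k]}" for k in want if got[k] != want[k]]


if __name__ == "__main__":
    print("overlap:", check_transit_overlap("192.168.250.0/30", ["10.0.0.0/24", "192.168.250.0/24"]))
    print("correct order problems:", audit(CORRECT_ORDER))
    print("wrong order problems:", audit(WRONG_ORDER))
```

With the broad rules on top, the simulator reports three failures: the "local traffic" rule lets Business B and Business A reach each other, and the general NAT rule sends Business B out with the firewall's primary IP instead of the dedicated one. Only the inbound DNAT still works, because no broad rule matches a flow arriving from the Internet. Moving the four dedicated rules above the broad ones clears every finding, which is exactly the ordering step 5 and step 6 require.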
FAQ
Do I have to add the dedicated public IP to the WAN interface before I can use it in NAT?
- Yes. Add the extra public IP address(es) to the Internet/WAN interface using Define Additional IP Addresses before selecting that IP in Traffic Rules translation.[2]
Where do I create the VLAN interface for Business B?
- In Kerio Control Administration, go to Configuration > Interfaces, edit the trunk Ethernet interface, open the VLAN tab, and use Add or Remove VLANs with Create VLAN subinterfaces enabled. Then edit the newly created VLAN interface and assign its IPv4 parameters.[1]
Why do the dedicated NAT and deny rules need to be above the general rules?
- Kerio Control evaluates Traffic Rules from the top down, and the first matching rule is applied. Place the dedicated DNAT/SNAT and isolation deny rules above broader allow/NAT rules so they match first.[4]
How do I force Business B outbound traffic to use one specific public IP?
- In the outbound rule's Translation settings, enable source NAT and select Use specific IP address, then choose the dedicated public IP (it must be an IP of one of the firewall's Internet interfaces).[3]
If inbound DNAT to Business B is inconsistent, what should I check?
- First, confirm the DNAT rule is above broader rules and that the dedicated public IP is added on the WAN interface.[2][4] If it is still inconsistent, collect a Support Information file from Webadmin > Status > System Health > Support Information and review it (or attach it when contacting Support).[5] In the Support Information file, you may see log lines similar to Service "DNS UDP" started, bound to address X.X.X.X or Service "VPN" started, bound to address X.X.X.X. If those lines reference the same dedicated public IP you are trying to DNAT, a firewall service is listening on that address and can intercept the ports it uses; select a different public IP for Business B or contact Support for guidance on service exposure/binding.
Ciprian Nastase