
Network Design Best Practice: Always Use Private (RFC1918) IP Ranges on LAN

Overview

The recommended and supported approach for Kerio Control deployments is to use private RFC1918 IP ranges for internal networks (LAN/VPN) and to avoid using public IP ranges internally. (Resolving IPSEC Tunnel Conflicts Due to Overlapping Subnets)

Using public IP ranges on LAN can create hard-to-diagnose outages because internal hosts may overlap with real public IP space and with public security reputation feeds. One practical example is that IPS IP blacklists can drop legitimate traffic if an internal host’s IP is present in a blacklist feed. Kerio Control explicitly documents that IP blacklists may include legitimate clients or servers. (Configuring Intrusion Prevention System)

Always use private RFC1918 ranges on LAN

Use standard private IP blocks as defined by RFC 1918:

  • 10.0.0.0 – 10.255.255.255
  • 172.16.0.0 – 172.31.255.255
  • 192.168.0.0 – 192.168.255.255

Reference: Resolving IPSEC Tunnel Conflicts Due to Overlapping Subnets.

Why public IP ranges on LAN are problematic

  • Routing conflicts: Internal clients may be unable to reach real public services whose IPs fall inside your “internal” (but public) range.
  • Security reputation feeds are built for public IPs: IPS blacklists are intended to detect and block known hostile public IPs. If your LAN uses public IP space, internal hosts can overlap with blacklist entries. Kerio Control documents that blacklists may include legitimate clients or servers. (Configuring Intrusion Prevention System)
  • Outages can look like a LAN switch/port failure: If DHCP or DNS traffic is dropped, an entire site may appear “down” even though physical link lights are on.

Practical example: IPS blacklist drops impacting DHCP

Example (pattern from a real incident; IPs anonymized using documentation ranges): The LAN used a public IP range, IPS was enabled, and IP blacklist actions were set to Log and Drop. After a blacklist update, the Security log contained entries showing DHCP being dropped due to blacklist matches:

IPS: Packet drop, severity: Blacklist, Rule ID: ..., proto:UDP, ip/port:203.0.113.1:67 -> 255.255.255.255:68

The Security log documents IPS events, including blacklist drops, and the meaning of “IPS: Packet drop”. (Security Logs in Kerio Control)

In this pattern, DHCP (UDP/67 → UDP/68) is disrupted, so LAN clients cannot obtain leases and the site loses connectivity until IPS is disabled or blacklist actions are relaxed.
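To spot this pattern before the site goes dark, the Security log can be parsed for blacklist drops whose source is one of your own LAN hosts. The following is an added example (not Kerio code); it assumes the "IPS: Packet drop" entries keep the field order shown above, and the sample log lines are constructed with documentation IP ranges.

```python
import ipaddress
import re
from typing import Dict, List, Optional
# Field layout of the "IPS: Packet drop" Security log entry shown in the article.
# Assumption: the fields appear in this order; Rule ID is free text up to the comma.
DROP_RE = re.compile(
    r"IPS: Packet drop, severity: (?P<severity>\w+), Rule ID: (?P<rule>[^,]*), "
    r"proto:(?P<proto>\w+), ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")
# RFC 1918 listed explicitly: ipaddress's is_private also covers documentation
# ranges such as 203.0.113.0/24, which would hide exactly the problem we look for.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DHCP_PORTS = {67, 68}

def parse_drop(line: str) -> Optional[Dict]:
    """Parse one Security log line; None if it is not an IPS drop entry."""
    m = DROP_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry

def triage(lines: List[str], lan_subnet: str) -> List[str]:
    """One finding per blacklist drop whose source is a host on our own LAN.
    DHCP (UDP 67/68) drops are called out because clients lose leases; a
    non-RFC1918 LAN is called out because readdressing is the real fix."""
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    findings = []
    for line in lines:
        e = parse_drop(line)
        if e is None or e["severity"] != "Blacklist":
            continue
        src = ipaddress.ip_address(e["src"])
        if src not in lan:
            continue  # external source: the blacklist is doing its job
        note = f"blacklist drop of LAN host {src} ({e['proto']} {e['sport']}->{e['dport']})"
        if e["proto"] == "UDP" and {e["sport"], e["dport"]} == DHCP_PORTS:
            note += " [DHCP disrupted: clients cannot obtain leases]"
        if not any(src in block for block in RFC1918):
            note += " [LAN is public IP space: migrate to RFC 1918]"
        findings.append(note)
    return findings

# Constructed sample Security log lines (documentation IP ranges, not a real system).
SAMPLE_LOG = [
    "IPS: Packet drop, severity: Blacklist, Rule ID: 1, proto:UDP, ip/port:203.0.113.1:67 -> 255.255.255.255:68",
    "IPS: Packet drop, severity: Blacklist, Rule ID: 2, proto:TCP, ip/port:198.51.100.7:44321 -> 203.0.113.20:443",
    "IPS: Packet drop, severity: High, Rule ID: 3, proto:TCP, ip/port:203.0.113.5:51000 -> 192.0.2.9:80",
]
```

Run `triage(SAMPLE_LOG, "203.0.113.0/24")` against an export of the Security log to get one line per affected LAN host; an empty result after readdressing confirms the blacklist no longer touches internal traffic.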

How to fix a LAN that uses public IP space

Permanent fix (recommended): migrate the LAN to a private RFC1918 subnet and avoid public IP ranges internally. (Resolving IPSEC Tunnel Conflicts Due to Overlapping Subnets)

Step 1: Pick a private RFC1918 subnet

Choose a private subnet that does not overlap with any existing LAN/VPN networks.
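A small planning check helps here: confirm a candidate subnet is really RFC 1918 and does not overlap any network already routed, or let the script propose the first free block. This is an added example, not Kerio code; the IN_USE inventory is constructed (a public LAN, a VPN pool and a branch site) and IPv4 only is assumed.

```python
import ipaddress
from typing import Iterable, List, Optional

# The three RFC 1918 blocks from the article (IPv4 only in this example).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True only when the whole network lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)

def check_candidate(candidate: str, existing: Iterable[str]) -> List[str]:
    """Reasons a candidate LAN subnet must NOT be used; an empty list means it is safe.
    'existing' holds every LAN, VPN and remote-site subnet already routed."""
    cand = ipaddress.ip_network(candidate, strict=False)  # accepts an interface IP like 192.168.10.1/24
    problems = []
    if not is_rfc1918(cand):
        problems.append(f"{cand} is not RFC 1918 private space")
    for e in existing:
        other = ipaddress.ip_network(e, strict=False)
        if cand.overlaps(other):
            problems.append(f"{cand} overlaps existing network {other}")
    return problems

def first_free_rfc1918(prefixlen: int, existing: Iterable[str]) -> Optional[str]:
    """Walk the RFC 1918 blocks in order and return the first /prefixlen that
    overlaps nothing already in use, or None if every block is exhausted."""
    taken = [ipaddress.ip_network(e, strict=False) for e in existing]
    for block in RFC1918:
        if prefixlen < block.prefixlen:
            continue  # a /8 cannot be carved out of 172.16.0.0/12
        for sub in block.subnets(new_prefix=prefixlen):
            if not any(sub.overlaps(t) for t in taken):
                return str(sub)
    return None

# Constructed inventory: the current (public) LAN, a VPN pool and a branch site.
IN_USE = ["203.0.113.0/24", "10.0.0.0/16", "192.168.0.0/23"]

if __name__ == "__main__":
    for cand in ("203.0.113.1/24", "10.0.5.1/24", "192.168.10.1/24"):
        print(cand, "->", check_candidate(cand, IN_USE) or "OK")
    print("suggested /24:", first_free_rfc1918(24, IN_USE))
```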

Step 2: Change the LAN interface IP

  1. Go to Configuration > Interfaces.
  2. Edit the LAN interface (for hardware appliances this may be the LAN Switch / Trusted interface).
  3. On the IPv4 tab, set the new private subnet (example: 192.168.10.1/24).

Reference: Configuring TCP/IP settings in Kerio Control Interfaces.

Step 3: Update DHCP scopes

  1. Go to Configuration > DHCP Server.
  2. Adjust scopes/reservations so DHCP leases are issued from the new private subnet.

Reference: Configuring DHCP server in Kerio Control.

Step 4: Re-enable IPS and restore desired blacklist actions

Once the LAN is using private addressing, re-enable IPS and restore your desired blacklist actions. (Configuring Intrusion Prevention System)

Checklist after changing the LAN subnet

FAQ

Q1: Can I use public IP space on my LAN if it “works today”?

It is strongly discouraged. Kerio Control documentation explicitly recommends avoiding public IP ranges for internal use because it can cause unexpected routing issues. (Resolving IPSEC Tunnel Conflicts Due to Overlapping Subnets)

Q2: Why would IPS block internal traffic?

Kerio Control IPS includes IP blacklists and those blacklists may include legitimate clients or servers. If an internal host IP overlaps with a blacklist entry (more likely when you use public IP space internally), IPS can drop that traffic depending on your configured action. (Configuring Intrusion Prevention System)

Q3: Where do I see IPS blacklist drops?

In Webadmin, open Logs and view the Security log. IPS events include entries like “IPS: Packet drop, severity: Blacklist”. (Security Logs in Kerio Control)

Q4: IPS is documented to work on “Internet Interfaces”. Why do I see internal IPs in IPS logs?

IPS is documented to work on interfaces in the Internet Interfaces group. If LAN ports or traffic are being processed on an Internet-facing interface due to interface grouping or a non-standard setup, you may see internal IPs in blacklist drops. Verify interface grouping and interpret the Security log entries to see which traffic is being dropped. (Configuring Intrusion Prevention System) (Security Logs in Kerio Control)

Q5: Will changing the LAN subnet break port forwarding or NAT rules?

It can, because destination NAT (port mapping) targets private hosts. After readdressing, update any port-mapping targets and related rules. (Configuring NAT in Kerio Control)

Author: Ciprian Nastase