Q. Why do I lose connection to the VPN or have disconnection issues when I make changes to tunnels or gateways?
- Any change to a gateway (adding, removing or updating tunnels) must be replicated to that gateway, so the gateway briefly restarts its VPN service; active connections are severed until the service is fully back up.
- You and your users will be momentarily disconnected after a change or update, but only for as long as it takes the tunnel to commit the changes.
- We recommend performing maintenance on tunnels or gateways outside business hours to minimize downtime and service disruption.
Q. What private IP space will my Perimeter 81 network be a part of?
- The workspace Admin decides this when creating the network.
- A single network is a subnet of one of the private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), with a mask between /22 and /12 depending on how many gateways the network needs to support.
- Every gateway reserves 1024 IP addresses, so our highest mask (/22) allows a single gateway. The lowest mask (/12) allows up to 1024 gateways.
- Our default subnet with mask is 10.255.0.0/16.
- 10.0.0.0/8 range: use a mask between /22 and /12. A /22 allows a single Perimeter 81 Gateway; a /12 allows up to 1024 Gateways.
- 172.16.0.0/12 range: use a mask between /22 and /12. A /22 allows a single Perimeter 81 Gateway; a /12 allows up to 1024 Gateways.
- 192.168.0.0/16 range: use a mask between /22 and /16. A /22 allows a single Perimeter 81 Gateway; a /16 allows up to 64 Gateways.
The table below shows how the CIDR mask affects the planning of your Perimeter 81 network. Do not choose a range that is too small (a mask that is too high) if you plan to add gateways later, because the range cannot be adjusted without deleting the network.
|CIDR Range|Number of Gateways|
|---|---|
|/22|1|
|/21|2|
|/20|4|
|/19|8|
|/18|16|
|/17|32|
|/16|64|
|/15|128|
|/14|256|
|/13|512|
|/12|1024|
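The following planning helper is an added example, not Perimeter 81 code; it encodes only the rules stated above (1024 addresses per gateway, /22 as the highest mask, /12 as the lowest mask inside 10.0.0.0/8 and 172.16.0.0/12, /16 inside 192.168.0.0/16) and uses Python's standard `ipaddress` module to validate a proposed network and show how many gateways it can hold. The function and constant names are the example's own.

```python
import itertools
import ipaddress

# Rules from the FAQ: each gateway reserves 1024 addresses (a /22),
# and the lowest mask depends on which RFC 1918 block the network lives in.
ADDRESSES_PER_GATEWAY = 1024
HIGHEST_MASK = 22
LOWEST_MASK_BY_BLOCK = {
    ipaddress.ip_network("10.0.0.0/8"): 12,
    ipaddress.ip_network("172.16.0.0/12"): 12,
    ipaddress.ip_network("192.168.0.0/16"): 16,
}


def gateway_capacity(cidr: str) -> int:
    """Return how many gateways a network of this size can hold.

    Raises ValueError when the range breaks one of the FAQ's planning rules,
    so an admin can catch a bad choice before the network is created.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    parent = next((b for b in LOWEST_MASK_BY_BLOCK if net.subnet_of(b)), None)
    if parent is None:
        raise ValueError(f"{net} is not inside an RFC 1918 private block")
    if net.prefixlen > HIGHEST_MASK:
        raise ValueError(f"{net} is smaller than /{HIGHEST_MASK}; it cannot hold a gateway")
    if net.prefixlen < LOWEST_MASK_BY_BLOCK[parent]:
        raise ValueError(
            f"{net} is larger than the /{LOWEST_MASK_BY_BLOCK[parent]} allowed in {parent}"
        )
    return net.num_addresses // ADDRESSES_PER_GATEWAY


def is_valid_plan(cidr: str) -> bool:
    """True when the range satisfies all the planning rules."""
    try:
        gateway_capacity(cidr)
        return True
    except ValueError:
        return False


def gateway_subnets(cidr: str, count: int) -> list[str]:
    """Carve the first `count` gateway-sized (/22) blocks out of the network."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(s) for s in itertools.islice(net.subnets(new_prefix=HIGHEST_MASK), count)]


if __name__ == "__main__":
    # The FAQ's default network: 10.255.0.0/16 -> 64 gateways.
    for candidate in ("10.255.0.0/16", "192.168.0.0/22", "10.0.0.0/12", "192.168.0.0/24"):
        if is_valid_plan(candidate):
            print(candidate, "->", gateway_capacity(candidate), "gateway(s)")
        else:
            print(candidate, "-> invalid under the planning rules")
    print(gateway_subnets("10.255.0.0/16", 3))
```

Run it before creating the network: a range that fails `is_valid_plan` is one you would otherwise have to delete the network to change.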
Q. How can I ensure my users are connected to the VPN?
The workspace Admin can enable the following features in the users' VPN client configuration to ensure users are connected to the VPN when the Admin needs them to be:
- Automatic Wi-Fi Security - Checks whether the user is connected to an "Unsecured" Wi-Fi network; if the Perimeter 81 client is running and an unsecured network is detected, the user is automatically connected to the VPN.
- Trusted Wi-Fi Networks - A list of exceptions to the "Automatic Wi-Fi Security" feature. Enter the SSID of an "Unsecured" network that should not trigger an automatic connection to the VPN.
- Trusted Wired Networks - A list of exceptions to the "Always On" feature. Enter the name of a local network and the MAC address of its router so that it does not trigger an automatic connection to the VPN.
- Always-ON - Prevents the user from disconnecting from the VPN: the "Disconnect" button is disabled and a special code is required to exit the VPN.
- Kill Switch - Turned ON by default when Always-ON is turned on. To avoid data leaks, if any disconnection from the VPN is detected (even one caused by the local internet connection, such as a brief Wi-Fi drop), the computer's internet connection is cut off and the user can no longer use the internet.
We recommend turning the Kill Switch feature off unless it is specifically required.
Q. How can I improve the File Sharing Speed I get using Microsoft Windows?
Due to known limitations of the SMB protocol (the protocol Microsoft Windows uses for file sharing), you may see latency when downloading files or accessing a shared remote Windows resource. Typical symptoms:
- Internet connections are stable and have decent speed.
- Other file transfers, such as FTP, are fine.
- File transfers using Windows file shares (i.e., SMB or CIFS) are slow.
- A ping test shows normal connection speed.
- iPerf on the SMB ports to the affected resource shows slow responses.
To improve SMB speeds over the VPN, we recommend the following steps:
Moving from a WireGuard site-to-site connection on a standalone machine in the network, which depends on NAT rules (WireGuard Connector) to reach the internal LAN, to a traditional IPsec site-to-site tunnel terminated on the actual router has been shown to improve SMB connection speed.
Fine-tuning the SMB server
- Review the MTU sizes of all interfaces along the path (the Maximum Transmission Unit is the largest packet the interface will carry) and make sure they all match:
- To check MTU sizes via PowerShell:
netsh interface ipv4 show subinterface
- To change the MTU of the interface "Local Area Connection" (it might be named differently on your system) to 1420 via PowerShell:
netsh interface ipv4 set subinterface "Local Area Connection" mtu=1420 store=persistent
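As an added example (not part of the FAQ and not a Perimeter 81 tool), the script below parses the output of the `netsh interface ipv4 show subinterface` command shown above, reports interfaces whose MTU differs from the 1420 target, and prints the corresponding `set subinterface` commands so the values can be aligned. The sample output embedded in it is constructed to match netsh's column layout, and the interface names in it are made up; run the real command on the host and feed its output to `parse_subinterfaces` instead.

```python
import re

# Constructed sample of `netsh interface ipv4 show subinterface` output
# (not captured from a real host; interface names are illustrative).
SAMPLE_NETSH_OUTPUT = """\
   MTU  MediaSenseState   Bytes In  Bytes Out  Interface
------  ---------------  ---------  ---------  -------------
4294967295                1          0     172432  Loopback Pseudo-Interface 1
  1500                1   98765432   12345678  Local Area Connection
  1420                1    5551212     884422  Example VPN Tunnel
"""

# One data row: MTU, MediaSenseState, Bytes In, Bytes Out, then the interface name
# (which may itself contain spaces, so it is captured as the remainder of the line).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_subinterfaces(text: str) -> dict[str, int]:
    """Return {interface name: MTU} from the netsh output; header lines are skipped."""
    mtus = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            mtus[match.group(5)] = int(match.group(1))
    return mtus


def find_mismatches(mtus: dict[str, int], target: int = 1420,
                    ignore_prefixes: tuple[str, ...] = ("Loopback",)) -> dict[str, int]:
    """Interfaces whose MTU differs from the target, ignoring loopback-style interfaces."""
    return {
        name: mtu
        for name, mtu in mtus.items()
        if mtu != target and not name.startswith(ignore_prefixes)
    }


def fix_commands(mismatches: dict[str, int], target: int = 1420) -> list[str]:
    """Build the netsh command from the FAQ for each interface that needs adjusting."""
    return [
        f'netsh interface ipv4 set subinterface "{name}" mtu={target} store=persistent'
        for name in mismatches
    ]


if __name__ == "__main__":
    # To use live data on Windows: pipe the netsh output into this script instead.
    mtus = parse_subinterfaces(SAMPLE_NETSH_OUTPUT)
    mismatched = find_mismatches(mtus)
    for name, mtu in mismatched.items():
        print(f"{name}: MTU {mtu} differs from target 1420")
    for command in fix_commands(mismatched):
        print(command)
```

The loopback interface is skipped because its MTU is not on the path to the share; review the remaining mismatches against the tunnel MTU before applying the commands, since the right value depends on the encapsulation overhead along the path.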
Q. What IP will be displayed in the agent when the split tunneling is enabled?
The agent will display your local ISP's public IP.
When split tunneling is enabled, the agent adds routes that send traffic for the subnets listed under the split tunneling settings through the VPN.
All other traffic is routed through the local ISP.
Q. After activating SMS Multi-Factor Authentication I get the below error when trying to access the platform, how can I resolve this error?
You may occasionally run into the error when trying to log in to Perimeter 81: "We could not send the SMS. Please try the recovery code."
This error may occur when you reach the limit of 10 SMS per hour. We use active brute-force protection, so users who attempt to log in many times or enter an incorrect code several times may encounter this error.
To resolve it, either use your recovery code or wait 1 hour for the limit to reset.