Last updated: 99.05.12


Background

In order to connect a business's LAN (Local Area Network) or intranet to the Internet, a TCP/IP router is required. Hardware routers such as those with the Tribe label are common, but routing can also be accomplished using a software router such as the Vicom Internet Gateway (VIG). The VIG is bundled with AppleShare IP 5.0, but it will slow LAN TCP/IP traffic to the coresident server processes to impractical speeds unless it is installed in a particular way, as outlined here.

Vicomsoft have recently advised us that the routing of coresident servers through the mirror port has been revised in version 5 so that it is not as slow as previously. We will be re-evaluating at our earliest opportunity.

Problem
The Vicom Internet Gateway installed on the same Mac as the AppleShare IP server will slow down TCP/IP traffic to the server considerably. In fact, the VIG installed on the same Mac as any TCP/IP service (e.g. an email server) will grind LAN traffic to that service to a near halt.

In order to provide access for the LAN to coresident IP services, the Vicom Internet Gateway sets up a "mirror" port which routes IP traffic to the local TCP/IP address. This creates another port: TCP/IP (Mirror). The typical configuration for VIG including an Ethernet and an Internet port is as below. The mirror port reroutes LAN to server traffic through the Vicom software, thus slowing it down.

Here is a typical config with a mirror port:



The TCP/IP control panel is set to connect via Vicom TCP/IP, as per diagram below.



With the above VIG and TCP/IP control panel settings, any TCP/IP processes, such as an AppleShare IP or email server, running on the same machine, can be seen by the LAN. But LAN traffic is forced through the VIG, as depicted in the routing diagram below.



This would all be fine, except that all traffic from an Ethernet workstation to the server goes through the gateway, even though both machines are on Ethernet. The performance hit is huge. If the LAN clients switch to AppleTalk, rather than TCP/IP connection to AppleShare, all is well.

Running the Vicom Gateway on the same Mac as the AppleShare server, the slight CPU overhead incurred dishing out packets to Internet clients at 33.6 kbps is minor. But it seems outrageous that the Vicom Gateway will only serve coresident services to Ethernet clients by forcing the traffic through the software router, imposing a prohibitive local bottleneck.


Solution
But there is a solution! You can avoid this by installing a second Ethernet card.

With an extra Ethernet port installed in the server, the VIG uses one Ethernet port, whilst OpenTransport, configured via the TCP/IP control panel and used by the coresident services (such as ASIP), uses the other. Each port has its own address. In this example, we've used the built-in Ethernet port for OpenTransport TCP/IP and the new Ethernet card for the VIG.

LAN TCP/IP traffic is now not forced through the VIG, and the VIG does not require a mirror port.



The TCP/IP control panel can be set with a different IP address from that of the VIG. Note that the router address for all machines on the LAN, including that within the TCP/IP settings of the server, should be set to the address of the VIG's Ethernet port.



Set up this way, the LAN clients can communicate directly with the server processes as if the VIG was not running. Each LAN machine and the server connect via their own Ethernet port and cable to the Ethernet hub or backbone. The VIG connects independently via its own Ethernet port and cable to the hub or backbone.

Inbound mapping has to be configured on the VIG to route the particular Internet client requests (e.g. port 548 for AppleShare IP) to the IP address of the server.



Only those packets destined for Internet clients or servers are routed through the VIG by the LAN clients and the server processes, as it should be.

You buy an Ethernet card for between $40 and $200 instead of another Mac or router box for a few thousand.


Other Advantages
The primary reason for using the extra Ethernet port with the VIG is to prevent the bottleneck of LAN to server traffic. However, this implementation alleviates other problems or annoyances compared to the mirror port method.

VIG can Quit
Because the VIG is no longer required to route internal traffic, you can quit, launch and disable the VIG at whim, without killing access from your LAN clients to your server. For instance, you can reconfigure the ports, which requires halting the gateway.

Simpler Address Identification
Since the server processes use the address configured in the TCP/IP control panel in the usual way, configuring the IP address of the processes is straightforward. No need to set the TCP/IP control panel to configure via VICOM, then set up the VIG, choose a mirror port etc.

Server Processes Secure
By default, the VIG makes any TCP/IP services on the mirror port available to Internet clients. So you have to remember to disable access to any processes which you wish to keep private, such as Timbuktu or a FileMaker database.

However, when using the extra Ethernet card procedure, only ports which you explicitly configure via Inbound Mapping will have requests routed to the second Ethernet port where the server processes reside.
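The difference between the two deployments described above (LAN traffic dragged through the mirror port versus a second Ethernet card with explicit Inbound Mapping) can be made concrete with a small routing model. The following Python is an added example written for this page; it is not Vicom software or anything distributed with the VIG. All addresses are constructed (a private LAN and documentation-range Internet addresses), the hop names are invented labels, and the port numbers for Timbuktu (407) and FileMaker (5003) are assumed from their IANA registrations; only port 548 for AppleShare IP is taken from the page.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addressing (not from the page): a private LAN, the server's own Ethernet
# port, the VIG's LAN-side Ethernet port, and the VIG's Internet (modem) address taken
# from the TEST-NET-3 documentation range.
LAN: IPv4Network = ip_network("192.168.1.0/24")
SERVER_ADDR: IPv4Address = ip_address("192.168.1.10")     # TCP/IP control panel address of the server
VIG_LAN_ADDR: IPv4Address = ip_address("192.168.1.1")     # VIG Ethernet port; router address for LAN hosts
VIG_PUBLIC_ADDR: IPv4Address = ip_address("203.0.113.5")  # VIG Internet port that Internet clients reach

# Services running on the server Mac. 548 (AppleShare IP) comes from the page; 407
# (Timbuktu) and 5003 (FileMaker) are assumed IANA-registered ports used for illustration.
SERVER_SERVICES = {548: "AppleShare IP", 407: "Timbuktu", 5003: "FileMaker"}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass
class VicomGateway:
    """Routing policy of the VIG in the two deployments the page compares.

    mirror_port=True : one Ethernet card; coresident services are reached through the
                       mirror port and exposed to the Internet unless explicitly disabled.
    mirror_port=False: second Ethernet card; LAN traffic bypasses the VIG and only ports
                       listed in inbound_map are forwarded from the Internet.
    """
    mirror_port: bool
    inbound_map: dict[int, IPv4Address] = field(default_factory=dict)
    disabled_ports: set[int] = field(default_factory=set)  # mirror-port opt-out list

    def route(self, pkt: Packet) -> tuple[list[str], bool]:
        """Return the hops a packet takes and whether it reaches a server process."""
        from_lan = pkt.src in LAN
        if from_lan and pkt.dst in LAN:
            if pkt.dst == SERVER_ADDR and self.mirror_port:
                # Every LAN-to-server packet is forced through the software router.
                return ["workstation", "vig-ethernet", "vig-mirror", "server"], True
            # Two cards: the hub delivers straight to the destination's own Ethernet port.
            return ["workstation", "hub", "server" if pkt.dst == SERVER_ADDR else "lan-host"], True
        if from_lan:
            # LAN host to the Internet: out through the VIG in both deployments.
            return ["workstation", "vig-ethernet", "vig-internet", "internet"], True
        if pkt.dst != VIG_PUBLIC_ADDR:
            return ["internet"], False  # not addressed to this site at all
        if self.mirror_port:
            # Default-expose: any coresident service answers unless it was disabled.
            reachable = pkt.dport in SERVER_SERVICES and pkt.dport not in self.disabled_ports
            hops = ["internet", "vig-internet", "vig-mirror", "server"] if reachable else ["internet", "vig-internet"]
            return hops, reachable
        # Default-deny: only an explicit inbound mapping forwards the request, and the
        # packet then crosses three ports on the one Mac (Internet, VIG Ethernet, server Ethernet).
        if self.inbound_map.get(pkt.dport) is None:
            return ["internet", "vig-internet"], False
        return ["internet", "vig-internet", "vig-ethernet", "server"], True


def internet_reachable(gw: VicomGateway, dport: int) -> bool:
    """Can a constructed Internet client (TEST-NET-2) reach this port on the server?"""
    client = ip_address("198.51.100.7")
    return gw.route(Packet(client, VIG_PUBLIC_ADDR, dport))[1]


def internet_exposed_ports(gw: VicomGateway) -> set[int]:
    """Server ports an Internet client can reach through this gateway."""
    return {p for p in SERVER_SERVICES if internet_reachable(gw, p)}


def lan_path_crosses_vig(gw: VicomGateway) -> bool:
    """True if a LAN workstation's AppleShare IP session traverses the VIG."""
    workstation = ip_address("192.168.1.50")  # constructed LAN workstation
    hops, _ = gw.route(Packet(workstation, SERVER_ADDR, 548))
    return any(h.startswith("vig") for h in hops)


# The two deployments side by side: mirror port versus second card with Inbound Mapping.
MIRROR_PORT_SETUP = VicomGateway(mirror_port=True)
TWO_CARD_SETUP = VicomGateway(mirror_port=False, inbound_map={548: SERVER_ADDR})

if __name__ == "__main__":
    for name, gw in (("mirror port", MIRROR_PORT_SETUP), ("two cards", TWO_CARD_SETUP)):
        print(f"{name}: LAN->server crosses VIG = {lan_path_crosses_vig(gw)}, "
              f"Internet-reachable ports = {sorted(internet_exposed_ports(gw))}")
```

Running it shows the two points the page makes: in the mirror-port setup the LAN-to-server path crosses the VIG and every service on the Mac (548, 407 and 5003) answers Internet clients unless you remember to disable it, whereas in the two-card setup the LAN path never touches the VIG and only the explicitly mapped port 548 is reachable from outside.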

Side Effects
We still view this "solution" as a work around, and hope that Vicom will allow future versions of the VIG to route only Internet traffic whilst not forcing LAN to server packets through the gateway.

Repetitive Port Processing
With the current two-ports-for-one-Mac solution, traffic from the Internet to a server process goes through three ports on the one Mac (see diagram above), with the associated CPU time. This seems very inefficient. We suspect that if a future version enabled the straightforward route from the modem port through the VIG to the server process, then the server as a whole would speed up significantly. It's fairly absurd at present to visualise each Internet client request shuffling through three external ports on the same machine.

IP Address Discrepancies
The two Ethernet port solution publishes server processes at one address for LAN users and another address for Internet clients. However, the same problem arises with any router that uses IP masquerading, also known as NAT (Network Address Translation), such as a WebRamp hardware box.

Because the DNS can only return one result for a query on a host name (e.g. www.tandb.com.au), the internal LAN and external users have to use different DNS methods to point to the same server.

This issue of special DNS configuration for a NAT router is explained in more detail.

Later Versions
We have upgraded and tested VIG versions 3.9 and 5.0.1. Initially, they appeared to support only the bottleneck mirror port method, and the software seems to explicitly prohibit the use of separate Ethernet interfaces for the VIG and OpenTransport.

However, it can be used with an extra card as follows:

    1. Launch the new VIG.
    2. In the Edit menu, choose Preferences, then Mirror Port. Turn off Automatically Configure TCP/IP.
    3. Quit.
    4. Launch VIG.
    5. If an alert appears that VIG has altered OpenTransport, click Quit and then relaunch VIG.
    6. It's probably a good idea to restart the machine after all this.

Vicomsoft now also have an alternative, cheaper product called SoftRouter Plus. It has the same features as the Vicomsoft Internet Gateway, but without the CyberNot filtering of undesirable sites.

Contact
If you are interested in an intranet or Internet solution for your business or have any questions, please email solutions@tandb.com.au.

Vicom have their own FAQ (frequently asked questions) web page, covering issues such as this, at:
http://www.vicomsoft.com/support/faq/asip.faq.html. You can also email them for support at support@vicomsoft.com. We wish to especially thank Paul Conibere (from Vicom) for his contribution.
