Force traffic over specific NIC on Server with 2 NICS on same subnets

I have a Win2000 Advanced server that has 2 NICs.  I want the first NIC to respond to WWW traffic and the 2nd NIC to send/receive traffic through our firewall to our database server.  The 2 IP addresses are on the same subnet but I want to only open one hole in the firewall and that will be for the database NIC.

It appears that my configuration works if the Database NIC gets enabled first (ie Disable then enable the WWW NIC).  However, if I reboot the server the NICs get enabled in random order and the database traffic will sometimes default to the WWW NIC.  If I manually disable/enable the WWW NIC the database traffic will switch to the DB NIC and things are fine.  I want a reboot to be configured automatically 100% of the time.  Things I have tried are:

1. Physically move the NICs on the motherboard hoping one always gets enabled first. (doesn't happen)
2. Add a static persistent route to the database IP using the "Interface" option.  The static route works after a reboot, but the "Interface" part of the static route command does not.
3. Add a service that runs a batch file that in turn runs the route command.  I hold promise for this, but it didn't work the first time I tried it.  
4. Changed the binding order and made the Database NIC the first NIC listed. (didn't seem to make a difference)

Any other suggestions would be greatly appreciated.
CetusMOD Commented:
Closed, 125 points refunded.
Community Support Moderator
On the Public IP NIC go to the properties for the adapter and under the Advanced Tab of the TCP/IP uncheck the Automatic Metric and assign it a number 2.  Then do the same to the Internal NIC assigning it a 1.  This will give the Database NIC first assignment.

If not already static you should make them static.
Putting two NICs on the same network, IF IT WORKS AT ALL, tells everybody that you *don't care* which one handles the traffic.  (It's not guaranteed to work at all....)

If you want to route traffic differently over two NICs, their addressing has to reflect that difference.  If the second NIC is for a private back channel to the database server, put it on a private subnet and address the database server via an address that takes that route.

>If the second NIC is for a private back channel to the database server, put it on a private subnet and address the database
>server via an address that takes that route

I concur.

spillanepp (Author) Commented:
I really thought that acsservice's suggestion was going to work, but it actually didn't, so I went with the static route option and had it run with the autoexnt service at bootup.  Once I added the AutoExNT service I had to make sure that it was dependent on TCP/IP by modifying the registry and adding the DependOnService value.  At least it is working now.
I object - I think PennGwyn's solution was much cleaner, and the "right" way to accomplish the solution - IMO, the author has implemented some bizarre workaround because s/he is afraid to adjust the networking config in some small way (other than local static routes).

I'm also hoping the author can clarify this:

>so I went with the static route option and had it run with the autoexnt service at bootup

I'd be interested to know how a static route solved this, and why it apparently works now, when the author listed it as number 3 in a list of things that *didn't* work.

I'm also not convinced this solution will work outside a narrow set of conditions, while PennGwyn's solution will work on *any* OS that supports IP.

EE Networking PE

spillanepp (Author) Commented:
While I agree that PennGwyn's solution would work, it was not an option for me because of security concerns.  If I use the private subnet that the database server is on for one of the NICs then I have a server with a private and a public IP address that would be bypassing the firewall completely.  Personally I believe this compromises security which I was not willing to do.  Reconfiguring the network with an additional subnet is really not an option because I was looking for a server based solution that didn't include making changes to the network infrastructure.

I will also say that manually adding a static route always worked as stated in #2 of my question.  The problem I initially had was how to get the static route to run as a service.  Getting this to work solved my problem.  The reason it didn't work at the time of my first writing was because I needed to manually add the DependOnService value to the HKLM\System\CurrentControlSet\Services\AutoExNT registry key and then add TCPIP as a multi-string.  This forces TCPIP to start before running the route command.  Ideally I could have just added a persistent route, but in Windows 2000 the interface information is not retained in the registry.

To clarify how I got the route command to run I used the Technet article:
and put the following command into the autoexnt.bat file (a host route to the database server, bound to the database NIC's interface index):
route add <database ip> mask 255.255.255.255 <gateway ip> if 0x1000003

I will also agree with you Jon that it may not work outside of the scope of this scenario (i.e. another OS), but I can tell you that it works on the two Windows 2000 servers that I tried it on (different hardware).
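An added example of the two fixes discussed in this thread (acsservice's interface metrics and the author's host route pinned to the database NIC), not code posted by anyone here. It uses the NetTCPIP PowerShell cmdlets, which exist on Windows 8 / Server 2012 and later but not on Windows 2000 (where the autoexnt.bat "route add ... if" command above is the equivalent); all addresses are constructed placeholders.

```powershell
# Added example: make database traffic on a dual-homed host leave via the
# NIC the firewall rule is scoped to, and verify the stack agrees.
# Requires the NetTCPIP module (Windows 8 / Server 2012+); not Windows 2000.
# All addresses are constructed placeholders.

$WebNicIp   = '203.0.113.10'   # NIC that should answer public WWW traffic
$DbNicIp    = '203.0.113.11'   # NIC the firewall hole is opened for
$DbServerIp = '198.51.100.20'  # database server on the far side of the firewall
$Gateway    = '203.0.113.1'    # default gateway shared by both NICs

# Resolve interface indexes from the addresses instead of hard-coding an
# "0x1000003"-style index, which can change across reboots or reinstalls.
$webIf = (Get-NetIPAddress -IPAddress $WebNicIp -AddressFamily IPv4).InterfaceIndex
$dbIf  = (Get-NetIPAddress -IPAddress $DbNicIp  -AddressFamily IPv4).InterfaceIndex

# 1) Interface metrics (the thread's first answer): with both NICs on one
#    subnet the on-link routes tie, so the lower metric decides the tie.
Set-NetIPInterface -InterfaceIndex $dbIf  -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 1
Set-NetIPInterface -InterfaceIndex $webIf -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 2

# 2) Host route bound to the DB NIC (the author's approach). New-NetRoute
#    writes to the persistent store as well, so no startup service is needed.
$existing = Get-NetRoute -DestinationPrefix "$DbServerIp/32" -ErrorAction SilentlyContinue
if ($existing) { $existing | Remove-NetRoute -Confirm:$false }
New-NetRoute -DestinationPrefix "$DbServerIp/32" -InterfaceIndex $dbIf -NextHop $Gateway | Out-Null

# 3) Verify: ask the stack which source address it would use for the
#    database server. If it is not the DB NIC, the firewall rule will not
#    match and the connection will be dropped or reach the DB via the wrong path.
$chosen  = Find-NetRoute -RemoteIPAddress $DbServerIp
$srcAddr = ($chosen | Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
if ($srcAddr -ne $DbNicIp) {
    Write-Warning "DB traffic would source from $srcAddr, not $DbNicIp; check metrics and the /32 route."
} else {
    Write-Output "DB traffic to $DbServerIp leaves via interface $dbIf ($DbNicIp)."
}
```

Run the verification block again after a reboot; it is the check the original thread had to do by hand with route print.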