Force traffic over specific NIC on Server with 2 NICS on same subnets

Posted on 2004-08-24
Last Modified: 2008-01-16
I have a Win2000 Advanced Server that has 2 NICs. I want the first NIC to respond to WWW traffic and the 2nd NIC to send/receive traffic through our firewall to our database server. The 2 IP addresses are on the same subnet, but I want to only open one hole in the firewall and that will be for the database NIC.

It appears that my configuration works if the database NIC gets enabled first (i.e. disable then enable the WWW NIC). However, if I reboot the server the NICs get enabled in random order and the database traffic will sometimes default to the WWW NIC. If I manually disable/enable the WWW NIC the database traffic will switch to the DB NIC and things are fine. I want a reboot to be configured automatically 100% of the time. Things I have tried are:

1. Physically move the NICs on the motherboard hoping one always gets enabled first. (doesn't happen)
2. Add a static persistent route to the database IP using the "Interface" option. The static route works, but after a reboot the "Interface" part of the static route command does not.
3. Add a service that runs a batch file that in turn runs the route command.  I hold promise for this, but it didn't work the first time I tried it.  
4. Changed the binding order and made the Database NIC the first NIC listed. (didn't seem to make a difference)

Any other suggestions would be greatly appreciated.
Question by: spillanepp

Expert Comment

ID: 11887349
On the public IP NIC go to the properties for the adapter and, under the Advanced tab of TCP/IP, uncheck Automatic Metric and assign it a number 2. Then do the same to the internal NIC, assigning it a 1. This will give the database NIC first assignment.

If not already static, you should make them static.
LVL 11

Expert Comment

ID: 11888326
Putting two NICs on the same network, IF IT WORKS AT ALL, tells everybody that you *don't care* which one handles the traffic.  (It's not guaranteed to work at all....)

If you want to route traffic differently over two NICs, their addressing has to reflect that difference.  If the second NIC is for a private back channel to the database server, put it on a private subnet and address the database server via an address that takes that route.

LVL 16

Expert Comment

ID: 11889053
>If the second NIC is for a private back channel to the database server, put it on a private subnet and address the database
>server via an address that takes that route

I concur.



Author Comment

ID: 11917475
I really thought that acsservice's suggestion was going to work, but it actually didn't, so I went with the static route option and had it run with the autoexnt service at bootup.  Once I added the AutoExNT service I had to make sure that it was dependent on TCP/IP by modifying the registry and adding the DependOnService value.  At least it is working now.
LVL 16

Expert Comment

ID: 11924743
I object - I think PennGwyn's solution was much cleaner, and the "right" way to accomplish the solution - IMO, the author has implemented some bizarre workaround because s/he is afraid to adjust the networking config in some small way (other than local static routes).

I'm also hoping the author can clarify this:

>so I went with the static route option and had it run with the autoexnt service at bootup

I'd be interested to know how a static route solved this, and why it apparently works now, when the author listed it as number 3 in a list of things that *didn't* work.

I'm also not convinced this solution will work outside a narrow set of conditions, while PennGwyn's solution will work on *any* OS that supports IP.

EE Networking PE


Author Comment

ID: 11962854
While I agree that PennGwyn's solution would work, it was not an option for me because of security concerns. If I use the private subnet that the database server is on for one of the NICs then I have a server with a private and a public IP address that would be bypassing the firewall completely. Personally I believe this compromises security, which I was not willing to do. Reconfiguring the network with an additional subnet is really not an option because I was looking for a server-based solution that didn't include making changes to the network infrastructure.

I will also say that manually adding a static route always worked as stated in #2 of my question. The problem I initially had was how to get the static route to run as a service. Getting this to work solved my problem. The reason it didn't work at the time of my first writing was because I needed to manually add the DependOnService value to the HKLM\System\CurrentControlSet\Services\AutoExNT registry key and then add TCPIP as a multi-string. This forces TCPIP to start before running the route command. Ideally I could have just added a persistent route, but in Windows 2000 the interface information is not retained in the registry.

To clarify how I got the route command to run I used the Technet article:
and put the following command into the autoexnt.bat file
route add <database ip> mask <subnet mask> <gateway ip> IF 0x1000003

I will also agree with you Jon that it may not work outside of the scope of this scenario (i.e. another OS), but I can tell you that it works on the two Windows 2000 servers that I tried it on (different hardware).
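A boot-time batch file along the lines the author describes, as an added example and not the poster's own autoexnt.bat: it re-pins a host route to the database server on the firewall-permitted NIC each boot and logs whether the route is actually present afterwards. The addresses and the interface index 0x1000003 are assumed placeholders (the index comes from the Interface List at the top of "route print"), and the AutoExNT service is assumed to already carry the DependOnService value of Tcpip so that TCP/IP is up before the file runs.

```batch
@echo off
rem autoexnt.bat - run at boot by the AutoExNT service (Windows 2000 Resource Kit)
rem after that service has been made dependent on Tcpip (DependOnService = Tcpip).
rem Added example, not the original poster's file. All values below are assumed
rem placeholders; take the real interface index from the Interface List shown
rem by "route print" on the server.
set DB_IP=10.0.0.5
set GW_IP=192.168.1.1
set DB_IFACE=0x1000003
set LOG=%SystemRoot%\autoexnt-route.log

echo %DATE% %TIME% pinning host route to %DB_IP% via interface %DB_IFACE% >> %LOG%

rem Drop whatever route to the database host a random NIC start order left behind,
rem then add a host route (255.255.255.255 mask) bound to the database NIC with
rem the best metric, so the database traffic always leaves the firewalled NIC.
route delete %DB_IP% >> %LOG% 2>&1
route add %DB_IP% mask 255.255.255.255 %GW_IP% metric 1 if %DB_IFACE% >> %LOG% 2>&1

rem Verify and record the result: if the host route is missing, the database
rem traffic may be going out the WWW NIC again and the firewall will block it.
route print %DB_IP% | find "%DB_IP%" >> %LOG%
if errorlevel 1 echo %DATE% %TIME% WARNING: host route to %DB_IP% missing >> %LOG%
```

Checking the log after each reboot (or alerting on the WARNING line) gives a quick confirmation that the route is bound to the right interface before any database connection is attempted.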

Accepted Solution

CetusMOD earned 0 total points
ID: 11983500
Closed, 125 points refunded.
Community Support Moderator
