Hi all, I'm new at this mikrotik stuff so help point me in the right direction please.
I've downloaded RouterOS3.0 and installed it with a CD on a workstation computer. My workstation has two ethernet cards. Ether2 is connected to the internet and ether1 will support my client base.
Problem #1: How can i get traffic to pass from ether1 to ether2 to the internet.
Right now ether2 is obtaining a private IP from my network. I've managed to setup a dhcp server on ether1 and can obtain an address from it. ether1 is handing out public addresses but i can't get anything to pass to ether2. I'm sure this is a routing problem of some kind i'm just not sure how to fix it.

thanks in advance!
Ron

It's hard to troubleshoot this without your configuration. Post the output of "/ip address print detail", "/ip route print detail", "/ip firewall export" and "/ip dhcp-server export".

[admin@MikroTik] > ip add pr det
Flags: X - disabled, I - invalid, D - dynamic
0 D address=172.20.5.125/24 network=172.20.5.0 broadcast=172.20.5.255
interface=eth1 actual-interface=eth1

1 address=172.20.5.165/24 network=172.20.5.0 broadcast=172.20.5.255
interface=eth1 actual-interface=eth1

2 address=64.8.77.220/24 network=64.8.77.0 broadcast=64.8.77.255
interface=eth0 actual-interface=eth0

[admin@MikroTik] > ip rou pr det
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=172.20.5.6
gateway-status=172.20.5.6 reachable eth1 distance=0 scope=30
target-scope=10

1 S dst-address=0.0.0.0/0 gateway=172.20.5.6,64.8.77.1
gateway-status=172.20.5.6 reachable eth1,64.8.77.1 reachable eth0
distance=1 scope=30 target-scope=10

2 ADC dst-address=64.8.77.0/24 pref-src=64.8.77.220 gateway=eth0
gateway-status=eth0 distance=0 scope=10

3 S dst-address=64.8.77.0/24 gateway=eth1 gateway-status=eth1 reachable
distance=1 scope=30 target-scope=10

4 ADC dst-address=172.20.5.0/24 pref-src=172.20.5.125 gateway=eth1
gateway-status=eth1 distance=0 scope=10


[admin@MikroTik] > ip firewall exp
# oct/22/2009 20:00:44 by RouterOS 4.0
# software id = 1HVM-6NIQ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no



[admin@MikroTik] > ip dhcp-s exp
# oct/22/2009 20:01:19 by RouterOS 4.0
# software id = 1HVM-6NIQ
#
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=eth0 lease-time=3d name=dhcp1
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=64.8.77.0/24 comment="" gateway=64.8.77.1

You definitely want to remove the static route marked "1" as it's nonsensical for your setup.

Also, a couple of questions:

1. Can you confirm that eth1 is your uplink, and eth0 is your LAN?
2. Can you confirm that 172.20.5.6 is supposed to be the default route for all traffic the router isn't directly connected to?
3. Why do you have both a dynamic and a static address configured on eth1?
4. Does 172.20.5.6 know that 64.8.77.220/24 is reachable via 172.20.5.165 (and 172.20.5.125, I guess)?
5. How are you determining that traffic isn't flowing between the two interfaces? You can implement a simply forward rule that allows traffic:
and see if that rule is counting packets when you ping something out in the world. If it is, traffic is forwarded between the interfaces (even if you're not receiving replies).

I have removed the static route you suggested.
1. Can you confirm that eth1 is your uplink, and eth0 is your LAN?
- Eth1 is plugged into the wall and eth0 is plugged into my laptop

2. Can you confirm that 172.20.5.6 is supposed to be the default route for all traffic the router isn't directly connected to?
- 172.20.5.6 is the gateway of my dhcp connection and my static on eth1

3. Why do you have both a dynamic and a static address configured on eth1?
- eth1 is configured for static and dhcp mainly because some of the changes i've been making to the routing table have really messed it up and i wanted a last resort in before i reset the config again. I can turn off the dhcp client, no problems.

4. Does 172.20.5.6 know that 64.8.77.220/24 is reachable via 172.20.5.165 (and 172.20.5.125, I guess)?
- I don't think so. How do you set that?

5. How are you determining that traffic isn't flowing between the two interfaces?
- I can ping the ip on eth0 (64.8.77.220) but no other IPs out from that

I tried it setup the rule but it's not showing any traffic pass when i try to ping stuff past the ip on eth0. I can however see traffic on the two different interfaces in the interface list.

it setup the rule but it's not showing any traffic pass when i try to ping stuff past the ip on eth0. I can however see traffic on the two different interfaces in the interface list.

Traffic on both interfaces might indicate things are actually being forwarded, if you're connected to the router from your laptop. How did you check if the rule is counting packets? "/ip firewall filter stats" shows 0 packets and 0 bytes for that rule?

4. Does 172.20.5.6 know that 64.8.77.220/24 is reachable via 172.20.5.165 (and 172.20.5.125, I guess)?
- I don't think so. How do you set that?

Via the routing table on that device, either populated statically or via a routing protocol running between the two routers.

I'm using a combination of Winbox v4.0 and telnet to do this stuff from my office machine connecting through eth1 (my static 172.20.5.165). I'm watching the counters for the interfaces and the firewall rule in winbox. can see the interfaces and their traffic counters there. That's how i can tell that traffic is reaching the interfaces. the counters for the firewall rule that you instructed me to set up show 0Bs and 0 packets.

Via the routing table on that device, either populated statically or via a routing protocol running between the two routers.

this is what i think will fix my issue. what would the syntax for the entry in the routing table be?

That rather heavily depends on what 172.20.5.6 is.

172.20.5.6 is the gateway for our Office Vlan that lives on the cisco catalyst 5500

I would remove your routes that arent dynamic. Under dhcp client, where u tell the ether2 device that u want to obtain your gateway address, choose "add default route"... This will make sure your current gateway is that of your ether2 assigned card, since dynamic addresses may possibly change from time to time.

Make sure you can ping your laptop and your gateway address (the one that dhcp-client assigned to ether2)

than type

/ip dns set-primary-dns=your dns addy allow-remote-requests=yes

try to ping google.com

/ip firewall nat chain=srcnat action=masquerade out-interface=ether2

your laptop should work now.

Good luck.

Also get with whoever administrates the Catalyst 5500 and make sure their routing table reflects the public space you're trying to use.

I have removed all of the routes that aren't dynamic.
I have made the changes to the dhcp client.
Logged into a telnet session from either the laptop or my desktop machine I can ping everything; the laptop connected by dhcp, google.com, the gateway of the eth1 (172.20.5.6)
I have added the firewall rule:
/ip firewall nat chain=srcnat action=masquerade out-interface=ether2

still no communication from eth0 through eth1

Also get with whoever administrates the Catalyst 5500 and make sure their routing table reflects the public space you're trying to use.

The network guy tells me that what i have for a static ip on eth0 (64.8.77.220) should be fine and the range i'm trying to hand out with dhcp (64.8.77.221-64.8.77.254) is fine. that range is already in a dhcp server ready to be handed out but is currently unused.

exchange "ether2" for "eth1", may make it work.

Maybe my concept of how this works is slightly out of focus.
I want my end result with this project to have the ability to do bandwidth management and DHCP.
Do i need an "in" and an "out" network interface? I've been reading some site that say to set everything up on one port and it works.
I was under the assumption that the traffic needs to pass through this device.
Please, correct me if i'm wrong.