I have a 411AH access point behind a 450G and I need to be able to access both devices through winbox based on their public IP addresses. I have no problems accessing the 450G through it's public IP, but I can't get the NAT to forward to the 411AH no matter what I try. I'm still fairly new to networking, but everything seems to be set right based on what I could find online. The 411AH is relaying DHCP from the 450G and has a static IP of 192.168.0.2. Wireless connections pull DHCP and access the internet with no problem.

450G and 411AH - both running 5.0rc10
Internet comes into ether1 on 450G
411AH is plugged into ether2 (2-5 are bridged)

450G settings

/interface bridge
Flags: X - disabled, R - running
0 R name="Client-Net" mtu=1500 l2mtu=1524 arp=enabled
mac-address=00:0C:42:AC:58:6D protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m

/ip address
# ADDRESS NETWORK INTERFACE
0 192.168.0.1/24 192.168.0.0 Client-Net
1 74.202.xxx.244/29 74.202.xxx.240 ether1 Public IP for 450G
2 74.202.xxx.245/32 74.202.xxx.240 ether1 Public IP for 411AH, not sure if this is right

/ip route
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 74.202.xxx.241 1
1 ADC 74.202.xxx.240/29 74.202.xxx.244 ether1 0
2 ADC 192.168.0.0/24 192.168.0.1 Client-Net 0

/ip firewall nat
0 chain=dstnat action=dst-nat to-addresses=192.168.0.2
dst-address=74.202.xxx.245
1 chain=srcnat action=src-nat to-addresses=74.202.xxx.245
src-address=192.168.0.2
2 ;;; Default Src NAT for client net.
chain=srcnat action=masquerade out-interface=ether1

Delete that and put it back in as a /29 as well. Both IPs should have a /29 netmask.
Delete that and add interface references: If that still isn't working post the output of "/ip firewall export"

Thanks for the quick response. Winbox and the web interface are still connecting to the 450G instead of the 411AH. Here's the firewall export. Am I right in having both public IP's set to ether1?

/ip firewall export
# mar/02/2011 15:53:46 by RouterOS 5.0rc10
# software id = Y0R2-KFRD
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=accept chain=dst-nat disabled=no dst-address=74.202.xxx.245 \
in-interface=ether1
add action=accept chain=src-nat disabled=no out-interface=ether1 src-address=\
192.168.0.2
add action=masquerade chain=srcnat comment="Default Src NAT for client net." \
disabled=no out-interface=ether1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Those aren't right. Look at the action of 'accept' rather than what I posted:

Am I right in having both public IP's set to ether1?

If you're referring to the interface set for the IPs under "/ip address" then yes, that is correct.

That was strange. I fixed it, but I'm still getting the 450G with either IP address. Is there a way to trace connections to the .245 IP so I can see if it hits the NAT rule at all? I've got a masquerade rule, but it's after the dst-nat/src-nat. Here is the current /ip firewall nat.
0 chain=dst-nat action=dst-nat to-addresses=192.168.0.2
dst-address=74.202.xxx.245 in-interface=ether1

1 chain=src-nat action=src-nat to-addresses=74.202.xxx.245
src-address=192.168.0.2 out-interface=ether1

2 ;;; Default Src NAT for client net.
chain=srcnat action=masquerade out-interface=ether1

Not sure if this helps in the troubleshooting, but I can't ping anything on the 192.168.0.xxx network from ether1 on the 450G. I think that is part of why my NAT isn't working, but I'm not sure.

Problem resolved. I was missing a static route on the 411AH back to the 450G.