I am somewhere on the Internet, I connect to my CCR (WAN IP: xxx.xxx.xxx.xxx) via Winbox.
I would like to create a NAT on my CCR in order to access the configuration page of the modem which receives Internet, accessible on the WAN side of the CCR at the address 192.168.100.1.
Nope, will not provide any configuration to your router that is not on VPN.
And advise you to stop what you are doing with regard to winbox until you access via VPN.
…most likely a routing / firewall input chain “issue”.
Your transfer net / client net of your pptp connection is not part of the interface list allowed for the input chain in your firewall.
As noted you have to make sure where your traffic is located./dumped on the router has access via the input chain to the router itself for managment purposes.
This still does not provide necessarily access to the modem.
How would you get access to the modem if you were on the LAN???
Regarding the dst-nat rule: it must work, but you’ll likely need a src-nat one as well, or a route on the modem, so that the modem knew where to send the response.
Regarding the VPN: PPTP provides ridiculously weak encryption and doesn’t reliably pass through NAT as it is based on GRE, which is hard to handle for NATs (won’t annoy you with details unless you ask). L2TP/IPsec is equally simple (or equally complex) to set up and provides much better encryption; it can also cause trouble together with NAT but these can be worked around. IKEv2 has no problems with NAT but it is more complex to set up.
To get a more precise advice regarding remote access to the modem, post the export of the configuration of the CCR.
