port forwarding to VPN

Hi all,

I have site-to-site VPN to secondary location. If I add following rule, I see packet increased if I try to access https on my public IP (first location), but it is not forwarded to the device, that is in second location.

Any idea what I’m missing?

...
/interface pppoe-client
add add-default-route=yes allow=chap,mschap1,mschap2 disabled=no interface=bridgeINET max-mtu=1480 name=pppoe-out2 use-peer-dns=yes user=4C:5E:0C:41:4D:89

...

/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface pptp-server server
set default-profile=default

...

/ip firewall filter
add action=accept chain=input comment=VPN port=1701,500,4500 protocol=udp
add action=accept chain=input comment=IPSEC protocol=ipsec-esp
add action=drop chain=input comment="winbox - rogue login attempts from \"jarko\"" dst-port=8291 protocol=tcp src-address=93.99.229.101 src-port=""
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp src-port=""
add action=accept chain=input comment=http/htttps dst-port=80,443 protocol=tcp src-port=""
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=bridgeINET src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=drop chain=input comment="Drop everything else"

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<my public IP> dst-port=443 protocol=tcp to-addresses=192.168.2.11 to-ports=443
add action=src-nat chain=srcnat out-interface=pppoe-out2 src-address=192.168.1.0/24 to-addresses=<my public IP>

/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=172.16.1.2

/ppp secret
add local-address=172.16.1.1 name=<my site 2 username> profile=default-encryption remote-address=172.16.1.2

...

Solved.

It also needs srcnat rule on the primary location router

add action=src-nat chain=srcnat dst-address=<IP of device to publish> dst-port=443 protocol=tcp to-addresses=<IP of router on primary site>