Tunnel IPv6 over IPv4 doesn't work when crossing a Mikrotik

Attached is a diagram of the topology.

I have a mail server with an IPv6 tunnel to Hurricane Electric (HE) that worked perfectly until I changed the router, from a TP-Link with DMZ to a Mikrotik. In the config I have redirected all ports except two (for ssh and winbox) to the IP of the mail server, as before.
Do you know if something has to be configured so that IPv6 protocol 41 passes through the Mikrotik and reaches the mail server, inbound and outbound?

X chain=dstnat action=dst-nat to-addresses=192.168.6.2 protocol=ipv6-encap in-interface=pppoe-out1 log=no log-prefix=""

1 chain=dstnat action=dst-nat to-addresses=192.168.5.2 protocol=ipv6-encap in-interface=vlan20_MASMOVIL log=no log-prefix=""

2 ;;; to ECONECTIA por Radio
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""

3 ;;; to MASMOVIL
chain=srcnat action=masquerade out-interface=vlan20_MASMOVIL log=no log-prefix=""

4 ;;; to ECONECTIA por GRE
chain=srcnat action=src-nat to-addresses=5.183.187.203 out-interface=gre-tunnel-CAB1-ECONECTIA log=no log-prefix=""

5 chain=dstnat action=dst-nat to-addresses=192.168.6.2 to-ports=0-9144 protocol=tcp in-interface=gre-tunnel-CAB1-ECONECTIA dst-port=0-9144 log=no log-prefix=""

6 chain=dstnat action=dst-nat to-addresses=192.168.5.2 to-ports=0-9144 protocol=tcp in-interface=vlan20_MASMOVIL dst-port=0-9144 log=no log-prefix=""

7 chain=dstnat action=dst-nat to-addresses=192.168.6.2 to-ports=0-9144 protocol=tcp in-interface=pppoe-out1 dst-port=0-9144 log=no log-prefix=""

8 chain=dstnat action=dst-nat to-addresses=192.168.6.2 to-ports=0-9144 protocol=udp in-interface=gre-tunnel-CAB1-ECONECTIA dst-port=0-9144 log=no log-prefix=""

9 chain=dstnat action=dst-nat to-addresses=192.168.5.2 to-ports=0-9144 protocol=udp in-interface=vlan20_MASMOVIL dst-port=0-9144 log=no log-prefix=""

10 chain=dstnat action=dst-nat to-addresses=192.168.6.2 to-ports=0-9144 protocol=udp in-interface=pppoe-out1 dst-port=0-9144 log=no log-prefix=""

11 chain=dstnat action=dst-nat to-addresses=192.168.6.2 to-ports=9147-65535 protocol=tcp in-interface=gre-tunnel-CAB1-ECONECTIA dst-port=9147-65535 log=no log-prefix=""

12 chain=dstnat action=dst-nat to-addresses=192.168.5.2 to-ports=9147-65535 protocol=tcp in-interface=vlan20_MASMOVIL dst-port=9147-65535 log=no log-prefix=""

13 chain=dstnat action=dst-nat to-addresses=192.168.56.2 to-ports=9147-65535 protocol=tcp in-interface=pppoe-out1 dst-port=9147-65535 log=no log-prefix=""

14 chain=dstnat action=dst-nat to-addresses=192.168.6.2 to-ports=9147-65535 protocol=udp in-interface=gre-tunnel-CAB1-ECONECTIA dst-port=9147-65535 log=no log-prefix=""

15 chain=dstnat action=dst-nat to-addresses=192.168.5.2 to-ports=9147-65535 protocol=udp in-interface=vlan20_MASMOVIL dst-port=9147-65535 log=no log-prefix=""

16 chain=dstnat action=dst-nat to-addresses=192.168.6.2 to-ports=9147-65535 protocol=udp in-interface=pppoe-out1 dst-port=9147-65535 log=no log-prefix=""

Regards.

Three points to think about:

  • The rules in srcnat and dstnat chains are only used to handle the initial packet of each tracked connection; the result is stored in that connection’s context and all subsequent packets belonging to the same connection get the same treatment. So if the first ever ipv6-encap packet comes in via one of your two “real” WAN interfaces, the action=dst-nat rule determines the handling of the whole HE tunnel connection; if the first ever ipv6-encap packet arrives from the mailserver, the action=src-nat or action=masquerade rule determines the handling of that connection.
  • If the first ever ipv6-encap packet arrives via the GRE tunnel, which is actually a third WAN interface, there is no dst-nat rule for it.
  • The policy routing may result in something other than what you expect, i.e. the ipv6-encap packets from the server may use a different WAN than the one through which the ipv6-encap packets from HE arrive, and get dropped somewhere en route due to a wrong source address.
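To make those three points concrete, here is an added RouterOS configuration that is not from the original thread: it covers protocol 41 on all three WAN interfaces (including the GRE tunnel the posted rules miss) and pins the server's replies to the WAN the HE packets arrived on. It assumes RouterOS v6 route syntax, the interface names and server addresses from the posted config, and a placeholder for the MASMOVIL gateway address.

```routeros
# Added example, not from the original thread. Assumes RouterOS v6 syntax
# (v7 uses routing-table= on routes plus /routing table add instead of
# routing-mark=), the interface names and server addresses from the posted
# config, and a PLACEHOLDER gateway address for the MASMOVIL VLAN.

# 1. dst-nat protocol 41 on ALL three WAN interfaces, including the GRE
#    tunnel. The rule that matches the first tracked packet decides the
#    NAT of the whole tunnel "connection", so every WAN needs a rule.
/ip firewall nat
add chain=dstnat protocol=ipv6-encap in-interface=pppoe-out1 \
    action=dst-nat to-addresses=192.168.6.2 comment="HE 6in4 via ECONECTIA radio"
add chain=dstnat protocol=ipv6-encap in-interface=vlan20_MASMOVIL \
    action=dst-nat to-addresses=192.168.5.2 comment="HE 6in4 via MASMOVIL"
add chain=dstnat protocol=ipv6-encap in-interface=gre-tunnel-CAB1-ECONECTIA \
    action=dst-nat to-addresses=192.168.6.2 comment="HE 6in4 via ECONECTIA GRE"

# 2. Remember which WAN the tunnel arrived on: mark the connection on its
#    first packet, then give the packets of that connection coming back from
#    the LAN a routing mark so replies leave the same WAN (and so keep the
#    source address HE expects) instead of following the default route.
/ip firewall mangle
add chain=prerouting protocol=ipv6-encap connection-state=new in-interface=pppoe-out1 \
    action=mark-connection new-connection-mark=he-pppoe passthrough=yes
add chain=prerouting protocol=ipv6-encap connection-state=new in-interface=vlan20_MASMOVIL \
    action=mark-connection new-connection-mark=he-masmovil passthrough=yes
add chain=prerouting protocol=ipv6-encap connection-state=new in-interface=gre-tunnel-CAB1-ECONECTIA \
    action=mark-connection new-connection-mark=he-gre passthrough=yes
add chain=prerouting in-interface=!pppoe-out1 connection-mark=he-pppoe \
    action=mark-routing new-routing-mark=via-pppoe passthrough=no
add chain=prerouting in-interface=!vlan20_MASMOVIL connection-mark=he-masmovil \
    action=mark-routing new-routing-mark=via-masmovil passthrough=no
add chain=prerouting in-interface=!gre-tunnel-CAB1-ECONECTIA connection-mark=he-gre \
    action=mark-routing new-routing-mark=via-gre passthrough=no

# 3. One default route per routing mark. Point-to-point interfaces can be
#    named directly as the gateway; the VLAN needs its ISP gateway address.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=via-pppoe
add dst-address=0.0.0.0/0 gateway=gre-tunnel-CAB1-ECONECTIA routing-mark=via-gre
add dst-address=0.0.0.0/0 gateway=<MASMOVIL-GATEWAY-IP> routing-mark=via-masmovil
```

After adding the rules, check `/ip firewall connection print` for the protocol 41 entry between the public address and the HE endpoint: a tracked entry created before the rules keeps its old NAT decision, so remove it and let the tunnel re-establish.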