Post the output of "/ip firewall export", "/ip address print" and "/ip route print" as well as a network diagram.
[admin@MikroTik] > /ip firewall export
# sep/08/2010 22:14:50 by RouterOS 4.10
# software id = QTDA-ABI5
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway
/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=80,443 new-routing-mark="Tunnel traffic" passthrough=\
no protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; default configuration
     192.168.1.126/24   192.168.1.0     192.168.1.255   ether2-local-master
 1   192.168.170.1/24   192.168.170.0   192.168.170.255 ipip1
 2 D 222.154.xxx.15/24  222.154.xxx.0   222.154.xxx.255 ether1-gateway
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          ipip1              1
 1 ADS  0.0.0.0/0                          222.154.238.254    0
 2 ADC  192.168.1.0/24     192.168.1.126   ether2-local-ma... 0
 3 ADC  192.168.170.0/24   192.168.170.1   ipip1              0
 4 ADC  222.154.xxx.0/24   222.154.xxx.15  ether1-gateway     0
I don't have my network diag software on this machine; if you need it, I can get it at the weekend.
I want traffic on port 80 and 443 to be tunneled to another router, then access the webhost (it is working up till here).
The webhost needs to know to send the requested page to the source router (222.154.xxx.15) and the source router needs to recognize and accept this on its firewall.
MikroTik 222.154.xxx.15 -> IPIP tunnel 192.168.170.1 for ports 80 and 443 -> Cisco 6500 with tunnel interface 192.168.170.2 and public IP 202.89.xxx.245 -> Webhost -> 222.154.xxx.15