AWS subnet is 10.10.80.0/24 with CHR have got 10.10.80.1.
Your LTE devices connect by SSTP to CHR and they have got 10.10.80.100-101.
Your PC have got 192.168.1.100 and your local router=gateway is 192.168.1.1
In this scenario
* Your PC WinBox must have routing to 10.10.80.0/24 via his SSTP e.g. 10.10.80.102/
Then your WinBox should connect to CHR at his 10.10.80.1 - this is work for you?
* CHR must have firewall rule in chain=forward to allow that traffic after accepting established&related and before rule two have action like drop/deny/tarpit
ip firewall filter add chain=forward src-address=192.168.1.100 dst-address=10.10.80.0/24 protocol=tcp dst-port=8291 action=accept comment="WinBox Allow"
* at LTE you have got accept in Input chain after accepting established&related but before action like drop/deny/tarpit
ip firewall filter add chain=input src-address=192.168.1.100 dst-address=10.10.80.0/24 protocol=tcp dst-port=8291 action=accept comment="WinBox Allow"
and in IP>Service the WinBox service must be active and the IP must be 0.0.0.0/0 or/and your specific
and in System > Users your user not must restricion from logon from not your IP
Of course classic testing like
* ping 10.10.80.101
* tools traceroute 10.10.80.101
* ip firewall connections (=connection tracking, conntrack) and filter traffic to 10.10.80.101 show you what is blocked in firewall, one dirrection like Tx works but no Rx etc...
* tools torch show similar to conntrack
I hope I give you hint in this way.
This is like that easy that should just work out-of-box.
And If your LTE devices receive other IP like 10.20.30.100-101 then just change the 10.10.80.0/24 to 10.20.30.0/24 in firewall rules.