now we have WAN2 and DAISY. So any connection that comes in on DAISY goes back out on WAN2.
So you actually don't need a rule to keep what came in via WAN2 on WAN2 but a rule to keep what came in via DAISY on DAISY. So go step by step now:
- open two command line windows
- run /tool sniffer quick interface=DAISY ip-protocol=icmp ip-address=126.96.36.199 in one of them
- run ping 188.8.131.52 routing-table=to_DAISY in the other one
If you can see the ping requests and responses in the sniffer window while pinging in the other one, the route with routing-mark=to_DAISY
If it doesn't work, show me the output of /ip route print
If it works, remove the routing-mark=to_DAISY from the row in /ip route rule, and make sure that the src-address on that row is a single address (/32), not the whole subnet attached to the interface. Then, run /tool sniffer quick interface=DAISY ip-protocol=udp port=500,4500 and try to connect using L2TP over IPsec from outside (i.e. not from LAN) to that address. You should see the connection attempts coming, and if it works, also the responses; if it doesn't work, the client should give up after a while.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
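The configuration the steps above assume, written out as an added RouterOS v6 example (not the poster's or the thread author's own export). The interface name DAISY, the table name to_DAISY and the address 126.96.36.199 are taken from the post; that 126.96.36.199 is the router's own DAISY address is an assumption, and the gateway 192.0.2.1 is a placeholder from the documentation range.

```routeros
# Added example, not from the original thread. Assumed: 126.96.36.199 is the
# router's own address on DAISY; 192.0.2.1 stands in for the DAISY gateway.

# A default route that is only used when a lookup happens in table to_DAISY.
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to_DAISY comment="default via DAISY"

# Anything sourced from the router's DAISY address is looked up only in that
# table, so replies (IKE on UDP 500/4500, L2TP inside) leave via DAISY again.
# src-address is a single /32, as the post requires, not the interface subnet.
/ip route rule
add src-address=126.96.36.199/32 action=lookup-only-in-table table=to_DAISY

# Verification, each command in its own terminal window (from the post):
#   /tool sniffer quick interface=DAISY ip-protocol=icmp ip-address=126.96.36.199
#   /ping 188.8.131.52 routing-table=to_DAISY
# then, for the L2TP/IPsec test from outside:
#   /tool sniffer quick interface=DAISY ip-protocol=udp port=500,4500
```

If the sniffer shows requests leaving DAISY but no replies, check the route first (/ip route print); if replies arrive but the L2TP client still times out, the route rule is the usual culprit, typically because src-address covers more than the single /32.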