RouterOS normally does not permit dst-nat of outgoing sessions (nor src-nat of incoming sessions), but there is an ugly trick allowing both. It will cost some CPU cycles, but I assume your router model is powerful enough that the bottleneck for the btest would be the LTE throughput.
- choose any two own IPs of the router, a.a.a.a and b.b.b.b
- create two /interface ipip, forming a tunnel between these two local IPs:
name=A2B local-address=a.a.a.a remote-address=b.b.b.b mtu=1500
name=B2A local-address=b.b.b.b remote-address=a.a.a.a mtu=1500
- attach an IP address c.c.c.1/32, not conflicting with any of the subnets you use, to interface A2B
- create an /ip firewal nat rule:
chain=srcnat out-interface=A2B action=src-nat to-addresses=c.c.c.2/32
(c.c.c.2 must also not interfere with any subnet you use)
- create a default route with the same gateway like the existing one but with routing-mark=aux
- create an /ip route rule row:
interface=B2A action=lookup-only-in-table table=aux
- create an /ip firewal nat rule:
chain=dstnat in-interface=B2A protocol=tcp dst-port=2000 action=dst-nat to-ports=22222
(or whatever port you'll be redirecting to 2000 at the remote btest server)
- create two /ip route rows:
dst-address=s.s.s.s gateway=A2B
(where s.s.s.s is the address of the btest server)
dst-address=c.c.c.2 gateway=B2A
- make sure that a src-nat or masquerade rule exists, matching on out-interface=LTE or out-interface-list=WAN
This way, btest will send the connection establishing packet to s.s.s.s using A2B as the output interface; the connection will get src-nated to c.c.c.2. Once the packet passes through the tunnel, it will emerge from B2A and hit the dst-nat rule; in order that it wouldn't loop to A2B again, the routing rule will mark it with
routing-mark=aux, so the default route with the same
routing-mark will send it via the regular WAN (LTE) interface to the destination; before actually leaving, it will get src-nated (masqueraded) again.
The response packet from s.s.s.s will arrive on the WAN interface and get un-src-nated to c.c.c.2; as c.c.c.2 is not one of router's own addresses, it will be routed via B2A (that's the reason why we needed to src-nat the initial request from c.c.c.1 to c.c.c.2) and un-dst-nated on the way; once it passes through the tunnel and emerges from A2B, it will get un-src-nated again and land on c.c.c.1 from s.s.s.s:2000.