I deploy the hAP Lite devices at remote sites for easy and secure remote access. the hAP connects to my office via EoIP over SSTP. I have about a dozen of these guys out there, and my setup is essentially the same on all of them (save for the SSTP/EoIP tunnel numbers, ip's, etc).

The hAP graps a dhcp from the local network, connects, and my EoIP tunnel is established. I then assign a /30 for a management interface between my router (RB4011) and the hAP, that way I'm able to access the router as well as some other devices on the other end of the network.

I just deployed one of these this week that's running ros 7.6, and the dst-nat function doesn't seem to work like it does on all the other hAP's running ros 6.xx. I'm about ready to pull my hair out trying to figure this out, but nothing has seemed to work. I've looked at several working configs for other sites dozens of times over the last 3 days, and everything feels like it should be working. So, I'm asking for help.

What I'm trying to accomplish - I need to access a host on the remote side within the DHCP range 10.1.10.10/24, via my management interface of 10.10.32.6/30. I've been able to set this up with a dst-nat firewall rule, but traffic doesn't ever reach the remote range.

When I'm at my office, I need to be able to visit 10.10.32.6:80 and have that bet dst-nat'd to the remote 10.1.10.10:80 address.

Here's copies of my configs

Firewall
*These are the only 3 firewall rules - period*

Addresses


Interfaces
Packets are making it to the other side just fine, and this is one of the log entries from my log tag above. This log behavior is the exact same as all the others on my 6.x devices.

Log output

Aside from EoIP being seemingly useless, at least I don't see any reason in provided description why it's there at all, it should work. Try some more logging, see e.g. this as example: viewtopic.php?p=963756#p963756