I am very much confused by the lack of documentation surrounding the intended behaviour of setting DSTNAT and SRCNAT entries together with the mangle Connection, Packet and Routing Marks that are intended for PCC and Dual WAN type set-ups.
My configuration is a single dynamic (via DHCP) cable modem connection with a PortableIP L2TP tunnel on top of it, in which I would care to ONLY see SMTP traffic destined for an SMTP server on my home LAN go through.
I am at the point where I have everything done, i.e. all Connection, Packet and Routing Marks are configured, but my MAIL SERVER is responding to the DSTNAT traffic it receives from my RouterOS box back to the RouterOS LAN-side IP address.
What I need is for RouterOS to actually take that traffic and MAP it back onto the L2TP tunnel.
This is the set-up. What am I doing wrong?
/ip address
add address=192.168.3.1/24 broadcast=192.168.3.255 disabled=no interface=BrisenetLAN network=192.168.3.0
/ip firewall filter
add action=drop chain=input disabled=no src-address-list=Blocked
add action=accept chain=input disabled=no protocol=icmp
add action=accept chain=input disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=wan1
add action=accept chain=input connection-state=related disabled=no \
in-interface=wan1
add action=accept chain=input connection-state=established disabled=no \
in-interface=PortableIP-111.111.111.111
add action=accept chain=input connection-state=related disabled=no \
in-interface=PortableIP-111.111.111.111
add action=log chain=forward disabled=no dst-address=192.168.3.76 dst-port=25 \
log-prefix="DSTNAT in Forward Chain SMTP to ITOS:" protocol=tcp
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=wan1
/ip firewall mangle
add action=mark-connection chain=input comment="Step 1A - In Mangle Input Chain, mark inbound traffic from Portable-IP with New Connection Mark: portable-ip-connection. Passthrough = Yes = Go on processing down the list." disabled=no in-interface=PortableIP-111.111.111.111 new-connection-mark=portable-ip-connection passthrough=yes
add action=mark-connection chain=input comment="Step 1B - In Mangle Input Chain, mark inbound traffic from Cable Modem with New Connection Mark: cable-modem-connection. Passthrough = Yes = Go on processing down the list." disabled=no in-interface=wan1 new-connection-mark=cable-modem-connection passthrough=yes
add action=mark-packet chain=prerouting comment="Step 2A - In Mangle Prerouting Chain, via inheritance of the previously assigned New Connection Mark portable-ip-connection in Step 1A, assign Packet Mark portable-ip-packet to outbound traffic to Portable-IP. Passthrough = Yes = Go on processing down the list." connection-mark=portable-ip-connection disabled=no new-packet-mark=portable-ip-packet passthrough=yes
add action=mark-packet chain=prerouting comment="Step 2B - In Mangle Prerouting Chain, via inheritance of the previously assigned New Connection Mark cable-modem-connection in Step 1B, assign Packet Mark cable-modem-packet to outbound traffic to Cable Modem. Passthrough = Yes = Go on processing down the list." connection-mark=cable-modem-connection disabled=no new-packet-mark=cable-modem-packet passthrough=yes
add action=mark-routing chain=output comment="Step 3A - In Mangle Output Chain, mark outbound traffic to Portable-IP via inheritance of the previously assigned New Connection Mark portable-ip-connection in Step 1A with New Routing Mark: portable-ip-routing. Passthrough = Yes = Go on processing down the list." connection-mark=portable-ip-connection disabled=no new-routing-mark=portable-ip-routing passthrough=yes
add action=mark-routing chain=output comment="Step 3B - In Mangle Output Chain, mark outbound traffic to Cable Modem via inheritance of the previously assigned New Connection Mark cable-modem-connection in Step 1B with New Routing Mark: cable-modem-routing. Passthrough = Yes = Go on processing down the list." connection-mark=cable-modem-connection disabled=no new-routing-mark=cable-modem-routing passthrough=no
add action=accept chain=prerouting comment="Step 4A - In Mangle Prerouting Chain, avoid Routing Loop. Assign Routing Mark to outbound traffic to well known Portable-IP default gateway via Action Accept" disabled=no in-interface=BrisenetLAN
add action=accept chain=prerouting comment="Step 4B - In Mangle Prerouting Chain, avoid Routing Loop. Assign Routing Mark to outbound traffic to DYNAMIC cable-modem default gateway. Since the Cable Modem Default Gateway is Dynamic it is difficult to do the same for the cable modem via Action Accept" disabled=no dst-address=207.96.236.0/24 in-interface=BrisenetLAN
add action=mark-routing chain=prerouting comment="Step 5A - In Mangle Prerouting Chain, assign on Packet Mark portable-ip-packet Routing Mark to outbound traffic to Portable-IP via New Routing Mark portable-ip-routing. Passthrough = Yes = Go on processing down the list." disabled=no new-routing-mark=portable-ip-routing packet-mark=portable-ip-packet passthrough=yes
add action=mark-routing chain=prerouting comment="Step 5B - In Mangle Prerouting Chain, assign on Packet Mark cable-modem-packet Routing Mark to outbound traffic to cable modem via New Routing Mark cable-modem-routing. Passthrough = Yes = Go on processing down the list." disabled=no new-routing-mark=cable-modem-routing packet-mark=cable-modem-packet passthrough=yes
add action=log chain=prerouting comment="Log incoming SMTP connections from Portable-IP" disabled=no dst-port=25 in-interface=PortableIP-111.111.111.111 log-prefix="!!! Prer SMTP from 111.111.111.111 :" protocol=tcp
add action=log chain=prerouting disabled=no in-interface=BrisenetLAN log-prefix="traffic back from 3.76:" src-address=192.168.3.76
add action=log chain=postrouting disabled=no dst-port=25 log-prefix="all src nat output:" protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="dst-nat to mail server before masquerade" disabled=no dst-address=204.16.169.40 dst-port=25 in-interface=PortableIP-111.111.111.111 protocol=tcp to-addresses=192.168.3.76 to-ports=25
add action=masquerade chain=srcnat comment="masquerade back to portable-ip before everything else" disabled=no routing-table=portable-ip-routing
add action=masquerade chain=srcnat comment="src-nat of smtp from lan" disabled=no dst-address=192.168.3.1 dst-port=25 protocol=tcp routing-mark=portable-ip-routing src-address=192.168.3.76
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=BrisenetLAN
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=wan1
add action=log chain=dstnat comment="Check DST-NAT for incoming SMTP over Portable-IP" disabled=yes dst-address=204.16.169.40 dst-port=25 in-interface=PortableIP-111.111.111.111 log-prefix="SMTP DST-NAT OK:" protocol=tcp
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PortableIP-111.111.111.111 scope=10 target-scope=10
/ip route rule
add action=lookup-only-in-table disabled=yes routing-mark=out-portable-ip table=out-portable-ip
/ip service
F.
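The following is an added example, not the poster's configuration and not MikroTik documentation. It shows the minimal mark / NAT / route set that makes a dst-nat'ed service answer back out the interface the request arrived on, using the interface and address names from the post. Two points it relies on are general RouterOS packet flow: a forwarded packet traverses prerouting, forward and postrouting and never the input chain, and a connection mark set in prerouting is carried by conntrack for both directions of that connection. Assumptions beyond the post: RouterOS v5/v6 syntax (a route is bound to a mark with routing-mark= on /ip route; v7 uses routing-table= and needs a /routing table entry), and that the wan1 DHCP client installs the main-table default route (add-default-route=yes), so only tunnel traffic needs a mark.

```routeros
# Added example, not the poster's config. Assumes RouterOS v5/v6 syntax and that the
# cable-modem DHCP client on wan1 provides the main-table default route
# (/ip dhcp-client ... add-default-route=yes). Interface names are from the post.

/ip firewall mangle
# 1. Stamp each NEW connection arriving over the tunnel with a connection mark.
#    This must be in prerouting: after dst-nat the SMTP session is forwarded to
#    192.168.3.76, so it goes prerouting -> forward -> postrouting and never
#    enters the input chain. A mark-connection rule in chain=input never sees it.
add chain=prerouting in-interface=PortableIP-111.111.111.111 connection-state=new \
    action=mark-connection new-connection-mark=portable-ip-connection passthrough=yes

# 2. Reply packets from the mail server carry the same connection mark (conntrack
#    keeps it for both directions). Give them a routing mark so the routing
#    decision uses the tunnel table instead of main. passthrough=no: no later
#    rule in this chain should re-mark them.
add chain=prerouting in-interface=BrisenetLAN connection-mark=portable-ip-connection \
    action=mark-routing new-routing-mark=portable-ip-routing passthrough=no

# 3. Replies generated by the router itself (e.g. its SSH service reached over
#    the tunnel) do not pass prerouting; mark them in output the same way.
add chain=output connection-mark=portable-ip-connection \
    action=mark-routing new-routing-mark=portable-ip-routing passthrough=no

/ip firewall nat
# Port-forward SMTP arriving over the tunnel to the LAN mail server. Matching on
# in-interface rather than the tunnel address keeps the rule valid if the
# address is renumbered. Only port 25 is forwarded, so nothing else on the LAN
# is reachable through the tunnel.
add chain=dstnat in-interface=PortableIP-111.111.111.111 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=192.168.3.76 to-ports=25
# Source NAT by egress interface only. The routing mark has already chosen the
# egress, so no routing-mark matcher is needed in srcnat. There is deliberately
# no masquerade toward BrisenetLAN: with one, every forwarded connection reaches
# the mail server with the router's LAN address (192.168.3.1) as its source and
# the server's own logs lose the real client address.
add chain=srcnat out-interface=PortableIP-111.111.111.111 action=masquerade
add chain=srcnat out-interface=wan1 action=masquerade

/ip route
# The table selected by the routing mark. Without a route carrying this
# routing-mark the mark selects nothing and the lookup falls back to main.
# Because the route carries a routing-mark it is not the main-table default,
# so ordinary LAN traffic keeps using the cable modem.
add dst-address=0.0.0.0/0 gateway=PortableIP-111.111.111.111 \
    routing-mark=portable-ip-routing check-gateway=ping
```

To confirm the marks are landing after a test SMTP connection over the tunnel: `/ip firewall connection print where connection-mark=portable-ip-connection` should list the session, the counters of the mark-routing rule in `/ip firewall mangle print stats` should increase as the mail server answers, and `/ip route print where routing-mark=portable-ip-routing` should show the tunnel default route as active.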