MikroTik

Hello, I have a problem with redirecting access to a second Mikrotik via a IPSEC tunnel like on the picture below (this is only a model of the real network i struggle with). The IPSEC tunnel connects the two LAN's and the traffic is flowing between them with no problem, but I need to access the second Mikrotik from a remote PC. For the testing purpose, all filter rules are disabled. I tried DST-NAT forwarding to 192.168.144.30:30096 to the second MT 192.168.0.20 but iit does not work, and I don't know what am I doing wrong.
NAT CFG of first MT:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.144.30 dst-port=30096 \
protocol=tcp to-addresses=192.168.0.30 to-ports=8291
add action=accept chain=srcnat dst-address=192.168.200.0/24 src-address=\
192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=\
192.168.200.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface=ether1

You have not posted enough of your Mikrotiks' configurations, but as you only describe the dst-nat part of the setup at the rightmost Mikrotik, I assume you haven't thought deep enough about the routing on the complete path.

The PC is on some external address, so when it sends a packet to the "public" IP of the rightmost Mikrotik, the dst-nat rule on that Mikrotik changes the destination address to the one of the leftmost Mikrotik. To match the packet and deliver it to the leftmost Mikrotik, the IPsec policy you use between the Mikrotiks would have to have 0.0.0.0/0 as src-address at the rightmost Mikrotik and as dst-address on the leftmost Mikrotik. If it did, all traffic of the leftmost Mikrotik would be redirected via the rightmost one, which is probably not what you have set up.

Even if the request packet made it somehow to the leftmost Mikrotik, the response packet from the leftmost Mikrotik would take the default route because no other route towards the PC's address exists on the leftmost Mikrotik, so the packet would arrive to the PC but src-nated to the public IP behind which the leftmost Mikrotik is placed, so the PC wouldn't recognize it as a response to its request.

So post both configurations so that we could suggest you a solution instead of guessing what mistakes you may have done. See a hint on anonymisation in my automatic signature below.


But as a quick shot, as your NAT rules with action=accept suggest that you use an IPsec policy just between 192.168.200.0/24 and 192.168.100.0/24, try to add the following rule right before the final action=masquerade one in chain=srcnat of /ip firewall nat:
chain=srcnat action=src-nat dst-address=192.168.200.1 connection-nat-state=dstnat protocol=tcp dst-port=8291 to-addresses=192.168.100.1

Also, change the to-addresses in the dst-nat rule from 192.168.0.30 to 192.168.200.1.