Not specific to this router from what I can tell.

I cannot seem to make a port forward (WAN->LAN) work for an IP at the far end of an L2TP/IPsec tunnel at all.  I cannot use a reverse proxy on my NAS to reach an IP at the end of that tunnel either, unless I add a static route on the NAS to that IP by way of the tunnel endpoint (which can change if the tunnel bounces, and so is not a reliable approach).

Ideally the default gateway for the VLAN, would be smart enough to know about the remote subnet, and forward any packet destined for it via the tunnel, but this is not the case.  I believe that is why the port-forwarding across the TPlink router also does not work.

To illustrate, public IP (router) LAN subnet (tunnel) remote subnet

50.50.50.50 (ER605) 10.10.10.0/24 (L2TP VPN) 20.20.20.0/24

I cannot forward 50.50.50.50:80 to 20.20.20.20:80

If I run a reverse proxy on 10.10.10.10, then I CAN proxy 50.50.50.50:443 to 10.10.10.100:443 (by forwarding first to 10.10.10.10 and then proxying to 10.10.10.100) but I cannot proxy 50.50.50.50:8080 via 10.10.10.10 to 20.20.20.20:80.  If my VPN tunnel is configured to use 30.30.30.0/24, then the initial local tunnel endpoint IP is usually 30.30.30.1.  If I add a static route on 10.10.10.10, saying the route 20.20.20.0/24 is via 30.30.30.1 then my previously configured proxy to 20.20.20.20:80 starts working.  Problem is if the remote end reboots for whatever reason, I often see the tunnel endpoint change to 30.30.30.2 etc.

Do I need a feature request, or am I just being stupid?  Is there a better way?