Briefly: the Fortinet (FortiGate) firewall and RouterOS are connected through the external switch and can reach each other, and RouterOS and the firewall's public egress are connected through that switch and can reach each other. RouterOS then runs an IP tunnel to an ECS in Hong Kong, and one internal subnet's internet access goes through RouterOS over the tunnel to Hong Kong.
Current symptoms:
From an internal host I cannot ping 8.8.8.8
From RouterOS I can ping 8.8.8.8
From the firewall I can also ping it
On the ECS I checked, and the packets do go out
Pinging 8.8.8.8 from the internal host gets reply packets
[root@dev]# tcpdump -nnvve -i tun1 host 172.16.64.38
tcpdump: listening on tun1, link-type RAW (Raw IP), capture size 262144 bytes
17:06:40.672185 ip: (tos 0x0, ttl 125, id 25319, offset 0, flags [none], proto ICMP (1), length 60)
172.16.64.38 > 8.8.8.8: ICMP echo request, id 1, seq 1376, length 40
17:06:40.674825 ip: (tos 0x64, ttl 117, id 0, offset 0, flags [none], proto ICMP (1), length 60)
8.8.8.8 > 172.16.64.38: ICMP echo reply, id 1, seq 1376, length 40
17:06:40.717234 ip: (tos 0x64, ttl 116, id 0, offset 0, flags [none], proto ICMP (1), length 60)
8.8.8.8 > 172.16.64.38: ICMP echo reply, id 1, seq 1376, length 40
17:06:45.551302 ip: (tos 0x0, ttl 125, id 25320, offset 0, flags [none], proto ICMP (1), length 60)
172.16.64.38 > 8.8.8.8: ICMP echo request, id 1, seq 1377, length 40
17:06:45.553932 ip: (tos 0x64, ttl 117, id 0, offset 0, flags [none], proto ICMP (1), length 60)
8.8.8.8 > 172.16.64.38: ICMP echo reply, id 1, seq 1377, length 40
The firewall sees it too
In debug flow on the FG firewall I can see host 172.16.64.38 accessing 8.8.8.8; it has already matched the policy route and the firewall policy
id=20085 trace_id=19 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 172.16.64.38:1->8.8.8.8:2048) from port16. type=8, code=0, id=1, seq=1121."
id=20085 trace_id=19 func=init_ip_session_common line=5913 msg="allocate a new session-207bc82e"
id=20085 trace_id=19 func=vf_ip_route_input_common line=2595 msg="Match policy routing id=25: to 8.8.8.8 via ifindex-18"
id=20085 trace_id=19 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-172.16.254.34 via port7"
id=20085 trace_id=19 func=fw_forward_handler line=799 msg="Allowed by Policy-71:"
id=20085 trace_id=19 func=ipd_post_route_handler line=490 msg="out port7 vwl_zone_id 0, state2 0x300, quality 0.
I have tried everything I can think of and am out of ideas. Oh, and RouterOS has a srcnat rule whose out-interface is the WAN interface.
How do I get the internal hosts to reach the internet through the Hong Kong node?
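As an added analysis aid (this is not part of the original post and not anyone's configuration), here is a small Python script that pairs the ICMP echo requests and replies in the tcpdump output quoted above. The capture lines are copied from the post's tun1 capture and embedded inline; the host address 172.16.64.38 is the one from the post. Per ICMP (id, seq) it reports how many requests and replies were seen on tun1 and with which TTLs, so you can tell at a glance which probes were answered and where a reply shows up more than once. On the post's own capture it shows both requests answered, and seq 1376 answered twice with different TTLs (117 and 116), which is worth noticing when the host itself reports no reply.

```python
import re
from collections import defaultdict

# tcpdump -nnvv output copied from the post's capture on the ECS tun1 interface
CAPTURE = """\
17:06:40.672185 ip: (tos 0x0, ttl 125, id 25319, offset 0, flags [none], proto ICMP (1), length 60)
172.16.64.38 > 8.8.8.8: ICMP echo request, id 1, seq 1376, length 40
17:06:40.674825 ip: (tos 0x64, ttl 117, id 0, offset 0, flags [none], proto ICMP (1), length 60)
8.8.8.8 > 172.16.64.38: ICMP echo reply, id 1, seq 1376, length 40
17:06:40.717234 ip: (tos 0x64, ttl 116, id 0, offset 0, flags [none], proto ICMP (1), length 60)
8.8.8.8 > 172.16.64.38: ICMP echo reply, id 1, seq 1376, length 40
17:06:45.551302 ip: (tos 0x0, ttl 125, id 25320, offset 0, flags [none], proto ICMP (1), length 60)
172.16.64.38 > 8.8.8.8: ICMP echo request, id 1, seq 1377, length 40
17:06:45.553932 ip: (tos 0x64, ttl 117, id 0, offset 0, flags [none], proto ICMP (1), length 60)
8.8.8.8 > 172.16.64.38: ICMP echo reply, id 1, seq 1377, length 40
"""

# tcpdump -v prints one IP header line followed by one ICMP line per packet
HDR = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) ip: \(tos (?P<tos>0x[0-9a-f]+), '
                 r'ttl (?P<ttl>\d+), id (?P<ipid>\d+),')
ICMP = re.compile(r'^(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), '
                  r'id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)')


def parse_capture(text):
    """Return one dict per ICMP echo packet, joining each header line with the ICMP line after it."""
    packets = []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        h = HDR.match(lines[i])
        if h and i + 1 < len(lines):
            p = ICMP.match(lines[i + 1])
            if p:
                packets.append({'ts': h['ts'], 'ttl': int(h['ttl']), 'ipid': int(h['ipid']),
                                'src': p['src'], 'dst': p['dst'], 'kind': p['kind'],
                                'icmp_id': int(p['id']), 'seq': int(p['seq'])})
                i += 2
                continue
        i += 1  # not an echo packet we understand; skip the line
    return packets


def pair_echoes(packets, host):
    """Group packets by (ICMP id, seq): requests sent by host and replies addressed to host."""
    flows = defaultdict(lambda: {'requests': [], 'replies': []})
    for p in packets:
        key = (p['icmp_id'], p['seq'])
        if p['kind'] == 'request' and p['src'] == host:
            flows[key]['requests'].append(p)
        elif p['kind'] == 'reply' and p['dst'] == host:
            flows[key]['replies'].append(p)
    return dict(flows)


def summarize(flows):
    """One row per (id, seq): counts, reply TTLs, and flags for unanswered or duplicated replies."""
    rows = []
    for (icmp_id, seq), f in sorted(flows.items()):
        rows.append({'icmp_id': icmp_id, 'seq': seq,
                     'requests': len(f['requests']), 'replies': len(f['replies']),
                     'reply_ttls': [r['ttl'] for r in f['replies']],
                     'unanswered': len(f['replies']) == 0,
                     'duplicate_reply': len(f['replies']) > len(f['requests'])})
    return rows


if __name__ == '__main__':
    for row in summarize(pair_echoes(parse_capture(CAPTURE), '172.16.64.38')):
        print(row)
```

The script only tells you what the tunnel interface saw; it cannot say why a reply that reached tun1 never reached the host. To localize the drop, run the same pairing on captures taken one hop at a time (RouterOS tunnel side, RouterOS LAN side, the firewall's port7 and port16) and find the first point where the replies stop appearing.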