Hello,
The issue is caused by the firewall, more specifically by the missing (disabled) "MASQUERADE" option. Please enable the "MASQUERADING" option in the WebUI, at Network > Firewall > General Settings [default tab] > [Enable MASQUERADING on 'Mobile_WAN' & 'WAN' zone] > Save & Apply settings.
It might be necessary to restart firewall service (via CLI, use command "/etc/init.d/firewall restart" or "fw3 restart" for that) or to simply reboot the router after enabling this option so that it takes effect as soon as possible. I'm also leaving an explanation below regarding why this MASQ option should be enabled and what needs to be done when we choose not to enable it.
All packets which leave the router via <any gateway/interface> that falls under <zone with MASQUERADE enabled> will have their source IP address translated to the <egress interface> IP address. For example, in your case, the following should be happening:
- Laptop generates packet with source IP address of 192.168.111.11 to destination IP address of 10.41.37.10
- Laptop notices that this destination IP address is not in the same broadcast domain, so it forwards the packet to the router [to assist with routing of the packet]
- The router checks its routing table [RIB] - there is no specific route to such destination, therefore the packet should be routed via its mobile interface to a further gateway
Here's where MASQUERADING (SNAT) becomes relevant:
- With MASQUERADING enabled, the router will "translate" the source IP of the laptop packet from 192.168.111.11 to 10.41.37.10. This means that a packet that was generated by the laptop would end up with a source IP address of 10.41.37.10 instead of the initial IP address of the laptop. The destination IP address is not changed at this point.
- The packet is then routed all the way to the Synology device and eventually it comes back to the router. Router "remembers" that it translated a packet for a specific destination and forwards that packet back to the initial host (laptop).
If we do not use MASQUERADING (SNAT), then the source IP address of the packet doesn't change. This can also work, but additional [static or dynamic] routes must be configured on all devices in the path of that packet so that it can be routed TO the destination and then BACK to the original sender. When we route to the internet, SNAT is mandatory, because private IPs [RFC1918] shall not be routed on the internet.
This explains both things - why your router was able to reach the Synology device (it was using its mobile interface to reach Synology device) and why your laptop cannot reach it (no SNAT applied to the laptop packet).
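The same check from the router's CLI, as an added example that is not part of the reply above: it takes the output of `iptables-save -t nat` (which is what fw3 programs into the kernel), finds which zone chain an egress interface jumps to, and reports whether that chain ends in a MASQUERADE target; it then decodes a `/proc/net/nf_conntrack` line to show which address the far end actually sees as the source. The NAT dump, the conntrack lines, the interface names `eth1`/`wwan0` and the WAN address 10.0.0.2 are constructed samples for this example, not taken from the thread; on a real router replace them with `iptables-save -t nat` and `cat /proc/net/nf_conntrack`.

```shell
#!/bin/sh
# Added example (not from the original post): verify MASQUERADE per fw3 zone
# and decode a conntrack entry. All sample data below is constructed.

# Constructed `iptables-save -t nat` output: 'wan' zone has masq=1,
# 'mobile_wan' does not. Chain names follow fw3's zone_<name>_postrouting
# convention; interface names eth1 / wwan0 are assumed.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_lan_postrouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_mobile_wan_postrouting - [0:0]
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o wwan0 -m comment --comment "!fw3" -j zone_mobile_wan_postrouting
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT'

# Constructed /proc/net/nf_conntrack lines for the laptop -> Synology flow.
# Original tuple first, reply tuple second. With SNAT the reply tuple's dst
# is the router's egress address (10.0.0.2, assumed); without it, the
# laptop's own address, which the far side then has to route back somehow.
CT_MASQ='ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.111.11 dst=10.41.37.10 sport=51234 dport=5000 src=10.41.37.10 dst=10.0.0.2 sport=5000 dport=51234 [ASSURED] mark=0 use=1'
CT_NOMASQ='ipv4 2 tcp 6 119 SYN_SENT src=192.168.111.11 dst=10.41.37.10 sport=51235 dport=5000 [UNREPLIED] src=10.41.37.10 dst=192.168.111.11 sport=5000 dport=51235 mark=0 use=1'

# zone_for_iface IFACE NAT_DUMP -> prints the fw3 zone the interface's
# POSTROUTING jump belongs to (empty if the interface is in no zone)
zone_for_iface() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == "-A" && $2 == "POSTROUTING" && $3 == "-o" && $4 == ifc {
            z = $NF; sub(/^zone_/, "", z); sub(/_postrouting$/, "", z)
            print z; exit
        }'
}

# zone_has_masq ZONE NAT_DUMP -> exit 0 if the zone chain has a MASQUERADE target
zone_has_masq() {
    printf '%s\n' "$2" | grep -q "^-A zone_$1_postrouting .*-j MASQUERADE"
}

# iface_has_masq IFACE NAT_DUMP -> exit 0 if traffic leaving IFACE is masqueraded
iface_has_masq() {
    z=$(zone_for_iface "$1" "$2")
    [ -n "$z" ] && zone_has_masq "$z" "$2"
}

# conntrack_orig_src LINE -> first src= value (what the LAN host sent)
conntrack_orig_src() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); print $i; exit } }'
}

# conntrack_snat_addr LINE -> second dst= value (the source the far end sees)
conntrack_snat_addr() {
    printf '%s\n' "$1" | awk '{ n = 0; for (i = 1; i <= NF; i++) if ($i ~ /^dst=/) { n++; if (n == 2) { sub(/^dst=/, "", $i); print $i; exit } } }'
}

# conntrack_is_snat LINE -> exit 0 if the flow's source was rewritten
conntrack_is_snat() {
    [ "$(conntrack_orig_src "$1")" != "$(conntrack_snat_addr "$1")" ]
}

# Demo run over the constructed data
for ifc in eth1 wwan0; do
    if iface_has_masq "$ifc" "$SAMPLE_NAT"; then
        printf '%s (zone %s): MASQUERADE on\n' "$ifc" "$(zone_for_iface "$ifc" "$SAMPLE_NAT")"
    else
        printf '%s (zone %s): MASQUERADE OFF - LAN sources leave untranslated\n' "$ifc" "$(zone_for_iface "$ifc" "$SAMPLE_NAT")"
    fi
done
for ct in "$CT_MASQ" "$CT_NOMASQ"; do
    printf 'flow from %s appears to the far end as %s\n' "$(conntrack_orig_src "$ct")" "$(conntrack_snat_addr "$ct")"
done
```

On an fw3 router the WebUI toggle corresponds to `masq '1'` on the zone section in `/etc/config/firewall` (`uci set firewall.<zone section>.masq='1'`, then `uci commit firewall` and `/etc/init.d/firewall restart`); after the restart, rerun the `iptables-save -t nat` check and the `zone_<name>_postrouting` chain for the mobile zone should carry the `-j MASQUERADE` rule. Traffic originated by the router itself (such as pinging the Synology from the CLI) already leaves with the egress interface's address as source, which is why it worked with masquerading off while the laptop's flow did not.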