A. You are doing DAT, which means that a packet with header SOURCEIP:SOURCEPORT:ROUTERPUBLICIP:5900 is translated to SOURCEIP:SOURCEPORT:192.168.150.2:22.
B. The router sends this packet to the LAN.
C. The server at 192.168.150.2 receives a packet with some “public” IP in the source field. Public in your LAN.
D. The server has to know where its gateway is, as it is responding to a device at “public” SOURCEIP:SOURCEPORT.
E. If the server has no access to the outside world, then the response to the originator “dies” and there is no communication.
F. If your server has no access to the WAN side, then you need the second rule, the SAT one, which replaces SOURCEIP with the router’s IP.
G. If (F) is done, then the server receives ROUTERIP:SOURCEPORT:192.168.150.2:22 and sends the response to the router, as it thinks that the router is the originator.
H. If (G), the router matches its “translation tables”, translates the source IP in the header from ROUTERIP back to SOURCEIP, and sends it to the WAN.
I. Remember that DAT is done before SAT, so SAT rules should operate on the IPs and ports already “DATed to”.
This example makes SAT for all incoming packets not from the LAN and with destination port 22, so only those with IPs not from the LAN pool are translated by the router, assuming that the router is 192.168.150.1:
/ip firewall nat add chain=dstnat in-interface=ether12 protocol=tcp dst-port=5900 action=dst-nat to-addresses=192.168.150.2 to-ports=22
/ip firewall nat add chain=srcnat src-address=!192.168.150.0/24 action=src-nat to-addresses=192.168.150.1 dst-address=192.168.150.2 dst-port=22 protocol=tcp
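The walk-through above (steps A to I and the two rules), played out as an added Python simulation that is not part of the original post: the public router address and the WAN client are constructed placeholders, the LAN side matches the post, and a "gateway" flag on the server shows the reply dying in case (E) versus being delivered once the SAT rule from (F) rewrites the source. The SAT rule is applied after DAT and matches the already translated 192.168.150.2:22, as step (I) requires.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addresses for the walk-through; the LAN side matches the post.
ROUTER_PUBLIC_IP = "203.0.113.10"   # placeholder for ROUTERPUBLICIP
ROUTER_LAN_IP = "192.168.150.1"
SERVER_IP = "192.168.150.2"
LAN = ip_network("192.168.150.0/24")
CLIENT = ("198.51.100.7", 40000)    # constructed SOURCEIP:SOURCEPORT on the WAN side

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class Router:
    """Models the dstnat and srcnat rules plus the table used to undo them on replies."""
    def __init__(self, use_srcnat):
        self.use_srcnat = use_srcnat
        self.conntrack = {}  # post-NAT 4-tuple -> packet exactly as it arrived from the WAN

    def inbound(self, pkt):
        # dstnat rule: tcp/5900 arriving on the WAN interface -> 192.168.150.2:22
        if (pkt.dst_ip, pkt.dst_port) != (ROUTER_PUBLIC_IP, 5900):
            return None
        out = pkt._replace(dst_ip=SERVER_IP, dst_port=22)
        # srcnat rule runs after dstnat, so it matches the already translated
        # destination 192.168.150.2:22 and only sources outside the LAN pool.
        if self.use_srcnat and ip_address(out.src_ip) not in LAN:
            out = out._replace(src_ip=ROUTER_LAN_IP)
        self.conntrack[(out.src_ip, out.src_port, out.dst_ip, out.dst_port)] = pkt
        return out

    def outbound_reply(self, reply):
        # Look the reply up in the "translation table" and undo both translations at once.
        orig = self.conntrack.get((reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port))
        if orig is None:
            return None
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)

def server_reply(pkt, has_gateway):
    """The server answers whatever source it sees; without a gateway it reaches only LAN addresses."""
    reply = Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
    return reply if has_gateway or ip_address(reply.dst_ip) in LAN else None

def simulate(use_srcnat, server_has_gateway):
    """Returns (packet as the server sees it, reply as the client sees it, or None if it died)."""
    router = Router(use_srcnat)
    seen = router.inbound(Packet(CLIENT[0], CLIENT[1], ROUTER_PUBLIC_IP, 5900))
    reply = server_reply(seen, server_has_gateway)
    return seen, None if reply is None else router.outbound_reply(reply)
```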