Communication in LAN over public IP

RouterOS Beginner Basics
1

have CCR router on IGW (connected to my provider) and two FreeBSD servers. BSD1 is directly connected to port in CCR. BSD2 is remote webhosting (and next services) server in LAN with IP 10.0.254.78 (2 hops far).

Some public IP addresses are set on WAN interface of CCR. One of them is redirected into BSD2 in LAN (dst-nat):

0    chain=dstnat action=dst-nat to-addresses=10.0.254.78 dst-address={PUBLIC_IP} in-interface=bridge_wan log=no log-prefix="" 
1    chain=srcnat action=src-nat to-addresses={PUBLIC_IP} src-address=10.0.254.78 out-interface=bridge_wan log=no log-prefix=""

This works - access to BSD2 from internet over public IP and access from LAN over private IP 10.0.254.78.
I wanted to adjust the settings to work BSD2 access from the LAN directed to a public IP.
I found on internet this recommended rules:

2    chain=dstnat action=dst-nat to-addresses=10.0.254.78 dst-address={PUBLIC_IP} dst-address-type=local log=no log-prefix="" 
3    chain=srcnat action=masquerade dst-address=10.0.254.78 log=no log-prefix=""

This works, I can contact server from LAN (10.0.0.0/8) over PUBLIC_IP, but one problem here (masquerade).
On BSD2, I use NFS, ACL etc. Problem is source IP of communication from LAN to BSD2 PUBLIC_IP. It is outgoing IP of CCR. This is problem for me.
Does exist any solution for my idea with preserving source IP? Thank you.

2

You can’t preserve source IP. Well, you can, but then it won’t work. Because it’s exactly what needs fixing when you connect from LAN to public address and it gets forwarded back to same LAN. If source IP is preserved, server will send reply directly from its local address and client will refuse it, because it tried to talk to public address, which is different.

To solve the basic problem, standard hairpin NAT masquerades the source as router’s internal address. If you say it’s public one in your case, then it does not come from your newly added masquerade rule, but from some other srcnat rule. It does not really matter, because it can be any address, even fake one. And instead of using one common address, it’s possible to map real source network (e.g. 192.168.0.0/24) into fake network (e.g. 192.168.100.0/24):

/ip firewall nat
add action=netmap chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.0.0/24 \
    src-address-type=!local to-addresses=192.168.100.0/24

And it will work, each client will have own different address. It’s not perfect, because it means setting ACLs for another network. But it does allow to tell one client from another. Sometimes you can’t have everything. One more little problem in your case, if you really have /8 network, you won’t have another big enough for fake network.