What is better? A NAT rule (dstnat) without src-address and a filter rule on forward chain with src-address or a NAT rule with src-address to limit access to a device on the LAN.
It depends. If I’d need it only for one forwarded port, I’d do it in dstnat. Why let the packet pass, only to block it moment later. If I’d need filtering for target port and connections could come from different sources at the same time (from internet using dstnat, from some other subnet, from VPN, …), I’d probably choose forward, to have it all in one place.
This is a very reasonable question coming from many other routers to the mikrotik router.
The long and short of it is that mikrotik provides much more fidelity than your normal consumer router and many soho routers.
To answer your question, note that the NAT menu item is under the FIREWALL menu, not a separate choice.
All my destination NAT rules, where I know (and can limit the source WAN address) who requires access is delineated by the SOURCE ADDRESS LIST (typically more than one user).
Also here (NAT rules) is where you differentiate if the incoming port from the user will actually go to a different server port (translation).
In addition to what @Sob wrote: I find using src-address in dst-NAT translation also useful if same port should be forwarded to different DMZ/LAN hosts depending on the remote host’s IP address. E.g.:
/ip firewall nat
add action=dst-nat chain=dstnat comment="ssh from remote1 goes to LAN1" in-interface-list=WAN dst-port=22 protocol=tcp src-address=1.2.3.4 to-addresses=192.168.1.12
add action=dst-nat chain=dstnat comment="ssh from remote2 goes to LAN2" in-interface-list=WAN dst-port=22 protocol=tcp src-address=2.3.4.5 to-addresses=10.11.12.13