Why don’t we exclude the router’s own address from the main masquerading rule?
/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address-type=!local
If nothing fancy is going on, then the routing decision will result in selecting the correct src-address for the appropriate egress interface, and thus SRC-NAT is indeed not needed. The packet flow diagram shows that the packet still passes the src-nat function (which is part of the postrouting chain), but I guess it’s safe to assume that src-nat notices that there’s nothing to be done and simply passes the packet unaltered (hence the additional selector on the src-nat rule is not needed).
If a router process explicitly sets the src-address to one of the router’s own addresses, one that is not “native to the egress interface” (but still qualifies as a local src-address-type), then src-nat has to be performed, or else the two-way connection would likely fail. So in this case, adding the additional selector to the src-nat rule would break connectivity (and the router would leak LAN address(es) through the WAN interface).
Note that the discussion above doesn’t apply to forwarded traffic, where the src-address is not local anyway.
That is right. Using src-address-type=!local is likely too broad. But of course you could use src-address=!(the address of the external interface).
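The two rule variants side by side, plus a way to reproduce the "router process pins a LAN source address" case from the first reply. This is an added example, not configuration posted by anyone in the thread; the interface names and addresses (ether1 with 203.0.113.10/24 as WAN, bridge with 192.168.88.1/24 as LAN, 198.51.100.1 as a ping target) are assumptions.

```routeros
# Added example, not from the thread. Assumed layout:
#   WAN = ether1, address 203.0.113.10/24
#   LAN = bridge, address 192.168.88.1/24
/interface list add name=WAN
/interface list member add interface=ether1 list=WAN

# Variant from the question: exempt every locally-sourced packet from
# masquerade, regardless of which local address it carries. Kept disabled
# here so the two variants can be compared by toggling them.
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none \
    action=masquerade src-address-type=!local disabled=yes \
    comment="exempt all local addresses (too broad)"

# Variant from the last reply: exempt only packets already sourced from the
# WAN address. A router-originated packet sourced from 192.168.88.1 still
# matches and is masqueraded to 203.0.113.10.
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none \
    action=masquerade src-address=!203.0.113.10 \
    comment="exempt WAN address only"

# Reproduce the case from the first reply: the router itself sends with its
# LAN address as source while the routing decision sends it out via ether1.
/ping 198.51.100.1 src-address=192.168.88.1 count=3

# The packet counter of the narrow rule increases by 3.
/ip firewall nat print stats
```

To see the failure mode the first reply describes, disable the narrow rule, enable the broad one and repeat the ping: the 192.168.88.1-sourced packets then match neither rule (the source is local, so src-address-type=!local does not apply) and leave ether1 unmasqueraded, which is the LAN-address leak the reply refers to.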