My aim: to be able to access a thermostat in my parents guesthouse from anywhere with internet access.
Current home network structure:
- Parents have a primary router at 192.168.0.1 that connects via wireless to their ISP's AP.
- All devices in the main house are in this 192.168.0.x range (how do I actually write that; is it the 192.168.0.0/24 subnet?).
- A separate guest house is connected through a wireless bridge and the guest house wireless receiver is then connected via cable (ether1) to a Mikrotik hAP lite router - the second router - which has the IP address of 192.168.0.8 (I assume this can be called the WAN IP?) and a local IP of 192.168.2.1.
- Connected to the second router via wifi is a thermostat at 192.168.2.2 port 4000.
I contacted my ISP and they have set up the appropriate port forwarding on their end, so the connection is now like this;
phone with app on the net -> the ISP's public address 1.1.1.1 and port 10123 (used as an example). This is then forwarded to the primary router 192.168.0.1 and port 10123, which then forwards the packets to the second router at 192.168.0.8.
What I tried: all sorts of combinations of source and destination Firewall NAT rules, but at this point I am getting confused and don't know what I am doing

I know the issue is with me not being able to set-up the firewall and/or NAT rules correctly. I turned on the log for dropped packets and the forwarding to 192.168.0.8 works (also confirmed by the packet count increasing every time I try to connect via the app) but the 192.168.0.8 -> 192.168.2.1 is where the problem is.
So, these are the questions I have;
Q: Is this a Source or Destination NAT rule issue? Or do I need both?
Q: What IPs and ports am I forwarding? The packet can originate from any IP (mobile provider's assigned IP, IP assigned by any public AP and so on) so am I trying to change the src IP?
Q: The current port of the thermostat is 4000 but the one from the ISP is different (e.g example of 10123) so is there any advantage of changing the thermostat port to be the same 10123? The thermostat allows this; port 4000 is just the default one.
Q: Do I need to play with the firewall rules as well if I configure the NAT rules correctly? [Attached screenshot of what I have now]
Side quest: Once I learn this whole firewall/nat rules, can I use the same to access the Mikrotik router at 192.168.0.8 (192.168.2.1) web config through port 80 from the main house (192.168.0.x)? Is that also a NAT thing and/or do I need to create firewall rules? Forwading or Input?