(To be honest, this is the fifth time I have started to write this question, as I noticed so many unpredictable behaviors around NAT but could not reproduce most of them. They have mostly gone away after playing a lot with different settings, but there is one I cannot solve, but can reproduce.)
I set up a NAT rule:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=Home dst-port=8081 protocol=\
    tcp to-addresses=192.168.64.64 to-ports=8081
where Home is my fixed IP (actually I tried it even without this, but to make sure that any outbound communication to port 8081 can get through, it was safer to set it).
I also added a firewall filter to accept this traffic:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat log=yes
On 192.168.64.64:8081 I have a webserver.
What happens: When I load http://192.168.64.64:8081 from within the network, it works. When I load http://myownip.com:8081 from outside the LAN it also works. But when I try http://myownip.com:8081 from within the network, the request never reaches the server. I monitor the traffic (tx/rx volumes) on the NAT and I see the 60 byte packets all right. I also put a log on the filter rule, and I can see that the dst-nat happens and it reaches the firewall filter as well, where it is accepted. What I see in the log is:
forward: in:ether1 out:vlan1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), externalip:3198->192.168.64.64:8081, NAT externalip:3198->(myownip:8081->192.168.64.64:8081), len 60
when used from outside, and
forward: in:vlan1 out:vlan1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.64.96:40268->192.168.64.64:8081, NAT 192.168.64.96:40268->(myownip:8081->192.168.64.64:8081), len 60
when used from inside.
So in both cases it seems OK, but the first one works, the second does not.
I would appreciate any thoughts on what can be wrong.
(As mentioned above, I had some other NAT rules that also worked in strange ways. My feeling was that it is some sort of timing issue, or address pollution, conflict, or something like that, but I could not figure it out.)
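
An added example, not part of the original post: a small parser for the two firewall log lines quoted above that flags flows which are dst-natted but enter and leave on the same interface with an untranslated LAN source. This is the pattern usually called hairpin NAT, where replies can return directly on the LAN without passing back through the router's NAT. The /24 mask for the LAN is an assumption, since the post does not state it.

```python
import ipaddress
import re

# Log lines copied from the post (MAC and public addresses are masked there).
LOG_LINES = [
    "forward: in:ether1 out:vlan1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), "
    "externalip:3198->192.168.64.64:8081, "
    "NAT externalip:3198->(myownip:8081->192.168.64.64:8081), len 60",
    "forward: in:vlan1 out:vlan1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), "
    "192.168.64.96:40268->192.168.64.64:8081, "
    "NAT 192.168.64.96:40268->(myownip:8081->192.168.64.64:8081), len 60",
]

LAN = ipaddress.ip_network("192.168.64.0/24")  # assumption: mask not given in the post

# Captures the interfaces and the "NAT src:port->(orig:port->new:port)" part.
PATTERN = re.compile(
    r"in:(?P<inif>\S+) out:(?P<outif>[^,\s]+),.*?"
    r"NAT (?P<src>[^:\s]+):\d+->\((?P<orig>[^:\s]+):\d+->(?P<new>[^:\s]+):\d+\)"
)


def in_lan(host):
    """True if host is a literal IP inside LAN; masked names return False."""
    try:
        return ipaddress.ip_address(host) in LAN
    except ValueError:
        return False


def classify(line):
    """Return 'hairpin', 'routed' or 'unparsed' for one firewall log line."""
    m = PATTERN.search(line)
    if m is None:
        return "unparsed"
    same_if = m["inif"] == m["outif"]
    # The destination was rewritten but the source is still a LAN address,
    # so the server can answer the client directly without passing the router.
    if same_if and in_lan(m["src"]) and in_lan(m["new"]):
        return "hairpin"
    return "routed"


if __name__ == "__main__":
    for line in LOG_LINES:
        print(classify(line), "|", line[:30])
```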