1. Your firewall filter rules indicate that you have some gaps in understanding how Mikrotik's firewall works. Please look here for a supercharged introduction and modify your firewall rules so that they provide better protection. Then, I would strongly recommend to export the configuration to a file, download it outside the 'Tik, and upgrade to at least 6.40.8 (latest bugfix release) and later maybe even to 6.42.2 (latest current release).
2. You haven't added any firewall rule with disabled=yes so it is hard to guess which one causes the conflict. But from the history, I suppose that it is this one:
/ip firewall nat
...
add action=masquerade chain=srcnat dst-address=128.10.5.50 dst-port=8086 out-interface=ether1 protocol=tcp src-address=128.10.5.0/24
The problem is that I cannot understand why this rule should have any effect at all. It cannot help access cameras' port 8086 from LAN via the public IP of the 'Tik because in your configuration, out-interface=ether1 is never true simultaneously with dst-address=128.10.5.50 src-address=128.10.5.0/24.
To make the hairpin NAT work, you need to make the cameras think that Mikrotik is the client, so that they would send their responses to Mikrotik rather than directly to the real client. If the real client sends the SYN packet to the WAN address of the Mikrotik but receives the SYN,ACK response from the LAN address of the camera, it doesn't recognize it as a response to the SYN. So just removing the out-interface=ether1 from the rule should be enough to make the access to cameras work. You could replace it by out-interface=BridgeOffice but it is not necessary as the combination of dst-address and src-address has the same effect.
It would also be cleaner to replace action=masquerade by action=src-nat to-addresses=128.10.5.254 in the rule, but it is not the essence of the trouble.
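
The packet flow described in this reply, modelled as an added example (not part of the original post and not RouterOS code): it evaluates the srcnat rule's matchers against a hairpinned SYN and shows which source address the client sees on the SYN,ACK. Assumptions: the WAN address 203.0.113.1 and the client 128.10.5.10 are constructed placeholders, a dst-nat rule to the camera exists, and ether1 is the WAN port while BridgeOffice carries the LAN.

```python
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("128.10.5.0/24")   # from the post
CAMERA = "128.10.5.50"                        # from the post
ROUTER_LAN = "128.10.5.254"                   # from the post (to-addresses)
WAN_IP = "203.0.113.1"                        # constructed placeholder for the public IP
CLIENT = "128.10.5.10"                        # constructed LAN client

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def out_interface(dst):
    # Routing decision (assumed): LAN destinations leave via the bridge, the rest via ether1.
    return "BridgeOffice" if ipaddress.ip_address(dst) in LAN else "ether1"

def srcnat_matches(pkt, rule):
    # Every matcher in a rule must be true at the same time for the rule to fire.
    if pkt.dst != rule["dst-address"] or pkt.dport != rule["dst-port"]:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src-address"]):
        return False
    want = rule.get("out-interface")
    return want is None or want == out_interface(pkt.dst)

def hairpin(rule):
    """Return (client_accepts_reply, reply_source_seen_by_client)."""
    syn = Pkt(CLIENT, 40000, WAN_IP, 8086)
    fwd = replace(syn, dst=CAMERA)            # assumed dst-nat rule, not shown in the post
    natted = srcnat_matches(fwd, rule)
    if natted:
        fwd = replace(fwd, src=ROUTER_LAN)    # camera now sees the router as the client
    # The camera answers whatever source address it saw; unNATted, that goes straight to the client.
    reply = Pkt(CAMERA, 8086, fwd.src, fwd.sport)
    if natted:
        # Reply returns to the router, whose connection tracking undoes both translations.
        reply = Pkt(WAN_IP, 8086, CLIENT, syn.sport)
    ok = (reply.src, reply.sport, reply.dst, reply.dport) == (syn.dst, syn.dport, syn.src, syn.sport)
    return ok, reply.src

BASE = {"dst-address": CAMERA, "dst-port": 8086, "src-address": "128.10.5.0/24"}
ORIGINAL = {**BASE, "out-interface": "ether1"}   # rule as quoted in the post
FIXED = BASE                                     # same rule without out-interface
if __name__ == "__main__":
    print("original:", hairpin(ORIGINAL), "fixed:", hairpin(FIXED))
```

With the original rule the reply arrives from 128.10.5.50 and does not match the client's connection to the WAN address; without the out-interface matcher the reply arrives from the address the client dialled.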