Yes, but it also applies to other srcnat rules. What I'm saying is that your current srcnat rules make no sense to me and you shouldn't need any of them. I mean, is this a regular router, does it have the public 1xx.1xx.1xx.1xx assigned to some WAN interface, LAN 192.168.1.x/24 to another, etc.? Or is it part of some larger and strangely complex network?
The part that confuses me: if it's a regular router, how can internet work when you don't have any srcnat for outgoing traffic? All your srcnat rules have dst-address=192.168.1.x, so they apply to traffic to LAN but not from LAN. Did you omit some rules from what you posted?
Next, what you do is really strange, e.g.:
add action=dst-nat chain=dstnat comment=SVN dst-address=1xx.1xx.1xx.1xx dst-port=8443 protocol=tcp to-addresses=192.168.1.21 to-ports=8443
Dstnat rule is fine, outside clients connect to 1xx.1xx.1xx.1xx:8443 and it gets forwarded to internal 192.168.1.21:8443. But then you have this:
add action=src-nat chain=srcnat dst-address=192.168.1.21 protocol=tcp to-addresses=1xx.1xx.1xx to-ports=8443
It takes those connections (and not only them, any tcp connection to 192.168.1.21 to any port) and makes them look as if they came from 1xx.1xx.1xx.1xx:8443. But why? What's the idea behind that?
All you should need is two srcnat rules:
1) Main NAT for working internet:
/ip firewall nat
add chain=srcnat out-interface=<WAN> action=src-nat to-addresses=1xx.1xx.1xx.1xx
2) Hairpin NAT rule, if you want to connect to services on 1xx.1xx.1xx.1xx from same LAN 192.168.1.0/24 (optional, you can skip this rule, if you don't need to do this):
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24 action=masquerade
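
An added example, not part of the original post: a small audit of an exported NAT rule set that labels each srcnat rule by the direction of traffic it can match and reports whether any rule covers outgoing traffic. The address 203.0.113.10 and the interface name ether1 are constructed placeholders for the redacted public IP and the WAN port, and the function names are hypothetical.

```python
import ipaddress
import shlex

LAN = ipaddress.ip_network("192.168.1.0/24")  # LAN subnet from the thread

# Constructed sample in RouterOS export style. 203.0.113.10 is a documentation
# address standing in for the redacted public IP, ether1 for the WAN port.
SAMPLE = """\
add action=dst-nat chain=dstnat comment=SVN dst-address=203.0.113.10 dst-port=8443 protocol=tcp to-addresses=192.168.1.21 to-ports=8443
add action=src-nat chain=srcnat dst-address=192.168.1.21 protocol=tcp to-addresses=203.0.113.10 to-ports=8443
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=203.0.113.10
add action=masquerade chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.0/24
"""

def parse_rule(line):
    """Turn one 'add key=value ...' export line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def in_lan(value):
    """True when an address or prefix taken from a rule lies inside LAN."""
    if not value:
        return False
    try:
        return ipaddress.ip_network(value, strict=False).subnet_of(LAN)
    except (ValueError, TypeError):  # redacted, ranged or non-IPv4 value
        return False

def classify(rule):
    """Label a srcnat rule by the direction of traffic it can match."""
    if rule.get("chain") != "srcnat":
        return "not-srcnat"
    src_lan = in_lan(rule.get("src-address"))
    dst_lan = in_lan(rule.get("dst-address"))
    if src_lan and dst_lan:
        return "hairpin"   # LAN client reaching a LAN server via the router
    if dst_lan:
        return "to-lan"    # rewrites the source of traffic going TO the LAN
    if rule.get("out-interface") or rule.get("out-interface-list"):
        return "outbound"  # main NAT for traffic leaving through the WAN
    return "other"

def audit(export_text):
    """Return (labels per 'add' line, whether an outbound srcnat rule exists)."""
    lines = [l for l in export_text.splitlines() if l.strip().startswith("add ")]
    labels = [classify(parse_rule(l)) for l in lines]
    return labels, "outbound" in labels

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A rule labelled "to-lan" with no src-address restriction also makes every forwarded connection reach the server with the router's address as its source, so the server's logs no longer show the real client IP.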