lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

tls-host doesn't work in dstnat chain?

Sat Aug 25, 2018 10:01 pm

I tried to roughly replicate nginx functionality using dstnat to different machines based on tls-host (mostly to split OpenVPN on port 443 from HTTPS); however, to my surprise this feature doesn't seem to work in the dstnat chain. It works in the prerouting chain, though, and according to:

https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

prerouting occurs before dstnat. Unfortunately this doesn't seem to be true, because even when I use the mark-packet or mark-connection action in the prerouting chain, it doesn't seem to be noticed by the dstnat chain. Is this normal behavior?

Furthermore, the tls-host option is not mentioned in the NAT documentation: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT so I'm a bit confused.
 
lapsio
Long time Member
Topic Author

Re: tls-host doesn't work in dstnat chain?  [SOLVED]

Sat Aug 25, 2018 10:33 pm

Okay, it's pretty obvious. The NAT decision is taken before the 3-way handshake is finished, as the handshake is typically performed by the actual host, and tls-host, layer7-protocol, content and many other matchers can only be determined after the handshake is finished, because they are based on the connection's packet contents. So it's probably impossible to perform NAT based on connection data, as it would require the router to behave like a full proxy.
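To make the conclusion above concrete, here is an added example (written for this note, not code from the thread or from MikroTik) that walks the client-to-server segments of a connection in order and records at which segment the "which backend?" decision first becomes possible. The SYN, where dstnat has to pick a destination, carries no payload; the TLS SNI only appears in the ClientHello, which is the first data segment after the handshake and may itself be split across segments. The backend addresses, the hostnames and the "OpenVPN on 443" split are assumptions modelled on the poster's scenario; the sample packets are constructed inline, not captures.

```python
"""Why a NAT decision made on the SYN cannot branch on tls-host, and what a
userspace SNI demultiplexer (a 'full proxy') must do instead.

Added example; backends, hostnames and the OpenVPN-on-443 split are assumed.
"""
import struct

# Assumed backend map for the thread's scenario.
HTTPS_BACKENDS = {"www.example.com": ("10.0.0.10", 443),
                  "mail.example.com": ("10.0.0.11", 443)}
DEFAULT_BACKEND = ("10.0.0.10", 443)
OPENVPN_BACKEND = ("10.0.0.20", 1194)


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host    # type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify(buf):
    """Inspect the bytes the client has sent so far.
    Returns ("need_more", None), ("not_tls", None) or ("tls", sni_or_None).
    A ClientHello fragmented over several TLS records is not reassembled here."""
    if not buf:
        return ("need_more", None)
    if buf[0] != 0x16:                      # not a TLS handshake record
        return ("not_tls", None)
    if len(buf) < 5:
        return ("need_more", None)
    rec_len = struct.unpack("!H", buf[3:5])[0]
    if len(buf) < 5 + rec_len:              # ClientHello still arriving
        return ("need_more", None)
    hs = buf[5:5 + rec_len]
    try:
        if hs[0] != 0x01:
            return ("tls", None)
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                             # skip version + random
        p += 1 + body[p]                                       # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]         # cipher_suites
        p += 1 + body[p]                                       # compression_methods
        if p + 2 > len(body):
            return ("tls", None)                               # no extensions block
        ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            p += 4
            if etype == 0:                                     # server_name extension
                q = p + 2                                      # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = body[q]
                    nlen = struct.unpack("!H", body[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:
                        return ("tls", body[q:q + nlen].decode("ascii"))
                    q += nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return ("tls", None)


def choose_backend(segments):
    """segments: client->server TCP segments in order, as (flags, payload).
    Returns (index of the segment on which the decision became possible, backend).
    Index 0 is the SYN, the point where a dstnat rule must decide; it never
    carries application data, so no tls-host value exists there."""
    buf = b""
    for i, (_flags, payload) in enumerate(segments):
        buf += payload
        kind, sni = classify(buf)
        if kind == "need_more":
            continue
        if kind == "not_tls":
            return (i, OPENVPN_BACKEND)
        return (i, HTTPS_BACKENDS.get(sni, DEFAULT_BACKEND))
    return (None, None)


# Constructed flows: SYN and final ACK of the handshake carry no payload.
HANDSHAKE = [("SYN", b""), ("ACK", b"")]
HTTPS_FLOW = HANDSHAKE + [("PSH,ACK", build_client_hello("mail.example.com"))]
_hello = build_client_hello("www.example.com")
SPLIT_FLOW = HANDSHAKE + [("PSH,ACK", _hello[:40]), ("PSH,ACK", _hello[40:])]
# Assumed shape of OpenVPN-over-TCP's first packet: 2-byte length prefix then an opcode byte.
OPENVPN_FLOW = HANDSHAKE + [("PSH,ACK", b"\x00\x2a\x38" + b"\x00" * 42)]

if __name__ == "__main__":
    for name, flow in [("https", HTTPS_FLOW), ("split", SPLIT_FLOW),
                       ("openvpn", OPENVPN_FLOW), ("syn-only", HANDSHAKE)]:
        print(name, choose_backend(flow))
```

Two things to take from running it: every flow returns an index of 2 or more, never 0, so a decision bound to the SYN (what dstnat is) has nothing to match; and the split flow shows the demultiplexer must buffer across segments, which is the state a NAT table entry does not carry and a proxy does.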
