Ok, here's the said solution:
Solution for port forwarding for both WAN-to-LAN as well LAN-to-LAN (incl. inside same LAN):
On my router (hAP ac^2 with RouterOS 7.0beta8) with no NAT (ie. as 2nd router) now the following solution works:
IP of WAN interface (ether1): 192.168.254.253/24
IP of ether2 (ie. the gateway IP for LAN): 192.168.127.254/17
IP of host attached to router ether2: 192.168.20.1/17 (can add more hosts into that LAN by attaching a dumb switch to ether2).
WAN port 8458 is forwarded to LAN IP 192.168.20.1:8459. There an iperf server is running for testing.
All connections to 192.168.254.253:8458 (ie. the WAN interface) are correctly redirected,
even connections from inside the LAN !
So, the culprit is the bridge as with bridge this solution doesn't function.
I first tried the following step-by-step guide (with some good explanations) that says it works,
but I couldn't get it working here (as said WAN-to-LAN works, but not from inside the LAN):
https://serverfault.com/questions/97034 ... tik-router
Then I removed the bridge, and voila it works! And performance is ok (Gigabit speed, s.b.).
[admin@AP1] /ip/firewall/nat> export
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.254.253 dst-port=8458 in-interface=all-ethernet log=yes protocol=tcp to-addresses=192.168.20.1 to-ports=8459
add action=src-nat chain=srcnat dst-address=192.168.20.1 dst-port=8459 log=yes protocol=tcp src-address=192.168.0.0/17 to-addresses=192.168.127.254
[admin@AP1] /ip/firewall/filter> export
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
...
host:
# ifconfig
eth0 Link encap:Ethernet HWaddr XXXXXXXXX
inet addr:192.168.20.1 Bcast:192.168.127.255 Mask:255.255.128.0
# iperf server running on host:
$ iperf -e -s -p 8459
# iperf client from anywhere:
$ iperf -e -c 192.168.254.253 -p 8458 -t 5
------------------------------------------------------------
Client connecting to 192.168.254.253, TCP port 8458 with pid 18513
Write buffer size: 128 KByte
TCP window size: 468 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.20.1 port 12146 connected with 192.168.254.253 port 8458 (ct=0.93 ms)
[ ID] Interval Transfer Bandwidth Write/Err Rtry Cwnd/RTT NetPwr
[ 3] 0.00-5.01 sec 552 MBytes 925 Mbits/sec 4417/0 0 -1K/816 us 141735.83
Btw, without the above filter rules the performance is only about half:
[ 3] 0.00-5.02 sec 314 MBytes 525 Mbits/sec 2511/0 0 -1K/695 us 94425.95
So, the "fasttrack" and the "established,related" rules should be present in the firewall to get wire-speed performance.
P.S.: of course the log=yes in the firewall rules should be removed after testing.