Hello.

I have 2 devices in LAN and Wi-Fi as WAN interface. LAN configured with DHCP.
I need both LAN devices access internet through NAT (it works now), but with source MAC addresses replacement/substitution with MikroTik's MAC.
How to do it?

Explain better, MAC is not used on Internet, only the Public IP.

If MT device is used as router between LAN and (wireless) WAN, then upstream will always see MT's MAC ... regardless if MT performs NAT or not. If MT device is used as bridge between wireless and wired, then it all depends (but depenting on settings most probably upstream will see MT's MAC as well).

Indeed a confusing question. Mikrotik WAN MAC address will always be used when routed, as @mkx says. In case of NAT even the Mikrotik IP address is used.
But OP may have mysterious other things in mind.

Other case where traffic from the client devices is bridged (not routed) and still will take on the WLAN Mikrotik MAC address (with the client IPv4 address) is when the WLAN is set to "Station pseudo-bridge")

There needs to be traffic initiated from the client, to built the IPv4-to-client forward table in the pseudo bridge!
ARP in WAN will show the WLAN MAC , DHCP lease from WAN will show the client MAC. MT DHCP server usually fails to properly bind a DHCP lease over a station-pseudo-bridge.
DHCP lease results vary with setups and DHCP servers brands, for pseudo-bridge.

Are you sure guys you understand what are you talking about?
My provider has MAC authorization and I want to auth from MT and use PC without auth.
Right now I switched on SOCKS proxy on MT, auth from PC-browser to allow MT use internet, than use another browser to auth my PC.
I managed to set MT's MAC on my PC, so don't need to auth twice, but would prefer to run auth on MT only.

Are you sure guys you understand what are you talking about?
My provider has MAC authorization and I want to auth from MT and use PC without auth.

Extraordinary claims need extraordinary evidence.

What exactly do you mean by MAC authorization? Is it encapsulating the MAC address inside the IP payload?

Why the people here think you don't understand what you are talking about: Networking Fundamentals

Sounds almost as if the mikrotik is in the bridge mode otherwise, the ISP wouldn't require two separate MAC authorizations.

@OP: you will need to provide more info, ideally including your router's config. Your situation is bit unusual which confuses other people who would like to help. if my guess is correct, config with NAT instead of bridge would fix your issue because all LAN MACs (as well as IPs) will be hidden behind mikrotik's and ISP won't have a chance to recognize your separate devices.

My provider has MAC authorization and I want to auth from MT and use PC without auth.

MAC authentication, OK, can happen. Mostly it is because the ISP supports only one DHCP lease on the connection, and it it is one with a long lease time (e.g. 2 hours). This makes swapping devices unpractical by design, because no new IP lease is granted, until the first one is released. Same trick is used by the ISP to limit the number of client devices that can connect. (e.g. a 4 device only subscription)

The classic trick here is to give the (router) WLAN interface the MAC address of the PC, a MAC which is already in the list for ISP DHCP, or was used to authenticate.

If the MT router is using routing (with NAT to be practical), then the ISP will not see the fact that the PC has been replaced with the MT router. ALL devices behind the MT router will look exactly the same to the ISP: same MAC, same IP address, just as the PC.

It is the same story as if you share your wifi from your (Windows) PC, what is a well known and easy setup. A web proxy is not needed for this.
I known no setting for the ISP to prevent you from sharing your PC wifi connection, done with the autenticated PC.
The same is true for a MT router. Even if the ISP authentication is with RADIUS or on MAC address, the MT router can handle this without even having to start up the PC.
(The MT router does not have ALL the authentication methods of the PC, but mostly the MT can do the trick with the correctly setup security profile)