I have the same problem mentioned above, but none of the solutions seem to work.
I have two interfaces on the router - Internal and External, and there is a webserver on the internal network.
[admin@MikroTik] ip firewall nat> print
0 chain=srcnat action=masquerade out-interface=External
1 chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80
dst-address=85.254.xxx.xxx dst-port=80 protocol=tcp
But this doesn't work, if requests to webserver come from internal network.
How it works
> When a client from internal network (192.168.0.31) asks for 85.254.xxx.xxx, the webserver(192.168.0.100) receives a request from 192.168.0.31 and it replies to 192.168.0.31 but client expects reply from 85.254.xxx.xxx so nothing works in the end. Router applies only my NAT rule 1 and it keeps the source address 192.168.0.31
How it should work
> Router should first apply my NAT rule 0, as the connection actually goes through the External interface. Only then it should apply the rule 1 and webserver should receive request from 85.254.xxx.xxx, then reply to 85.254.xxx.xxx and finally NAT back to 192.168.0.31
This is also the way, all cheap routers do.
Then why doesn't it work as it should on RouterOS? I have tried to change many things, but I only get Connection Timed Out.
BTW, I use RouterOS 2.9.46