SillyPosition
just joined
Topic Author
Posts: 13
Joined: Sun May 24, 2020 10:21 am

NAT, VLANs, and guest accessing internal services by router external IP

Mon May 25, 2020 9:55 am

Hi everyone,
I own a MikroTik hAP ac, and recently started separating my network into three main networks:
1. vlan-guests (id=10) - subnet 10.10.0.0/24, where guests can log in and access only the wide internet. The config I attached shows that they are also allowed to access my home DNS server, which resides in my regular bridge non-tagged subnet.
2. vlan-smarthome (id=12) - subnet 10.200.0.0/24, where all my Wi-Fi connected lamps, switches, sensors... all go. It is completely isolated and can't access anywhere other than the single IP of the related VM that operates everything (and resides in my regular home network).
3. regular home network - subnet 10.0.0.0/24, where my trusted devices are located, including my home NAS, which also hosts my DNS server.

I am not entirely sure whether I got this right or not, and whether I should have VLAN-ed my regular home network as well. I'm quite new to this honestly, and I am still reading the great tutorial I found here.

My current most urgent issue is this - how do I set my NAT rules right, now that I have introduced the VLANs for guests, so that if I'm logged in to the guest network, I can still access my home services IF I try to reach them over the internet? I don't see any reason why that shouldn't be working, given it is already exposed to the internet.

Right now my DNAT rules catch the internal traffic and try to NAT it, and then my firewall rules block the access (bridge-guests tries to talk with bridge).
How do I make it catch only traffic that originates from the internet?

The way I have it set up at the moment, and it works fine for my regular use cases (apart from guests), is to DNAT anything that goes to my external IP (in the attached config it's my nginx reverse proxy), which I also then masquerade to make it fully work (so that backend services will return answers to it, not to the router).

It seems that my setup differs from what is proposed here. I tried to follow this approach (I'm not sure why I need to set up the DHCP client and use that IP), but that didn't work for me either.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT, VLANs, and guest accessing internal services by router external IP  [SOLVED]

Mon May 25, 2020 11:59 am

Quick fix should be (put before last rule):
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
 
SillyPosition
just joined
Topic Author
Posts: 13
Joined: Sun May 24, 2020 10:21 am

Re: NAT, VLANs, and guest accessing internal services by router external IP

Mon May 25, 2020 3:08 pm

Thanks, I wasn't aware of that capability (connection-nat-state). Packets do hit my new filter rule now, but I still can't access those services. Is there an additional configuration that should be made?
 
anav
Forum Guru
Posts: 22310
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT, VLANs, and guest accessing internal services by router external IP

Mon May 25, 2020 3:14 pm

Research hairpin nat!!
 
SillyPosition
just joined
Topic Author
Posts: 13
Joined: Sun May 24, 2020 10:21 am

Re: NAT, VLANs, and guest accessing internal services by router external IP

Mon May 25, 2020 6:12 pm

Thanks guys.
Both forward dst-natted rules and hairpin NAT did the trick.
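Putting the two answers together, below is an added example of the complete RouterOS configuration this kind of setup needs: the DNAT rule for the reverse proxy, the hairpin masquerade anav points to, and Sob's connection-nat-state=dstnat accept rule placed ahead of the guest drop rule. It was written for this thread and is not taken from the posts above or from MikroTik's documentation. The subnets 10.0.0.0/24 and 10.10.0.0/24 and the interface names bridge and bridge-guests come from the first post; the WAN uplink name ether1, the reverse proxy address 10.0.0.10 and the forwarded ports 80/443 are assumptions.

```routeros
# Assumed names: WAN uplink is ether1, the home bridge is "bridge", the guest
# bridge is "bridge-guests", and the nginx reverse proxy sits at 10.0.0.10.
# Addressing (10.0.0.0/24 home, 10.10.0.0/24 guests) is taken from the post.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=bridge-guests list=LAN

/ip firewall nat
# Normal outbound masquerade for everything leaving on the WAN uplink
add chain=srcnat out-interface-list=WAN action=masquerade comment="internet access"
# Port forward: any TCP packet addressed to one of the router's own addresses
# (dst-address-type=local) on 80/443 goes to the reverse proxy. Matching the
# router's local addresses instead of a hard-coded public IP keeps the rule
# valid when the WAN address changes, and it matches from WAN and from the LANs.
add chain=dstnat dst-address-type=local protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=10.0.0.10 comment="DNAT to nginx"
# Hairpin: when a client behind the router reaches the proxy through the DNAT
# rule, rewrite the source so the proxy answers via the router. For the home
# LAN this is mandatory (client and proxy share a subnet, so the reply would
# otherwise bypass the router and the connection breaks); for the guest VLAN it
# also means the proxy only ever sees the router as the source.
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.10 protocol=tcp dst-port=80,443 \
    action=masquerade comment="hairpin from home LAN"
add chain=srcnat src-address=10.10.0.0/24 dst-address=10.0.0.10 protocol=tcp dst-port=80,443 \
    action=masquerade comment="hairpin from guest VLAN"

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Only port-forwarded connections may cross from guests into the home LAN, and
# only towards the proxy: guests gain exactly the services that are already
# exposed to the internet and nothing else.
add chain=forward in-interface=bridge-guests connection-nat-state=dstnat \
    dst-address=10.0.0.10 action=accept comment="guests reach the exposed proxy only"
add chain=forward in-interface-list=WAN connection-nat-state=dstnat action=accept \
    comment="internet to forwarded ports"
add chain=forward in-interface=bridge-guests out-interface-list=WAN action=accept \
    comment="guest internet"
add chain=forward in-interface=bridge-guests action=drop comment="guests reach nothing else"
```

The accept rule for dstnat connections is deliberately narrowed to in-interface=bridge-guests and dst-address=10.0.0.10 rather than a bare connection-nat-state=dstnat match, so that adding a new port forward later does not silently open it to the guest VLAN as well. To confirm the rules are being hit from a guest client, watch the counters with /ip firewall filter print stats and /ip firewall nat print stats while opening the external name from the guest network.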