so.... i know there is plenty of Q and also A out there about this particular setting, but I'm confused.
it's commonly known/advised that one should specify destination and interface and what's not or even avoid masquerading at all, but i don't see a reason why i should not do it like this for my soho: above beauty does the following:
- masks my websurfing activity, so i can reach e.g. this forum, as i'm supposed to
- does the hairpin nat thingy, so i can reach my server from in and outside my home network by its domain name (which resolves to my public address)
- leaves ipsec traffic be

so... where's the catch for not using this simple rule? does it pose security risk? creates loops? what should i pay attention to if using this rule? single rule is 100% simpler than having two rules and only increases cpu load for a few % comparing to have a dst-nat and ip address, so... ?

- does the hairpin nat thingy, so i can reach my server from in and outside my home network by its domain name (which resolves to my public address)

And have you checked your server's log, from where all the visitors seem to be coming from? With this beauty, every single one of them, even those from internet, will have source address equal to your router's LAN address. If you don't mind that, then the rule is probably ok.

yes, that was the drawback

Btw, I wouldn't worry about two rules instead of one. NAT rules are processed only once for each connection, right at the beginning. For all further packets it's connection tracking that handles things, and it happens in any case.

i'm not worried about cpu, just readability and the fact, that there is many mis-info, including some on wiki, outside about how to setup mt router.

If you have only one LAN subnet and one WAN connection, and your network configuration/routing table aren't changing a lot, there aren't a lot of downsides to masquerade. For any NAT translation, the firewall/router needs to know the IP address to use...and masquerade does a lookup of the outgoing interface IP address to find it (and cache it). So, if your WAN connection gets it's IP address via DHCP, masquerade action in a src-nat is your only option. The Mikrotik default configuration take this approach since they also enable DHCP client on WAN interface in most case, so you're in good company.

The reason you see discussion/cautions about using masquerade is that while it appears simple, it can increase CPU load since it has to search all cached connections to update them if interfaces or IP address change. So if WAN connection is using a static public IP address, you can replace "masquerade" with "src-nat" action along with the public IP address of the WAN connection, which is "more clean" if you really do have a static IP on WAN, and never have to worry about CPU usage. Again, it likely doesn't matter in your configuration if you have a simple LAN and WAN, but if that's true you'd be better starting with one of MIkrotik default configuration and try to understand what it's doing since it's actually a reasonable base for things like Firewall Filters and has other "best practice" defaults you might want to consider.

Finally, you might want to just specify the interface you want the NAT applied too...seem like you figured that out based on post above, but both src-nat and masquerade should only be applied to an interface (or interface list) that need them. In the top example here, the NAT configuration is getting applied to ALL traffic that hits the router, which may be why your server works. But you'd be better of using additional dst-nat if you want the server exposed on the internet.