I've had this kind of issue with other routers too, which caused lots of issues with hosting Warcraft III games on our local PvPGN server. Eventually I wrote a patch for the PvPGN server where the people hosting the game can set their LAN IP address so that no masquerading has to be done when players from the same LAN join. Of course, the patch only worked if the players used the same WAN interface to connect to the server.
Here's my version of pragmat's hairpin NAT solution, with a few added advantages:
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=hairpin \
    passthrough=no connection-state=new src-address=192.168.10.0/24 \
    dst-address=!192.168.10.0/24 dst-address-type=local \
    comment="0: Mark new hairpin connections (LAN source, destination is one of the router's own non-LAN addresses)"
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.10.0/24 \
    out-interface=WAN-1 comment="0: NAT - WAN 1"
add chain=srcnat action=masquerade src-address=192.168.10.0/24 \
    out-interface=WAN-2 comment="1: NAT - WAN 2"
add chain=srcnat action=masquerade connection-mark=hairpin \
    comment="2: NAT - Hairpin (masquerades to the LAN-side router address)"
add chain=dstnat action=jump jump-target=Port-forward in-interface=WAN-1 \
    comment="3: Jump to Port-forward chain with incoming connections from WAN 1"
add chain=dstnat action=jump jump-target=Port-forward in-interface=WAN-2 \
    comment="4: Jump to Port-forward chain with incoming connections from WAN 2"
add chain=dstnat action=jump jump-target=Port-forward connection-mark=hairpin \
    comment="5: Jump to Port-forward chain with hairpin connections"
add chain=Port-forward action=dst-nat to-addresses=192.168.10.10 \
    protocol=tcp dst-port=21,80,443 \
    comment="6: Port Forward - FTP, HTTP & HTTPS Server"
add chain=Port-forward action=dst-nat to-addresses=192.168.10.11 \
    protocol=tcp dst-port=6112 comment="7: Port Forward - PvPGN Server"
The major differences between mine and pragmat's solution are:
1) Mine won't NAT local-to-local traffic, unless the destination address isn't a local address.
2) Mine requires only 1 port forward entry, not 1 for the hairpin port forwarding and 1 for the WAN -> internal network port forwarding.
3) I've added 2 WAN interfaces, and both port forward using common dst-nat entries.
* Notes:
1) I'm not sure if my connection marking would work for UDP connections too. I would appreciate it if someone could tell me if it would work or not!
2) Like fewi mentioned earlier: masquerading local IP addresses to a local server could mess up your tracking of local users.
The preferred solution is to use DNS, where your internal DNS server replies to local clients with the local IP address, but in some cases (like above, with the PvPGN server) where DNS entries don't work, you have to use a hairpin NAT solution OR patch the application.
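To make the packet flow through the rule set above concrete, here is an added Python model of it (an editor's example; it is not code from the post and not RouterOS itself). It walks the first packet of a new connection through the mangle prerouting mark, the dstnat jump, a routing decision and the srcnat masquerade with first-match semantics, the way the three tables above are ordered. The router's own addresses (203.0.113.10 on WAN-1, 198.51.100.20 on WAN-2, 192.168.10.1 on the LAN) and the default route via WAN-1 are assumptions; the post does not list them. The model shows the cases the post distinguishes: plain LAN-to-LAN traffic is left untouched, LAN traffic to the router's public address is dst-natted to the server and masqueraded to the LAN gateway address, and WAN traffic is forwarded with its source unchanged. On the UDP question in note 1: the mangle rule carries no protocol match, and the Linux connection tracking that RouterOS builds on tracks UDP flows too, so the first datagram of a UDP flow is connection-state=new and gets marked; what limits UDP in this rule set is the Port-forward chain, which only matches protocol=tcp, and the model reflects that.

```python
"""Model of the hairpin-NAT rule set from the post (constructed example, not RouterOS)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.10.0/24")

# Addresses the router itself owns, one per interface. Constructed sample values
# (documentation ranges); the post does not give them.
ROUTER_ADDRS = {
    "WAN-1": ipaddress.ip_address("203.0.113.10"),
    "WAN-2": ipaddress.ip_address("198.51.100.20"),
    "LAN": ipaddress.ip_address("192.168.10.1"),
}
WAN_IFACES = ("WAN-1", "WAN-2")

# The Port-forward chain from the post: (protocol, dst-port) -> to-addresses.
PORT_FORWARD = {
    ("tcp", 21): "192.168.10.10",
    ("tcp", 80): "192.168.10.10",
    ("tcp", 443): "192.168.10.10",
    ("tcp", 6112): "192.168.10.11",
}


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the first packet of the connection arrived on
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Outcome:
    conn_mark: Optional[str]  # connection mark set in mangle prerouting
    dst: str                  # destination after the dstnat chain
    src: str                  # source after the srcnat chain
    out_iface: str            # "LAN", "WAN-1", "WAN-2" or "local" (handled by the router)


def is_router_addr(addr: ipaddress.IPv4Address) -> bool:
    """dst-address-type=local: the address is assigned to the router itself."""
    return addr in ROUTER_ADDRS.values()


def egress(dst: ipaddress.IPv4Address) -> str:
    """Routing decision. Assumption: LAN directly attached, default route via WAN-1."""
    return "LAN" if dst in LAN else "WAN-1"


def process(pkt: Packet) -> Outcome:
    """Walk the first packet of a new connection through mangle -> dstnat -> route -> srcnat."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # mangle prerouting rule 0: LAN source, destination outside the LAN but owned by the
    # router (one of its WAN addresses). No protocol match, so UDP flows qualify as well.
    mark = "hairpin" if (src in LAN and dst not in LAN and is_router_addr(dst)) else None

    # dstnat rules 3-5: jump to Port-forward for WAN ingress or hairpin connections,
    # where rules 6-7 rewrite the destination if protocol and port match.
    new_dst = dst
    if pkt.in_iface in WAN_IFACES or mark == "hairpin":
        target = PORT_FORWARD.get((pkt.proto, pkt.dport))
        if target is not None:
            new_dst = ipaddress.ip_address(target)

    # Anything still addressed to the router goes to its input chain; no srcnat applies.
    if is_router_addr(new_dst):
        return Outcome(mark, str(new_dst), pkt.src, "local")

    out = egress(new_dst)

    # srcnat rules 0-2, first match wins: masquerade LAN sources leaving on a WAN
    # interface, otherwise masquerade hairpin connections. Masquerade substitutes the
    # address of the out-interface, so a hairpinned packet gets the LAN gateway address.
    new_src = src
    if src in LAN and out in WAN_IFACES:
        new_src = ROUTER_ADDRS[out]
    elif mark == "hairpin":
        new_src = ROUTER_ADDRS[out]
    return Outcome(mark, str(new_dst), str(new_src), out)


if __name__ == "__main__":
    for p in (
        Packet("LAN", "tcp", "192.168.10.5", "203.0.113.10", 80),    # hairpin via WAN-1 address
        Packet("LAN", "tcp", "192.168.10.5", "192.168.10.10", 80),   # plain LAN-to-LAN, untouched
        Packet("WAN-2", "tcp", "192.0.2.7", "198.51.100.20", 443),   # forward from the Internet
        Packet("LAN", "udp", "192.168.10.5", "203.0.113.10", 6112),  # marked, but no UDP forward
    ):
        print(p, "->", process(p))
```

Run it directly to see each case printed. To try a rule change, edit PORT_FORWARD or the mark condition and rerun; the model is deliberately per-packet and does not track connection state, so every packet is treated as the first packet of a new connection.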
----
@TheMG, could you perhaps say why you want to restrict the port forward to a specific WAN port? Also, are you talking about restricting the hairpin port forward to a specific WAN port or port forwarding from the Internet to a specific WAN port?
If you simply want to restrict the port forwarding to 1 WAN port from the Internet and you're using my solution, then simply remove rule #3 or #4 in my example.
It would be quite complicated to restrict hairpin port forwarding to a certain WAN interface if the WAN interface has a dynamic IP! Then you'll probably have to write a script to update the rules, like the scripts used for updating DynDNS.