System administration
Vladimir, 2015-08-17 14:57:32

How to configure access (RDP) by external name from the local network (MikroTik acts as a gateway)?

The problem is that inside the network you cannot connect via RDP to the server by domain name (by external IP too), but only by local "gray" IP. Everything works from anywhere else. As far as I understand, you need to dig towards NAT, or rather NAT-loopback, but I can’t figure out how to implement this on MikroTik. If I'm wrong, please correct me. I will be grateful for any help.


4 answer(s)
TyzhSysAdmin, 2015-08-17
@volkrin

The easiest way, and probably the correct one - on Mikrotik, in DNS, register domain.name -> internal ip.
Then all clients will receive an internal ip from the tick and there is no need to torture the piece of iron.
Of course, if all your users do not sit on static AND Google dns :)

Stealth13, 2016-03-12
@Stealth13

And I wanted to share my experience.
The task was probably banal: it was necessary to forward ports on Mikrotik to internal network resources, but in such a way that these internal resources could be reached using Mikrotik's Internet domain name both from the Internet and from within the network. Plain, head-on port forwarding works only for requests from the Internet; when accessing by the external domain name from within the local network, we get a failure. There were 2 solutions on the Internet: the first was to register a "Static DNS" entry in Mikrotik's DNS, domain.name -> Internal_IP_address_of_resource, after which all requests to the domain name within the network are directed to that internal resource. But this is not suitable when there are several internal resources rather than one, because a "Static DNS" entry can point to only one resource. The second solution is Hairpin NAT, described in the Wiki: wiki.mikrotik.com/wiki/Hairpin_NAT . However, it also has problems if the external IP address is dynamic and changes frequently (with a domain name from dyndns, for example): in Hairpin NAT as described in the Wiki, the NAT rules must specify the external IP, which is unacceptable when it changes frequently. On reflection, I came up with the following "ideal" solution, combining both methods into one:
/ip dns static
add address=192.168.88.1 name=myname.dyndns.org
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1-gateway
(this is the standard masquerade rule, usually present in the default configuration)
add action=dst-nat chain=dstnat comment=RDP dst-address-type=local dst-port=3389 protocol=tcp to-addresses=192.168.88.2
add action=masquerade chain=srcnat dst-address=192.168.88.2 dst-port=3389 out-interface=bridge-local protocol=tcp src-address=192.168.88.0/24
(2 such lines for each port forwarding)
I.e. we register in the static DNS a mapping from the domain name to the internal IP address of the router (and not of the internal resource!). Any client within the network will reach the router by domain name.
We write 2 rules for each forwarding - one for mapping, the second for masquerading. Thus, we get rid of the need to necessarily specify the external IP address in the NAT rules, which often changes with us.
This approach has been tested and works successfully on my network. It is more versatile than those described earlier, so I decided to share my experience, maybe it will come in handy for someone.
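As an added example (not from the original thread or from MikroTik's documentation), here are TyzhSysAdmin's split-horizon DNS approach and Stealth13's hairpin NAT approach written out side by side for a RouterOS box with LAN 192.168.88.0/24, router LAN address 192.168.88.1, WAN on ether1-gateway and LAN bridge bridge-local, as in the answer above. The hostnames rdp.example.com and myname.dyndns.org, the second server 192.168.88.3 and the alternate port 13389 are constructed for illustration. It goes slightly beyond the answer: one hairpin masquerade rule covers every forwarding instead of one masquerade rule per port, and the resolver is limited to the LAN side.

```routeros
# Added example, not the thread's own configuration. Assumed layout:
#   LAN 192.168.88.0/24, router LAN IP 192.168.88.1, WAN ether1-gateway,
#   LAN bridge bridge-local, RDP servers 192.168.88.2 and 192.168.88.3 (constructed).

# Prerequisite for BOTH approaches: LAN clients must use the router as resolver,
# otherwise its static records are never consulted (the "Google DNS" caveat).
/ip dns set allow-remote-requests=yes
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1
# allow-remote-requests=yes answers on every interface; if your input chain does
# not already drop unsolicited WAN traffic, keep the resolver off the Internet.
/ip firewall filter
add chain=input in-interface=ether1-gateway protocol=udp dst-port=53 action=drop comment="no open resolver"
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=53 action=drop comment="no open resolver"

# --- Approach A (split-horizon DNS): name resolves straight to the server ---
# Works for exactly one resource per name; no NAT involved on the LAN side.
/ip dns static add name=rdp.example.com address=192.168.88.2

# --- Approach B (name -> router + hairpin NAT): many resources, dynamic WAN IP ---
# The dyndns name points at the router's LAN address inside the network, so LAN
# clients hit the same dst-nat rules that Internet clients hit via the WAN IP.
/ip dns static add name=myname.dyndns.org address=192.168.88.1

/ip firewall nat
# Standard outbound masquerade from the default configuration.
add chain=srcnat out-interface=ether1-gateway action=masquerade comment="defconf: masquerade"
# dst-address-type=local matches any address the router itself owns, so the rule
# holds whatever the WAN address currently is and also for 192.168.88.1.
add chain=dstnat dst-address-type=local protocol=tcp dst-port=3389 action=dst-nat \
    to-addresses=192.168.88.2 comment="RDP -> srv1"
add chain=dstnat dst-address-type=local protocol=tcp dst-port=13389 action=dst-nat \
    to-addresses=192.168.88.3 to-ports=3389 comment="RDP -> srv2 (alternate public port)"
# One hairpin rule for all forwardings: when a LAN client reaches a LAN server
# through the router, the source is rewritten to the router's LAN address, so the
# server's reply returns via the router instead of going directly to the client
# (which would arrive from 192.168.88.2, not from the address the client dialed).
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    out-interface=bridge-local action=masquerade comment="hairpin"
```

The hairpin rule only touches traffic that is actually routed through the router back onto the LAN, so ordinary host-to-host traffic within the subnet, which never transits the router, is unaffected. Because dst-address-type=local matches the WAN address too, each forwarded port is reachable from the Internet by design; if a service only needs to be reachable from known networks, narrow the dst-nat rule with src-address or an address list rather than leaving it open.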

throughtheether, 2015-08-18
@throughtheether

inside the network you cannot connect via RDP to the server by domain name (by external IP too),
As far as I understand, you need to dig towards NAT,
Hairpin NAT will help you.

DastiX, 2015-08-17
@DastiX

If some resource is unreachable by name within the local network, then most likely your DNS is configured incorrectly.
Because even if the server faces the Internet and there is an A record, then when resolving on the LAN the local address should be returned first, and only then the external one.
