How to forward Mikrotik ports?
There is a MikroTik rb2011UiAS-2HnD router. It was unpacked just today and we started installing it. The Internet is now available across the entire organization and everything is OK, but I can't forward the port to our server where the site is hosted (port 80).
There is an external IP 94.24.253.22 (Eth 1).
A hub with many connections is connected to Eth 2, including the site.
And the internal IP (where the site is located) is 10.102.10.32.
I searched the Internet and did everything according to the instructions. I don't understand what I'm doing wrong. I did everything as it should be done. At first, access via the external IP led to the web interface of the router, but I fixed that by changing the port. It seems that everything was done correctly, but the site does not open. Help, I don't know where to dig anymore... I'm ready to provide screenshots of any sections.
Usually, this requires two rules (at least with settings generated via Quick Set). You wrote one of them (the port forwarding itself, in IP -> Firewall -> NAT). The second rule must be written in IP -> Firewall -> Filter, in the forward chain. It must allow traffic from the external interface to the server's internal IP address on the desired port, and it must be placed above the default rule that prohibits traffic from the external interface to internal interfaces or IP addresses.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Allow any to our webserver" dst-address=1.2.3.4 dst-port=\
80,443 in-interface=ether1 protocol=tcp to-addresses=10.4.1.1
As already written above, in addition to the port forwarding rule you need a rule in the forward chain so that the system passes traffic that satisfies these conditions:
- incoming address / port on the external interface
- destination = your server
I advise you to temporarily (!) add logging to each rule (the log checkbox in Winbox, or the log and log-prefix parameters in the console) and add a prefix, so that you can see the traffic in the log and track when each rule is executed. You can also reset the traffic counters to see which specific rules increment them.
Port 80 on MikroTik is occupied by the web interface by default, therefore:
# Change the port of the web interface and turn it off altogether
# (the service is addressed by name; a bare item number is only valid after a print)
/ip service set www port=8080 disabled=yes
# Rule allowing connection from outside
/ip firewall filter
add action=accept chain=forward comment=WEB dst-address=10.102.10.32 \
dst-port=80,443 protocol=tcp
/ip firewall filter move [find comment="WEB"] 0
/ip firewall nat
add action=netmap chain=dstnat comment=WEB dst-port=80,443 \
in-interface=ether1 protocol=tcp to-addresses=10.102.10.32
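Added example, not part of the original answers: a small Python model of why rule order in the forward chain decides whether the forwarded port works. The export text, the "drop from WAN" rule and all function names are constructed for illustration; only a few matchers are modelled, with exact values and no CIDR.

```python
import shlex

# Constructed export, not taken from the thread: the WEB accept rule sits
# below a drop rule for traffic entering on the external interface.
EXPORT = r'''
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="drop from WAN" in-interface=ether1
add action=accept chain=forward comment=WEB dst-address=10.102.10.32 \
    dst-port=80,443 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment=WEB dst-port=80,443 \
    in-interface=ether1 protocol=tcp to-addresses=10.102.10.32
'''
# Only these matchers are modelled (exact values or comma lists, no CIDR).
MATCHERS = ("connection-state", "in-interface", "protocol", "dst-address", "dst-port")

def parse_rules(export, section):
    """Return the 'add' lines of one export section as ordered dicts."""
    rules, current = [], None
    for line in export.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current == section:
            rules.append(dict(t.split("=", 1) for t in shlex.split(line)[1:]))
    return rules

def post_nat_packet(nat_rule, port):
    """New TCP connection as the forward chain sees it: dst-nat already applied."""
    return {"connection-state": "new", "in-interface": nat_rule["in-interface"],
            "protocol": nat_rule["protocol"], "dst-address": nat_rule["to-addresses"],
            "dst-port": str(port)}

def first_match(rules, chain, packet):
    """First-match evaluation; returns (rule index, action)."""
    for index, rule in enumerate(r for r in rules if r.get("chain") == chain):
        if all(packet[k] in rule[k].split(",") for k in MATCHERS if k in rule):
            return index, rule["action"]
    return None, "accept"  # no rule matched: RouterOS lets the packet through

def move_to_top(rules, comment):
    """Model of: /ip firewall filter move [find comment="WEB"] 0"""
    hit = [r for r in rules if r.get("comment") == comment]
    return hit + [r for r in rules if r.get("comment") != comment]

if __name__ == "__main__":
    flt = parse_rules(EXPORT, "/ip firewall filter")
    pkt = post_nat_packet(parse_rules(EXPORT, "/ip firewall nat")[0], 80)
    print("as exported:", first_match(flt, "forward", pkt))
    print("after move :", first_match(move_to_top(flt, "WEB"), "forward", pkt))
```

The filter sees the packet with the translated destination (10.102.10.32), which is why the accept rule matches on the internal address rather than the external one.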