Masquerading doesn't work in your case. Add an explicit SNAT rule for such packets.
In general, everything looks something like this.
1. LAN client -> Mikrotik, 192.168.0.100:4555 -> 1.2.3.4:87 (on the router, this packet will have in-interface ether2, since the packet actually arrived from the local network) - if the rule specifies matching the packet by incoming interface for dst-nat (it is more logical to assume that you have it specified as ether1), then there will be no redirection. Either create two rules, or do not check the incoming interface for forwarded packets, but only the destination address, protocol and port. We move on.
2. Mikrotik -> LAN server, 192.168.0.100:4555 -> 192.168.0.2:87 (output-interface ether2) - Redirection won and packets now successfully fly to LAN after changing the destination address (that's the point of dst-nat ). But what will happen next? The local server receives the packet redirected through the router and responds to it directly, bypassing the router.
3. LAN server -> LAN client, 192.168.0.2:87 -> 192.168.0.100:4555 - This is a response packet from the server. But the client expects packets with source address 1.2.3.4, not these, and discards them. Either silently or explicitly by sending an ICMP message.
That's it. Hence the decision. Nat rules on Mikrotik.
1. Rule for port forwarding from the Internet:

chain = nat/prerouting,
  input-interface = ether1, 
  dst-ip = 1.2.3.4, 
  protocol = tcp, 
  dst-port = 87, 
  action = dst-nat, 
  dst-nat-address = 192.168.0.2, 
  dst-nat-port = 87.

2. Rule for port forwarding from LAN:

chain = nat/prerouting
  input-interface = ether2, 
  dst-ip 1.2.3.4, 
  src-ip = 192.168.0.0/24, 
  protocol = tcp, 
  dst-port = 87, 
  action = dst-nat, 
  dst-nat-address = 192.168.0.2, 
  dst-nat-port = 87.

3. Rule for source-nat so that server response packets also go through the router:

chain = nat/postrouting,
  output-interface = ether2, 
  dst-ip = 192.168.0.2, 
  src-ip = 192.168.0.0/24, 
  protocol = tcp, 
  dst-port = 87, 
  action = src-nat, 
  src-nat-address = 192.168.0.1

Something like that. By the way, you can mark packages from local to local in the FORWARD chain and make src-nat based on the label.

1. In Action: you need to register dst-nat
2. Update the firmware to 6.7. They fixed a bug with hairpin nat
www.mikrotik.com/download/CHANGELOG_6

And I’ll add that if 1.2.3.4 is really static, then instead of a masquerade, it’s better to make src-nat to the address we know.

Much respect for the author of the answer. There is such a problem.
there are two mikrotik CRS125-24G-1S-IN routers and a server 192.168.0.110. (conditionally router A and router B)
The network is built as follows.
1) Port 1 - the Internet comes with a static address (1.2.3.4 (let's say)). 2-24 ports are combined into a switch with a master port 2. DHPC (192.168.0.1/24) is raised with dns from the provider.
# Default masquerading
Chain: src-nat
Out-interface: ether1
Action: masquerade
2) Forwarded port series 9292 , 9090 and so on.
1) reset all settings to zero. all ports are combined in a switch. I didn't create any more rules.
In general, I have a centralized network for 40 machines on the 192.168.0.1 network.
1) Like the author of this question, it is possible to reach the server from outside. from inside zero to ground. I did all three of your suggestions. For some reason it didn't help me. deaf as in a tank. I replaced 192.168.0.2 with 192.168.0.110 (on the server) and still didn't help
2) why Google Facebook sites are blocked and so on. Although I have rb750gl configured at home and all sites stomp normally. For me this is nonsense. I checked the provider. I connected a regular tplink, it easily skips packets. connected a router to it And also normally packets run from under the router. And as soon as I start up the main Internet directly into A router. Google immediately falls off with Facebook, A number of bank sites, etc.
Found that it is necessary to change MTU on the van port. did not help. Moreover, I want to indicate that the sites are pinged from the router. help me please

Hello.
Please tell me how to set up port forwarding.
Available: MikroTik RB951G-2HnD
In MikroTik, refrigeration equipment with the same IP is connected to ports 4 and 5 (1 refrigerator 10.100.1.199, 2 refrigerator 10.100.1.199). The local IP network (192.168.0.2/24) is connected to the 1st port.
Refrigerators are controlled via a web interface on port 80.
Tell me how to set up port forwarding from the local network to refrigerators, for example, at this address (1 refrigerator 192.168.0.2:8000, the second 192.168.0.2:8001)
Thank you in advance for your answer.
PS Reconfiguration of ip refrigerators is not possible

Good day! There is a head office, it has a Mikrotik with a VPN server (PPTP) and a static (white) IP. there are branches and just users who connect via VPN to the head office (at branches we use Mikrotik with a VPN client). There is a task to start up a certain type of traffic inside the VPN without using the static address of the head office, on which this VPN actually rises. Let's say the white IP of the head office is 1.1.1.1, the local is 192.168.0.0/24, the remote office is 192.168.2.0/24. The head office has a server with the address 192.168.0.10 (PBX) and port 4545, so the connection at the branch office needs to work in both directions, not one (you can hear me if you call from the head office, but the subscriber does not).
Sincerely!

I found a mini article for you, I think it will answer your question https://mikrotiklab.ru/nastrojka/probros-portov-mi...