The solution is to rewrite the port forwarding to rule to not to use in-interface=ether1-gateway, but dst-address-type=local:
/ip firewall nat add chain=dstnat dst-address-type=local protocol=tcp dst-port=8844 \ action=dst-nat to-address=192.168.111.2 to-port=8844
Then add the hairpin NAT as specified in the original post:
/ip firewall nat add chain=srcnat src-address=192.168.111.0/24 \ dst-address=192.168.111.2 protocol=tcp dst-port=8844 \ out-interface=bridge-local action=masquerade