I don’t know what the problem is, but your pinhole rule is not applicable. Traffic from 192.168.1.8 to 192.168.1.9 doesn’t go through the router’s NAT, since they are in the same subnet. However, many newer combo wired/wireless routers set up WiFi/LAN isolation by default. That allows “guests” in a household to access the internet, but not interfere with anything else in the house. Look for such a feature in the router’s firmware.
You almost certainly don’t want a NAT pinhole, especially without SSL.
It is the common name for a firewall rule that performs Destination Network Address Translation (DNAT) inwards from a WAN to a LAN. An external client connection to the router public address and a specific port has its destination address munged to the private address of the rule target as the packets travel into the LAN.
Generic NAT is more properly known as Source Network Address Translation, outwards from LAN to WAN. An internal client connection to an address on the WAN side has the LAN source address munged to the routers WAN address on the way out so replies are routeable. This requires the router to maintain a state table so replies can be forwarded to the correct internal client.
Source NAT outbound is generally not port-specific (though it can be)–any port numbers may be used–so is conceptually a “wide-open window” view out to the world. Destination NAT inbound is almost always port-specific (though there are 1:1 NAT applications), so is conceptually a “tiny pinhole” view into the local network.