I’m only going to comment on the “hairpin nat” part of things, because that was the question - however I fully agree that securing your network and router are important, and consideration should be given to that.
Hairpin NAT is used to access “port forwarded” services from not only outside the network, but from the inside as well. Both rules have to be adequately configured for things to work.
The “port forwarding rule” has to filter by the dst ip addr and not the input interface, because when the forwarded service is accessed from the inside, then - well - the connection is coming from inside the network and not outside.
There are two options: One is to maintain an address list containing the external address of the router. I use this approach on my own routers, but it usually means scripting.
The other: use dst-address-type=local, which means that the router is addressed on any of its own addresses. (This may be slightly counter-intuitive: type local doesn’t mean “local” in the sense of “on your LAN”, but means the addresses that are “local to the router itself”, that is: the router’s own addresses.)
So the rule:
/ip/firewall/nat/add chain=dstnat action=dst-nat dst-address-type=local protocol=tcp dst-port=8080 to-addresses=192.168.88.10 to-ports=80
(This rule maps port 8080 to an internal server 192.168.88.10, and sends the connection to port 80.)
The other rule is the actual hairpin rule. I think that hairpin nat should generally be regarded as a not elegant, but sometimes very useful hack. Therefore I usually create hairpin rules to only affect traffic that absolutely needs it (and leave other connections be). This is therefore my hairpin rule corresponding to the above rule:
/ip/firewall/nat/add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=80
Note that when the hairpin (srcnat) rule is executed, the port forwarding (dstnat) has already been done, and the packet now matches the rule in its translated state with regard to its dst address and dst port, as shown in my example. It’s important to include the src-address criterion in the hairpin rule, otherwise all access (even from external sources) will appear as coming from the router’s local address.
Happy hacking!
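As an added illustration (not part of the post above, and not RouterOS code), here is a small Python model of how the two rules are traversed in order, dstnat first and then srcnat, so the hairpin rule sees the already-translated destination. It reuses the post's addresses (192.168.88.0/24, server 192.168.88.10) and assumes placeholder router addresses 203.0.113.5 (WAN) and 192.168.88.1 (LAN) for dst-address-type=local; the restrict_src flag shows what happens when the src-address criterion is left out of the hairpin rule.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Assumed placeholder addresses: the router's own WAN and LAN addresses,
# i.e. what dst-address-type=local matches on.
ROUTER_ADDRS = {"203.0.113.5", "192.168.88.1"}
ROUTER_LAN_ADDR = "192.168.88.1"   # masquerade source when leaving towards the LAN
LAN = ip_network("192.168.88.0/24")
SERVER = "192.168.88.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def dstnat(pkt: Packet) -> Packet:
    """chain=dstnat dst-address-type=local tcp/8080 -> 192.168.88.10:80.
    Matches on the router's own addresses, not on the input interface, so it
    also fires for clients inside the LAN that use the public address."""
    if pkt.dst in ROUTER_ADDRS and pkt.dport == 8080:
        return replace(pkt, dst=SERVER, dport=80)
    return pkt


def srcnat(pkt: Packet, restrict_src: bool = True) -> Packet:
    """chain=srcnat action=masquerade, matched against the TRANSLATED packet.
    restrict_src=True is the post's rule (src-address=192.168.88.0/24);
    restrict_src=False models the same rule with that criterion omitted."""
    from_lan = ip_address(pkt.src) in LAN
    if pkt.dst == SERVER and pkt.dport == 80 and (from_lan or not restrict_src):
        return replace(pkt, src=ROUTER_LAN_ADDR)
    return pkt


def router_nat(pkt: Packet, restrict_src: bool = True) -> Packet:
    """Apply both rules in RouterOS order for a packet the router forwards.
    (Same-subnet LAN-to-server traffic never crosses the router and so never
    reaches either chain; only routed packets are modelled here.)"""
    return srcnat(dstnat(pkt), restrict_src)
```

With the src-address criterion present, an external client still reaches the server with its real source address; without it, every forwarded connection to the server appears to come from 192.168.88.1, which is exactly the logging and filtering problem the post warns about.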