tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Problem with Hairpin & Verizon Fios (Frontier)

Thu May 11, 2017 8:08 pm

My hairpin setup has always worked. Yesterday we installed a MikroTik behind a Verizon Fios modem/router and it did not work. We put the MikroTik in the DMZ of the Verizon. We can VPN to it, it's just the hairpin that doesn't work. I think the Verizon is somehow affecting the hairpin. We have never had an issue before. Here is our hairpin setup:

/ip firewall filter

# FORWARD
add chain=forward comment="DST NAT - Port Foward" dst-address=192.168.1.20 \
dst-port=81 protocol=tcp

/ip firewall nat

# DST-NAT
add action=dst-nat chain=dstnat comment="Port Foward" dst-port=81 \
dst-address-type=local protocol=tcp to-addresses=192.168.1.20

# SRC-NAT
add chain=srcnat comment="Hairpin" src-address=192.168.1.0/24 \
dst-address=192.168.1.20 protocol=tcp dst-port=81 \
out-interface=ether3-lan action=masquerade
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with Hairpin & Verizon Fios (Frontier)

Fri May 12, 2017 3:37 am

It sounds like the public address is on the other router. In that case, your dstnat rule can't work, because it's looking for packets destined to a local address. And if the public address is somewhere else, it's not local.

You'll need another dstnat rule with dst-address=<your public address> instead of dst-address-type=local. That would be a problem for dynamic addresses, but it's solvable if you put your dynamic hostname in an address list, let RouterOS resolve it and use dst-address-list=<list with your hostname>.
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Problem with Hairpin & Verizon Fios (Frontier)

Fri May 12, 2017 5:10 am

The weird thing is, it works when using another ISP at another location. It seems the problem is somehow with Verizon. We did the exact same thing with Time Warner and it works fine.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with Hairpin & Verizon Fios (Frontier)

Fri May 12, 2017 5:23 am

It really can't (*), because a rule with dst-address-type=local won't catch any packets for a public address which is somewhere else.

(*) But it can work if hairpin NAT is performed by the other router.
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Problem with Hairpin & Verizon Fios (Frontier)

Fri May 12, 2017 5:52 am

You may be right! I forgot that I used an internal IP address for the camera system, so that's why it was working.

Can you help me figure out a way to make it work? A lot of times we have to put the MikroTik behind the client's router in the DMZ zone because the client's router can't be bridged. We have no other option. I don't like to forward ports, but sometimes the clients request it. When we do, we need the hairpin to work.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with Hairpin & Verizon Fios (Frontier)

Fri May 12, 2017 3:39 pm

As I already wrote, you just need to change the dstnat rule:

/ip firewall address-list
add address=<your dynamic hostname> list=my-public-address
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Foward" dst-address-list=\
    my-public-address dst-port=81 protocol=tcp to-addresses=192.168.1.20

If you don't already have some dynamic hostname, you can get one using IP->Cloud on the router.
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Problem with Hairpin & Verizon Fios (Frontier)

Fri May 12, 2017 5:29 pm

Thanks. I would like to use the IP cloud from the router. What would that look like if you wrote it that way?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with Hairpin & Verizon Fios (Frontier)

Fri May 12, 2017 6:24 pm

If you enable it, it will give you a hostname in the form <something>.sn.mynetname.net and you'll use address=<something>.sn.mynetname.net in the address list.
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Problem with Hairpin & Verizon Fios (Frontier)

Fri May 12, 2017 6:51 pm

I got it. Thanks. I will test it out.
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Problem with Hairpin & Verizon Fios (Frontier)

Fri May 12, 2017 6:53 pm

Do I need to remove my current dst-nat rule in order for this new one to work?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Problem with Hairpin & Verizon Fios (Frontier)

Fri May 12, 2017 7:32 pm

Connections from the internet (using the forwarded port) will still go to 192.168.1.20. So either keep the old rule, or if you remove it, you'd have to add 192.168.1.20 to the address list.
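
Added example, not part of the thread and not RouterOS code: a simplified Python model of the two dstnat matchers discussed above, tracing a LAN client that connects to the public address on port 81. The router LAN address 192.168.1.1, the client 192.168.1.50, the public address 203.0.113.10 and the WAN address 10.0.0.2 are constructed assumptions; the subnet, server and port come from the posts.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")       # LAN subnet from the thread
SERVER = ip_address("192.168.1.20")      # port-forward target from the thread
ROUTER_LAN = ip_address("192.168.1.1")   # assumed LAN address of the MikroTik
PUBLIC = ip_address("203.0.113.10")      # constructed public address (documentation range)
DMZ_WAN = ip_address("10.0.0.2")         # constructed WAN address handed out by the ISP router

# Addresses configured on the MikroTik itself in each topology.
DIRECT = {ROUTER_LAN, PUBLIC}            # MikroTik holds the public address
BEHIND_ISP = {ROUTER_LAN, DMZ_WAN}       # public address lives on the ISP router

def dstnat(pkt, router_addrs, matcher):
    """Model of the dstnat rule for tcp/81 with one of the two matchers from the thread."""
    if pkt["dport"] != 81:
        return pkt, False
    if matcher == "dst-address-type=local":
        hit = pkt["dst"] in router_addrs     # only addresses assigned to this router
    elif matcher == "dst-address-list":
        hit = pkt["dst"] == PUBLIC           # list entry resolved from the dynamic hostname
    else:
        raise ValueError(matcher)
    return ({**pkt, "dst": SERVER}, True) if hit else (pkt, False)

def hairpin_srcnat(pkt):
    """Model of the masquerade rule: LAN source to the LAN server leaves as the router."""
    if pkt["src"] in LAN and pkt["dst"] == SERVER and pkt["dport"] == 81:
        return {**pkt, "src": ROUTER_LAN}
    return pkt

def lan_client_to_public(router_addrs, matcher):
    """Trace a LAN client connecting to the public address on port 81."""
    pkt = {"src": ip_address("192.168.1.50"), "dst": PUBLIC, "dport": 81}
    pkt, natted = dstnat(pkt, router_addrs, matcher)
    if not natted:
        return "no dstnat match: routed upstream unchanged"
    pkt = hairpin_srcnat(pkt)
    return f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}"

if __name__ == "__main__":
    for name, addrs in (("direct", DIRECT), ("behind ISP router", BEHIND_ISP)):
        for matcher in ("dst-address-type=local", "dst-address-list"):
            print(f"{name:18} {matcher:24} {lan_client_to_public(addrs, matcher)}")
```

With the router behind the ISP device, only the address-list matcher rewrites the destination, so only then does the hairpin masquerade rule see the packet.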
