My hairpin setup has always worked. Yesterday we installed a mikrotik behind a Verizon Fios modem/router and it did not work. We put the mikrotik in the dmz of the Verizon. We can VPN to it, it's just the hairpin that doesn't work. I think the Verizon is somehow affecting the hairpin. We have never had an issue before. Here is our hairpin setup:
/ip firewall filter
# FORWARD
add chain=forward comment="DST NAT - Port Foward" dst-address=192.168.1.20 \
dst-port=81 protocol=tcp
/ip firewall nat
# DST-NAT
add action=dst-nat chain=dstnat comment="Port Foward" dst-port=81 \
dst-address-type=local protocol=tcp to-addresses=192.168.1.20
# SRC-NAT
add chain=srcnat comment="Hairpin" src-address=192.168.1.0/24 \
dst-address=192.168.1.20 protocol=tcp dst-port=81 \
out-interface=ether3-lan action=masquerade