A few words about NAT hairpinning
NAT hairpinning is a very useful thing if you have something service (ssh, http, etc) behind router but don't want specify local address when you are inside local network. So, usually SNAT (or masquerading in some cases) works like this:
Good article about hairpinning (and images located below too) from MikroTik wiki is here
In a nutshell, all requests comes through router and he can manipulate with client (188.8.131.52) and server (192.168.1.2) dst and src addresses. And in this case connection is established.
But when you try connect to 184.108.40.206 from 192.168.1.10:
Response from server goes directly from 192.168.1.2 to 192.168.1.10 and connection is dropped. Because initial connection was made to 220.127.116.11, not to 192.168.1.2.
And to fix this funny issue, we need just one srcnat (or masquerade, which maybe more easy to setup) rule:
All requests from local network to webserver that comes through router must be NAT-ed
(sure, in normal situations requests between two local hosts will go directly to each other using L2 OSI model)
In this case, router will send request to web-server from his local-network interface, and after he receives response - replace web-server src address (192.168.1.2) to 18.104.22.168 and dst address from 192.168.1.1 to 192.168.1.10
From MikroTik Wiki:
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \ dst-address=192.168.1.2 protocol=tcp dst-port=80 \ out-interface=LAN action=masquerade
or if you prefer WebFig:
and as action, set it to masquerade or srcnat to router local-ip:
That's all for now :)