diff --git a/Agap-Installation.md b/Agap-Installation.md index 9a01360..aa6dcef 100644 --- a/Agap-Installation.md +++ b/Agap-Installation.md @@ -19,6 +19,15 @@ Required mount points: See [[Network]] for full setup: Netplan bridge, Caddy reverse proxy, Pi-hole DNS, and port forwarding requirements. +### Hairpin NAT workaround + +The router does not support hairpin NAT. Add local `/etc/hosts` entries for self-hosted domains so the host can reach them without going through the public IP: + +```bash +echo "127.0.0.1 docs.alogins.net" | sudo tee -a /etc/hosts +echo "127.0.0.1 vw.alogins.net" | sudo tee -a /etc/hosts +``` + ## 3. GPU & Docker ```bash diff --git a/Network.md b/Network.md index cc90f33..7007e5e 100644 --- a/Network.md +++ b/Network.md @@ -82,6 +82,25 @@ vui4.alogins.net { reverse_proxy localhost:58959 } sudo systemctl enable --now caddy ``` +### Hairpin NAT + +The router does not support hairpin NAT — the server cannot reach its own public IP from within the LAN. Services that need to call back to a public domain from the host or from Docker containers must use local overrides. + +Add to `/etc/hosts` on the host for any domain that needs to be reached locally: + +```bash +# Loopback for self-hosted domains (hairpin NAT workaround) +127.0.0.1 docs.alogins.net +127.0.0.1 vw.alogins.net +``` + +For Docker containers, use `extra_hosts` in the compose file: + +```yaml +extra_hosts: + - "docs.alogins.net:host-gateway" +``` + **Port forwarding requirements:** - Ports **80** and **443** forwarded on the router (source and target, remote IP empty) - Port **10051** forwarded for Zabbix active agent connections
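Review bot: In the Agap-Installation.md hunk, the two `echo ... | sudo tee -a /etc/hosts` commands are not idempotent, so re-running the installation steps appends duplicate entries to `/etc/hosts` each time. Guard each append with a check such as `grep -q "docs.alogins.net" /etc/hosts ||` before the `echo`. Alternatively, tell the reader to add the lines by hand, as the Network.md section does. The list of domains is also repeated in both files. Since this page already points to [[Network]] for the full setup, consider keeping the list in one place so the two copies cannot drift apart.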
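Review bot: In the Network.md hunk, the first fenced block is tagged `bash` but holds `/etc/hosts` entries rather than commands. A reader who pastes it into a shell will have `127.0.0.1 docs.alogins.net` executed as a command. Tag the block as plain text, or show the append commands used in Agap-Installation.md. In the `extra_hosts` example, only `docs.alogins.net` is mapped, while the host list also has `vw.alogins.net`. Either add the second domain or state that containers only need the first. It is also worth one sentence noting that `host-gateway` resolves to the host's address on the Docker network rather than to 127.0.0.1. The reverse proxy must therefore accept connections on that interface for the override to work.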