While I'm not usually a big fan of split-horizon DNS, that's probably the best solution here.
Forget the hairpin NAT, use a DNS name to connect to the NVR, and just make sure that the ERL maps the name to the internal 192.168. address. Your external DNS for the same name then points at the 166.152. address.
Devices inside the network will connect directly to the NVR, without going through either the MiFi or the ERL, and devices outside the network will work with "normal" NAT.
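A check for the two DNS views described in the post above, added here as an example and not part of the original reply. The 10.0.0.0/24 LAN and the 10.0.0.50 and 203.0.113.10 addresses are constructed sample values, not the poster's; in practice the two answer lists would come from asking the router's resolver and a public resolver for the same name.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly: Python's is_private also covers
# documentation ranges such as 203.0.113.0/24, used below as a sample
# "public" address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def check_split_horizon(internal_answers, external_answers, lan_cidr):
    """Return a list of problems; an empty list means both views look right.

    internal_answers: A records the router's resolver returns for the name
    external_answers: A records a public resolver returns for the same name
    lan_cidr:         the LAN subnet the NVR sits on
    """
    lan = ipaddress.ip_network(lan_cidr)
    problems = []
    if not internal_answers:
        problems.append("internal view: no answer, LAN clients fall through to public DNS")
    for a in internal_answers:
        if ipaddress.ip_address(a) not in lan:
            problems.append(f"internal view: {a} is outside {lan}, traffic leaves the LAN")
    if not external_answers:
        problems.append("external view: no answer, remote clients cannot find the NVR")
    for a in external_answers:
        if is_rfc1918(a):
            problems.append(f"external view: {a} is RFC 1918, internal address leaked to public DNS")
    if set(internal_answers) & set(external_answers):
        problems.append("both views return the same address, no split horizon in effect")
    return problems


if __name__ == "__main__":
    # Constructed sample answers: a correct setup, then a misconfigured one
    # where the router still hands out the public address.
    print(check_split_horizon(["10.0.0.50"], ["203.0.113.10"], "10.0.0.0/24"))
    for p in check_split_horizon(["203.0.113.10"], ["203.0.113.10"], "10.0.0.0/24"):
        print(p)
```

An empty result means inside clients get the LAN address and outside clients get the public one; the second call shows what is reported when the router's static mapping is missing.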