Hairpin - email

Hello, I am having trouble with hairpin.

Not even close to being a networking engineer, I only partly understand what I'm doing, which is a bit dangerous when it is about firewalling. So here is my problem. I am trying to have RouterOS send me an email, which always ends up with "Error sending e-mail <email-test>: timeout occurred".

My email server is up and running and I have tried to send an email to myself from outside my network with success.

So I suppose that I have a problem with hairpin (which wouldn’t be so surprising). I have set up the following rules for hairpinning (all my rules, but only email-related seem to fail)

1 ;;; hairpin tcp interne
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.xx out-interface-list=LAN log=no log-prefix=""

2 ;;; hairpin udp interne
chain=srcnat action=masquerade protocol=udp src-address=192.168.1.0/24 dst-address=192.168.1.xx out-interface-list=LAN log=no log-prefix=""

3 ;;; hairpin tcp 443
chain=dstnat action=dst-nat to-addresses=192.168.1.xx to-ports=443 protocol=tcp dst-address=<public IP> dst-port=443 log=no log-prefix=""

4 ;;; hairpin tcp 465
chain=dstnat action=dst-nat to-addresses=192.168.1.xx to-ports=465 protocol=tcp dst-address=<public IP> dst-port=465 log=no log-prefix=""

5 ;;; hairpin tcp 993
chain=dstnat action=dst-nat to-addresses=192.168.1.xx to-ports=993 protocol=tcp dst-address=<public IP> dst-port=993 log=no log-prefix=""

6 ;;; hairpin udp2
chain=dstnat action=dst-nat to-addresses=192.168.1.xx to-ports=49273-49393 protocol=udp dst-address=<public IP> dst-port=49273-49393 log=no log-prefix=""

7 ;;; hairpin udp1
chain=dstnat action=dst-nat to-addresses=192.168.1.xx to-ports=3478 protocol=udp dst-address=<public IP> dst-port=3478 log=no log-prefix=""

Do I do it correctly in general, and what fails on email in particular (of course I have checked the ports I use)?

I'm not a network engineer either, but as far as I know, hairpin NAT doesn't work that way. It doesn't need an external IP address, only the internal LAN.

ip/firewall/nat add action=masquerade chain=srcnat comment=HairPIN_NAT dst-address=192.168.1.0/24 protocol=tcp src-address=192.168.1.0/24

My rule looks like this:

ip/firewall/nat add action=masquerade chain=srcnat comment=HairPIN_NAT dst-address=192.168.88.0/24 dst-port=!8291 protocol=tcp src-address=192.168.88.0/24 src-port=!8291

I excluded the Winbox port because the router was becoming unavailable, but I don't remember where it was unavailable from. Maybe from The Dude installed inside. Just check that Winbox is working after configuring hairpin NAT.

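For reference, here is the hairpin NAT rule set as it is usually built on RouterOS for a single forwarded service. This is an added example, not the configuration of either poster; it assumes a mail server at 192.168.1.10, a fixed public address 203.0.113.5, a LAN of 192.168.1.0/24 and interface lists named LAN and WAN (all hypothetical). It shows both halves: the dst-nat on the public address, which RouterOS evaluates for LAN clients as well as for Internet clients, and the masquerade that is only needed for the LAN-to-LAN case.

```routeros
# Added example, not from the thread. Assumed: mail server 192.168.1.10,
# public address 203.0.113.5, LAN 192.168.1.0/24, interface lists LAN and WAN.
/ip firewall nat

# 1. Port forward. The dstnat chain runs for packets arriving from the LAN
#    too, so a LAN client that connects to 203.0.113.5:465 is redirected to
#    the server exactly like an Internet client.
add chain=dstnat dst-address=203.0.113.5 protocol=tcp dst-port=465 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=465 \
    comment="smtps to mail server"

# 2. Hairpin. Without this rule the server sees the client's real LAN address
#    and answers it directly on the LAN, bypassing the router. The client was
#    waiting for a reply from 203.0.113.5, drops the packet, and the session
#    looks exactly like a timeout. Matching on the server address instead of
#    the whole LAN keeps every other LAN-to-LAN flow untouched.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 \
    protocol=tcp dst-port=465 action=masquerade \
    comment="hairpin smtps"

# 3. Ordinary Internet masquerade stays as the last srcnat rule.
add chain=srcnat out-interface-list=WAN action=masquerade \
    comment="default masquerade"

# Check: connect from a LAN host to the public address and confirm that the
# counters of rule 1 and rule 2 both increase.
/ip firewall nat print stats
```

Two practical notes. If the WAN address is dynamic, the dstnat rule can match `dst-address-type=local` instead of a literal address, at the cost of also catching connections to the router's LAN address on that port. And the masquerade deliberately hides the client's real address from the server, so its logs will show the router's LAN address for every hairpinned session; keep the rule as narrow as shown so that only the forwarded service loses that information.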

After a lot of digging, it seems that the problem does not originate from my hairpinning configuration but from a problem of trust between my router and my mail server. I keep digging.

Thanks a lot anyway for your response.

Some ISPs block SMTP ports to customer IPs; you might want to confirm with your provider whether they need to do something to allow it.


Hello and thanks for answering,

The problem is not the ISP. I have already dealt with that problem long ago and now use an SMTP forwarder. The problem was that my MikroTik was not trusted (absence of a certificate). So I have imported a certificate and that solved the problem. But it took a while to figure out the problem since the mail provider I use to check if my SMTP works … itself has a certificate problem, so I couldn't retrieve my email from the mail provider. I thought I had a problem sending, but the fact was I had a problem retrieving from the email provider.

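The fix described in the last post, importing the CA so the router can validate the mail server's certificate, looks like this on RouterOS. This is an added example rather than the poster's own commands; it assumes RouterOS v7 syntax for `/tool e-mail` (v6 used `address=` instead of `server=`), a submission host smtp.example.net on port 465 with implicit TLS, and that the CA certificate has been uploaded to the router's Files list as ca.crt (all hypothetical names).

```routeros
# Added example, not from the thread. Assumed: RouterOS v7, server
# smtp.example.net:465 with implicit TLS, CA certificate uploaded as ca.crt.

# 1. Import the CA (or the server's own certificate) into the trust store.
#    Without a trusted chain, a TLS session to the server is abandoned,
#    and the e-mail tool reports it as a timeout rather than a trust error.
/certificate import file-name=ca.crt passphrase=""

# 2. Point the e-mail tool at the server with TLS enabled. Use a dedicated
#    low-privilege mailbox for the router; the password is stored in the
#    router configuration.
/tool e-mail set server=smtp.example.net port=465 tls=yes \
    from=router@example.net user=router@example.net password="changeme"

# 3. Send a test message and read the e-mail topic in the log instead of
#    guessing from the client side.
/tool e-mail send to=admin@example.net subject="router test" \
    body="hello from RouterOS"
/log print where topics~"e-mail"
```

Separating the two paths is the lesson of the thread: confirm in the router log that the submission to the server succeeded before testing retrieval with a mail client, since a retrieval-side certificate problem at the provider produces the same symptom of "no mail arrived".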