OPNsense Forum

English Forums => 25.7 Series => Topic started by: herwarth on July 24, 2025, 11:38:02 AM

Title: [SOLVED] Wireguard and NAT reflection
Post by: herwarth on July 24, 2025, 11:38:02 AM
Hello,

I have several VLANs and a port forward (80 and 443) to my web server in a VLAN DMZ. I have a domain name on my WAN address, and I can connect to the web server from outside and all VLANs via the external IP address (via DNS resolve).
The strange thing is that I also have a WireGuard server running on the OPNsense router, but I can't connect to the web server via the external address. NAT reflection/hairpinning is failing here.
I don't see anything being blocked.
I specifically created a WireGuard interface (wg0), and I see in the firewall rules that the NAT reflection rules have been automatically created.
I think something is wrong with the routing because wg0 is a tunnel interface, but I can't figure it out.
Extra note: the clients connected to the WireGuard server running on OPNsense can connect to the internet and all the VLANs.

UPDATE: I was really pulling my hair out, but the solution was not OPNsense related. My config was alright.
The problem was that I have some external web services served via Docker with dynamic network creation. Guess what? Docker decided to use a subnet overlapping the subnet of WireGuard, which of course created a routing problem of packets leaving the Docker host never to return to the OPNsense box...
Put some subnet restrictions in daemon.json on the Docker host and problem solved.
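The root cause in the post above is a Docker-assigned subnet colliding with the WireGuard tunnel subnet. As an added example (not from the original post or from OPNsense/Docker), the script below checks a list of Docker network subnets against the tunnel subnet for overlap and then builds a Docker `default-address-pools` setting for daemon.json that carves its pools out of a base range while excluding the reserved blocks. The subnets, network names and the 172.16.0.0/12 base are constructed sample values; `default-address-pools` is the real daemon.json key Docker uses for this.

```python
import ipaddress
import json

# Constructed sample values (not taken from the forum post): the WireGuard
# tunnel subnet on OPNsense and the subnets Docker happened to pick.
WIREGUARD_TUNNEL = "10.10.10.0/24"
DOCKER_NETWORKS = {
    "bridge": "172.17.0.0/16",
    "app_default": "10.10.10.0/24",   # overlaps the tunnel: this is the bug
    "db_default": "172.18.0.0/16",
}


def find_overlaps(tunnel, docker_networks):
    """Return the names of Docker networks whose subnet overlaps the tunnel."""
    wg = ipaddress.ip_network(tunnel, strict=False)
    return sorted(
        name
        for name, cidr in docker_networks.items()
        if ipaddress.ip_network(cidr, strict=False).overlaps(wg)
    )


def address_pools_avoiding(reserved, base="172.16.0.0/12", size=24):
    """Build 'default-address-pools' entries from `base` that exclude every
    network in `reserved`. Docker hands out /`size` subnets from each pool.
    Two CIDR blocks are either nested or disjoint, so a reserved block is
    either cut out of a candidate range, swallows it, or does not touch it."""
    base_net = ipaddress.ip_network(base)
    remaining = [base_net]
    for r in (ipaddress.ip_network(x, strict=False) for x in reserved):
        next_remaining = []
        for net in remaining:
            if r.subnet_of(net):
                # carve the reserved block out; address_exclude yields the
                # largest CIDR blocks that together cover the rest of `net`
                next_remaining.extend(net.address_exclude(r))
            elif net.subnet_of(r):
                continue  # entirely inside the reserved block: drop it
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return [
        {"base": str(net), "size": size}
        for net in sorted(remaining)
        if net.prefixlen <= size
    ]


def daemon_json_snippet(reserved):
    """Render the daemon.json fragment that keeps Docker off `reserved`."""
    return json.dumps(
        {"default-address-pools": address_pools_avoiding(reserved)}, indent=2
    )


if __name__ == "__main__":
    clash = find_overlaps(WIREGUARD_TUNNEL, DOCKER_NETWORKS)
    print("Docker networks overlapping the WireGuard tunnel:", clash)
    # Reserve the tunnel plus the existing default bridge so it keeps working.
    print(daemon_json_snippet([WIREGUARD_TUNNEL, "172.17.0.0/16"]))
```

Networks already created by Docker keep their subnets; the pool setting only governs networks created after the daemon is restarted, so the offending Compose network has to be removed and recreated for the change to take effect.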