Using alias on WAN to access local wifi bridges sort of works, sort of doesn't

[poodad]

I'm using a pair of Ubiquity wireless bridges to get my Starlink signal into OPNSense. The Starlink router is set to bypass (think bridge mode). The Starlink dishy gives OPNSense WAN interface a (CGNAT) DHCP address. This all works as expected.

I want to be able to access SNMP and the web interface on the bridge units so I assigned them IP addresses 192.168.223.223/24 and .224/24. Their default gateway is 192.168.223.1

I added a virtual IP on OPNSense's WAN interface for 192.168.223.1/24. This indeed lets me access the bridge units from my LAN subnet. So outbound traffic from the LAN to the bridges works.

However, I'd also like for the bridges to be able to do ntp and syslog into a server on my LAN, so I added a rule to allow WAN traffic from 192.168.223.0/24 into my LAN. This is where it gets interesting: traffic from the bridges makes it into the server on the LAN (I can see this with wireshark), BUT return traffic from the server to the bridges never makes it to the bridges. I have verified the source address of the packets as observed in wireshark are indeed the 192.168.223.x addresses.

But I can ping the bridges from the server. This is what makes it so odd. It's like inbound traffic doesn't get a state associated with it and gets dropped.

Any ideas?

[defaultuserfoo]

Are you perhaps missing a route entry?

[poodad]

Shouldn't need it. The virtual IP on my WAN is 192.168.223.1/24 which is in the same subnet as the devices (192.168.223.233 and 192.168.223.224).

Besides, from the LAN I can communicate correctly with the bridges. It's when the bridges establish the connection that things fail. If I ping an internal server from the bridge, I can see the ping requests at the server (via Wireshark). I can see the pin replies going back to the bridge's IP. They just never get there.