Reverse proxy doesn't work when on LAN, only WAN

Started by Paddle7306, June 22, 2023, 04:08:58 AM

I've got a working OPNsense VM running but I'm having trouble with my Synology reverse proxy. This was working well with my Asus RT-AX89X router so I assume I have a setting wrong with OPNsense. Here's what I know:

  • If I'm connected via WAN (not at home, or at home using my hotspot), my reverse proxy works as expected.
  • My https://router.[mydomain].synology.me properly redirects to 192.168.1.1:4343, as I set in the HTTPS only admin port.
  • My Vaultwarden docker container connects normally at bitwarden.[mydomain]... you get the picture, on WAN
  • On LAN (local wifi) I can always connect with IP addresses and port numbers but the reverse proxy is out. I could keep one set of links for local and one set for remote but BitWarden only lets me put in one URL for the server. This is the main reason I need the reverse proxy as work won't let me use a VPN to get to my self hosted password manager from the work-IT managed computer.

What have I set wrong? I considered maybe I needed port forwards for LAN and WAN but I didn't want to start changing things and risk taking the work-from-home router offline... again.

Do you have NAT reflection set on the firewall rule? The most secure is to use split DNS between internal and external clients but that is a bit more involved.

If you're asking if I turned on "Reflection for port forwards" in Firewall > Settings > Advanced, I didn't have it set but after turning that on it didn't work any differently. It didn't seem to create any new rules under NAT but maybe I have to create rules after enabling that setting.

I personally solve that problem by setting a DNS override for A records. AAAA records are fine, because they are the same external or internal. My DNS override points to the 192.168.1.10 local IP of the reverse proxy instead of the 80.80.80.80 WAN IP that the public resolver gets.
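
Added example, not part of the thread: a small check to run from a LAN client that reports whether the DNS override described above is actually being served, or whether the client is still being handed the WAN address and therefore depends on NAT reflection. The LAN subnet 192.168.1.0/24 and the hostname `bitwarden.example.synology.me` are assumptions made for illustration; the two addresses are the ones quoted in the thread.

```python
import ipaddress
import socket
import sys

# Assumption: the LAN is 192.168.1.0/24, inferred from the 192.168.1.x addresses in the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def resolve_a(hostname):
    """Return the IPv4 addresses the system resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(answers, lan_net=LAN_NET):
    """Classify the A-record answers as seen by a LAN client."""
    if not answers:
        return "no-answer"
    inside = [ipaddress.ip_address(a) in lan_net for a in answers]
    if all(inside):
        return "override-active"  # traffic goes straight to the reverse proxy on the LAN
    if any(inside):
        return "mixed"            # override and public record are both being returned
    return "public-only"          # client is sent to the WAN IP; works only with NAT reflection


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real lookups through whatever resolver this client is configured to use.
        for name in sys.argv[1:]:
            answers = resolve_a(name)
            print(f"{name}: {answers} -> {classify(answers)}")
    else:
        # Constructed sample answers (hypothetical hostname, addresses from the thread).
        samples = {
            "bitwarden.example.synology.me (LAN resolver, override set)": ["192.168.1.10"],
            "bitwarden.example.synology.me (public resolver)": ["80.80.80.80"],
        }
        for label, answers in samples.items():
            print(f"{label}: {answers} -> {classify(answers)}")
```

A `public-only` result on the LAN usually means the client is not using the firewall's resolver (for example a hard-coded public DNS server or DNS-over-HTTPS in the browser), so the override never reaches it.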