Does a virtual-ip with firewall rule -this firewall- not work?

[RamSense]

I have nginx installed op opnsense with: firewall - rules - wan - destination "this firewall" port 80 and one with port 443.
This works with the opnsense-router/ISP ip and with ipv6, but I have added a virtual-ip (VIP) ipv4 and ipv6 to opnsense, this firewall rule does not work for the VIP ipv4?
Is that normal behavior? I would have expected it to work since virtual ip bind to the wan?

I have made a workaround for this by adding a firewall-NAT-portforward rule- with destination "Virtual ip" and port 80 and one for port 443 both to Redirect target IP [Opnsense LAN ip / 192.168.1.1], that works...
But is that how it should be?

Anybody else with this behavior? or knows how to fix this with VIP ipv4?

[zan]

Should work the same.
"This firewall" is just an alias to "self" keyword in pf, means all addresses on all interfaces (all VIPs and tunnel local addresses included).

[RamSense]

thnx, yes that is what I expected also. But it does not work with the nginx plugin for VIP ipv4.
I only get nginx to work when I add a Nat portforward rule for this VIP to 192.168.1.1 (port 80 and 443).

Is this how the nginx plugin works or is this a bug in nginx plugin / opsense?

N.B. problem still exists after updating to the latest nginx with:
OPNsense 23.1.10_1-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1u 30 May 2023