[SOLVED] 2 WAN IP's, 1:1 NAT and outbound NAT rules troubles

[simonv]

I have 1 WAN interface with 1 main WAN IP plus one additional WAN IP set up as a virtual IP on the WAN interface.

On the LAN side I have one web server (srv1.example.org) with LAN IP 10.0.0.10. To make it reachable from the outside I set up a NAT portforward with WAN IP 1 as destination and destination ports 80 and 443. Now I can reach srv1.example.org over WAN IP 1

Then I have another web server (srv2.example.org) with LAN IP 10.0.0.20. I want to assign WAN IP 2 to this server, so I set up a 1:1 NAT rule and opened the appropriate ports in the firewall. I have disabled NAT reflection because otherwise the ACME LetsEncrypt client will fail to verify the DNS name (it will then see the LAN IP instead of the WAN IP). So far so good, I can now also reach srv2.example.org over WAN IP 2

So from the outside all is good, I can reach both webservers individually over port 80/443.

BUT my problem now is that if I try to access srv2.example.org from within the LAN, I get served the website of srv1.example.org instead.  I assume this must be an outbound NAT problem. I tried to add a manual outbound NAT rule with different destination/NAT address combinations (e.g. destination WAN IP 2, NAT address 10.0.0.20) with no luck. At this point I don't know what to do anymore. I'd appreciate any help.

[simonv]

I figured it out, so NAT reflection is what I want and then I had to enable "Automatic outbound NAT for Reflection"  in "Firewall -> Settings -> Advanced".... somehow I didn't see this option the whole time.