NAT reflection does not work on loopback interface?

[carelesslisper]

I have a few rules setup that forward Virtual IPs to other hosts running on the network. For example, I have port 53 forwarded on my DNS nameserver IPs to my DNS server. I have NAT reflection turned on, and everything seems to working as advertised. The virtual IPs work on both internal and external hosts. What does not work is those same IPs from the router itself. As far as I can tell via `route get my-ip`and the firewall logs, the request go straight to the loopback interface with the rules never applied.

Where this becomes a problem is that I'd like to run my VPN (tailscale) on opnSense, which is entirely working except for these virtual IPs. The virtual IPs on the WAN port are less of an issue since I have aliased them to their local network address via unbound, but this does not work for virtual IPs on the LAN interface. To illustrate that with an example, I have virtual IP 10.10.10.4. On my firewall, I have 10.10.10.4:443 forwarded to another host serving a web UI on a non-standard port. The end result is https://service.my-dns-name.com resolves to that IP, which then connects to the host on the non-standard web port. I am doing this for very specific applications that I do not want to reverse proxy.

Is there a way to make NAT work on opnSense the way that I've described? I have NAT reflection enabled globally, don't see anything fishy in the firewall rules, and don't think I have anything else goofy in my configuration. My backup plan is just to use separate hosts to run tailscale, but if possible I'd like to keep my VPN configuration on my opnSense box. Thanks for any guidance.