Domains redirect to A potential DNS Rebind attack

[Halfhidden]

I've been going nuts trying to figure out what I've done wrong.
I've moved over from Pfsense to Opnsense as I believe that Opnsense software is far more superiour, but I still have a lot to learn.
In short my domains seem to be redirected back to the Opnsense ip giving me a potential DNS Rebind attack.

This is how I've set up my home lab:
Opnsense as a vm on the same server as all the apps running on Proxmox 8.
I created a dhcp pool within Opnsense for all the apps, containers and vms and static mapped the servers I wished to reverse proxy.
As I have 4 physical network cards, so I have LAN, WAN and DMZ.  I setup a DMZ with a dhcp outside of the Opnsense scope and added one app (Nginx Proxy Manager) and static mapped that from the DMZ pool.
So Proxmox node  is on a static ip outside of any dhcp scope.
Opnsense is set with a dhcp and starts with 192.168.1.1 and has a scope of 192.168.1.15 >100
NPM (Nginx Proxy Manager) is set to 192.168.1.5  as a static map so is sat in a DMZ
DMZ is 192.168.1.2 with a dhcp scope of 192.168.1.5>10
 
I created an alia to allow ports for NPM and firewall rules to allow access to NGP from the internal network.
Option   Value
Action   Pass
Interface   LAN
TCP/IP Version   IPv4+IPv6 (IPv6 is optional)
Protocol   TCP
Source   LAN net
Source Port   any
Destination   192.168.1.5
Destination Port   (an alias for port 80, 81, and 443)

I then created a rule to allow access to the servers from NPM
Action   Pass
Interface   DMZ
TCP/IP Version   IPv4+IPv6 (IPv6 is optional)
Protocol   TCP
Source   192.168.1.5 (or use an alias which may include the IPv6 address)
Source Port   any
Destination   192.168.1.111, 192.168.112, 192.168.113, 192.168.113, 192.168.114
Destination Port   WebServerPorts (an alias for port 80 and 443)

I then created a NAT port forwarding rule to allow external network access
Interface   WAN
TCP/IP Version   IPv4+IPv6 (IPv6 is optional)
Protocol   TCP
Source   any
Source Port   any
Destination   WAN address
Destination Port   WebServerPorts (an alias for port 80 and 443)
Redirect target IP   192.168.1.5
Redirect target port   WebServerPorts (an alias for port 80 and 443)
Filter rule association   Add associated filter rule

Any idea what I've done wrong as the domains should be redirected to the internal network but clearly don't.

EDIT****
I've since moved Opnsense from port 443 to 10443 but now the website cannot be reached. It looks like port forwarding isn't working

[Halfhidden]

Edit***
It seems that I have set this up correctly (all but the wrong ip address for the reverse proxy (should be 192.168.1.5 not 192.168.1.2)) and quite by accident I actually tested he domains from my phone wich is connected to a different network. Most of the domains are actually working.
So my local pc (on the same network) is blocking any domain that is originating from the same network.
A firewall thing I guess... Anyone know what this is?

[Halfhidden]

Solved***

This was solved when I looked further into the way I set up the network.
I setup a DMZ and placed nginx in it and then placed everything else behind the Opnsense firewall.
Seemed like a good practice except in my configuration I had two dhcp servers. One for DMZ and the other for Opnsense. Although they were set up for different segments of the same subnet, that was my fatal error.
Unknown to me the DHCP server for the DMZ gave my local pc an address. Stupid me, I didn't check that and obviously I was on the wrong side of the firewall Duh!!
I've resolved this now and everything works as it should.

I can't see how to mark this as solved... anyone know?

[Amr]

I can't see how to mark this as solved... anyone know?

just edit your post and add [Solved] before the post's subjet.

With that said, I advise you to consider changing your network topology, your setup is really confusing and not recommended (I don't think you would be able to find a single professional who's willing to support your setup) having everything in the same subnet (DMZ included) and using firewall rules to control traffic between them by ip is a horror story for future upgrades\expansion you might get away with it since everything is virtualized and it works kinda of like a managed switch and the fact that this is a home lab, but I recommend you learn good practices and deploy them to get a feeling for them.
Here's a couple of ideas to start from:
- since your host has 4 physical NIC, I would leave 1 for proxmox (management port in case something horrible happens and you need emergency access to the hypervisor for example opnsense is down and you can't reach proxmox from LAN)
- pass the rest to the firewall (opnsense) and create WAN, LAN and DMZ with a separate subnet each on a separate port -since this a virtual environment you can even create virtual interfaces to use for DMZ, or any other service that's virtualized on the same host- (ex: 192.168.1.0/24, 192.168.2.0/24, 192168.3.0/24) open the required ports between LAN and DMZ host, then attach your other VM\application to the specific physical\virtual interface, I did a similar setup in my homelab once but I no longer use proxmox so can't help you right now with config examples.