One-to-one NAT not working at same time as NAT Port Forwarding

Started by thisisjjd, January 30, 2024, 03:04:40 PM

I'm trying to switch to Opnsense and having a hard time getting it working. (I posted something similar a couple weeks ago, but I don't think I described it properly.)

Goal: I have two static IP addresses from my provider, 123.2.3.50 and 123.2.3.53. I want to use NAT port forwarding to forward ssh to the router WAN address (123.2.3.50) to go to local address 192.168.1.2.

I also want to use one-to-one NAT to forward ssh traffic addressed to 123.2.3.53 to go to 192.168.1.7.

I'm using One-to-one NAT with Virtual IP address to configure the second external static address.

Problem: When configured as described below, all ssh traffic for both 123.2.3.50 and 100.0.56.53 goes to 192.168.1.2 and none goes to 192.168.1.7.

Config:
WAN Interface: IPv4 address: 123.2.3.50/24
LAN Interface: 192.168.1.1/24

Virtual IP: IP Alias, WAN
Network / Address: 123.2.3.53/32

Firewall -> NAT -> One-to-One: WAN, BINAT
External Network: 123.2.3.53/32
Source: Single Host or Network: 192.168.1.7/32

Firewall -> NAT -> Port Forward:
TCP SSH from WAN address forward to 192.168.1.2/32

Firewall -> Rules -> WAN:
TCP SSH pass to 192.168.1.7/32
(automatic rule) TCP SSH pass to 192.168.1.2

Results:
When the virtual IP was set to /24:

  • ssh from *internal* hosts on the *LAN* to external 123.2.3.53 would work correctly to 192.168.1.7
  • ssh from external internet hosts to 123.2.3.53 would hang

When the virtual IP was set to /32:

  • ssh from *internal* hosts on the *LAN* to external 123.2.3.53 would work correctly to 192.168.1.7
  • ssh from external internet hosts to 123.2.3.53 would incorrectly forward to 192.168.1.2

What am I missing? I'm concerned I got some of the netmask specifications incorrect. (The ISP instructed me to use /24 for the WAN address.)

Thank you.
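One way to reason about the result described above, added here and not part of the post: a small Python model of how pf picks a translation for an inbound packet. It assumes FreeBSD pf's lookup order (rdr/port-forward rules are tried before binat/one-to-one rules, first match wins), and the rule objects and the "WAN net" variant are constructed for illustration; the rules OPNsense actually generated should be read back with `pfctl -sn` rather than inferred from this model.

```python
"""Model pf's inbound translation lookup for the rules in the post.

Assumption (not from the post): FreeBSD pf consults rdr (port forward)
rules before binat (one-to-one NAT) rules for inbound packets and stops
at the first match, so a port forward whose destination also covers the
alias address would shadow the one-to-one mapping.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rdr:            # port forward: destination net + port -> internal host
    dst: str
    dport: int
    target: str


@dataclass
class Binat:          # one-to-one NAT: external /32 <-> internal host
    external: str
    internal: str


def translate_inbound(dst_ip, dport, rdrs, binats):
    """Return (rule kind, internal address) for an inbound packet, or None."""
    dst = ip_address(dst_ip)
    for r in rdrs:                       # rdr ruleset is consulted first
        if dst in ip_network(r.dst) and dport == r.dport:
            return ("rdr", r.target)
    for b in binats:                     # binat only if no rdr matched
        if dst in ip_network(b.external):
            return ("binat", b.internal)
    return None


# Rules constructed from the post's description.
BINATS = [Binat("123.2.3.53/32", "192.168.1.7")]
RDR_WAN_ADDRESS = [Rdr("123.2.3.50/32", 22, "192.168.1.2")]  # dst "WAN address"
RDR_WAN_NET = [Rdr("123.2.3.0/24", 22, "192.168.1.2")]       # dst "WAN net" variant


def ssh_target(dst_ip, rdrs):
    """Internal host an inbound SSH packet to dst_ip would reach."""
    res = translate_inbound(dst_ip, 22, rdrs, BINATS)
    return res[1] if res else None


if __name__ == "__main__":
    for rdrs, label in ((RDR_WAN_ADDRESS, "WAN address"), (RDR_WAN_NET, "WAN net")):
        print(label, "->", ssh_target("123.2.3.50", rdrs), ssh_target("123.2.3.53", rdrs))
```

With the port forward pinned to the WAN address only, SSH to the alias reaches 192.168.1.7 in this model; with a destination that also covers the alias it reaches 192.168.1.2, which is the symptom in the post.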