I ran into this same issue first with an R7800 and most recently an R5S.
The fix I found for this was to enable promiscuous mode on br-lan. I haven't seen any negative consequences since doing this a couple years ago.
In /etc/config/network it looks like this:
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	option bridge_empty '1'
	option promisc '1'
	option ipv6 '0'
but you can also do it in Interfaces -> Devices -> br-lan -> Advanced -> Enable Promiscuous Mode.
As an aside, on the R5S, I also had to disable software flow offloading to get any sort of stability (I would have devices frequently lose connectivity).
@jake919 Thank you so much! I can also confirm that your changes (promiscuous mode and disabling software flow offloading) worked perfectly for my R5S.
Awesome! Software flow offloading isn't necessary for the NAT loopback, but I found it helped stability, particularly with my Nest Thermostats, Ring Cameras and Apple HomePod, which would frequently go offline for 10-30 minutes.
I haven't had issues with loss of connectivity with the R5S, but I've only had it as my primary router for a few weeks at this point (5 days uptime right now and I have pings every second to various endpoints with no disruptions). I certainly wouldn't entertain enabling WAN traffic on the firewall - I'm already unhappy with needing to run FriendlyWRT vs. OpenWRT. I would rather sacrifice IPv6 (my ISP doesn't support it so I have it off already).
My biggest complaint on the R5S so far is not being able to do a proper sysupgrade and needing to fresh format each time. I haven't looked to see if SD boot changes this at all.
I concur on the sysupgrade - for how painful this device has been to set up and get everything working, I don't see myself ever doing an upgrade simply because re-configuring all the settings is too difficult.
I have everything working except for IPv6, which I had working previously. I am not sure what changed, but no combination of IPv6 settings results in the R5S pulling an IPv6 address for itself. This still works with my old router (R7000 running DD-WRT).