Access Server (port redirect) on Guest VLAN

My setup
TP-Link Archer C7 v2
OpenWrt 19.07.1 r10911-c155900f66 / LuCI openwrt-19.07 branch git-20.029.45734-adbbd5c

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option src_port '67-68'
	option src 'lan'
	option name 'Allow DHCP'
	list src_ip '10.0.1.11'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port '67-68'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option network 'guest GUEST'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'guest'
	option src 'lan'

config rule
	option dest_port '53'
	option src 'guest'
	option name 'Allow Guest DNS Queries'
	option target 'ACCEPT'
	option dest '*'

config rule
	option src_port '67-68'
	option src 'guest'
	option name 'Allow Guest DHCP request'
	option dest '*'
	option target 'ACCEPT'
	option dest_port '67-68'
	list proto 'udp'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'guest'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'guest'
	option name 'Allow Guest > Guest DHCP request'

config rule
	option src 'guest'
	option target 'ACCEPT'
	option dest 'guest'
	option name 'Allow Guest > Guest DNS Queries'
	list proto 'all'

config rule
	option name 'Allow Guest -> WAN http'
	option src 'guest'
	option proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'
	option dest 'wan'

config rule
	option name 'Allow Guest -> WAN https'
	option src 'guest'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
	option dest 'wan'

config rule
	option name 'Deny Guest -> LAN'
	option src 'guest'
	option dest 'lan'
	option proto 'all'
	option target 'DROP'

config rule
	option name 'Deny Guest -> WAN'
	option src 'guest'
	option dest 'wan'
	option proto 'all'
	option target 'DROP'

config zone
	option name 'smart'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'smart SMART'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'smart'

config forwarding
	option dest 'smart'
	option src 'lan'

config forwarding
	option src 'smart'
	option dest 'wan'

config rule
	option name 'Allow SMART - DHCP request'
	option src 'smart'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow SMART - DNS Queries'
	option src 'smart'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

config rule
	option dest 'lan'
	option src 'smart'
	option name 'Deny Smart -> LAN'
	option target 'DROP'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'SERVER 443'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '10.0.1.14'
	list proto 'tcp'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'SERVER 80'
	option src_dport '80'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '10.0.1.14'

Question
I have 3 VLANS: lan (10.0.1.1/24), smart (10.0.2.1/24) and guest (10.0.3.1/24)

The Server in lan (10.0.1.14) and a device/phone on guest (10.0.3.33)
This Server has a port forward for ports 443 and 80

I can access the server from lan and outside (WAN) through its IP and DNS.
My devices in VLAN guest are not able to connect through my WAN IP / DNS name... but they are able to reach its LAN IP 10.0.1.14.

I think I need a route/bridge or something to make my devices able to connect via the router's WAN port.

Tried with

config rule
	option name 'ALLOW MY DEVICE'
	option src 'guest'
	option proto 'all'
	option target 'ACCEPT'
	option dest '*'
	list src_mac '00:0D:EV:MA:C0:00'

You need to use the server's local IP address (for example, configuring the local name server). Or you can use "hairpin NAT" (aka "NAT loopback" or "NAT reflection").

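One way to do the hairpin NAT (NAT loopback) mentioned above on OpenWrt 19.07 / fw3, as an added example that is not part of the thread: fw3 only generates reflection rules for the zones listed in `reflection_zone`, which defaults to the redirect's `dest` zone (lan). That is exactly why LAN clients already reach the server through the WAN address while guest clients do not. Adding guest to `reflection_zone` makes fw3 emit the DNAT/SNAT pair for the guest subnet as well. Server address, ports and zone names are taken from the original post; the comments and the two reflection options are the addition.

```uci
# /etc/config/firewall - added example, replaces the two 'SERVER' redirects
# from the original post. fw3 builds hairpin (reflection) rules only for the
# zones listed in reflection_zone; the default is the dest zone (lan), so the
# guest zone is listed explicitly here.

config redirect
	option name 'SERVER 443'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '10.0.1.14'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '1'
	# 'internal' (the default) SNATs reflected connections to the router's
	# internal address, so the server sees the router, not 10.0.3.33
	option reflection_src 'internal'
	list reflection_zone 'lan'
	list reflection_zone 'guest'

config redirect
	option name 'SERVER 80'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '10.0.1.14'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '1'
	option reflection_src 'internal'
	list reflection_zone 'lan'
	list reflection_zone 'guest'
```

Apply with `/etc/init.d/firewall restart` and check the result with `iptables-save -t nat | grep 10.0.1.14`: there should now be a DNAT rule for source 10.0.3.0/24 to the WAN address and a matching SNAT rule towards 10.0.1.14. Two caveats. First, the hairpinned traffic still has to pass the guest -> lan forward path; fw3 emits its own ACCEPT for DNAT'ed connections, but `config rule` entries are generated ahead of the redirect rules, so the 'Deny Guest -> LAN' DROP rule in the original config can swallow it. That rule is redundant anyway (there is no guest -> lan forwarding, and the zone's forward policy is REJECT), so remove it; if you want an explicit rule, make it an ACCEPT for tcp 80 and 443 to 10.0.1.14 only. Second, because the reflected connection is SNATed, the server's logs, rate limits and fail2ban-style rules see the router's LAN address for every guest client, not 10.0.3.33. This path opens only the two published ports to the one server, which is the same exposure the server already has from the WAN side.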

This is not needed.

This is duplicate.

This rule is pointless too.

This is not necessary since there is no forwarding guest->lan.

This contradicts the guest -> wan forwarding you have.

Duplicate

Unnecessary, since there is no forwarding.

This doesn't work as you intended. There must not be a destination zone in order for the router itself to be the destination:

Maybe you should start from a clean slate, due to many mistakes.
Also you don't have a rule to allow DNS from guest.


Using the local IP is kind of weird. E.g. the mobile phone uses mobile data (WAN) with the WAN IP/DNS name, then at home I have WiFi in the 'guest' VLAN... I would have to switch the config on the mobile...

Thanks!! I will look into 'NAT loopback' etc

Thanks for looking into that!

There is so much to reply to:

  1. true:
  2. wow, first I thought... why is that there twice? I think this is caused by the GUI: it shows twice in settings, but in edit it shows only one zone... maybe because the zone consists of wan & wan6
  3. deleted that!

getting back again to it later...

There is only one zone forwarding regardless of the number of interfaces that belong to the zone.

Anyway, due to all of these mistakes, I'll insist on starting from a clean configuration and adding only the things you need, taking into consideration what the defaults are, so you won't duplicate them.

You can configure the local DNS cache to answer with the local IP.

An external device will query for the FQDN to the global DNS and obtain the public IP. But an internal device will query the local DNS and receive the local IP.

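The split-horizon answer described above, as an added example that is not part of the thread: dnsmasq's `address` option makes the router's resolver return the LAN address for one name while the public DNS keeps returning the WAN address. The name `server.example.com` is a placeholder for the real public name; 10.0.1.14 and the zone names come from the original post. Since guest -> lan forwarding is REJECT by default, the firewall also needs a rule that admits guest clients to that one server on the two published ports, which is included.

```uci
# /etc/config/dhcp - added example. Add the 'list address' line to the
# dnsmasq section that already exists on the router (do not create a second
# 'config dnsmasq' section). 'server.example.com' is a placeholder name.
config dnsmasq
	# dnsmasq answers this name itself with the LAN address; rebind
	# protection does not apply because the answer is local, not upstream
	list address '/server.example.com/10.0.1.14'

# /etc/config/firewall - added example. Guest clients now resolve the name
# to 10.0.1.14, so allow exactly that host and those two ports from guest.
# fw3 takes a single port or range per rule, hence two rules.
config rule
	option name 'Allow Guest -> Server http'
	option src 'guest'
	option dest 'lan'
	option dest_ip '10.0.1.14'
	option proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow Guest -> Server https'
	option src 'guest'
	option dest 'lan'
	option dest_ip '10.0.1.14'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`, then verify from a guest client with `nslookup server.example.com 10.0.3.1` (expect 10.0.1.14) and from outside (expect the WAN address). Two things to check. Guest clients only get the local answer if they actually use the router as resolver: the guest DNS rule must target the router itself (no `dest` zone), and a client with a hard-coded public resolver or DNS-over-HTTPS bypasses the split and will still get the WAN address. On the certificate question: the hostname the client connects to is unchanged, so a certificate issued for `server.example.com` validates exactly as it does from the WAN side; only connecting by IP address would break trust. Unlike hairpin NAT, this path is not SNATed, so the server sees the real guest client address (10.0.3.33) in its logs.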

I will consider doing it from scratch. For now I asked to get my tasks started... I have been kind of busy these days.

Thanks for the input. I was considering the same solution, but then I will have 'issues' with trust/https (certificate).