I have a fairly simple setup, a LAN network, and a Guest Network. The Guest network can't access the LAN, but has internet access.
I then have a Port Forward configured to a server on my LAN, that I also wanted to have work from the Guest Network. ie: if a guest user goes to "myserver.example.com" they should be able to get to the site just as if they were on the public internet.
Using the LuCI interface, I couldn't get it it work, and from hours and hours of searching, I couldn't find a solution that I liked. The iptables rules just weren't doing what I needed. I considered messing with DNS (see solution further below), but too hard and requires too much maintenance with updates etc and can lead to many debugging issues (based on my past experiences).
My final solution was this:
In the Firewall - Custom Rules section I added the following lines:
PUBLIC_IP=$(ip route get 8.8.8.8 | awk -F"src " 'NR==1{split($2,a," ");print a[1]}')
iptables -t nat -A PREROUTING -i br-lan.10 -m comment --comment "Guest - Working port forward" -d $PUBLIC_IP -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.1:443
iptables -t nat -A PREROUTING -i br-lan.10 -m comment --comment "Guest - Working port forward" -d $PUBLIC_IP -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1:80
The first line is to extract the current public IP address (I'm not sure if this script is called when the IP changes, but mine does not change often).
The next 2 lines create the required DNAT rules, but just for traffic that's hitting the UI, and only for traffic from my Guest LAN (which in on VLAN 10, so the interface is br-lan.10). then the --dport is obviously the port the request is for, and the --to-destination should be the IP address and port you want the port forward to go to. The values here are the same as the ones I put under Port Forwards from the WAN.
Hopefully this helps someone else (or maybe someone can tell me I have missed some thing really obvious to make this work).
Split DNS Solution
If you wanted to go with the Split DNS solution, providing your setup is what's needed, it can be done as follows.
Assume you have a dynamic IP address, with a DDNS host name of example.dyndns.org, and a Port Forward configured for both port 80 and 443 to an internal server on the LAN at 10.0.0.1. The forwarded ports must forward to 80 and 443 respectively for this to work.
Then for your public host names/web address, have webserver.example.com be a CNAME record pointing to your DDNS of example.dyndns.org.
In your DDNS config, under the Advanced Settings tab, there must be a DNS-Server entry so the DDNS service does not get confused, for example put in an public DNS server such as 8.8.8.8 or 1.1.1.1.
You can then put in an entry into your /etc/hosts file as follows:
10.0.0.1 example.dyndns.org
In LuCI, under Network > DHCP and DNS > Resolv and Hosts Files, ensure the Ignore /etc/hosts checkbox is cleared. You may need to restart to make this change take effect.
Create a Firewall > Traffic Rule to allow traffic from the Guest LAN to the 10.0.0.1 server IP on port 80 and port 443.
That should be it, once all DNS caches have cleared (typically 2-5 minutes), things should work. The trick here is only overriding the dyndns entry, and leaving the public records consistent. Hopefully that combination should minimize issues down the track.