I have an HTTP(S) server that's running inside my local network (on a personal server, not on the router) that I expose to the Internet via a port forwarding rule for tcp port 80 (and a completely equivalent rule for port 443).
This works OK for requests from the Internet and the LAN alike, but it does not work for requests originating from the router itself.
Maybe there is a configuration option that I missed that will do everything properly? If there isn't, which rules do I need to add to support NAT reflection for local requests?
First, at least in my opinion, properly managing DNS is a much more robust approach than hairpin NAT, and may be what you need to resort to.
If you want to continue with NAT, with the server on the same box, the route will be through loopback and will never hit a forward rule. It is a direct connection. Edit: No forward in play for router to inside host either.
@jeff @trendy No, I explicitly do not want to use any kind of split DNS setup. My DNS setup is very complex (to be clear, I'm not using OpenWrt's built-in dnsmasq) and I do not want to make it even more complex.
Also, split DNS is hardly "properly managing DNS". It won't work with DNSSEC either.
> If you want to continue with NAT, with the server on the same box, the route will be through loopback and will never hit a forward rule. It is a direct connection. Edit: No forward in play for router to inside host either.
To clarify, the router and the server are not the same box.
It would appear that OUTPUT chains are consulted after routing. Indeed, if I add this rule, fire up tcpdump -i eth0.2 -vvv 'tcp port 80' (where eth0.2 is my WAN interface) and make a request, it shows that the packet to 10.196.254.2 is sent from the WAN interface. That's exactly the problem I hit originally.
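The rules the question asks for, as an added example that is not part of the thread or of OpenWrt's own firewall scripts. It targets the classic fw3/iptables layout (the kind of rules that go into /etc/firewall.user) and uses assumed addresses: 203.0.113.10 stands in for the public WAN address and 10.196.254.2 for the internal server, with br-lan as the LAN bridge. The point it illustrates is the one raised in the comment above: packets generated on the router itself never pass PREROUTING, so the ordinary port-forward (DNAT) rule is never consulted for them; they do pass the nat table's OUTPUT chain, and a DNAT there makes the kernel re-run the routing decision so the rewritten packet leaves through the LAN interface instead of the WAN one.

```shell
#!/bin/sh
# Added example, not from the thread: hairpin NAT for connections that
# originate on the OpenWrt router itself (fw3/iptables, /etc/firewall.user).
# Assumed values: 203.0.113.10 = public WAN address, 10.196.254.2 = internal
# web server, br-lan = LAN bridge. Replace them with your own.

# Emit the iptables commands for router-originated hairpin NAT.
#   $1 = WAN address, $2 = internal server address, $3 = comma-separated TCP ports
hairpin_rules() {
    wan_ip=$1
    srv_ip=$2
    ports=$3

    # Locally generated packets skip PREROUTING, so the port-forward that
    # serves Internet and LAN clients is never consulted for them. They do
    # traverse nat/OUTPUT; a DNAT there triggers a re-route, so the packet is
    # sent out via br-lan rather than the WAN interface.
    printf 'iptables -t nat -A OUTPUT -d %s -p tcp -m multiport --dports %s -j DNAT --to-destination %s\n' \
        "$wan_ip" "$ports" "$srv_ip"

    # Optional: after the re-route the packet still carries the WAN address as
    # its source. The server's reply reaches the router anyway (the router is
    # its gateway), but if the server's own firewall only admits LAN sources,
    # masquerade the hairpinned connection to the router's br-lan address.
    printf 'iptables -t nat -A POSTROUTING -o br-lan -s %s -d %s -p tcp -m multiport --dports %s -j MASQUERADE\n' \
        "$wan_ip" "$srv_ip" "$ports"
}

# Print the rules by default; run with APPLY=1 to load them into the kernel.
rules=$(hairpin_rules 203.0.113.10 10.196.254.2 80,443)
if [ "${APPLY:-0}" = 1 ]; then
    echo "$rules" | sh
else
    echo "$rules"
fi
```

On a router with a dynamic WAN address, replace the constant with the address obtained from /lib/functions/network.sh (`network_get_ipaddr ip wan`) so the rule survives a lease change; that helper is assumed here, not shown. To confirm the re-route actually happens, repeat the tcpdump from the comment above on the LAN side (`tcpdump -i br-lan 'tcp port 80'`): the request to 10.196.254.2 should now appear there and no longer on eth0.2.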