How to use DNAT reflection from localhost

I have an OpenWRT router configured as a WAN router (with fictional public IP 1.2.3.4) for a small business network with a Linux server (192.168.1.42) and 2 zones (lan and guest).

I use a DNAT ("portforward") to redirect HTTPS traffic from 1.2.3.4:443 to 192.168.1.42:443:

config redirect
	option target 'DNAT'
	option name 'proxy https'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_port '443'
	option dest_ip '192.168.1.42'
	list reflection_zone 'lan'
	list reflection_zone 'guest'

The reflection setting was required so that lan/guest clients can access https://mydomain.tld and be redirected to the server instead of seeing LuCI.

This reflection setting unfortunately does not apply to the OpenWRT router itself:

root@openwrt:~# curl -k https://mydomain.tld
(...)
<a href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
(...)

What would be required for OpenWRT to follow its own DNAT rule?

P.S.: I really do not want to work around this by using split-DNS (overriding mydomain.tld to 192.168.1.42 in DNS).

IIRC you need a rule with localhost and/or your local networks as the source address and then the DNAT part.

localhost does not forward.
You totally have to use split DNS or extra sockets.

I just found this open feature request (https://github.com/openwrt/firewall4/issues/24) describing the problem and suggesting a solution.

This is the working solution for my problem:

root@openwrt:~# cat /etc/nftables.d/30-output-nat-reflection.nft
chain user_pre_output_nat {
  type nat hook output priority -1; policy accept;
  ip daddr 1.2.3.4 tcp dport 443 counter dnat to 192.168.1.42:443
}
root@openwrt:~# /etc/init.d/firewall reload

From my understanding the nat output hook is only called for locally generated traffic, so it should not affect the lan/wan routing behavior.
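As an added example (not the poster's or fw4's own code), the following POSIX shell script derives the same output-hook chain from the UCI redirect sections, so every DNAT redirect from wan gets a matching rule for the router itself; it assumes the WAN address is supplied by hand (the rule cannot pick up the host's own addresses) and fw4's default of matching both tcp and udp when proto is unset.

```shell
# Added example, not the poster's or fw4's code: generate the output-hook DNAT
# chain from the UCI redirect sections so the router follows its own port
# forwards. The WAN address is passed in because, as noted in the thread, the
# rule cannot pick up the host's own addresses. Assumes fw4's default of
# matching both tcp and udp when 'proto' is unset.
# Constructed sample of /etc/config/firewall: the poster's https redirect plus
# a hypothetical udp-only DNAT that omits dest_port.
sample_uci() {
cat <<'EOF'
config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '443'
    option dest_port '443'
    option dest_ip '192.168.1.42'
    list reflection_zone 'lan'

config redirect
    option target 'DNAT'
    option src 'wan'
    option proto 'udp'
    option src_dport '1194'
    option dest_ip '192.168.1.42'
EOF
}
# usage: gen_output_nat_chain WAN_IP < uci_text   (prints an nft include file)
gen_output_nat_chain() {
    awk -v wan_ip="$1" -v q="'" '
    function flush(   proto, to, n, p, i) {   # one dnat rule per protocol
        if (opt["target"] == "DNAT" && opt["src"] == "wan" && opt["dest_ip"] != "" && opt["src_dport"] != "") {
            proto = (opt["proto"] != "") ? opt["proto"] : "tcp udp"
            to = (opt["dest_port"] != "") ? opt["dest_ip"] ":" opt["dest_port"] : opt["dest_ip"]
            n = split(proto, p, " ")
            for (i = 1; i <= n; i++)
                rules = rules "  ip daddr " wan_ip " " p[i] " dport " opt["src_dport"] " counter dnat to " to "\n"
        }
        split("", opt)   # clear the option set for the next section
    }
    /^config / { flush(); in_redirect = ($2 == "redirect") }
    in_redirect && $1 == "option" {   # option key value -> opt[key] = value, quotes stripped
        val = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val); gsub(q, "", val)
        opt[$2] = val
    }
    END {   # nat output hook: only locally generated packets traverse it
        flush()
        printf "chain user_pre_output_nat {\n  type nat hook output priority -1; policy accept;\n%s}\n", rules
    }'
}
```

On the router this would be run as: uci export firewall | gen_output_nat_chain 1.2.3.4 > /etc/nftables.d/30-output-nat-reflection.nft, followed by /etc/init.d/firewall reload.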

Probably a PR towards fw4 emitting a second reflection rule for the host itself, but it will not be able to pick up locally configured addresses and redirect.