Hairpin nat weirdness


Hi all.
I'm having strange behavior with hairpin NAT. Even if I don’t enable the masquerade rule in the NAT section of the firewall, I can access my forwarded ports via the external IP, but only from wireless clients. There is no access from wired ones. When I enable the masquerade rule, I have access from both wired and wireless.
Short config: ether5-master and both wlan interfaces are in one bridge. The hardware is a hAP ac lite. Tried with the latest RC and stable. What’s wrong? As far as I understand, without the masquerade rule I can’t have access to my forwarded ports from the external IP to my LAN hosts.

Probably the target of your forwarding is on an ethernet port (and maybe you have ‘use ip firewall’ enabled in Bridge Settings). Now packets from your wlan client to the ethernet server go via the router (translating correctly), and packets from an ethernet client to the ethernet server go directly; the router doesn’t see them, so it cannot translate them.
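
A simplified model of the packet paths described in the reply above, added here as an example and not part of either post. The addresses, the function name `hairpin`, and the assumption that wired-to-wired frames are switched in hardware while wlan-to-ethernet frames cross the bridge (and reach the IP firewall only with ‘use ip firewall’ on) are assumptions of the model.

```python
# Added example: simplified model of the hairpin reply path, not RouterOS code.
# All addresses are constructed; ports and the request leg are abstracted away.
WAN_IP = "203.0.113.10"      # constructed public address on the router
ROUTER_LAN = "192.168.88.1"  # constructed LAN address of the router
SERVER = "192.168.88.10"     # constructed dst-nat target on a wired port


def hairpin(client_ip, client_medium, masquerade, use_ip_firewall=True):
    """Return (accepted, reply_source_seen_by_client) for one hairpin connection.

    client_medium is "wired" or "wireless"; the server is assumed wired.
    """
    # Request: client -> WAN_IP is routed, so the router always sees it.
    # dst-nat rewrites the destination to SERVER; the masquerade rule, if
    # present, also rewrites the source to the router's LAN address.
    seen_src = ROUTER_LAN if masquerade else client_ip
    # Connection tracking: reply tuple -> tuple the client expects to see.
    conntrack = {(SERVER, seen_src): (WAN_IP, client_ip)}

    # Reply: the server answers the source address it saw in the request.
    reply = (SERVER, seen_src)
    if seen_src == ROUTER_LAN:
        seen_by_firewall = True             # addressed to the router itself
    elif client_medium == "wired":
        seen_by_firewall = False            # assumed switched in hardware
    else:
        seen_by_firewall = use_ip_firewall  # bridged wlan <-> ethernet frame

    # Only a reply that passes the firewall gets its NAT reversed.
    if seen_by_firewall and reply in conntrack:
        reply = conntrack[reply]

    # The client connected to WAN_IP and drops replies from any other source.
    reply_src = reply[0]
    return reply_src == WAN_IP, reply_src


if __name__ == "__main__":
    for medium in ("wireless", "wired"):
        for masq in (False, True):
            ok, src = hairpin("192.168.88.20", medium, masq)
            print(f"{medium:8} masquerade={masq!s:5} reply from {src:14} "
                  f"{'accepted' if ok else 'dropped'}")
```

In this model the wired client without masquerade is the only default case that fails, matching the behavior reported in the question; with the bridge firewall setting off, the wireless client fails as well.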