If the devices that are going to access the server are also on the LAN, to make it uniform (i.e. to access the server, just type the external address), can we just have the NAT hairpinning rule above instead of the port forwarding rule?
If connections from the LAN to the public address work, but the hairpin rule does not get any hits, it means that you already have another rule with the same effect higher in the srcnat chain.
And no, the hairpin rule (srcnat) does not replace the port forwarding rule (dstnat), you need both.
Edit: And you don’t need a separate hairpin rule for each forwarded port, just one common rule for all is enough:
It would be best to export and post what you actually have (the whole firewall). In your first post you just copied rules from the wiki, the second shows only part of your NAT rules, and nobody can know what other rules you have.
Update:
Only the first and second rules got hits, the remaining 4 rules didn’t get any. Can I safely remove them? And will both port forwarding and hairpin NAT work using just the first two rules?
My goals are:
From the LAN I should be able to visit 1.1.1.1 and get to port 80 of 10.0.17.2
Likewise, from the WAN I should be able to visit 1.1.1.1 and get to port 80 of 10.0.17.2
It would be good to decide what addresses you have. You know, if you want traffic forwarded to 10.0.17.2, dstnat rules with to-addresses=192.168.1.2 won’t do it.
You don’t need duplicate rules. These two do the same thing:
Only the second one is a limited version that will work only for connections from the internet. You can get rid of it and the first one will work for connections from both the internet and the LAN. Same for the other set (for https). And unless you require separate counters, then if the destination address is the same, you can have both ports in one rule (dst-port=80,443), so in the end just one rule instead of the current four.
You do need some srcnat rule (in addition to the main masquerade). Probably this one (but possibly something else, depending on the result of point 1):
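To make the "you need both" point concrete, here is an added toy model (not a RouterOS export and not from any poster in this thread) of what the router does to a LAN client's request for 1.1.1.1:80 with only the dst-nat rule versus dst-nat plus the hairpin srcnat rule. The public address 1.1.1.1 and the server 10.0.17.2 come from the thread; the router's LAN address 10.0.17.1, the 10.0.17.0/24 prefix and the client addresses 10.0.17.50 and 203.0.113.9 are assumed or constructed for the example. The rule semantics are written as comments in RouterOS form so they can be compared with a real export.

```python
"""Toy model of dst-nat (port forwarding) with and without a hairpin srcnat rule.
Added example, not a RouterOS export. 1.1.1.1 and 10.0.17.2 are from the thread;
the router LAN address, LAN prefix and client addresses are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "1.1.1.1"                 # public address on the WAN side (from the thread)
SERVER_IP = "10.0.17.2"               # internal web server (from the thread)
ROUTER_LAN_IP = "10.0.17.1"           # assumed: the router's own LAN address
LAN_NET = ip_network("10.0.17.0/24")  # assumed LAN prefix
FORWARDED_PORTS = (80, 443)           # one dst-nat rule with dst-port=80,443


def in_lan(ip: str) -> bool:
    return ip_address(ip) in LAN_NET


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def dstnat(pkt: Packet) -> Packet:
    """chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80,443
       action=dst-nat to-addresses=10.0.17.2"""
    if pkt.dst == PUBLIC_IP and pkt.dport in FORWARDED_PORTS:
        return replace(pkt, dst=SERVER_IP)
    return pkt


def srcnat(pkt: Packet, hairpin: bool) -> Packet:
    """srcnat chain: the optional hairpin rule first, then the usual masquerade."""
    # chain=srcnat src-address=10.0.17.0/24 dst-address=10.0.17.0/24 action=masquerade
    if hairpin and in_lan(pkt.src) and in_lan(pkt.dst):
        return replace(pkt, src=ROUTER_LAN_IP)
    # chain=srcnat out-interface=WAN action=masquerade (modelled as "leaving the LAN")
    if in_lan(pkt.src) and not in_lan(pkt.dst):
        return replace(pkt, src=PUBLIC_IP)
    return pkt


def simulate(client_ip: str, hairpin: bool) -> Packet:
    """Send client -> 1.1.1.1:80 through the router; return the reply the client sees."""
    request = Packet(src=client_ip, dst=PUBLIC_IP, sport=40000, dport=80)
    translated = srcnat(dstnat(request), hairpin)
    # Connection tracking remembers the translated tuple -> original packet.
    conntrack = {(translated.dst, translated.src): request}

    # The server answers whichever address the request appeared to come from.
    reply = Packet(src=translated.dst, dst=translated.src,
                   sport=translated.dport, dport=translated.sport)

    # A reply addressed to another LAN host (not the router) never passes the
    # router: the server delivers it directly on the LAN, so the NAT is never
    # undone and the client gets a packet straight from 10.0.17.2.
    if in_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        return reply

    # Otherwise the reply comes back through the router, which un-NATs it
    # from the conntrack entry: src becomes 1.1.1.1 again, dst the real client.
    original = conntrack[(reply.src, reply.dst)]
    return Packet(src=original.dst, dst=original.src,
                  sport=reply.sport, dport=reply.dport)


def client_accepts(client_ip: str, reply: Packet) -> bool:
    """A TCP stack only matches a reply coming from the address it connected to."""
    return reply.src == PUBLIC_IP and reply.dst == client_ip


if __name__ == "__main__":
    for ip, hp in (("10.0.17.50", False), ("10.0.17.50", True), ("203.0.113.9", False)):
        r = simulate(ip, hp)
        print(f"client={ip:12} hairpin={hp!s:5} reply from {r.src:10} ok={client_accepts(ip, r)}")
```

Running it shows the asymmetry the thread describes: the WAN client works with the dst-nat rule alone, while the LAN client's connection only succeeds once the hairpin masquerade makes the server send its reply back via the router. This is also why the hairpin rule shows no hits when some earlier srcnat rule already masquerades LAN-to-LAN traffic: the rewrite has already happened before the packet reaches it.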