" If that's the case then anything from my working LAN that needs to see the server is going through the router anyways (multiple subnets.) "
But not through the NAT engine.. For it to work the source has to be NATed to the external IP. So when 192.168.1.100 wants to talk to 192.168.2.100, he is using the public IP of pfSense to get there, let's call it 1.2.3.4.. So now to send the traffic to 192.168.2.100 pfSense has to NAT that source IP to 1.2.3.4 so that it can be returned through the same path.. If not, you have an asymmetrical path, and that part of it is even stated in the RFC cited.
a) A NAT's hairpinning behavior MUST be of type "External source IP address and port".
What if your 2 segments are on a downstream router.. Now you have to traverse all the way up to the edge just to come back down..
It's always the same common theme with these threads asking about NAT reflection - they don't understand how to resolve the IP they want to get to as its local IP vs its public IP.. I agree if there is NO way for you to use the local IP.. Like a hard-coded public IP in the application. Or the system uses some method of finding the other system it wants to talk to via some outside 3rd-party method that can only return the public IP.. Then you don't really have any choice.
But I have not seen that case ever brought up in all my years here that I can recall. So it seems it comes down to laziness.. I don't want to take the time to resolve to the local IP and not have to NAT if on another segment, or just talk to the guy next to me.. So I am just going to use the public IP and make the firewall do extra work, and/or even hairpin my traffic through its interface..
This is clearly not an optimal configuration - so it blows my freaking mind why anyone that actually finds out, or is told, there is another way would continue to do such a thing.
dcol's setup is clearly a boondoggle of massive proportions.. EV certs provide no extra security.. It might make business sense if your site is hit by the masses.. But from what I can make of it it's some sort of file sharing system for doctors. And is non-profit so he can only get 1??? But the lawyers and doctors want them?? But cannot spend the few extra bucks for more?? Come on, give me a break. Why would you spend $ on something like that.. So this forces him to use only 1 FQDN??? That has to talk to multiple IPs which are really on the same box - so now he is running different parts of this application on different ports - and they need to talk to each other it seems? So if I read that right and they are using the public IP.. This server has to use NAT reflection to talk to itself even?? How in the hell could that be optimal..
If you don't read that thread of his and think it's a borked config – you shouldn't be in networking, that is for damn freaking sure!! Or even IT of any fashion at all - shouldn't even be handling the support contracts ;)
Normally how it should go when talking between networking engineers..
eng1: Hey look I have this setup xyz, here is the drawing here are the details.. What do you think??
eng2: WTF dude - that is borked beyond anything I have ever seen..
eng1: Really - how would you do it..
eng2: Well you could do ABC, here draw it up for you - what do you think.
eng1: But how does Z work in that setup..
eng2: Like this - see the packets route here.. And now are not natted.
eng1: Hmmm so all I have to do is X and then it doesn't do all that extra..
eng2: Yeah
eng1: Well F me.. Thanks dude..
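A worked model of what the post above is describing, added here as an example and not code from the post, from pfSense, or from dcol's setup. It is a toy packet simulator: one firewall with public address 1.2.3.4, a port forward for tcp/443 to 192.168.2.100, and a client 192.168.1.100 on another LAN segment. `hairpin_connect(snat=False)` shows the asymmetrical path (the server replies straight to the client, who never spoke to 192.168.2.100 and drops it), `hairpin_connect(snat=True)` shows the RFC 4787 "External source IP address and port" behaviour that makes reflection work at the cost of NAT state, and `direct_connect()` shows that a split-DNS host override gives the client the local IP and creates no NAT state at all. All addresses, ports and the hostname `files.example.net` are made up for the example.

```python
"""Toy model of NAT reflection (hairpin NAT) vs. split DNS on an edge firewall.

Added example, not code from the forum post or from pfSense. All addresses,
ports and the hostname below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "1.2.3.4"
LAN_SPACE = ipaddress.ip_network("192.168.0.0/16")  # both LAN segments (assumed)
# Destination NAT (port forward) table: public tuple -> inside tuple
PORT_FORWARD = {(PUBLIC_IP, 443): ("192.168.2.100", 443)}
# Split-DNS host override: internal clients get the local address
SPLIT_DNS = {"files.example.net": {"public": PUBLIC_IP, "local": "192.168.2.100"}}
CLIENT = ("192.168.1.100", 50000)


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


def firewall_outbound(pkt, state, snat):
    """Client -> server direction through the firewall.

    Only traffic addressed to a port-forwarded public tuple enters the NAT
    engine. With snat=True the source is also rewritten to the public IP
    (RFC 4787 hairpinning type "External source IP address and port");
    with snat=False only the destination is rewritten.
    """
    if pkt.dst not in PORT_FORWARD:
        return pkt  # plain routed traffic between segments, no NAT state
    inside = PORT_FORWARD[pkt.dst]
    new_src = (PUBLIC_IP, 40000) if snat else pkt.src
    # Remember the original packet so the reply can be un-NATed.
    state[(inside, new_src)] = pkt
    return Packet(src=new_src, dst=inside)


def server_reply(pkt):
    """The server answers whatever source address it saw."""
    return Packet(src=pkt.dst, dst=pkt.src)


def deliver_reply(reply, state):
    """Route the server's reply.

    If it is addressed to the firewall's public IP it passes back through the
    NAT engine and is translated to the client's original view of the
    connection. If it is addressed to a LAN host it is routed directly to
    that host and never touches the NAT engine.
    """
    if reply.dst[0] == PUBLIC_IP:
        orig = state.get((reply.src, reply.dst))
        if orig is None:
            return None  # no state: the firewall drops it
        return Packet(src=orig.dst, dst=orig.src)
    return reply  # straight to the client, source address untouched


def client_accepts(reply, sent):
    """The client's TCP stack only matches a reply to the tuple it opened."""
    return reply is not None and reply.src == sent.dst and reply.dst == sent.src


def hairpin_connect(snat):
    """Client talks to the server via the public IP (NAT reflection)."""
    state = {}
    sent = Packet(src=CLIENT, dst=(PUBLIC_IP, 443))
    at_server = firewall_outbound(sent, state, snat)
    reply = deliver_reply(server_reply(at_server), state)
    return client_accepts(reply, sent)


def resolve(fqdn, client_ip):
    """Split DNS: internal clients get the local IP, everyone else the public one."""
    rec = SPLIT_DNS[fqdn]
    internal = ipaddress.ip_address(client_ip) in LAN_SPACE
    return rec["local"] if internal else rec["public"]


def direct_connect(fqdn):
    """Client resolves the name via split DNS and talks to the local IP.

    Returns (connection works, number of NAT state entries created).
    """
    state = {}
    sent = Packet(src=CLIENT, dst=(resolve(fqdn, CLIENT[0]), 443))
    at_server = firewall_outbound(sent, state, snat=True)  # no forward matches
    reply = deliver_reply(server_reply(at_server), state)
    return client_accepts(reply, sent), len(state)


if __name__ == "__main__":
    print("hairpin, no source NAT :", hairpin_connect(snat=False))  # False
    print("hairpin, source NAT    :", hairpin_connect(snat=True))   # True
    print("split DNS, local IP    :", direct_connect("files.example.net"))  # (True, 0)
```

The failing case is the asymmetry the post describes: the server sees the real client address, answers it directly across the router, and the client receives a segment from 192.168.2.100 for a connection it opened to 1.2.3.4. Source NAT fixes that by forcing the reply back through the firewall, but every such flow now holds NAT state and every packet crosses the edge twice; the split-DNS path does neither.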