What is your phone using for dns.. If not resolving the public fqdn you're using?
doh - dns over http, you been sleeping in a cave the last couple of years? You hear about the global pandemic? ;)
doh and dot (dns over tls) are the latest craze to get you to send your dns to the big players, while telling you it's more secure.. Because that big bad isp of yours won't see your dns queries.. Oh my gawd - they know you looked up amazon.com ;) Even though they still know you went to ip of amazon, and hey your https connection sent an sni that told them you're going to amazon.. But oh my goodness - let's hide the dns query from them.. Anyhoo - browsers like to turn it on by default.. Phones for sure do, etc..
So if your phone is doing that it wouldn't be using your local pfsense dns to even see your host overrides. Also phones like to not use your local dns - android big on this.. you know they know better and even though you tell them via dhcp to use pfsense IP for dns, they like to use 8.8.8.8 anyway. If that is the case and not doing doh, you can just redirect the dns query going to 8.8.8.8 to pfsense.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
One way or the other you really need to pick your poison here.. Do you want haproxy to send the traffic.. So your clients use the public IP to try and access. If you're doing that you do not use nat reflection.. Nat reflection is for port forwards, not reverse proxies..
Either or - if you're using host overrides - devices on your local network using your local dns, would never hit your wan/public IP to either be reflected or proxied.
So your phone is on your wifi - right? And this is not behind some nat router doing your wifi? It's on one of your lan1 or lan2 networks? Also why are you hiding rfc1918 addresses? Nobody gives 2 shits if you're using 192.168.1 or 192.168.23.. They are all private.. They don't tell anyone where you're at. Sure as hell can not get to your network via that address.. I use 192.168.9/24 on my lan, and my current pc is 192.168.9.100.. Does that tell anything that you could use to do anything to me, or find out where I am, or anything?
I use 192.168.9/24, and 192.168.3/24 for my dmz network - hey I have ntp server open to the public on 192.168.3.32.. There is zero reason to hide or obfuscate rfc1918 space.. My nas is at 192.168.9.10, and I'm also using 192.168.2 and .4 and .5 and .6 and .7 for other vlans.. And I also have a 192.168.10 network I use as san between my pc and nas that uses 2.5gbps interfaces.. But since I do not have a 2.5gbps switch I have that setup as a san.. Does any of that info really give away anything? It's rfc1918 - everyone on the planet is using it.. It doesn't route over the public internet.
Is your wan of pfsense actually public, ie not a rfc1918 IP? 10/8, 192.168/16, 172.16/12 - pick your poison.. If you're using haproxy there is little need for host overrides pointing public fqdn to your rfc1918 IP..
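An added example, not part of the post above: one way to see which LAN clients are sending DNS past pfsense is to scan `tcpdump -n` style output for port 53 and port 853 traffic whose destination is not the local resolver. The resolver address 192.168.9.1, the client addresses and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: the pfsense LAN address that DHCP hands out as the DNS server.
LOCAL_RESOLVER = "192.168.9.1"

# Constructed tcpdump -n style lines (not captured from a real network).
SAMPLE = """\
12:00:01.100000 IP 192.168.9.100.51000 > 192.168.9.1.53: 4660+ A? www.example.com. (33)
12:00:02.200000 IP 192.168.9.57.40112 > 8.8.8.8.53: 811+ A? www.example.com. (33)
12:00:03.300000 IP 192.168.9.57.40113 > 8.8.4.4.853: Flags [S], seq 1, win 65535, length 0
12:00:04.400000 IP 192.168.9.1.53 > 192.168.9.100.51000: 4660 1/0/0 A 192.168.9.10 (49)
12:00:05.500000 IP 192.168.9.57.40114 > 203.0.113.7.443: Flags [S], seq 1, win 65535, length 0
"""

# "IP src.sport > dst.dport:" as printed by tcpdump for IPv4 with -n.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def dns_bypass(capture, resolver=LOCAL_RESOLVER):
    """Return {client: {(server, kind), ...}} for DNS sent past the resolver."""
    found = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, _sport, dst, dport = m.groups()
        if dst == resolver:
            continue  # client is using pfsense, host overrides apply
        if dport == "53":
            # Plain DNS to an outside server: the redirect recipe can catch this.
            found[src].add((dst, "plain DNS"))
        elif dport == "853":
            # DoT has its own port, so it is visible here.
            found[src].add((dst, "DoT"))
        # DoH rides on 443 with all other HTTPS, so a port match cannot
        # tell it apart; the 443 sample line is deliberately not flagged.
    return dict(found)


if __name__ == "__main__":
    for client, servers in dns_bypass(SAMPLE).items():
        for server, kind in sorted(servers):
            print(f"{client} -> {server} ({kind})")
```

A client that shows up here never sees the host overrides, so it resolves the public fqdn to the wan IP instead.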