16again wrote:@dpurgert
The "missing hairpin masquerade rule" is normally required, to make sure the return packet is also sent to the router.Here you don't need it, because source of the request already is on another VLAN (=another router interface) and thus return packet is already sent to the firewall.
Although request and response are sent on the same cable, this is no hairpin! Inter vlan communcation like this is more like router on a stick. (with additional dNAT rule)
It seems like the interVLAN traffic is not flowing. I did add that extra hairpin rule incase anyone in the VLAN2 needed to access the webserver.
