Should Hairpin NAT bypass internal firewall rules?

This is kind of a theoretical question.

I have WAN1 and WAN2. WAN2 has NAT.

  • WAN1 has some public IP addresses with DNS, and selected public ports are forwarded to internal LAN IPs.

  • There’s an Internal firewall rule saying to block packets from LAN2 to LAN1.

Here’s the weird thing:

  • If LAN2 makes an attempt to access one of the public servers on WAN1, it is blocked.

I suspect what’s happening is that hairpin NAT is operating, and the Peplink realizes “hey, that public IP address is forwarding from an IP on WAN1 to a LAN1 IP, so I’ll just shortcut and route directly from LAN2 to LAN1.”

Then it says “But I have a firewall rule saying LAN2 may not access LAN1, so I will block it”.

This is definitely an edge case. What’s the “right” thing to do in this situation?
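A constructed Python model of the situation described above, added here as an illustration (it is not code from the original post or from Peplink): it runs a LAN2 packet aimed at a forwarded public port through the DNAT table and then the LAN2-to-LAN1 rule, once with the rule seeing the translated LAN1 destination and once with it seeing the original public address. All networks, addresses and the single port forward are assumptions chosen from documentation ranges.

```python
import ipaddress

# Constructed addressing for the scenario; the real networks are not on the page.
LAN1 = ipaddress.ip_network("10.1.0.0/24")
LAN2 = ipaddress.ip_network("10.2.0.0/24")
WAN1_PUBLIC = ipaddress.ip_address("203.0.113.10")  # public IP on WAN1 (assumed)

# Port-forward (DNAT) table on WAN1: (public IP, public port) -> (LAN1 IP, port).
PORT_FORWARDS = {
    (WAN1_PUBLIC, 443): (ipaddress.ip_address("10.1.0.50"), 443),
}

# Internal firewall rules, evaluated top-down, first match wins; default allow.
# Each entry is (source network, destination network, action).
INTERNAL_RULES = [
    (LAN2, LAN1, "deny"),  # the "block LAN2 -> LAN1" rule from the question
]


def zone_of(addr):
    """Name the zone an address belongs to; anything not internal is WAN."""
    for name, net in (("LAN1", LAN1), ("LAN2", LAN2)):
        if addr in net:
            return name
    return "WAN"


def dnat(dst_ip, dst_port):
    """Apply the port-forward table; the tuple is unchanged when nothing matches."""
    return PORT_FORWARDS.get((dst_ip, dst_port), (dst_ip, dst_port))


def internal_verdict(src_ip, dst_ip):
    """Evaluate the internal rule set against a (source, destination) pair."""
    for src_net, dst_net, action in INTERNAL_RULES:
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "allow"


def route_packet(src, dst, dport, rules_see_translated_dst=True):
    """Return (verdict, final destination IP, hairpin?) for one packet.

    rules_see_translated_dst=True models a device that applies internal rules
    after DNAT (the behaviour the question suspects); False models rules that
    only ever see the pre-NAT public destination.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat_ip, nat_port = dnat(dst_ip, dport)
    # Hairpin: an internal source hitting a public address that is forwarded back inside.
    hairpin = zone_of(src_ip) != "WAN" and (nat_ip, nat_port) != (dst_ip, dport)
    check_dst = nat_ip if rules_see_translated_dst else dst_ip
    return internal_verdict(src_ip, check_dst), str(nat_ip), hairpin
```

Running the LAN2 client against the public address yields "deny" only when the rule is applied to the post-NAT LAN1 destination; an Internet-sourced client reaches the same forward unaffected by the internal rule either way.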