Gotcha, thanks so much (to you and the others who mentioned this as well). This has been driving me crazy the last couple hours, as I can connect to any of my VLANs (some which I treat as fairly insecure) and they can all hit my firewall if I use the WAN IP.
I checked Pfsense, and I have NAT Reflection disabled everywhere I found it (System>>Advanced>>Firewall & NAT as well as in my individual NAT rules), however I can still access via the WAN IP.
So I guess all I can really do is set a rule to forward to port 80/443 to something else to avoid this, right? I was thinking of hosting a Matrix chat server which would use those ports, so maybe that’s the play.