so as far as I can tell, the issue is that when a local device tries to send something to the network's WAN IP, NAT rules just don't apply to it for some reason I don't fully understand. so you have to manually add a rule that says "any traffic from a LAN device to another LAN device should be masqueraded" and once you have that the normal NAT rules for forwarding traffic to specific devices work fine. I suddenly feel like I have a lot more to learn about this
WAIT I GET IT if you're in the local network and you send a request to your public IP the router will send the request on to the internet but it won't receive its own request so it never gets an answer. so you use a hairpin NAT rule to say "if a LAN device makes a request against our WAN IP, pretend it came from the WAN interface and handle it normally"
