"Connecting to the external address of the firewall from a host on the LAN, does not mean the packets will actually pass through its external interface. The TCP/IP stack on the firewall compares the destination address of incoming packets with its own addresses and aliases and detects connections to itself as soon as they have passed the internal interface. Such packets do not physically pass through the external interface, and the stack does not simulate such a passage in any way."
Поэтому тестирование порт-форвардинга из локальной сети может не сработать. Есть и способы пофиксить.