# Reverse proxy - cannot access HA on the local network (via subdomain), works perfectly fine outside


candid sigil
#

Hi. I've got HA set up on a subdomain with the following SWAG config:
```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name home.*;

    client_max_body_size 0;

    ssl on;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_prefer_server_ciphers on;

    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

    location / {
        proxy_pass http://10.10.1.11:8123;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
    }

    location /api/websocket {
        proxy_pass http://10.10.1.11:8123/api/websocket;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
    }
}
```

The dyndns is on Cloudflare, the subdomain is being tied to my external IP (without proxying), and on my home router there's a NAT for ports 80 and 443 forwarding to 10.10.1.13, which runs Docker and SWAG. SWAG redirects home.* to 10.10.1.11, which runs HAOS.
This setup works perfectly fine while I'm on an external network connection, but I CANNOT connect to HA from the internal network.
I've got a couple of dozen revproxy subdomains set up in SWAG in a fairly similar fashion, and all of them except HA are accessible from both the internal and external network.

What am I doing wrong here?

#

One interesting thing is that if I curl home... from an outside network I'm getting a login page, but when I curl home.... from the inside network I'm getting a pfSense page with a "Potential DNS Rebind attack detected. Try accessing the router by IP address instead of by hostname." error

#

That's how NAT is set up on my router:

#

and firewall rules
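
The "Potential DNS Rebind attack detected" page quoted above is produced by a Host-header check on a router's management web interface, so seeing it means the request was answered by that interface rather than by the reverse proxy. The following is an added illustration, not part of the original post and not pfSense's own code: a simplified model of such a check, in which `ROUTER_NAMES`, `rebind_guard` and `home.example.com` are constructed placeholders.

```python
import ipaddress

# Constructed names the management UI considers its own (assumption).
ROUTER_NAMES = {"router.lan.example", "router"}
REBIND_MSG = "Potential DNS Rebind attack detected"


def host_only(host_header: str) -> str:
    """Normalise a Host header: drop port, brackets, case and trailing dot."""
    h = host_header.strip().lower()
    if h.startswith("["):              # bracketed IPv6 literal, e.g. [fd00::1]:443
        return h[1:].split("]", 1)[0]
    if h.count(":") == 1:              # name:port or IPv4:port
        h = h.split(":", 1)[0]
    return h.rstrip(".")               # tolerate a fully qualified trailing dot


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def rebind_guard(host_header: str, allowed_names=ROUTER_NAMES) -> bool:
    """Return True if the management UI should serve this request."""
    host = host_only(host_header)
    if is_ip_literal(host):
        return True                    # no DNS name involved, nothing to rebind
    return host in {n.lower() for n in allowed_names}


def response_for(host_header: str) -> str:
    """What the client would see for a given Host header."""
    return "served" if rebind_guard(host_header) else REBIND_MSG


if __name__ == "__main__":
    # Constructed requests: the proxied subdomain, the router by IP, by name.
    for h in ("home.example.com", "10.10.1.1:443", "Router.LAN.example."):
        print(f"{h:24} -> {response_for(h)}")
```

A Host header naming the proxied subdomain is rejected while an IP literal is accepted, which matches the error text's advice to reach the router by IP address instead of by hostname.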