Otdfbt

I deleted my original answer, because I wasn't fully confident that it was correct. I have since had some time to set up a little virtual network of VMs to simulate the network in question. Here is the set of firewall rules that worked for me (in iptables-save format, for the nat table only):

-A PREROUTING -d 89.179.245.232/32 -p tcp -m multiport --dports 22,25,80,443 -j DNAT --to-destination 192.168.2.10
-A POSTROUTING -s 192.168.2.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.2.10/32 -p tcp -m multiport --dports 22,25,80,443 -j MASQUERADE

The first POSTROUTING rule is a straightforward way of sharing the internet connection with the LAN. I left it there for completeness.

The PREROUTING rule and the second POSTROUTING rule together establish the appropriate NATs, so that connections to the server via the external IP address can happen, regardless of whether the connections originate from outside or from inside the LAN. When clients on the LAN connect to the server via the external IP address, the server sees the connections as coming from the router's internal IP address (192.168.2.1).

Interestingly, it turns out that there are a couple of variations of the second POSTROUTING rule that also work. If the target is changed to -j SNAT --to-source 192.168.2.1, the effect is (not surprisingly) the same as the MASQUERADE: the server sees connections from local LAN clients as originating from the router's internal IP address. On the other hand, if the target is changed to -j SNAT --to-source 89.179.245.232, then the NATs still work, but this time the server sees connections from local LAN clients as originating from the router's external IP address (89.179.245.232).

Finally, note that your original PREROUTING/DNAT rule with -i ppp0 does not work, because the rule never matches packets coming from the LAN clients (since those don't enter the router via the ppp0 interface). It would be possible to make it work by adding a second PREROUTING rule just for the internal LAN clients, but it would be inelegant (IMO) and would still need to refer explicitly to the external IP address.

Now, even after having laid out a "hairpin NAT" (or "NAT loopback", or "NAT reflection", or whatever one prefers to call it) solution in full detail, I still believe that a split-horizon DNS solution---with external clients resolving to the external IP and internal clients resolving to the internal IP---would be the more advisable route to take. Why? Because more people understand how DNS works than understand how NAT works, and a big part of building good systems is choosing to use parts that are maintainable. A DNS setup is more likely to be understood, and thus correctly maintained, than an arcane NAT setup (IMO, of course).

A common solution is to point your internal hosts at a local DNS server that returns the correct "internal" address for these hostnames.

Another solution -- and we're using this where I work on our Cisco firewalls -- is to rewrite DNS responses on the firewall that correspond to these addresses. I don't think there are tools for Linux that do this right now.

You should be able to configure the routing on your gateway to do the right thing. You may need to configure the servers to be aware of their externally mappped ip address (e.g., by assigning it to a dummy interface). With this configuration, communication from one internal system to another internal system -- using it's "external" address -- would go through the router.

What you are asking to do is called NAT Loopback and it requires that you add a SNAT rule so that packets originating from your LAN to your Server will go back through the router:

-A POSTROUTING -p tcp -s 192.168.2.0/24 -d 192.168.2.10 -m multiport --dports 22,25,80,443 -j SNAT --to-source 89.179.245.232

larsks comment about hosting an internal version of the namespacedomain is generally the way I've handled this issue in the past. Of course, you need a DNS server internally in order to do this.

I came up with the following solution to allow my guest network to connect to ports that were forwarded from my wan to lan network. This script is placed in my "Network -> Firewall -> Custom Rules" section:

# lookup the public IP (DDNS resolves to this)
wanip=$(ip route get 8.8.8.8 | awk -F"src " 'NR==1split($2,a," ");print a[1]')

# Guest network to LAN
# srcname is the guest network name, this needs to match for iptables
srcname=guest
# CIDR notation of guest and lan networks
srcnet=192.168.15.0/24
tgtnet=192.168.10.0/24
# router (openwrt) IP on lan network
tgtrouter=192.168.10.1
# host on lan network where ports are normally forwarded
tgthost=192.168.10.5
# ports to forward as a list or range
tcpports=8080,9090
udpports=12345

prechain=prerouting_$srcname_rule
postchain=postrouting_$srcname_rule

# reset the tables to prevent duplicate rules
iptables -t nat -F $prechain
iptables -t nat -F $postchain

iptables -t nat -A $prechain -s $srcnet -d $wanip/32 -p tcp -m tcp -m multiport --dports $tcpports -m comment --comment "$srcname NAT reflection TCP DNAT" -j DNAT --to-destination $tgthost
iptables -t nat -A $postchain -s $srcnet -d $tgthost/32 -p tcp -m tcp -m multiport --dports $tcpports -m comment --comment "$srcname NAT reflection TCP SNAT" -j SNAT --to-source $tgtrouter
iptables -t nat -A $prechain -s $srcnet -d $wanip/32 -p udp -m udp -m multiport --dports $udpports -m comment --comment "$srcname NAT reflection UDP DNAT" -j DNAT --to-destination $tgthost
iptables -t nat -A $postchain -s $srcnet -d $tgthost/32 -p udp -m udp -m multiport --dports $udpports -m comment --comment "$srcname NAT reflection UDP SNAT" -j SNAT --to-source $tgtrouter

To support reboots, I needed to run the following from the ssh command line on openwrt (otherwise, I believe there is a race condition where some rules were added and then flushed during the reboot):

uci set firewall.@include[0].reload="1"
uci commit firewall

NAT reflection is setup for connections within the LAN network to itself, but not to other networks if you have created multiple interfaces to isolate traffic. I tried configuring a forwarding rule from the web interface, but that sends all traffic to a port from the guest network to that LAN host. The above only intercepts requests to the WAN IP instead of all network traffic.

An internal DNS could be used instead of this, but only if all port forwards only go to a single host. If you have multiple hosts where you forward different ports, you can repeat the rules for different ports to different tgthost IP's and ports.

You want to use dnsmasq to override the real DNS entry for your server to use the INTERNAL IP address.

If your server is www.example.com and it's IP address is 1.2.3.4, from the OUTSIDE, it should look like:

Name: www.example.com
Address: 1.2.3.4

But on the INSIDE of your network, you need www.example.com to point to 192.168.2.10 so that you can access using the same name as you would on the outside, so nslookup should return this on your LAN:

Name: www.example.com
Address: 192.168.2.10

Why have those packets "leave" your LAN to just come right back in? I've never had much success in doing that. But at the same time, I never had a reason to do it either. I have seen this same operation done in many other configurations such as with Endian firewalls, or larger more complex network hidden behind Cisco ASA devices as well as a variety of different DNS servers.

So long as the Internet knows how to get to your server and your internal hosts know how to get to your server (by means of overriding the DNS entries at your local DNS servers), that is the important thing.