Hi Benedict
At home I probably have running what you’re trying to do…
One public IP address (dynamic). I’m using a hardware box (PCEngines) with OPNsense as firewall, but I have (for tests) also created the same environment just using NethServer.
Besides the NethServer, there are two other servers at home (a Pi-hole VM and a DMS system on Debian). Both are also available internally and externally using the same DNS FQDN, so for example my iPhone works internally and externally using the same DNS name…
One big tip:
NethServer does not (yet) support IPv6, only IPv4 is supported. I turn off ALL IPv6 sources, so my home LAN is completely IPv4 only. (Evades DNS name conflicts, some not available on IPv6…).
This alone will NOT solve all your problems, but is one big step…
Win10 prefers to use IPv6 if available, meaning all DNS pointing to NethServer may be ignored, only the IPv6 DNS entries are used…
On my firewall, ports 80 and 443 both point to my NethServer (192.168.31.20).
My Pi-hole, running on a VM, is available externally and internally, with a Let's Encrypt SSL.
I’m using the Reverse Proxy to point the name for web usage to the NethServer Reverse Proxy.
Have a look yourself:
https://intranet.r7.anwi.ch/
This is basically a link collection; all work except for the Synology (out of service).
The DNS concept behind the magic is called Split-Brain DNS…
My 2 cents
Andy