Caddy/pfSense - external domain name works, internal network gives ERR_CONNECTION_REFUSED

I have Caddy setup to forward a subdomain (using duckdns) to port 8123 on Home Assistant. This works well from outside the network, the page loads as expected. However inside my network I get ERR_CONNECTION_REFUSED. I initially thought this was an issue with NAT reflection, so I set that up in pfSense (rule is using Pure NAT and both “enable NAT reflection” and “create automatic outbound NAT rules” are enabled. An nslookup from another machine inside the network does resolve to the correct IP for the HA install (this is hassio installed via the .img, running in ProxMox). Given the IP looks right I assume I’ve done something wrong in the HA config and it’s rejecting the connection. Here’s what I have:

  use_x_forwarded_for: true
  # You must set the trusted proxy IP address so that Home Assistant will properly accept connections
  # Set this to your Caddy machine IP, or localhost if hosted on the same machine.
    - 10.0.0.x

Any advice on what I can look into? The only thing I haven’t tried yet is a host override, but I’m not sure how that would help since the nslookup is working. Thanks!