

It looks incredibly convoluted. My best guess is that traffic hits 172.168.1.254 and gets routed out on the internet and doesn’t pass the DMZ.
Then I assume there is something wrong in the routes from your LAN when returning traffic that got initiated through the internet OPNsense. If you can see traffic hit the LAN network, all should be well on the way in.
Perhaps some sessions on the way time out due to low TTL. I’ve experienced drops of traffic when there are too many hops.
It’s possible, depending on how you’ve set up your NAT, that the traffic can’t return due to coming from a public IP.
Why do you have a public IP span configured as LAN?
I think the packets take one way in, and get routed a different way out.