The DMZ

A DMZ, short for DeMilitarized Zone, is a separate network used to isolate your home network from the network that hosts your externally accessible services.

Since I am using direct SSH tunnels to connect the home server to the external server, a DMZ is not strictly needed in my case.

There is, however, a specific reason why I use a DMZ, and it is related to how I want to reach my services from inside and from outside the home network.

With the simple approach, the solution was to remap the external subdomains to the local IP address of the home server, so that from inside the home network you reach the internal address, while from outside you go through the external server and the SSH tunnel.

With OPNsense there is a much better approach, which relies on a mix of Destination NAT and Source NAT to rewrite every request to your external IP on port 443 to your home server.

The DNAT ensures that any request from your home network toward your external server on port 443 is redirected to your home server, but there is a catch: you cannot do that on the same Ethernet network. The reply-to address would be the router itself, and your clients on the home network would not actually receive any data from your home server behind the DNAT. You therefore also need an SNAT layer that redirects the replies back to the client.

For all this to work properly, I added a DMZ interface to connect OPNsense and the home server directly. I also plan to route proper external service access over this interface once I get to it, using WireGuard instead of SSH tunnels, but more on that later.

Set up the DNAT

Go to Firewall → NAT → Port Forward

Add two rules: the first on interface DMZ, source LAN net, any source port, destination the external server IP on port 443, redirect target the DMZ IP address of the home server, port 443. The second one is identical, but for port 22 (needed for the Git service if you use Gitea/Forgejo or similar).

Set up the SNAT

Go to Firewall → NAT → Outbound

Switch to mixed mode and add one rule: interface DMZ, source LAN net, all ports and IPs.

This ensures that all packets coming back from the DMZ toward the LAN are correctly SNATted.
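As an added illustration (not part of the original page and not OPNsense's own code), the following Python model walks one request from a LAN client through the port-forward rule with and without the outbound SNAT rule, using constructed addresses; it treats a server reply that is not addressed to the router as bypassing the router's NAT state, which is the catch described above.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the model (not taken from the page).
EXT_IP = "203.0.113.10"      # external server, what the subdomains resolve to
ROUTER_DMZ = "10.10.0.1"     # OPNsense address on the DMZ interface
SERVER_DMZ = "10.10.0.10"    # home server on the DMZ
CLIENT = "192.168.1.50"      # a host on the LAN
FORWARD_PORTS = {443, 22}    # the two port-forward rules from the page
SNAT_PORT = 55000            # port the router picks when it rewrites the source

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def router_forward(pkt: Packet, snat: bool, state: dict) -> Packet:
    """DNAT (and optional SNAT) applied to a LAN packet, with NAT state recorded."""
    if pkt.dst != EXT_IP or pkt.dport not in FORWARD_PORTS:
        return pkt                                   # not hairpinned, leaves normally
    out = replace(pkt, dst=SERVER_DMZ)               # DNAT: EXT_IP:443 -> home server
    if snat:
        out = replace(out, src=ROUTER_DMZ, sport=SNAT_PORT)  # SNAT: hide the client
    state[(out.dst, out.dport, out.src, out.sport)] = pkt   # remember original tuple
    return out

def router_return(reply: Packet, state: dict) -> Packet:
    """Reverse translation: only a reply addressed to the router hits the NAT state."""
    orig = state.get((reply.src, reply.sport, reply.dst, reply.dport))
    if reply.dst != ROUTER_DMZ or orig is None:
        return reply          # the page's catch: reply never gets un-translated
    return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)

def hairpin(snat: bool, port: int = 443) -> dict:
    """Simulate one request/reply round trip and report whether the client accepts it."""
    state: dict = {}
    request = Packet(CLIENT, 41000, EXT_IP, port)
    expected_peer = (request.dst, request.dport)     # client waits for EXT_IP:port
    at_server = router_forward(request, snat, state)
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    at_client = router_return(reply, state)
    accepted = (at_client.src, at_client.sport) == expected_peer and at_client.dst == CLIENT
    return {"accepted": accepted, "reply": at_client}

if __name__ == "__main__":
    for flag in (False, True):
        print("SNAT on" if flag else "SNAT off", "->", hairpin(flag))
```

Without the SNAT rule the client sees a reply from the server's DMZ address instead of the external IP it connected to and drops it; with the rule the router sees both directions and restores the original addresses.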