I finally figured out a decent fix for my networking situation. For those unfamiliar with the situation, the Arris BGW210-700 modem/router combo units from AT&T do not support NAT Loopbacking (even though the previous modems did). So I had to do a little network trickery in order to get it to work.
The first step was to enable a DNS server on my server. This wasn’t hard as I already have AdGuard up and running for the VMs on my server’s network. It was just a matter of telling the modem to use my server’s DNS resolver instead of the modem’s. Once I did that, I made AdGuard rewrite all requests to *.heestand.tech to the private IP address of the server, so that packets wouldn’t be routed to the modem.
Afterwards, I had to enable NAT loopback in OPNsense since my internal VMs were getting routed to the firewall instead of the server. Once that was over, everything worked fine!
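A quick way to check which names the rewrite from the DNS step actually covers, as an added example that is not part of the original post. The addresses, the `www` and `git` hostnames, and the matching rule (a `*.zone` wildcard covers subdomains but not the bare domain) are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule_matches(rule, host):
    """Assumed semantics: '*.zone' matches any subdomain but not the apex."""
    rule, host = rule.lower().rstrip("."), host.lower().rstrip(".")
    if rule.startswith("*."):
        return host.endswith(rule[1:])  # suffix must include the leading dot
    return host == rule

def resolve(host, rewrites, upstream):
    """Return the rewritten address if a rule matches, else the upstream answer."""
    for rule, target in rewrites:
        if rule_matches(rule, host):
            return target
    return upstream[host]

def needs_loopback(hosts, rewrites, upstream):
    """Hosts that LAN clients would still reach through the WAN address."""
    exposed = []
    for host in hosts:
        addr = ipaddress.ip_address(resolve(host, rewrites, upstream))
        if not any(addr in net for net in RFC1918):
            exposed.append(host)
    return exposed

# Constructed sample data (placeholder addresses and hostnames).
SERVER_LAN_IP = "192.168.1.10"
WAN_IP = "203.0.113.10"
REWRITES = [("*.heestand.tech", SERVER_LAN_IP)]
HOSTS = ["heestand.tech", "www.heestand.tech", "git.heestand.tech"]
UPSTREAM = {h: WAN_IP for h in HOSTS}

if __name__ == "__main__":
    # Any name listed here still depends on NAT loopback at the modem.
    print(needs_loopback(HOSTS, REWRITES, UPSTREAM))
```

Under that assumption, the bare domain needs its own rewrite entry next to the wildcard, otherwise it still resolves to the public address.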
I still wish the Arris BGW210-700 modems supported NAT loopback; this would have saved a ton of time and a large headache on my part. But everything is working as expected now, so I cannot complain!