M


Monday, June 13th, 2022 10:35 PM

Ports 80 and 443 forwarded work externally but not internally on CGA4131COM in router mode

I recently changed my Comcast Business service, and part of the new contract included a new CGA4131COM modem/gateway with cellular backup. Previously I just had a Netgear cable modem. I have a Ubiquiti UniFi Security Gateway (USG) that functioned as my firewall and router. I continue to use this; it just sits as a client behind the Comcast gateway. I had defined, on the USG, a number of port forwarding rules, including 80/443 for web, 21/990/50000-50009 for SFTP, and 32400 for a Plex media server. The USG originally grabbed 10.1.10.186 from the Comcast gateway, so I set that as the static IP. I then configured new port forwarding rules on the Comcast gateway to point to the USG as follows... 80 --> 80, 443 --> 443, 21 --> 21, and so on. Any inbound traffic would hit the Comcast gateway first, then pass through to the USG, and ultimately to the appropriate destination.

Ports 80/443 are sent to a Raspberry Pi running Nginx reverse proxy, allowing the running of a few different websites. The SFTP ports are routed to a different machine running an SFTP server, which is configured to receive and process bug reports submitted by users of our software.

After I set up the new port rules, I ran a smoke test from my laptop, and everything looked great. What I neglected to realize was that I was running a VPN client on it at the time. In essence, I was an "external" user, despite being on my local network.

When I went to push some website updates, I found I was not able to test them! If I tried to hit my URLs from a machine running on the local network, they would clock for 20 seconds and then report "timed out". I started digging in: I double-checked my port forwarding rules, made sure services were running, etc.

What I found out was this. If I was on my local network, I could not "loop back" to ports 80 or 443. I could loop back to 32400 (the Plex server), as well as SFTP ports. It seemed that ONLY ports 80 and 443 were impacted, AND they were only impacted INTERNALLY. If I launched a VPN such as Nord VPN, or switched networks to a mobile hotspot, I could hit the sites perfectly fine over 80/443.

I created another set of rules on the USG -- forward 21080 and 21443 to ports 80 and 443 on the same Raspberry Pi running Nginx. Now I had two USG rules for this -- rule 1 is 80-->80 and 443-->443 and rule 2 is 21080-->80 and 21443-->80. Internally I could then hit https://sitename:21443 and it worked perfectly, but https://sitename did not.

Even more peculiar is that if I changed the Comcast gateway from Router mode to Bridge mode (it defaulted to Advanced Bridge), the problem went away entirely. My USG port forwarding rules worked perfectly, both internally and externally. The drawback is that I cannot use the SecurityEdge features, which are handy for malware, phishing, and site blocking.

The problem came back when I switched back to Router mode. Turning off the Comcast gateway's firewall completely didn't fix the problem either.

Is there another setting I'm overlooking? My investigation shows that there is something happening with ports 80/443 on the Comcast gateway, but only when hit internally, that blocks even port forwarding rules.

No Responses!
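The symptom described in the post (a forwarded port that connects from outside but times out from a LAN host) is the classic signature of a gateway that does not hairpin (NAT loopback) traffic from its own LAN to its WAN address for that port. The following probe script is an added illustration, not code from the original post, from Comcast, or from Ubiquiti. It TCP-connects to each forwarded port and classifies the result as open, refused or timeout, and a second function compares a run made from inside the LAN with a run made from outside (hotspot or VPN) to pick out exactly the ports showing the hairpin pattern. `WAN_HOST` is an RFC 5737 documentation address used as a placeholder, and the port list is constructed from the ports the poster names.

```python
import socket
import sys

# Constructed sample values (not from the post): replace WAN_HOST with the
# gateway's real public address or hostname before running it for real.
WAN_HOST = "203.0.113.10"          # placeholder, RFC 5737 documentation range
FORWARDED_PORTS = [80, 443, 21, 990, 32400, 21080, 21443]


def probe(host, port, timeout=3.0):
    """TCP-connect to host:port and classify the outcome.

    'open'    - handshake completed, something answered on that port
    'refused' - RST came back: host reachable, nothing listening / wrong target
    'timeout' - no answer at all: dropped by a firewall/NAT or black-holed
    'error'   - any other socket error (unroutable address, DNS failure, ...)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    finally:
        sock.close()


def probe_ports(host, ports, timeout=3.0):
    """Probe every port in `ports` on `host`; returns {port: outcome}."""
    return {port: probe(host, port, timeout) for port in ports}


def diagnose(lan, external):
    """Compare a LAN-side probe_ports() run with an external one.

    'timeout' from inside plus 'open' from outside means the forward itself
    works but the gateway is not hairpinning LAN traffic to its WAN address
    for that port, which is the pattern reported for 80/443 in the post.
    """
    verdicts = {}
    for port in sorted(set(lan) | set(external)):
        inside, outside = lan.get(port), external.get(port)
        if inside == "open" and outside == "open":
            verdicts[port] = "ok: forward works from both sides"
        elif inside == "timeout" and outside == "open":
            verdicts[port] = "hairpin failure: forward works externally only"
        elif outside == "refused":
            verdicts[port] = "nothing listening: forward target or service is wrong"
        elif outside in ("timeout", "error"):
            verdicts[port] = "not reachable externally: forward or upstream filter"
        else:
            verdicts[port] = f"inconclusive: lan={inside} external={outside}"
    return verdicts


def hairpin_failures(lan, external):
    """Ports that show the exact inside-timeout / outside-open symptom."""
    return [p for p, v in diagnose(lan, external).items() if v.startswith("hairpin")]


def open_listener():
    """Self-test helper: a loopback listener that needs no accept() thread,
    because the kernel completes handshakes into the listen backlog.
    Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Run once from a LAN host and once from outside (hotspot or VPN), then
    # feed the two result dicts to diagnose(). Optional argv[1] overrides WAN_HOST.
    host = sys.argv[1] if len(sys.argv) > 1 else WAN_HOST
    for port, outcome in probe_ports(host, FORWARDED_PORTS).items():
        print(f"{host}:{port:<6} {outcome}")
```

Because the timeout outcome comes from a silent drop, run the LAN pass with a VPN client disconnected, otherwise the probe goes out the tunnel and reports the external view, which is the same mix-up the poster describes with the first smoke test. Ports that come back "hairpin failure" are the ones to work around with split DNS (resolve the site names to the internal address on the LAN) or a high-port alias like the 21080/21443 rules in the post.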