use range for signers, and for wan only do verifying, this only need opendkim-verify.conf and opendkim-signer.conf with is binded in as services where it fit
For some reason second postfix refused to route mail out to wan ip (loops back to myself) when i binded it only to, besides, submission port must be on public ip to enable users to send mail with mail clients. After i changed ip address to public ip for second postfix to bind, everything works as supposed to. Current setup i have is: postfix1(wan ip1 port 25 for incoming mail), postfix2 ( for webmail, and wan ip2 ports 465 and 587 for mail clients). Opendkim is also running with two instances where first (used by postfix1) is configured to verify regardless of mail origin, and second is configured only to sign.
Do you have a working configuration that uses only one public ip?