MFA when reverse proxied from router otherwise not from within LAN?

I know I can set up MFA but I don’t need it internally on my LAN.
If I set up my reverse proxy (caddy at the router) correctly will HA be able to see that I am trying to log in from an outside IP or at least the IP of the router? In which case can I tell HA to only enable MFA if the client logging is either external IP or my router IP?

Alternatively I suppose I can turn MFA on and then maybe give HA a list (or preferably a range) of IPs that don’t require MFA (or even a login at all).

Anyway I can dig around for details and proably set things up on my own I’d just like to know apriori what is possible so I don’t waste time.

Just so you know what I am not interested in doing for remote access.

  1. Using the HA cloud
  2. Using a VPN (I have a vpn server set up but AFAIK all android vpn clients can’t do a split tunnel so when the vpn client is on ALL traffic goes back home first when I all want is traffic for my public IP. So I have to turn the client on/off when I want to “phone home”.

I have to same question. Too bad no-one has answered yet.
How to differentiate to have MFA when connecting from WAN but not from LAN