Hello Falko,
Separating networks is a very good idea of course. I was asking about your setup to comment on how the current bruteforce protection would work with regard to exceptions.
From the point of view of this feature, there are 2 scenarios:
1. Clients are reaching the system via individual IP addresses. In this case, we assume that a client causing way too many faulty authentications is doing something wrong or bad and should be blocked. We can of course add the option to define exceptions. I was commenting before that if a block happens in this case, you should want it to happen; a 51st authentication attempt is likely not more successful than the previous ones but still puts load on the system.
2. Clients are reaching the system via the same or very few IP addresses. In this case, bruteforce protection, as it's implemented right now, is useless as it cannot differentiate between clients. Adding exceptions for the one or few expected IPs would just turn the feature off.
We are of course open to address requirements such as this. But we do consider the use cases to avoid unnecessary options that still add to software complexity.
From your description, for internal traffic, clients would reach the system with individual IPs. Given my comment above on scenario 1, would you still want clients that create a lot of faulty authentication attempts not to be blocked because of an exception?
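As an added illustration of the two scenarios discussed in this thread (example code written for this page, not the product's own implementation): a toy per-IP counter of failed authentications with a threshold and an exception list. The threshold of 50 (taken from the "51st attempt" remark), the 10-minute window, the client names and all IP addresses are assumptions. It shows that per-IP blocking works when clients have individual addresses, that behind a shared address one misbehaving client gets everyone blocked, and that putting the shared address on the exception list switches the protection off for all of them.

```python
from collections import defaultdict, deque
from ipaddress import ip_address


class BruteForceGuard:
    """Per-source-IP sliding-window counter of failed authentications.

    Assumed parameters: 50 failures within 600 s blocks the source; sources on the
    exception list are never blocked. (Illustrative only, not the product's code.)
    """

    def __init__(self, threshold=50, window_seconds=600, exceptions=()):
        self.threshold = threshold
        self.window = window_seconds
        self.exceptions = {ip_address(x) for x in exceptions}
        self.failures = defaultdict(deque)  # source ip -> timestamps of failures

    def _prune(self, ip, now):
        # Drop failures that fell out of the sliding window.
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        ip = ip_address(ip)
        if ip in self.exceptions:
            return False  # exception: never counted against, never blocked
        self._prune(ip, now)
        return len(self.failures[ip]) >= self.threshold

    def record_failure(self, ip, now):
        ip = ip_address(ip)
        self._prune(ip, now)
        self.failures[ip].append(now)


def simulate(guard, attempts):
    """attempts: list of (time, source_ip, client_name, credentials_ok).

    Returns client_name -> number of attempts that actually reached the
    authenticator (i.e. were not rejected up front by the guard).
    """
    reached = {client: 0 for _, _, client, _ in attempts}
    for t, src, client, ok in attempts:
        if guard.is_blocked(src, t):
            continue  # rejected without touching the authentication backend
        reached[client] += 1
        if not ok:
            guard.record_failure(src, t)
    return reached


def build_traffic(bad_src, good_src):
    # Constructed sample traffic: a misbehaving client fires 80 wrong logins,
    # then a well-behaved client logs in correctly 5 times shortly afterwards.
    traffic = [(t, bad_src, "bad", False) for t in range(80)]
    traffic += [(100 + i, good_src, "good", True) for i in range(5)]
    return traffic


def scenario_individual_ips():
    # Scenario 1: each client has its own address (addresses are assumptions).
    guard = BruteForceGuard()
    return simulate(guard, build_traffic("10.0.0.5", "10.0.0.6"))


def scenario_shared_ip(exceptions=()):
    # Scenario 2: both clients arrive via the same NAT address (an assumption).
    guard = BruteForceGuard(exceptions=exceptions)
    return simulate(guard, build_traffic("203.0.113.1", "203.0.113.1"))


if __name__ == "__main__":
    print("individual IPs:      ", scenario_individual_ips())
    print("shared IP:           ", scenario_shared_ip())
    print("shared IP, excepted: ", scenario_shared_ip(exceptions=("203.0.113.1",)))
```

With individual addresses the bad client is cut off at 50 attempts and the good client is untouched; behind one shared address the good client is blocked as collateral; with that address on the exception list the bad client's 80 attempts all reach the authenticator, which is the "turns the feature off" case from the post.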