diff --git a/ansible/roles/traefik/templates/remote-services.yml.j2 b/ansible/roles/traefik/templates/remote-services.yml.j2
index ebcc0f5..dd2f8fa 100644
--- a/ansible/roles/traefik/templates/remote-services.yml.j2
+++ b/ansible/roles/traefik/templates/remote-services.yml.j2
@@ -36,6 +36,16 @@ http:
 insecureSkipVerify: true
 routers:
+ # Local IP bypass - HTTPS (higher priority, no auth)
+ traefik-secure-local:
+ rule: "Host(`traefik.{{ domain }}`) && (ClientIP(`192.168.0.0/16`) || ClientIP(`10.0.0.0/8`) || ClientIP(`172.16.0.0/12`))"
+ entryPoints:
+ - https
+ priority: 200
+ service: api@internal
+ tls:
+ certResolver: cloudflare
+
 # Static services - HTTPS
 traefik-secure:
 rule: "Host(`traefik.{{ domain }}`)"
@@ -106,6 +116,21 @@ http:
 # Auto-configured services - HTTPS
 {% for service_name, config in auto_configure_traefik.items() %}
+{% if config.auth_required | default(true) %}
+ # {{ service_name }} - local IP bypass (no auth)
+ {{ service_name }}-local:
+ rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && (ClientIP(`192.168.0.0/16`) || ClientIP(`10.0.0.0/8`) || ClientIP(`172.16.0.0/12`))"
+ entryPoints:
+ - https
+ priority: 200
+{% if config.forward_https | default(false) %}
+ middlewares:
+ - {{ service_name }}-https-headers
+{% endif %}
+ service: {{ service_name }}
+ tls:
+ certResolver: cloudflare
+{% endif %}
 {% if config.auth_bypass_paths is defined %}
 # {{ service_name }} - bypass paths (no auth)
 {% for path in config.auth_bypass_paths %}
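Review bot: The unauthenticated `traefik-secure-local` router (and the `{{ service_name }}-local` routers in the second hunk) treats any peer in the three RFC 1918 ranges as a trusted LAN client, but `ClientIP` is matched on the address of the connection Traefik actually accepts, so if public traffic reaches this instance through a tunnel connector, an upstream proxy, or a Docker bridge (the default 172.17.0.0/16 sits inside 172.16.0.0/12), every request would match at priority 200 and `api@internal` would be served with no auth at all. Whether that applies depends on how traffic arrives at this host, which the template does not show; if any such hop lives in those ranges, exclude that hop's subnet from the rule or narrow the list to the real LAN prefix. The assumption should be stated next to the rule, e.g. `# Local IP bypass - HTTPS: only safe if Traefik sees the real client address (no proxy/tunnel/Docker hop inside these CIDRs)`. The cloudflare certResolver name suggests a Cloudflare-fronted setup, so this is worth confirming before the change lands.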
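Review bot: The new `{{ service_name }}-local` router attaches only the `{{ service_name }}-https-headers` middleware, so any other middleware the authenticated router for the same service applies (that router is outside this hunk, so I cannot confirm what it uses) is silently skipped for LAN clients; either copy the same middleware list minus the auth entry or say so in the comment, e.g. `# {{ service_name }} - local IP bypass (no auth; note: only the https-headers middleware is applied here)`. The three-`ClientIP` expression is now repeated verbatim here and in the first hunk, and the two will drift; a role default holding the expression, for instance `traefik_local_client_rule` (constructed name), rendered as `rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && ({{ traefik_local_client_rule }})"`, would keep both routers in sync and leave one place to tighten the ranges. The enclosing `{% for service_name, config in auto_configure_traefik.items() %}` loop closes outside this hunk.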