diff --git a/ansible/roles/traefik/templates/remote-services.yml.j2 b/ansible/roles/traefik/templates/remote-services.yml.j2
index 3487532..ebcc0f5 100644
--- a/ansible/roles/traefik/templates/remote-services.yml.j2
+++ b/ansible/roles/traefik/templates/remote-services.yml.j2
@@ -122,22 +122,6 @@ http:
 tls:
 certResolver: cloudflare
 {% endfor %}
-{% endif %}
-{% if config.auth_required | default(true) %}
- # {{ service_name }} - internal network (no auth)
- {{ service_name }}-int:
- rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && ClientIP(`10.0.0.0/21`)"
- entryPoints:
- - https
- priority: 50
-{% if config.forward_https | default(false) %}
- middlewares:
- - {{ service_name }}-https-headers
-{% endif %}
- service: {{ service_name }}
- tls:
- certResolver: cloudflare
-{% endif %}
 # {{ service_name }} - default path (with auth if required)
 {{ service_name }}:
 rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
@@ -156,6 +140,24 @@ http:
 service: {{ service_name }}
 tls:
 certResolver: cloudflare
+{% else %}
+ {{ service_name }}:
+ rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
+ entryPoints:
+ - https
+{% if config.auth_required | default(true) or config.forward_https | default(false) %}
+ middlewares:
+{% if config.auth_required | default(true) %}
+ - pocketid-auth
+{% endif %}
+{% if config.forward_https | default(false) %}
+ - {{ service_name }}-https-headers
+{% endif %}
+{% endif %}
+ service: {{ service_name }}
+ tls:
+ certResolver: cloudflare
+{% endif %}
 {% endfor %}
 # Auto-configured services - HTTP to HTTPS redirect
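Review bot: In the router added under `{% else %}` (second hunk), `pocketid-auth` is attached only when `config.auth_required | default(true)` is truthy, and `default` substitutes only for an undefined key. A service entry whose `auth_required` key is present but empty (null) would therefore render with no auth middleware, which fails open. Making a literal false the only value that disables auth closes that gap, e.g. `{% if (config.auth_required | default(true)) is not sameas false %}`. The same expression appears in the outer `middlewares:` guard, so it may be worth computing once with `{% set %}` to keep the two in step. The `{% if %}` that this `{% else %}` pairs with opens outside the hunk, so which services take this branch cannot be confirmed from here.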