NGINX access module and internal DNS: How to allow only local clients

I searched through serverfault but couldn't find an answer to this. Maybe I just don't know the right keyword or it's a conceptual misunderstanding. Any help would be appreciated!

The situation:

1. My local services are running behind an NGINX reverse proxy
2. I use a LAN DNS on the router (Draytek) to resolve local requests to *.example.com directly to my local server (192.168.1.2).

Even if there is no internet connection, the domains will be resolved to the local server and all services are accessible. That's why I use the LAN DNS. So far, so good.

Now I want to only allow local clients to access certain services by using the NGINX access module with:

allow 192.168.1.0/24;
deny all;

But NGINX only sees the public IP of the router instead of the IP of the client (192.168.1.100) and so every request is refused:

[...] access forbidden by rule, client: 123.123.123.123, server: service.example.de, request: [...]"

My question is:

How can I distinguish between local and remote clients on NGINX in this scenario?

Link to network diagram

First an assumption/condition, which is to check if your router adds the X-Forwarded-For header or something similar (keeps trace of the actual client IP)

You should resolve the client IP first, through ngx_http_realip_module

The example configuration provided there:

set_real_ip_from  192.168.1.0/24;
set_real_ip_from  192.168.2.1;
set_real_ip_from  2001:0db8::/32;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

With this, the IP used for access checks should be the correct one (actual client).

One caveat is that with such configuration, attempts to add the router to the X-Forwarded-For header cannot be done automatically with proxy_add_x_forwarded_for, as the IP added through will have been altered by the previous directive. That specific case has been discussed on stack overflow