Internet rate limits in overlay-networks like ZeroTier

[frostbyte]

Hey, does anyone have an idea how I could configure rate limits in such networks? I don't expose my JellyFin instance publicly on "the internet". But only within my ZeroTier family and friends network. The CIDR-based approach of Jellyfin to distinguish local and internet access doen't apply their well.

My workaround for now is to apply rate limits for users individually as they stream from remote in 99% of the cases. Its just me that'd probably stream locally and remote. But I'd remember to reduce the bandwidth when I am remote.

[TheDreadPirate]

As long as the CIDR for your Zerotier IP isn't on the LAN Networks list it should be treated as not local, right?

[frostbyte]

Indeed, even though it might be local (and is most of the time). Local or remote can't be determined by the CIDR in such networks. I can happily connect within my LAN to Jellyfin based on the ZeroTier IPs. I do this most of the time, as the I have a public domain name pointing to a private ZeroTier IP where Jellyfin runs (behind a Nginx, SSL terminated there).
When I connect through this domain/ZeroTier IP from another ZeroTier client, the clients are recognized with their ZeroTier IPs by JellyFin.
I could also connect from somewhere else in the world and JellyFin wouldn't notice. At least based on the IP. It's the same.

[TheDreadPirate]

So your Zerotier clients are still using the reverse proxy for connections? What CIDRs do you have in the LAN Networks config? Did you set a Known Proxy in Jellyfin's config?

[frostbyte]

Yes, even when streamed within the LAN. Just for convenience of having just 1 server connection configured on client-side. Either in apps or in browser bookmarks. But they wouldn't have to. Connections to my domain work everywhere just fine from everywhere (as long as ZeroTier is enabled). It's just that I can't know based on the clients IP whether the stream gets routed through the internet.

My configuration is:
Local networks: 192.168.178.0/24 (actual LAN)
Known proxies: 192.168.178.56 (Local Jellyfin IP), MYLOCALNAS_HOSTNAME, jellyfin.mydomain.tld

[frostbyte]

Finally, I found a solution. Split-DNS is the way to go. Essentially, I hosted a DNS-Server on my LAN to overwrite my public DNS records that'd point to Zerotier addresses to the local addressees. This DNS server is configured on the clients in my network through DHCP. That way the reverse proxy is also not used in the LAN anymore. It wasn't easy to setup on the QNAP and a AVM Fritzbox due to tons of issues like DNS ports were already in use on the NAS, bridge networks could not be created by portainer but had to be created in the native container station QTS app, DHCP settings were not applied until the router was rebooted and like 20 more issues. I use unbound as DNS server. bind9 was way too complex for this. unbound is way too much, either.
That way Jellyfin won't receive requests from ZeroTier IPs within the LAN anymore. So I can fully use the rate limits now.
FYI: Some services (not Jellyfin) are also tunnled via cloudflare (Zerotrust and Access) behind an identity aware reverse proxy where I can whitelist people based on their E-Mail address. Jellyfin would work that way, too but is probably against their TOS. Accessing my apps within the LAN, from the Internet both with Zerotier enabled and disabled works as intended and can be accessed with the same domain name everywhere, now.
I am very happy. Maybe that helps someone else, too.