1
Does Caddy come with the ionos dns challenge plugin built into it or do you need to compile it with the plugin?
I regret moving my phone number to Google Voice because at this point I fully expect Google to someday kill the service.
If they are on the same l2 network then your options are basically either to use nginx ACLs or a local firewall on the nginx host since the traffic wont traverse the firewall.
Something like iptables -I INPUT -s 1.2.3.0/24 -j DROP on the nginx host should work
As a protective measure, you could block your local synapse server from federating with matrix.org and that should keep anybody from joining any of the giant rooms on the largest matrix server.
I've been running a synapse server for a few years using https://github.com/spantaleev/matrix-docker-ansible-deploy
I'd highly recommend the above Ansible playbook as it makes it easy to manage not only synapse but also to manage a bunch of bridges and bots if you have the need for them. I have a bunch of rooms that are bridged to Slack for my bozo friends that refuse to use a cool open-source alternative.
Can you share your firewall config? It could be that the firewall isn't allowing packets to be forwarded from the tun/tap interface on the router to the LAN interface or vice versa.
Can you ping the ssh server from the phone?