diff --git a/services/caddy.nix b/services/caddy.nix
index 1e4095a..f31ea1d 100644
--- a/services/caddy.nix
+++ b/services/caddy.nix
@@ -89,6 +89,12 @@ in
 port = "http,https";
 logpath = "/var/log/caddy/access-*.log";
 # defaults: maxretry=5, findtime=10m, bantime=10m
+
+ # Ignore local network IPs - NAT hairpinning causes all LAN traffic to
+ # appear from the router IP (192.168.1.1). Banning it blocks all internal access.
+ # Browser subrequests for static assets (favicon.ico, etc.) without Authorization
+ # headers cause 401s that quickly trigger the ban threshold.
+ ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
 };
 filter.Definition = {
 # Match Caddy JSON logs with 401 Unauthorized status (failed basic auth)
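Review bot: The added `ignoreip` exempts the whole 192.168.1.0/24 from this jail, which is broader than the rationale in the comment above it: if hairpin NAT really rewrites every LAN source to the router address, then only 192.168.1.1 needs to be excluded, and a narrower `ignoreip = "127.0.0.1/8 ::1 192.168.1.1";` keeps failed-auth bans in effect for any other host that reaches Caddy with its real address. As written, repeated 401s from any device on the LAN are never banned, so that should either be narrowed or stated explicitly in the comment as an accepted trade-off. The favicon/static-asset 401s mentioned in the comment are a filter-scope problem rather than an allow-list one; they are better handled in `filter.Definition` (which continues past the hunk) than by widening `ignoreip`. The enclosing jail attribute set starts before this hunk.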