Yes it’s possible to configure a cluster with LAN-only nodes but there’s still a missing key feature to make it effective: NS8 custom certificate
Custom TLS certificate upload is scheduled for some future release: Trello
TLS certificate today works only if Acme HTTP challenge requirements are met, so public IP + DNS record.
As almost any service in NS8 requires a TLS certificate, it quickly becomes a requirement for the whole system. However, when samba file server module is released we’ll find the rule exception.