Why is classified as suspicious login?

as far as i understand, is the router, which re-directs requests from the public internet to the local server where nextcloud is hosted (through a set of port forwarding rules). why might the suspicious login-app suggest that a successful login from is indeed suspicious?

This is more or less what you should expect from the app - it doesn’t alert failed logins - it should show you successful logins not matching previous login metrics… Suspicious login app is using AI to detect anomalies within login metrics. Such anomaly could be login from same IP using different user ids…

Which is what happens when NAT loopback / Hairpin NAT is used. With NAT loopback all requests from devices on the local network will originate from the router IP ( in this case) instead of the actual IP of the device that made the request.