as far as i understand, 192.168.1.1 is the router, which re-directs requests from the public internet to the local server where nextcloud is hosted (through a set of port forwarding rules). why might the suspicious login-app suggest that a successful login from 192.168.1.1 is indeed suspicious?
This is more or less what you should expect from the app - it doesn’t alert failed logins - it should show you successful logins not matching previous login metrics… Suspicious login app is using AI to detect anomalies within login metrics. Such anomaly could be login from same IP using different user ids…
Which is what happens when NAT loopback / Hairpin NAT is used. With NAT loopback all requests from devices on the local network will originate from the router IP (192.168.1.1 in this case) instead of the actual IP of the device that made the request.