I am writing a web application using PHP. For a certain endpoint, I want to validate whether the request was sent from inside the network. We use the 10.0.0.0/8 private range internally. Let's say the server is at 10.0.0.10.
Let's say $_SERVER['REMOTE_ADDR'] = 10.2.3.5, can I safely assume the request had to have come from inside the network (or an internal VLAN as the routers will have private addresses too)? Am I right in thinking that if it came from outside the network, this IP address would have to be a public address for the response to find its way back to the external network's router?