I find it absurd and idiotic that I get "This is not a secure connection" when attempting to connect to devices on my own local area network from within the network itself, while at home. And I would hate to think I have to now add a layer of "local certificates" in order to get rid of these annoying and unnecessary messages and go on about my business. I get these moronic messages when connecting to my two NASs but I can click to get through to my NASs anyway. How do I get rid of these messages?
Your situation seems like it should be simple and that the security mechanisms are being overly pedantic. But when looking at the general case, where RFC1918 addressing is used for private subnets, there is no guarantee that 'local' IP addresses are used by benign 'local' devices.
It's not always the case that RFC1918 addresses are used for truly local devices and you can't even be certain that RFC1918 addresses on the same subnet are for local devices. For instance, VPN'ed devices, double-NAT'ing (source and destination IPs are NAT'ed to local IPs), or just extended private networks can all have RFC1918 addressing... should you trust all of those just because they use RFC1918 addresses? No. The safest approach for a server is to assume all client devices are hostile, until proved otherwise, and afford them the same level of trust (or distrust).
If you're going to access the server using LAN IP then the default will be that the SSL certificate will not cover IP addresses and you'll get an error which you'll have to accept in the browser. Once accepted the exception will remain in the browser for that IP/certificate.
Ultimately it is down to you to make the decision to accept an exception and not the browser to assume it'll be ok. This way you're aware of this lower level of security, though for many this will merely confuse and/or annoy them because it's not fully apparent why it is necessary to be so stubborn.
You could use HTTP for local IP device access and block HTTP from the Internet ... i.e. only port forward HTTPS. My preference is to use HTTPS wherever I am and have a single set of bookmarks.
All the Synology mobile apps have the option to validate secure connections. This requires a valid, signed certificate but you can disable this option and use IP address and self-signed (or signed) certificate. It's the web browsers that enforce the policy of validating certificates against the connection information, and for this you'll have to keep adding exceptions if you want to use HTTPS and an IP address.
But my preference is to run a local DNS server for LAN devices (distributed as part of the DHCP info) and my domain name resolves to local IP. Everything else gets sent to Internet DNS to be resolved. This means my bookmarks are the same for LAN and Internet connected devices and resolution is either direct to LAN IP or to my router's ISP IP. It also means that SSL certificates (managed by DSM) align to the domain names I used to connect to the NAS.
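An added example, not part of the original replies: a simplified version of the name check a TLS client performs, showing why the same NAS certificate produces a warning when reached by LAN IP but not when reached by a domain name that local DNS resolves to that IP. The hostnames, the IP address and the certificate contents are constructed for illustration; the SAN list is shaped like the output of Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

# Constructed sample certificate (hypothetical names): issued for domain
# names only, with no IP address entries, as is typical for a NAS.
NAS_CERT = {"subjectAltName": (("DNS", "nas.example.com"),
                               ("DNS", "*.home.example.com"))}

def _dns_match(pattern, host):
    """Match a hostname against one DNS SAN; '*' covers only the leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_covers(cert, target):
    """Return True if the certificate's SANs cover the host typed in the URL."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with 'IP Address' SANs, never DNS ones,
        # so a name-only certificate can never validate for https://<LAN IP>/.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, target)
               for kind, value in sans)

def report(cert, targets):
    """Map each URL host to 'ok' or 'warning' for the given certificate."""
    return {t: ("ok" if cert_covers(cert, t) else "warning") for t in targets}

if __name__ == "__main__":
    hosts = ["192.168.1.20", "nas.example.com", "cam.home.example.com"]
    for host, result in report(NAS_CERT, hosts).items():
        print(f"https://{host}/ -> {result}")
```

The check depends only on what is typed in the URL, not on where the name resolves, which is why pointing the domain name at the LAN IP with a local DNS server keeps the certificate valid.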