In case someone else is interested - https://web.dev/cors-rfc1918-feedback/#chrome’s-plans-to-enable-cors-rfc1918 had a reference to chrome://flags/#block-insecure-private-network-requests I disabled that flag, and now Chrome is back to doing direct connections.
this is the description of the flag:
Block insecure private network requests.
Prevents non-secure contexts from making sub-resource requests to more-private IP addresses. An IP address IP1 is more private than IP2 if 1) IP1 is localhost and IP2 is not, or 2) IP1 is private and IP2 is public. This is a first step towards full enforcement of CORS-RFC1918: https://wicg.github.io/cors-rfc1918 – Mac, Windows, Linux, Chrome OS, Android
So - for the moment, it is possible to get chrome to work as before, I have not looked at what edge does.
I can only assume that disabling “block-insecure-private-network-requests” is a temporary workaround, and that it will vanish when CORS-RFC1918 is fully implemented.
I also assume that this will make the Vera fully dependent on the mios cloud, for some of the UI actions (ie those where you have to be logged in)