"inside LAN they don't want to run on HTTPS"
This is bad thinking on the decision-makers' part. There is no reason not to run internally over HTTPS just as you do externally.
We also have Moodle running both internally and externally. Our DNS is examplemoodle.org. Internally, it resolves to a local 10.xx.xx.xx IP and the SSL cert is served by a webserver. Externally, it resolves to our reverse proxy/firewall appliance, which forwards the inbound requests and also has the SSL certificate installed on it. This is known as "split" or "split brain" DNS.
If you could provide me with a really, really good reason why you would not run HTTPS internally (I'm very much struggling to think of one, particularly because caching is less important on an intranet) I could help you think, otherwise, I don't really want to provide advice that weakens security. While it's true that if you have switches (cf. hubs) there's not a great chance the network could be tapped if your network infrastructure is secure, that possibility still exists.
The other reason this is bad thinking is that the browser (when used externally) may cache the redirect from http to https when the device comes inside. Also means you can't use HSTS. Just can't see the reasoning, sorry.