Oh, thanks for clarifying. Two things that come to my mind are:
1) Try to do it on the application level. For example, try a following hack - check $_SERVER['REMOTE_ADDR'] in LocalSettings.php and conditionally set $wgGroupPermissions['*']['read'] to false (also 'edit', 'createaccount', 'createpage', 'createtalk', 'writeapi') => the wiki will become [unreadable] for non-local addresses... Or another kind of hack - maybe it's even better because of missing userCanRead() calls in different parts of MW: redirect all anonymous external users to Special:Userlogin (again with PHP, using IP check in LocalSettings.php), so the only page they will have access to will be the login page.
2) Try "Satisfy any" in Apache and still use REMOTE_USER, i.e.:
Allow from 192.168.0.0/24
Require valid-user
Satisfy any
This will probably lead to external users having to log in using HTTP authentication and internal users having to use normal application-level authentication. But I think this is uglier, at least because of HTTP auth.