1: If no gateway to the WAN exists, the certificate chain cannot be validated.
2: I did say "mostly" useless. If your LAN is at risk of spoofing or MITM, then TLS probably will not solve all of your problems anyway.
3: Obviously you can create a local cert and add it to your trust chain. You'll still have problems with various embedded devices that don't have an RTC.
what do you mean?
> Requiring TLS on an inter-LAN connection is mostly useless
There are many ways to intercept inter-LAN traffic, and:
> and impossible if no Internet gateway is available.
DNS validation? Run your own CA and trust it in your intranet?
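To make the two points concrete (a private CA trusted only on the intranet validates a chain with no WAN at all, while a device whose clock is wrong fails that same validation), here is an added example that is not from anyone in this thread. It assumes `openssl` is installed; the CA name, hostname and file paths are placeholders.

```shell
#!/bin/sh
# Constructed demo: a private CA for an intranet, a server cert issued by it,
# and offline chain validation that needs no Internet gateway.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir for the demo PKI

make_lan_pki() {
  # Self-signed root for the LAN. In real use keep ca.key off the network.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example LAN Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Key + CSR for an internal host (placeholder name), signed by that CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=printer.lan.example" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/host.crt" 2>/dev/null
}

# Chain check against the local trust anchor only: no OCSP, no CRL download,
# nothing leaves the LAN. Prints "ok"/"fail" and returns 0/1.
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/host.crt" >/dev/null 2>&1; then
    echo ok; return 0
  fi
  echo fail; return 1
}

# Same check as seen by a device with no RTC. -attime makes openssl evaluate
# notBefore/notAfter at the given epoch instead of the real clock.
verify_chain_at() {
  if openssl verify -attime "$1" -CAfile "$WORK/ca.crt" "$WORK/host.crt" \
       >/dev/null 2>&1; then
    echo ok; return 0
  fi
  echo fail; return 1
}

make_lan_pki
verify_chain              # ok: the chain validates with no WAN access
verify_chain_at 0 || true # fail: on a 1970 clock every cert is "not yet valid"
```

The second check is the RTC problem from point 3: the chain is cryptographically fine, but validity-period enforcement makes it unusable until the device learns the time (typically over NTP, which brings its own trust issues on an untrusted LAN).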