I've made a few tests, redirections/permissions configurations but with no luck.
You are right. Too complicated mechanism will cause more problems than benefits. On the other hand, the current Snom One redirection rules are too limited, too simple. I think, the separation of forwarding rules for internal and external connections, and adding the possibility of entering a few exception numbers ("no redirected callers") would be the optimal solution that would solve 99% redirection problems and wouldn't be too complicated.