Binding to specific network when using multiple networks

Hi, I am trying to replace my nginx reverse proxy with Traefik v2.
I am currently using a macvlan network with a static IP bound to nginx.
Nginx proxy forwarding is also done using a bunch of FQDN's and static IP's to other containers with static IP's.

I want to replace this with Traefik bound to the macvlan IP, that gets port forwarding traffic from the router, and default host traffic coming from mapped ports, and routing internally to containers on docker only networks.
Public IP:443 -> Router Port Forward -> Internal static IP:443 -> Traefik Entrypoint
Internal Docker Host -> Port Mapping:80/443/8080 -> Traefik Entrypoint

The reason I want to use a static IP for external servicing is to isolate that traffic from the host networking, and to allow me to move the containers between machines, and I can then use auth middleware to always force authentication for any traffic entering that IP/entrypoint, while allowing internal traffic to not require auth.

The problem I encounter is that Traefik seems to only bind to the macvlan network, or that docker port mapping only binds to the macvlan network, either way, the only traffic going to traefik is the macvlan network.
I.e. I can access http://staticip:8080 but I cannot access http://hostname:8080.

I have seen problems reported of port mapping when using multiple networks that use alphabetical order and binds to the first network by name. I named my networks "localnet" and "publicnet", so in theory the docker port mappings should bind to "localnet", but they appear to bind to "publicnet" instead.

I do not know how traefik is binding entrypoints, I see no info in the logs, if it is to specific networks or to all networks.

  1. Is what I'm trying to do possible with traefik, i.e. multiple networks with different rules per network?
  2. How do I bind host port forwarding to a specific network?

Ansible task:


# Install Traefik

- name: 'Install Traefik'
    name: traefik
    image: traefik
    pull: true
    hostname: "traefik-{{ ansible_hostname }}"
    domainname: "{{ ansible_domain }}"
    restart_policy: unless-stopped
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # HTTP port 80
      - "--entrypoints.web.address=:80"
      - ""
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # HTTPS port 443
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls.certresolver=dns-cloudflare"
      - "[0].main={{ ansible_fqdn }}"
      - "[0].sans=*.{{ ansible_domain }}"
      - "[1].main={{ external_domain }}"
      - "[1].sans=*.{{ external_domain }}"
      # HTTPS port 9443, port forward 443 to 9443 from router
      #- "--entrypoints.externalsecure.address=:9443"
      #- "--entrypoints.externalsecure.http.middlewares=traefik-forward-auth"
      #- "--entrypoints.externalsecure.forwardedheaders.trustedips={{ cloudflare_ips }}"
      #- "--entrypoints.externalsecure.http.tls.certresolver=dns-cloudflare"
      #- "[0].main={{ external_domain }}"
      #- "[0].sans=*.{{ external_domain }}"
      # SSL certs
      - "{{ cloudflare_email }}"
      - ""
      - "--certificatesResolvers.dns-cloudflare.acme.dnschallenge.provider=cloudflare"
      #- "--http.routers.static-service.rule=Host(``)"
      #- "--http.routers.static-service.service=static-service"
      #- "``"
      TZ: "America/Los_Angeles"
      CF_DNS_API_TOKEN: "{{ cloudflare_dns_api_token }}"
      - "{{ appdata_dir }}/traefik/config/acme.json:/acme.json"
      - "/var/run/docker.sock:/var/run/docker.sock"
    networks_cli_compatible: yes
    purge_networks: yes
      - name: "{{ docker_public_network }}"
      - name: "{{ docker_local_network }}"
      - 80:80
      - 443:443
      - 8080:8080

I opened a feature request on github, but the bot closed it saying it is a question.
If it is possible please advise, if not, please accept my feature request: