Hoping for some opinions on this please
Have been playing with traefik for the past week or so, love it. especially its ability to get a certificate via DNS challenge
Ive been running docker for years. Recently have downsized to standalone docker (1 machine many containers to serve the home) because of power consumption and energy prices!
So I have traefik deployed, it gets a (wildcard) certificate for my domain which I purchased from cloudflare via DNS challenge. Have successfully provisioned a few containers and it works, with cert signing, http redirect etc. the usual stuff.
Questions:
How do you guys separate your internal and external traffic? do you use 2 traefik containers??
separate them with vlans? If so, do you use mac/IPvlan networks?
Or just one instance with different ports for internal/external routing?
With regards to docker networking, ideally, for the control, id like to run IPVLAN so that everything has its own IP address. MACVLAN isnt an option, I dont like the idea of tracking down promiscuous mode settings in all of my devices
Is it possible to run IPVLAN network with traefik? Any limitations?
up to now, ive just used a custom network and all the containers have 172 addresses on the same network as traefik
Million dollar question:
What is the easiest way (with docker containers) to achieve certificate signing for all (internal and external services running) via DNS challenge/traefik so that I never see that stupid browser certificate 'proceed anyway' nonsense 
Thanks for reading and appreciate any answers
Why do you want to seperate? For security? There is a lot more about security (and maybe more important) than just Traefik: OWASP Docker Security Cheat Sheet
Why use VLANs? If everything should go through Traefik, you can simply use Docker networks. Traefik Configuration Auto-Discovery usually uses Docker networks, see simple Traefik example.
Thanks for the reply
I dont 'want' to separate, I was just asking what the common practice is amongst you all.
Im not interested in using owasp profiles. security at that level isnt a concern. firewalled off is fine
Yes, ive got mine currently autodiscovered, and it works fine so that will be the route to take
So what youre saying is, standard docker (custom) network, everything through traefik,
What about separation of internal and external?
- different ports at trafik container, 80/443 for internal, and 81/444 for external, port forward at firewall 81/444?
- or, complete new traefik container and port forward to that instead??
Not sure what OWASP profiles are. The article just states to do simple things like give Docker containers a dedicated user, so when someone hacks your first line of defense (like Traefik), they are not automatically root. If you want to go one step further, you should use a Docker Socket Proxy, so a hacker into Traefik can not view secrets and mess with your Docker services, delete them or run bots or crypto-miners on your servers.
I am not a big fan of security through obscurity. Sure, a non-standard port might help against script kiddies, but there are serach engines like shodan that will find your little secret.
You can use a single Traefik, have internal router rule with Host() && ClientIP() or similar.
You can use a catch-all router to forward all non-matched requests to a second internal Traefik. With dnsChallenge it could even get it's own TLS cert, or use insecureSkipVerify.
OWASP is the link to which you provided, its their article - a very good one to be fair
They are an organisation
I am familiar with them because I work with their profiles. That is, cisco, juniper and microsoft hardware and app firewalls. they have a set of attack and detection rules (among other things) that are compatible with these devices and it is industry standard (pretty much) to have them active and reporting - this is more corporate than homelab
I digress. thank you for the response, I will have a play about with routing between two traefik instances and see what fits.