Real client IP - AWS ELB

Hello, please help me understand how Traefik v2 (2.2.0) works with the real user IP.
Currently I have created 2 CRs (Middleware and IngressRoute), and via:

kind: Middleware
  name: staff-whitelist

try to build a whitelist for the IngressRoute, but I got "Forbidden".
My current architecture is:
AWS ELB -> Traefik via Service(LoadBalancer)

  annotations: tcp

  type: LoadBalancer
  sessionAffinity: None
  externalTrafficPolicy: Local

This is part of the settings on the Kubernetes Traefik Service.

I don't use Cloudflare now, but this will be the second question, as on a different IngressRoute I must link the domain to the cluster via the Cloudflare proxy.

Thanks a lot!

Can you please put Local inside quotes like below and re-deploy?

externalTrafficPolicy: "Local"

Also, would you mind sharing your entire Service manifest?