Real client ip - aws elb

Hello, please help understand how work traefik v2 (2.2.0) with real user IP
Currently I create 2 CR (Middleware and IngressRoute) and via:

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: staff-whitelist
spec:
  ipWhiteList:
    sourceRange:

try build whitelist for IngressRoute but I got "Forbidden"
My current architecture is:
AWS ELB -> Traefik via Service(LoadBalancer)

  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp

  type: LoadBalancer
  sessionAffinity: None
  externalTrafficPolicy: Local

this is part of settings on kubernetes traefik service

I don't use Cloudflare now but this will the second question as on different IngressRoute I must link domain to cluster via Cloudflare proxy.

Thank a lot!

Can you please put Local inside quotes like below and re-deploy?

externalTrafficPolicy: "Local"

Also, would you mind to share your entire Service manifest?