SSH via Kubernetes Traefik to external Forgejo

I have a k3s cluster running Traefik 3, which acts as the reverse proxy for my entire home network. I also have a physically separate Unraid server that runs some services, and I've set up a bunch of ExternalName Services with Traefik so it can route internal requests to and from those Services.

For web interfaces, I have this working perfectly. However, I cannot seem to configure Traefik to work for SSH access to the Forgejo instance I have running on the Unraid server.

First, I updated my Traefik Helm chart to include the following:

ports:
  # ...
  forgejo-ssh:
    port: 55522
    expose:
      default: true

That gives me a new entryPoint dedicated to Forgejo SSH/git access.

Then, I have a Service + IngressRouteTCP combination:

apiVersion: v1
kind: Service
metadata:
  name: forgejo-git-svc
  namespace: external-svc
spec:
  type: ExternalName
  externalName: unraid.my.network
  ports:
    - name: forgejo-ssh-port
      protocol: TCP
      port: 55522
      targetPort: 2222
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: forgejo-git-ir
  namespace: external-svc
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - forgejo-ssh
  routes:
    - match: HostSNI(`*`)
      services:
        - name: forgejo-git-svc
          namespace: external-svc
          port: 55522

By my understanding, this should take incoming TCP requests on port 55522 (i.e., SSH) and forward them to port 2222 of unraid.my.network (which is the location and port where Forgejo is running).

If I do this directly, i.e., ssh -T git@192.168.1.10 -p 2222, I get the expected response (along the lines of "Hi there! You've successfully authenticated, but Forgejo does not provide shell access"). But if I instead use the DNS entry that forwards through Traefik, i.e., ssh -T git@unraid.my.network -p 55522, I get a "kex_exchange_identification: Connection closed by remote host" SSH console error (though debug1 indicates "Connection established"), and in the Traefik logs I see this:

2025-04-08T23:48:52Z DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:41 > Handling TCP connection address=unraid.my.network:55522 remoteAddr=10.42.2.1:50501
2025-04-08T23:48:52Z ERR github.com/traefik/traefik/v3/pkg/tcp/proxy.go:48 > Error while dialing backend error="dial tcp 192.168.1.10:55522: connect: connection refused"

By my reading, it seems like Traefik is forwarding the request on port 55522 to the same port on the Unraid server, when it should be sending it to port 2222 on the Unraid server.

Any help with this would be appreciated.
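
The port comparison described in the post can be checked mechanically. The following is an added example, not part of the original post or of Traefik: it parses the two quoted log lines and compares the dialed backend port with the port and targetPort values from the forgejo-git-svc manifest. The function name diagnose and the verdict strings are assumptions made for illustration.

```python
import re

# Traefik log lines quoted in the post above.
LOG = """\
2025-04-08T23:48:52Z DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:41 > Handling TCP connection address=unraid.my.network:55522 remoteAddr=10.42.2.1:50501
2025-04-08T23:48:52Z ERR github.com/traefik/traefik/v3/pkg/tcp/proxy.go:48 > Error while dialing backend error="dial tcp 192.168.1.10:55522: connect: connection refused"
"""

# Port mapping from the forgejo-git-svc manifest in the post.
SERVICE_PORT = {"port": 55522, "targetPort": 2222}

ENTRY_RE = re.compile(r"Handling TCP connection address=\S+:(\d+) ")
DIAL_RE = re.compile(r'error="dial tcp (\S+):(\d+): (.+)"')


def diagnose(log_text, svc_port):
    """Return one finding per failed backend dial found in log_text."""
    findings, entry_port = [], None
    for line in log_text.splitlines():
        entry = ENTRY_RE.search(line)
        if entry:
            entry_port = int(entry.group(1))  # port the client connected to
            continue
        dial = DIAL_RE.search(line)
        if not dial:
            continue
        port = int(dial.group(2))
        if port == svc_port["targetPort"]:
            verdict = "dialed targetPort: routing is right, backend refused"
        elif port == svc_port["port"]:
            verdict = "dialed Service port: targetPort was not applied"
        else:
            verdict = "dialed a port named in neither field"
        findings.append({
            "entry_port": entry_port,
            "backend": dial.group(1),
            "dialed_port": port,
            "reason": dial.group(3),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(LOG, SERVICE_PORT):
        print(finding)
```

An ExternalName Service is only a DNS alias with no endpoints behind it, so there is no pod port for targetPort to map onto.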