TCP/UDP routers not passing source IP to destination

shlomi · July 29, 2022, 12:18pm

I tried to use Traefik in front of a DNS server (AdGuard Home) to load balance UDP and TCP DNS requests.

Both AdGuard and traefik are on the same docker host.

traefik.yml config

entryPoints:
  dns53t:
    address: :53/tcp
  dns53u:
    address: :53/udp

adguard docker compose labels

# port 53 tcp
      - "traefik.tcp.routers.adguard53t.entrypoints=dns53t"
      - "traefik.tcp.routers.adguard53t.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.adguard53t.service=adguard53t"
      - "traefik.tcp.services.adguard53t.loadbalancer.server.port=53"
# port 53 udp
      - "traefik.udp.routers.adguard53u.entrypoints=dns53u"
      - "traefik.udp.routers.adguard53u.service=adguard53u"
      - "traefik.udp.services.adguard53u.loadbalancer.server.port=53"

But in adguard logs the client ip is showing the ip of traefik docker container.

I know passing headers is not relevant to TCP/UDP but I can't overcome this issue.
In AdGuard i use different settings (blocking services) by the source ip.
Does anyone have any ideas?

Thank you

shlomi · August 15, 2022, 3:24pm

No one knows?
this is so frustrating to me

cumpsd · April 15, 2023, 7:50pm

Would love to know too

bluepuma77 · April 15, 2023, 10:10pm

A TCP connection has a source and a target, those are always the real IPs, so when Traefik is forwarding TCP packets, the source will be the Traefik IP.

A common way around this is to utilize the ProxyProtocol, which adds the original IP within the TCP packet (as data). Traefik should support this for incoming connections (e.g. from a load balancer) and outgoing connections (to a target service). Your target service must support it, too.

lroutledge93 · November 24, 2023, 2:00pm

We're having the same problem.

Trying to set-up DNS in Kubernetes using Traefik as the ingress.

We just need Traefik to route the traffic to the pods rather than proxy it so we need to find another solution ...

@shlomi - Did you find a work around for this?

tuongvu · December 25, 2024, 2:56pm

We're having the same problem. Eventhough I set:

        - --entryPoints.udp.address=:4001/udp
        - --entryPoints.udp.proxyProtocol.insecure=true
        - --entryPoints.udp.proxyProtocol.trustedIPs=0.0.0.0/0

Has anyone solved this problem?

bluepuma77 · December 25, 2024, 3:33pm

What do you want to achieve? By using ProxyProtocol, the original IP is preserved, Traefik can process it internally, when using http it is passed as header.

If you want to see the original IP in the target service, then you need enable ProxyProtocol in Traefik service and implement ProxyProtocol in your application.

How else should it work, Traefik will not fake UDP IP addresses.

tuongvu · December 25, 2024, 6:37pm

@bluepuma77 I sent a test message to my UDP server deployed as a pod in the Kubernetes cluster via Traefik UDP. I noticed that even though I set the UDP entry points to enable the proxy protocol as shown above, the UDP server reports that the source IP is the IP of the Traefik Kubernetes pod, not the source IP of the machine from which I sent the message.

chrisss404 · January 15, 2025, 7:42am

Could be related to https://github.com/moby/libnetwork/issues/1994

Topic		Replies	Views
TCP Service forward original IP Traefik v2 docker , tcp	2	1546	February 19, 2023
Source IP in AdGuard behind Traefik (Docker) Traefik v2 docker	4	2826	June 3, 2023
TCP reverse proxy pass through (nginx equivalent) Traefik v2 file , tcp	4	3428	January 10, 2025
Pihole TCP/UDP Services for port 53 behind Traefik Traefik v2 docker , tcp	6	9089	July 20, 2020
Traefik v2.2 DNS service UDP howto Traefik v2 docker	0	3967	April 25, 2020

TCP/UDP routers not passing source IP to destination

Related topics