Traefik dashboard didn't show up at my domain. (CGNAT internet ISP)

I'm following Techno Tim (https://www.youtube.com/watch?v=n1vOfdz5Nm8&t=263s) to create Traefik 3 and letsencrypt.
I have Proxmox and created a Debian VM. I have T-Mobile home internet, so it is CGNAT.

I have Docker up and running, but it didn't show the dashboard at my domain name "traefik-dashboard.example.fyi"

But I can access my dashboard at "http://192.168.12.7:8080/dashboard#/"

Do I need Cloudflare Tunnel? I like to use Traefik.
Thank you

These are my Cloudflare DNS records:

Containers:

This is my docker-compose.yaml

#version: "3.8"

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      - "8080:8080"
      # - 443:443/tcp # Uncomment if you want HTTP3
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.example.fyi`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.example.fyi`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.fyi"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.fyi"
      - "traefik.http.routers.traefik-secure.service=api@internal"


secrets:
  cf_api_token:
    file: ./cf_api_token.txt

networks:
  proxy:
    external: true

Traefik.yml

api:
  dashboard: true
  debug: true
  insecure: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # file:
  #   filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: example@gmail.com
      storage: acme.json
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        disablePropagationCheck: true # uncomment this if you have issues pulling certificates through Cloudflare; setting this flag to true disables the wait for the TXT record to propagate to all authoritative name servers
        delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

SSL:

{
  "cloudflare": {
    "Account": {
      "Email": "example@gmail.com",
      "Registration": {
        "body": {
          "status": "valid",
          "contact": [
            "mailto:example@gmail.com"
          ]
        },
        "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/2075413497"
      },
      "PrivateKey": "example",
      "KeyType": "4096"
    },
    "Certificates": [
      {
        "domain": {
          "main": "example.fyi",
          "sans": [
            "*.example.fyi"
          ]
        },
        "certificate": "example",
        "key": "example",
        "Store": "default"
      }
    ]
  }
}

curl -v https://traefik-dashboard.example.fyi

* Could not resolve host: traefik-dashboard.example.fyi
* Closing connection 0
curl: (6) Could not resolve host: traefik-dashboard.example.fyi

docker logs traefik - None

nslookup traefik-dashboard.example.fyi
Server: 192.168.12.1
Address: 192.168.12.1#53

Non-authoritative answer:
Name: traefik-dashboard.example.fyi
Address: 104.21.75.54
Name: traefik-dashboard.example.fyi
Address: 172.67.214.210
Name: traefik-dashboard.example.fyi
Address: 2606:4700:3033::ac43:d6d2
Name: traefik-dashboard.example.fyi
Address: 2606:4700:3034::6815:4b36

You can run any service on a local port (like traefik/whoami) and see if you can connect from the Internet.

I recently tried that on a mobile connection, but the local service was not reachable on the given IP from the Internet.

If the Cloudflare tunnel solution can establish a connection from local host to the external provider, then it might work.

AFAIK the Cloudflare solutions have a limited number of (sub-)domains for free.

Alternatively you could try to set up a VPN connection from your local host to a small VM on the Internet and tunnel traffic yourself.
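The two posts above mix two separate questions: whether the home network can accept inbound connections at all, and whether the Traefik router itself works. The nslookup answers in the first post are Cloudflare edge addresses (a proxied record), so Cloudflare would still have to reach the origin on ports 80/443, which a CGNAT WAN address rules out. The script below is an added example, not code from the thread, from Traefik or from Cloudflare: it classifies an IPv4 address as CGNAT (RFC 6598, 100.64.0.0/10), RFC 1918 private or public, and it pins the dashboard hostname to the LAN address with curl's `--resolve` option so the `traefik-secure` router can be exercised without DNS or the Internet. The addresses 100.64.1.2 and 203.0.113.10 are constructed sample values; 192.168.12.7 and 104.21.75.54 are taken from the thread.

```shell
#!/bin/sh
# Added diagnostic for the thread above; not code from the thread, Traefik
# or Cloudflare. It separates two questions the posts mix together:
#   1. Can this network accept inbound connections at all? A WAN address in
#      100.64.0.0/10 (RFC 6598 shared address space) means the ISP is doing
#      CGNAT and port forwarding on the home router cannot help.
#   2. Does the Traefik router itself work? curl --resolve pins the name to
#      the LAN address, so the test does not depend on Cloudflare DNS.

# Print an IPv4 dotted quad as a 32-bit integer.
ip4_to_int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Return 0 when address $1 lies inside CIDR block $2 (e.g. 100.64.0.0/10).
in_cidr() {
  net=${2%/*}
  bits=${2#*/}
  mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Classify an address: cgnat (RFC 6598), private (RFC 1918) or public.
classify_ip() {
  if in_cidr "$1" 100.64.0.0/10; then
    echo cgnat
  elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then
    echo private
  else
    echo public
  fi
}

# Given the router's WAN address, say whether inbound port forwarding to
# ports 80/443 can ever reach Traefik. Only a public WAN address can.
inbound_possible() {
  [ "$(classify_ip "$1")" = public ] && echo yes || echo no
}

# Exercise the traefik-secure router without DNS or the Internet: pin the
# dashboard hostname to the LAN address of the Docker host. -k is needed
# because traefik.yml points the resolver at the Let's Encrypt staging CA.
# An HTTP 401 means the Host rule matched and the basicauth middleware ran;
# a 404 means no router matched the request.
probe_local_router() {
  host=$1
  lan_ip=$2
  curl -sk -o /dev/null -w '%{http_code}\n' \
       --resolve "$host:443:$lan_ip" "https://$host/dashboard/"
}

# Constructed sample values (not from the thread): a CGNAT WAN address and a
# public one, beside the LAN and Cloudflare edge addresses the thread shows.
for addr in 100.64.1.2 203.0.113.10 192.168.12.7 104.21.75.54; do
  printf '%-14s %s\n' "$addr" "$(classify_ip "$addr")"
done
# Run on the LAN to check the router independently of DNS and CGNAT:
# probe_local_router traefik-dashboard.example.fyi 192.168.12.7
```

Read the router's WAN address from its status page and pass it to `classify_ip`; a `cgnat` result means no amount of Traefik or DNS configuration will make port 443 reachable from outside, which is the case for a tunnel or a VPN to a host that does have a public address. A `401` from `probe_local_router` shows the routing and basic-auth side is already correct.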

Thank you, bluepuma77

I will try running any service on a local port (like traefik/whoami).

Cloudflare Tunnel is limited to 5 subdomains. I think that is low.
What do you think about Tailscale with an exit node on my VM (limited to 100 devices), Twingate with 5 users, or a WireGuard VPN?
So far I self-host Immich, Ente, and cloud storage.

If my VM only runs locally, do I need a firewall (like OPNsense) or any other security?

Thank you for your help.

We use WireGuard as standard VPN, via wg-easy.

A firewall by default only protects ports and can set IP rules; this can be done with standard Linux.

Whether you need more depends on your threat scenario.

Thank you. I will go with wg-easy and the standard Linux firewall.