Traefik is unable to solve DNS and TLS challenge when used behind Hetzner Firewall

I noticed that Traefik is unable to solve the DNS or TLS challenges when I'm using the Hetzner Firewall, specifically the stateless firewall provided for dedicated servers. Here is my Traefik configuration:

services:
  traefik:
    image: traefik:v2.10
    restart: always
    container_name: traefik
    hostname: traefik
    command:
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.email="
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
    networks:
      - traefik-network
    ports:
      - 443:443
      - 80:80
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "./log:/log"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - CF_API_EMAIL=
      - CF_API_KEY=
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      - "traefik.http.routers.dashboard.tls.domains[0].main=*.example.com"
      - "traefik.http.routers.dashboard.middlewares=authentik-proxy@docker"


networks:
  traefik-network:
    external: true
    name: traefik

I even see the TXT records on the Cloudflare dashboard, but the challenge times out. I have uploaded the log file of running Traefik with the firewall enabled and disabled to GitHub; in this case I was using the DNS challenge, but a similar thing happened with the TLS challenge: firewall-disabled.log · GitHub
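Why a stateless, incoming-only firewall can break the DNS challenge even though the TXT record is created, as an added example that is not part of this thread: a small Python model of per-packet filtering, with constructed sample packets, hypothetical rule fields (this example's own, not Hetzner's syntax), and a web-only rule set next to one that also admits return traffic.

```python
from dataclasses import dataclass
from typing import Optional

# Minimal model of a stateless, incoming-only firewall. Field names are this
# example's own; they are not the Hetzner Robot firewall's syntax.

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src_port: int
    dst_port: int
    tcp_flags: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Optional[frozenset] = None   # all listed flags must be set
    action: str = "accept"

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src_port is None or self.src_port == p.src_port)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.tcp_flags is None or self.tcp_flags <= p.tcp_flags))

def evaluate(rules, p: Packet) -> str:
    """First matching rule wins. A stateless filter has no implicit
    related/established acceptance, so an unmatched packet is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"

# Constructed incoming packets the DNS-01 challenge depends on: the reply from
# the configured resolver (source port 53/UDP) to Traefik's ephemeral port, and
# ACK segments from the DNS API / ACME server (source port 443/TCP).
DNS_REPLY = Packet("udp", src_port=53, dst_port=41023)
API_REPLY = Packet("tcp", src_port=443, dst_port=52811, tcp_flags=frozenset({"ack"}))

# Only new inbound web connections are admitted; all return traffic is dropped.
WEB_ONLY = [
    Rule(proto="tcp", dst_port=80, tcp_flags=frozenset({"syn"})),
    Rule(proto="tcp", dst_port=443, tcp_flags=frozenset({"syn"})),
]

# Corrected set: also admit replies to connections the server itself opened.
WITH_RETURN_TRAFFIC = WEB_ONLY + [
    Rule(proto="tcp", tcp_flags=frozenset({"ack"})),   # established TCP
    Rule(proto="udp", src_port=53),                     # DNS responses
]

def challenge_traffic_allowed(rules) -> dict:
    return {"dns_reply": evaluate(rules, DNS_REPLY),
            "api_reply": evaluate(rules, API_REPLY)}
```

With the web-only rules both replies are dropped, which matches a challenge that times out after the TXT record was already published.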

Works for me. Simple Traefik example.

I guess it depends on your firewall settings.

If you really want to debug things, I recommend starting with a single service.

Yeah, I tried that in my last post (Traefik issues default certificate - #12 by rdmchr) and had the same result. Could you share your firewall configuration? Also, are you testing on one of their cloud servers or on a dedicated server?