Traefik, MetalLB, k8s. Can multiple IP addresses be pulled under one Traefik instance?

So I have been playing with this over the last 6 months or so, and just spent about 3 days with the latest blog posts and versions of everything.

Latest of all software as of July 2021....

I have MetalLB and Traefik installed, pulling TLS from Cloudflare.

When spun up everything works except one very small issue.

MetalLB issues an IP (it alternates between the public IP group and the private IP group in the config. This is a small issue; we want to specify which pool to draw from).

Traefik will route either web or websecure entries, no problem. If websecure, Traefik and Cloudflare issue the correct cert and all is good, except everything must go through the external IP on the Traefik service.

So the root question is: can we use MetalLB to issue new LoadBalancer services and then have them route to the same Traefik instance, so that all will have different IPs? Some external, some private.

Traefik is in the traefik namespace. MetalLB is in the metallb-system namespace. We are working in the default namespace.

Step 1 - Deploy

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: nginx
  name: nginx-full
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx-main-full
  template:
    metadata:
      labels:
        run: nginx-main-full
    spec:
      containers:
        - image: nginx
          name: nginx
          ports:
            - containerPort: 80

Step 2 is the expose below.

This WORKS just fine. But everything is going through one external IP on the traefik service.

k expose deploy nginx-full --port 80

When I do this using the following instead (does not work):

kubectl expose deploy nginx-full --type=LoadBalancer --port 80,443

Everything looks correct. A new service appears with a new IP. The route appears in the dashboard. Nothing really in the logs. But the website never responds. It's like the router is not getting to the end service.

Step 3 (for both services) (note: we own local.dev, so this generates a valid cert for us)

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-deploy-full
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`full-priv.local.dev`)
      kind: Rule
      services:
        - name: nginx-full
          port: 80
  tls:
    certResolver: letsencrypt

Thoughts? I'm guessing it is something incredibly simple that I have missed somewhere.

Much thanks.....
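
An added example, not part of the original post: a `LoadBalancer` service created on `nginx-full` gets an IP that reaches nginx directly and bypasses Traefik, so the IngressRoute and its certificate never apply to that IP. One way to get a second address on the same Traefik instance is a second Service in the `traefik` namespace that selects the Traefik pods and names the MetalLB pool to draw from. The pool name, the Service name, and the pod labels and port names (taken from the Traefik Helm chart defaults) are assumptions to check against the actual install.

```yaml
# Added example. Assumed: a MetalLB pool named "private-pool" exists in the
# MetalLB config, and Traefik was installed with the Helm chart defaults
# (pod label app.kubernetes.io/name=traefik, container ports named
# "web" and "websecure").
apiVersion: v1
kind: Service
metadata:
  name: traefik-private            # hypothetical name for the second service
  namespace: traefik               # same namespace as the Traefik pods
  annotations:
    # Pins this service to one pool instead of letting MetalLB choose.
    metallb.universe.tf/address-pool: private-pool
spec:
  type: LoadBalancer
  selector:
    # Must match the Traefik pods; verify with:
    #   kubectl -n traefik get pods --show-labels
    app.kubernetes.io/name: traefik
  ports:
    - name: web
      port: 80
      targetPort: web              # Traefik "web" entry point
    - name: websecure
      port: 443
      targetPort: websecure        # Traefik "websecure" entry point
```

Both addresses land on the same entry points, so every IngressRoute on `websecure` is served on the public IP and the private IP alike. Keeping a host private-only needs a separate entry point exposed solely through the private service.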