Traefik V3, Pi-hole as DHCP on macvlan and non macvlan api access from homepage

Can I have my cake and eat it too? I can't seem to figure out how to proxy requests from two containers on the same host, one on macvlan (pihole) and one not (homepage).

I have HA Pi-Hole on two hosts synced via nebula sync as DHCP and of course DNS for entire lan - both use a macvlan with static IP. Traefik is reverse proxy with Cloudflared origin cert to container(s) on main host using bridge network casaproxy. Everything works flawlessly EXCEPT I want homepage widget to access PiHole API with homepage on casalan (bridge) and pihole(s) each on their macvlan.

I can curl from a ws to pihole api and get auth and stats. I cannot curl from host for same as macvlan is isolated.

I am trying to use traefik as proxy on LAN for this use case. Here is my setup:

traefik docker compose snippet (in stack)

traefik:
  image: traefik:v3.3.4
  container_name: CASA_TRAEFIK
  command:
    - "--configFile=/etc/traefik/traefik.yml" # Point to the external traefik.yml
  ports:
    - 80:80
    - 443:443
    - 8079:8080
    - 8088:8088
  environment:
    - CF_API_EMAIL=MYCFEMAIL
    - CF_API_TOKEN=MYCFAPITOKEN # Cloudflare API Token
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /apps/network/proxy/letsencrypt:/letsencrypt
    - /apps/network/proxy/certs:/etc/traefik/certs
    - /apps/network/proxy/traefik.yml:/etc/traefik/traefik.yml
    - /apps/network/proxy/dynamic:/etc/traefik/dynamic
    - /apps/network/proxy/accessslogs:/var/log/traefik # Mount host directory for logs
  networks:
    - casaproxy
  depends_on:
    cloudflared:
      condition: service_healthy
  labels:
    - homepage.group=Network
    - homepage.name=Traefik
    - homepage.icon=traefik.png
    - homepage.href=http://192.168.1.94:8079/
    - homepage.description=Reverse Proxy
    - homepage.widget.type=traefik
    - homepage.widget.url=http://192.168.1.94:8079

my traefik.yml

################################################################
# Global configuration
################################################################
global:
  checkNewVersion: true
  sendAnonymousUsage: true

################################################################
# EntryPoints configuration
################################################################
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "websecure"
          scheme: "https"
  websecure:
    address: ":443"
    #tls: {} # Empty tls block here to indicate Traefik handles TLS on this entry point
  local: # New entrypoint for LAN-only HTTP traffic
    address: ":8088"

################################################################
# Traefik logs configuration
################################################################
log:
  level: DEBUG

################################################################
# API and dashboard configuration
################################################################
api:
  insecure: true # Enable insecure API for monitoring
  dashboard: true # Enable Dashboard (set to false to disable it)

################################################################
# Access logs configuration
################################################################
# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
accessLog:
  filePath: /var/log/traefik/access.log
  format: json

################################################################
# Providers configuration
################################################################
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock" # Docker socket
    exposedByDefault: false # Do not expose containers by default
    defaultRule: "Host(`{{ .Name }}`)" # Default rule for container names
  file:
    directory: "/etc/traefik/dynamic" # Only load dynamic config files from here
    watch: true

my dynamic config for pihole (primary)

http:
  routers:
    piholepri-http-api: # Router specifically for the API over HTTP
      rule: "PathPrefix(`/piholepri`)"
      entryPoints:
        - local # Use the 'local' entrypoint (HTTP on port 8088)
      service: piholepri-service
      middlewares:
        - strip-piholepri-prefix
        # Remove the add-host-header middleware for the API
        #- add-host-header-piholepri

  services:
    piholepri-service:
      loadBalancer:
        servers:
          - url: "http://192.168.1.24"

  middlewares:
    strip-piholepri-prefix:
      stripPrefix:
        prefixes:
          - /piholepri

    add-host-header-piholepri:
      headers:
        customRequestHeaders:
          Host: "192.168.1.24"

So it finally dawned on me that since traefik and pi-hole were on the same host my config would NEVER work - macvlan isolation would thwart traefik just like it thwarted homepage. The solution (now working) was a simple nginx proxy on a DIFFERENT host which worked perfectly. Case closed and now eating my cake.
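
The fix described above, written as an nginx server block for the second LAN host. This is an added example, not the poster's actual nginx configuration; the listen port, the reuse of the /piholepri prefix from the Traefik router, and the allow-list for 192.168.1.94 (the Docker host address in the compose labels) are assumptions.

```nginx
# Added example: runs on a second LAN host, NOT on the Docker host that
# carries the macvlan, so traffic to 192.168.1.24 crosses the physical LAN.
# Assumed values: listen port 8088, the /piholepri prefix, the allow-list.
server {
    listen 8088;
    server_name _;

    # Only the Docker host running homepage may use this proxy.
    # Containers on a bridge network leave the host NATed to its LAN
    # address, so homepage's requests arrive from 192.168.1.94.
    allow 192.168.1.94;
    deny all;

    location /piholepri/ {
        # The trailing slash on proxy_pass replaces the matched prefix:
        # /piholepri/<path> reaches Pi-hole as /<path>.
        proxy_pass http://192.168.1.24/;
        proxy_set_header Host 192.168.1.24;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_connect_timeout 5s;
        proxy_read_timeout 15s;
    }

    # Nothing outside the API prefix is proxied.
    location / {
        return 404;
    }
}
```

With this in place the homepage widget URL points at the second host's address on port 8088 with the /piholepri prefix instead of at Pi-hole directly.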