Two Rules with priority (internal / external) - ip addr. forwarding faulty?

Hello

I use Traefik in my homelab environment as a reverse proxy to access my servers remotely.

For protection I use authentik and, for a week or so now, also fail2ban.

This works great, but when I am accessing locally I want to bypass these middlewares.

I created 2 routers for this which use the same service and gave the internal router a higher priority, but it never seems to fetch. I think this is because the local IP addr. is never handed over to Traefik, although I created a DNS A record in my UniFi setup to forward all subdomains (*.mydomain.com) to the IP addr. of the Docker VM that’s running Traefik. Traefik is configured to pass all HTTP requests to HTTPS.

For fail2ban I defined forwardedHeaders for Cloudflare, where my domain is hosted:

  websecure:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        # Cloudflare edge ranges
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
        # local ranges (loopback, LAN, Docker network)
        - 127.0.0.1/32
        - 192.168.1.0/24
        - 172.18.0.0/16

Am I missing something? Do I really need a local DNS like Pi-hole or so for this “simple” task?

    labels:
      - traefik.enable=true
      # Internal (without Auth, with IP-Whitelist)
      - traefik.http.routers.evcc-internal.rule=Host(`evcc.${DOMAIN}`) && (ClientIP(`192.168.1.0/24`) || ClientIP(`192.168.3.0/24`))
      - traefik.http.routers.evcc-internal.entrypoints=websecure
      - traefik.http.routers.evcc-internal.priority=100
      - traefik.http.routers.evcc-internal.tls=true
      - traefik.http.routers.evcc-internal.service=evcc
      - traefik.http.routers.evcc-internal.tls.certresolver=cloudflare
      # External (with Auth)
      - traefik.http.routers.evcc-external.rule=Host(`evcc.${DOMAIN}`)
      - traefik.http.routers.evcc-external.entrypoints=websecure
      - traefik.http.routers.evcc-external.priority=10
      - traefik.http.routers.evcc-external.middlewares=authentik-middleware@file,fail2ban@file
      - traefik.http.routers.evcc-external.tls=true
      - traefik.http.routers.evcc-external.service=evcc
      - traefik.http.routers.evcc-external.tls.certresolver=cloudflare
      # Service port definition
      - traefik.http.services.evcc.loadbalancer.server.port=7070
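As an added illustration (not code from the post or from Traefik), a small Python model of the two separate decisions in this setup: which router wins by priority for a given host and client address, and which client IP trust-aware middlewares see once X-Forwarded-For is accepted only from the trustedIPs peers. It assumes, following the Traefik documentation, that ClientIP() is evaluated against the connection's remote address rather than X-Forwarded-For, and uses evcc.example.com and a shortened trustedIPs list as placeholders for the post's values.

```python
import ipaddress

# Constructed sample data modelled on the post: one host with two routers,
# the LAN ranges of the internal router, and a subset of the trustedIPs list.
HOST = "evcc.example.com"  # placeholder for evcc.${DOMAIN}
LAN_RANGES = ["192.168.1.0/24", "192.168.3.0/24"]
TRUSTED_PROXIES = ["173.245.48.0/20", "127.0.0.1/32", "192.168.1.0/24", "172.18.0.0/16"]

def in_any(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def forwarded_client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Client IP as trust-aware middlewares (e.g. a fail2ban ban list) see it:
    X-Forwarded-For is only believed when the TCP peer is a trusted proxy."""
    if xff and in_any(remote_addr, trusted):
        return xff.split(",")[0].strip()  # first hop = original client
    return remote_addr

# (name, priority, matcher). Assumption: ClientIP() is evaluated against the
# TCP remote address of the connection, not against X-Forwarded-For.
ROUTERS = [
    ("evcc-internal", 100, lambda host, ip: host == HOST and in_any(ip, LAN_RANGES)),
    ("evcc-external", 10, lambda host, ip: host == HOST),
]

def select_router(host, remote_addr):
    """Return the highest-priority router whose rule matches, or None."""
    for name, _prio, match in sorted(ROUTERS, key=lambda r: r[1], reverse=True):
        if match(host, remote_addr):
            return name
    return None

if __name__ == "__main__":
    # Constructed requests: direct LAN client, Cloudflare edge, Docker-network peer.
    for remote, xff in [("192.168.1.50", None),
                        ("173.245.48.10", "203.0.113.7"),
                        ("172.18.0.5", "192.168.1.50")]:
        print(remote, "->", select_router(HOST, remote),
              "| forwarded ip:", forwarded_client_ip(remote, xff))
```

The third constructed request shows the safe failure mode: a Docker-network peer forwarding a LAN client's address is reported as 192.168.1.50 to the middlewares, yet the request still lands on the authenticated external router because the matcher saw 172.18.0.5.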