infra/docs/plans/2026-05-30-traefik-dedicated-ip-etp-local-design.md

Design: Dedicated MetalLB IP for Traefik with externalTrafficPolicy=Local

Date: 2026-05-30 Status: Draft — for review (no changes applied yet) Author: Viktor + Claude

Problem

Two issues share one root cause on the Traefik ingress LoadBalancer:

1. CrowdSec is blind to real client IPs on the 24 non-proxied/direct apps. Traefik logs 10.0.20.103 (k8s-node3's IP) as the client for the overwhelming majority of direct-app requests (measured: 2522 hits vs 3 real external IPs). Cause: the Traefik LB is externalTrafficPolicy: Cluster, so kube-proxy SNATs every external client to the MetalLB-elected node's IP before Traefik sees it. CrowdSec therefore makes ban decisions against an internal node IP it would never block → no effective IP-based protection on the direct apps (immich, forgejo, send, ytdlp, servarr, ebooks, novelapp, freedify, affine, health, f1-stream, kms, k8s-portal, etc. — 24 total). Proxied apps are unaffected — they arrive via the cloudflared tunnel and get real IPs through Cloudflare's X-Forwarded-For.

2. HTTP/3 / QUIC does not complete for the direct apps. An external probe (http3check.net) confirms "QUIC connection could not be established" despite Alt-Svc: h3 being advertised and UDP 443 reaching Traefik (verified: pfSense NATs UDP 443 → Traefik LB; Traefik binds UDP 8443). Same root cause: ETP=Cluster + 3 replicas means kube-proxy SNATs and can spread the UDP flow across pods, which breaks the QUIC handshake.

Both are fixed by externalTrafficPolicy: Local on the Traefik LB (no SNAT → real client IPs preserved → QUIC stays pinned to one pod).

Why we can't just flip ETP on the current IP

Traefik currently shares MetalLB IP 10.0.20.200 with 9 other services via metallb.io/allow-shared-ip:

dbaas/postgresql-lb (Terraform state backend), headscale/headscale-server, wireguard/wireguard, coturn/coturn, xray/xray-reality, shadowsocks/shadowsocks, beads-server/dolt, servarr/qbittorrent-torrenting, tor-proxy/torrserver-bt.

Per MetalLB docs, services sharing an IP must all use Cluster (or point to identical pods). Mixing Local and Cluster on a shared IP is not allowed and would break the IP allocation — taking down all ingress and the Terraform state DB (locking out terragrunt itself), plus VPN/DNS path. → Traefik must move to its own IP.

Target state

• New dedicated MetalLB IP 10.0.20.203 (free; pool is 10.0.20.200-220), not shared, externalTrafficPolicy: Local, for the Traefik LB.
• 10.0.20.200 keeps the other 9 services unchanged (still all Cluster).
• Internal split-horizon DNS apex viktorbarzin.me A → 10.0.20.203 (currently 10.0.20.200). All *.viktorbarzin.me CNAME → apex, so this one record moves every internal ingress hostname.
• pfSense: the WAN 443 (TCP and UDP) port-forward target moves from the <nginx> alias to a new pfSense alias for 10.0.20.203 (per request: define a VIP/alias, do not hardcode the IP in rules — matches the existing <nginx> / <k8s_shared_lb> alias pattern).

Key decisions

• Dedicated IP, not shared — forced by the MetalLB mixed-ETP rule above.
• 10.0.20.203 — first free IP after technitium (.201) and kms (.202).
• pfSense reference by alias, not literal IP (user requirement) — create alias e.g. traefik_lb = 10.0.20.203, reference it in the rdr + firewall pass rule. One place to change later.
• Cutover style — two options, decided at review (see plan):
  • In-place (recommended for maintainability): change the Helm Service to the new IP + ETP=Local in one edit; brief cutover window (mitigated by pre-lowering DNS TTL + staging the pfSense change).
  • Additive (zero-downtime): stand up a second LB Service on .203 (ETP=Local) alongside the existing .200 one, cut DNS/pfSense over, then retire Traefik from .200. More moving parts to maintain.

Risks & watch-items

• Terraform state backend lives on .200 — every phase must verify dbaas/postgresql-lb:5432 stays reachable. We never touch .200's config, only remove Traefik from it at the end; low risk but explicitly checked.
• Live-firewall edit (pfSense rdr + alias) — done via the pfSense UI (persisted in config.xml); CLI pfctl edits don't persist. Per the network-device rule, this step is operator-driven/confirmed, not automated.
• CrowdSec behavior change — once it sees real public IPs on direct apps, it will start making real ban decisions there. Confirm the security allowlist (source-IP allowlist 10.0.20.0/22, 192.168.1.0/24, tailnet; identity me@viktorbarzin.me) is correct so family/legit IPs aren't banned.
• MetalLB ETP=Local node election — .203 is announced only from a node running a ready Traefik pod. Traefik has 3 replicas (node4, node5, +1) and PDB minAvailable=2, so ≥2 eligible nodes always exist; re-elects on failure.
• Cloudflare-proxied apps route via the cloudflared tunnel → Traefik ClusterIP, not the LB IP, so they are unaffected — verified in plan.
• Cutover window for the in-place option — keep it short; have rollback staged.

Out of scope

• No change to the 9 services on 10.0.20.200.
• No change to Cloudflare-proxied apps' path.
• No re-architecture of the pfSense↔K8s ingress beyond the 443 target move.

Affected docs (update on apply)

• .claude/CLAUDE.md (Networking & Resilience / Service-Specific notes)
• docs/architecture/networking.md (or equivalent — Traefik LB IP, ETP)
• docs/runbooks/ — add a short "Traefik LB IP / ETP" runbook entry
• .claude/reference/service-catalog.md if it records LB IPs
• memory: update the QUIC/ingress entries (ids 3241-3246)