[Help] Optimize the access of services on different networks

Hello everybody,
I don’t know if this is the right section… if not could some admin move it to the right one?

I am trying to understand how kubernates, traefik, etc works…

This is my actual (at least I hope) schema.
Each requests goes trough pfsense and goes back and forward from the k3s network.
So I have:

  1. request for jellyfin.mydomain.com
  2. packet sent to pfsense
  3. pfsense send the request to the dns (pihole on k3s network)
  4. pihole send the answer to pfsense
  5. pfsense send the answer to the origin ip
  6. now the tv knows that jellyfin is on
  7. so it send the request to pfsense to get data from that ip
    etc. etc.

If I correctly understood something like this:

to avoid this mess of packets on the firewall/router (and this is just for 1 service), what is the best option?

  • none this is the best
  • add a second nic to the cluster and expose the existing instance of traefik on the iot lan
  • add a second nic to the cluster and create another instance of traefik and pihole just for the iot lan, something like this

  • you are totally out of the way, this is not how it works
  • other?

Having a NIC on each LAN so the data does not get routed through the firewall would make the most sense.

thank you!
Do you think that the best is to spin up 2 separate instance of traefik (one that manage jellyfin.iot.mydomain.com and the other just jellyfin.mydomain.com) or use one with the access of both network k3s and iot, to “rule them all”?

I don’t use traefik so not really sure what best practice is there. I use HAProxy which let’s you configure separate “Front Ends” for each interface perhaps the same can be done in traefik.

1 Like

I think ( am not an expert, 'cause am learning how it works) that even traefik can work like so, in that case I can use 1 instance of everything to do the job.
I did a modification to the diagram

Have you experience with kubernates?
Because for the network policies I wonder if I need something more “complex” like calico, etc or the base system (I think flannel) will be enough

Nope, I don’t really use Kubernetes either.