Using Cloudflare, pfSense and Traefik. Oh yes that 522 error agin

I really don’t know if this is the right place, but it seems to be with all the knowledge here.
So my setup:
Cloudflare holds all my domains, they are all proxied.
All domains has a A record pointing to my WAN port. The one I want to use also has a few subdomains. I can ping all the domains and I get the Cloudflare IP.

So step 2, when a web request comes along from Cloudflare, my SG2100 is in the way as it should be.
I have opened 80/443 pointing to my server where Traefik will take over.
I can ping the goal server from pfSense and vice versa.

I also have a rule that accepts all the Cloudflare IPs to web ports.

No matter what I do I get the 522 error, I had this working just fine before I redid my pfSense setup.
Big difference is that the switch in the SG2100 is now in use. The LAN is on every port so all servers and clients can reach it.

This is my latest try, ofc a fail.

What happens when you take CF out of the equation?

Well all got solved yesterday after great help on the Netgate forums.
Basically you need to do a Port forward, not just open a port in the FW.

Like this:

And then the port opening happens automagically:

After this it all started to work for me, domain and subdomains proxied at CF reaches my services on the inside.