IngressRouteTCP + TLS passthrough one domain overrides all

Hello,
I'm trying to achieve this configuration in a Kubernetes cluster: have Traefik v2.1 performing TLS passthrough to

I'm using one IngressRouteTCP with TraefikService per application/domain (pointing to Kubernetes services) and the Traefik dashboard shows that everything seems configured correctly (in TCP routes and Services tabs).
Harbor and notary have 2 separate Kubernetes services which point to the same nginx pod, while the Kubernetes dashboard has its own service pointing to its pod.

My problem is that if I request harbor/notary, the requests are routed correctly, but as soon as I perform a request to the Kubernetes dashboard, all subsequent requests are wrongly routed to the Kubernetes dashboard domain.
For all domains I'm using a self-signed star certificate: *.admin.... The CA has been imported on the machines and the certificate is correctly trusted.

If I use IngressRoutes with the https scheme and the same Kubernetes services configuration, all requests are routed correctly (with Traefik effectively behaving as TLS passthrough), but I have to set --serversTransport.insecureSkipVerify=true as a parameter in Traefik.

My questions are: does Traefik support my desired configuration (TCP routes + TLS passthrough for multiple domains, served by different pods)? Where can I find more examples regarding TLS passthrough? Or is my configuration wrong (very likely)?

Here is my configuration:

kind: IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: harbor-tcp
  namespace: harbor
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: HostSNI(`harbor.admin.company.com`)
      services:
        - kind: TraefikService
          name: harbor
          namespace: harbor
          port: 8443
  tls:
    passthrough: true
    secretName: admin-tls
    domains:
      - main: "harbor.admin.company.com"
---
kind: IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: notary-tcp
  namespace: harbor
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: HostSNI(`notary.admin.company.com`)
      services:
        - kind: TraefikService
          name: harbor
          namespace: harbor
          port: 4443
  tls:
    passthrough: true
    secretName: admin-tls
    domains:
      - main: "notary.admin.company.com"
---
kind: IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: kubernetes-dashboard-tcp
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: HostSNI(`k8s-dashboard.admin.company.com`)
      services:
        - kind: TraefikService
          name: kubernetes-dashboard
          namespace: kubernetes-dashboard
          port: 443
  tls:
    passthrough: true
    secretName: admin-tls
    domains:
      - main: "k8s-dashboard.admin.company.com"
---

The relevant configuration for the services:

apiVersion: v1
kind: Service
metadata:
  name: harbor
  namespace: harbor
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 8080
      targetPort: 8080
    - name: https
      port: 8443
      targetPort: 8443
    - name: notary
      port: 4443
      targetPort: 4443
  selector:
    component: nginx
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: ClusterIP

Thanks for your help.