running on bare metal is totally fine. For the setup within your network behind the router, please make sure that at least port 80 and 443 are forwarded. Port 80 is required to obtain LetsEncrypt SSL certificates. Otherwise please check the logs with journalctl -u box when performing the dns setup on your Cloudron, this should show for which IP it is waiting for the DNS records to be in-sync. Possibly it is checking for the wrong (private) IP.
Further when using Cloudrflare, please note that currently Cloudron does not support installing apps that are proxied via Cloudflare. Cloudflare backend only sets up the DNS via Cloudflare API and expects website traffic to be unproxied.