A quick thought
1. When you build your docker network, think about your networks, ie.. backend, frontend, proxy, tunnel etc..
2. Create these in your basestack (so since my base stack is watchtower, clamAV, fail2ban etc..), I would attach all the above to backend-net but then create the additional networks