diff --git a/roles/tools/templates/docker-compose.yml.j2 b/roles/tools/templates/docker-compose.yml.j2
index 7b49f33..6191951 100644
--- a/roles/tools/templates/docker-compose.yml.j2
+++ b/roles/tools/templates/docker-compose.yml.j2
@@ -2,6 +2,10 @@
 # Do not edit manually; re-run ansible-playbook playbooks/tools.yml
 
 networks:
+  # front — non-internal: needed for Docker port binding to work (expose ports to host)
+  # Docker does not create DNAT rules for containers only on internal networks
+  front:
+    driver: bridge
   outline-internal:
     driver: bridge
     internal: true
@@ -24,6 +28,7 @@ services:
     env_file: .env
     networks:
       - outline-internal
+      - front    # needed for host port binding
     ports:
       # Exposed only to main Traefik (access controlled by UFW)
       - "{{ ip_tools }}:3000:3000"
@@ -92,6 +97,7 @@ services:
     restart: unless-stopped
     networks:
       - n8n-internal
+      - front    # needed for host port binding
     ports:
       # Exposed only to main Traefik (access controlled by UFW)
       - "{{ ip_tools }}:5678:5678"