diff --git a/README.md b/README.md index dbeb9e3..b21a7ac 100644 --- a/README.md +++ b/README.md @@ -94,3 +94,12 @@ PS: Because I access my traefik dashboard through my local network. I commented - 2025.4.21 Fix the trusted IP settings; later replaced by an internal updater instead of the traefik-plugin-cloudflare. - 2025.4.18 Add Souin HTTP Cache Middleware (in feature branch, not merge into main) - 2025.4.18 Temp disable the compression middleware. It has MIME type bugs. + +## Notes on Host Networking + +Traefik currently runs with `network_mode: host` so it can bind directly to both `10.0.0.225` (public) and `192.168.50.4` (internal) entrypoints. Moving back to bridge mode would break that dual-IP isolation because Docker cannot publish the same container port on two different host interfaces. Host networking also means: + +- Traefik reaches app containers like any other host process, ignoring `traefik.docker.network` labels. +- Linux handles firewalling/routing between the two interfaces; Docker’s conntrack optimizations aren’t used. + +If you ever want to switch to bridge networking, you’d need either separate Traefik instances (one per subnet) or an external L4 proxy in front of a single Traefik that listens on generic `:80/:443` ports. For now the host-mode trade-off is intentional to keep the internal/external split simple.
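Review bot: In the new "Notes on Host Networking" section, the sentence "Docker cannot publish the same container port on two different host interfaces" gives an inaccurate reason for staying on host mode. Docker's port publishing accepts a host IP per mapping (`HOST_IP:HOST_PORT:CONTAINER_PORT`), so bridge mode could keep the split by giving each entrypoint its own container port, for example `10.0.0.225:443:443` and `192.168.50.4:443:8443` (the container ports here are illustrative). The real limitation is that one container port cannot tell which host IP a connection arrived on. Please reword the justification, and list per-interface publishing next to the two alternatives in the last paragraph. Two smaller points. The second bullet says Linux handles firewalling between the two interfaces but does not say which host rules keep the internal `192.168.50.4` entrypoint unreachable from the public side. Since host mode places Traefik in the host network namespace, that is worth documenting or linking. Also, `10.0.0.225` is labelled "public" although it is a private-range address, so a short remark on what sits in front of it would avoid confusion.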