How should we set up the virtual networks for swarm?

What’s the best practice approach for setting up the virtual network for a swarm?

Right now, on my home Vagrant setup, I have each Docker swarm node (worker and manager) connected to the public network so it can get a DHCP address from the router.

What I am thinking is that maybe I can limit it so that only nodes that have to expose services externally, such as the HTTP server proxy, are hooked up to the public network and get the router DHCP address, so they can be added to the port forwarding of the router, and the rest would just be in the host internal network.

I haven’t tried it yet, but it would be one of the experiments I am going to do soon.