I'm an old datacentre guy, so please take note.
You should aim for zero public IP exposure to services. It is not good what you've got there.
If all those hosts are on public IPs and your'e not really in control of any upstream device to manage network traffic to them if you do this - you are at the whim of your provider.
How are you going to centrally authenticate and manage/monitor all this? You're missing some sort of gateway that YOU control. You've actually drawn up a honeypot for hackers.
Please run your own virutal firewall at least, and cofigure the vswitches accordingly in layers and microsegment separate each service so one compromised system does not give over the whole network. Setup VLANs to allow for this sort of flexibility (and future flexibilty).
Depending on how may public IPS you have, consider putting everthing behind NAT or PAT. Make a separate netowork just to access the VMware kit and secure this, (no web mgmt consoled on public ips!)
What you've got here is asking for trouble and will be a management mess.
Create somthing like 4 tiers of network and seprate these with your firewall, or two firewalls.
- DMZ (private IPs and nginx go here and pass through to #2 only required ports)
- main docker and VMS (only allow access between DMZ and data layers, no outgoing/egress.
- Your data - the core, only allow layer #2 devices that need access.
- VMWare mangment (it called out of band netwoking) - this is where you have use a private way of accessing this network for back end manamgent. This network cant accress 1,2 or 3)
I forgot to mention, theres actually a whole underworld of router hardware hackers out there (me included) who add custom firmware to these consumer devices - and thus never have these issues. Ever.
A part of hacking router hardware means somtimes "alternative" ways uploading unbricking are needed, and the bwlow link is one such example. Asus routers looks like they all use a simple TFP recovery mode which wont specifically need the Asus recovery app, (which is prob rubbish anyway), you just need a TFP server and the right sequence and timing of upload.
Here is a hacker's recovery method for a similar model.. Asus are likely all the same.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1208723
Manual unbricking should be faily straight forward if you pay attention to those steps. They should also map to what the recovery app is trying to do as well, jst without the flakiness.
On a side note, these Asus models look like more security and stability hassles than they are worth OMG Asus firwares have broken so many motherboard and routers this year. Next time, buy somthing compatible with DDWRT (easy) or OpenWRT (adavnced) firmware. This always means avoiding routers with Broadcom based chipsets. Confirm future purchases with these links and play.. you'll never look back..
https://openwrt.org/toh/start
https://dd-wrt.com/support/router-database/