Ok, I pushed my experiment here (branch portainer), a README and a bunch of config files.
https://github.com/DavidePrincipi/nethserver-docker/blob/portainer/README.rst
My proposal is to disable the default Docker behavior that mangles iptables configuration, and requires a special Shorewall configuration to work properly in NethServer. Instead, all the Firewall plumbing happens with esmith templates and DB values.
Furthermore the prototype above defines a dedicated docker network, associated to a firewall zone: aqua. The first impression from the sysadmin point of view is to act with aqua like a green zone with some hosts in it. Please read the README.rst file for more info.
Another successful experiment is using a dedicated block device, as recommended by Docker official docs.
Now I have to test if traefik is really useful for us. It can auto-configure the reverse-proxy routes by reading them from containers metadata, which is really cool. Furthermore it is a real reverse-proxy, for large sites, with load balancing, health checks and automatic failover… But I can also drop traefik and configure Apache as reverse proxy too 
Special thanks to @giacomo for helping with Shorewall and @stephdl for his starting point!