diff --git a/apps/api/src/services/host_aggregator.py b/apps/api/src/services/host_aggregator.py
index 2238a3dd..7e1fcc52 100644
--- a/apps/api/src/services/host_aggregator.py
+++ b/apps/api/src/services/host_aggregator.py
@@ -303,8 +303,15 @@ HOST_CONFIGS = {
 ("K3s API", 6443, "tcp", None), # tcp 可達 (https /healthz 401 誤判)
 ],
 },
- # NOTE: NodePort 32335 只在 192.168.0.121,不在 120
- # 拓撲圖顯示歸屬 120(master),但 probe 用 121
+ "192.168.0.121": {
+ "name": "K3s Worker",
+ "role": HostRole.K3S,
+ "services": [
+ ("K3s API", 6443, "tcp", None),
+ ("awoooi-api", 32334, "tcp", None), # NodePort 在 121
+ ("awoooi-web", 32335, "tcp", None), # NodePort 在 121
+ ],
+ },
 "192.168.0.188": {
 "name": "AI+Web 中心",
 "role": HostRole.AI_WEB,
diff --git a/k8s/awoooi-prod/02-network-policy.yaml b/k8s/awoooi-prod/02-network-policy.yaml
index df1a8003..77373104 100644
--- a/k8s/awoooi-prod/02-network-policy.yaml
+++ b/k8s/awoooi-prod/02-network-policy.yaml
@@ -183,6 +183,19 @@ spec:
 - protocol: TCP
 port: 6443
+ # 允許訪問 192.168.0.121 K3s Worker (mon1)
+ # 2026-04-09 新增: NodePort 32334(API)/32335(Web) 在 121 上,host probe 需要
+ - to:
+ - ipBlock:
+ cidr: 192.168.0.121/32
+ ports:
+ - protocol: TCP
+ port: 6443
+ - protocol: TCP
+ port: 32334
+ - protocol: TCP
+ port: 32335
+ # 允許 DNS 解析
 # 2026-03-26 修復: 使用 namespaceSelector 明確指定 kube-system
 # ADR-011 Appendix B: CoreDNS 只有 k8s-app=kube-dns 標籤,不要加其他標籤要求
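Review bot: The new `"192.168.0.121"` entry probes `("K3s API", 6443, "tcp", None)` on a host named "K3s Worker"; if that node runs only as a K3s agent, nothing may be listening on 6443 there and the probe would report the service as permanently down, so confirm the port is served on 121 or drop that tuple. The same port is opened in the egress rule added to `02-network-policy.yaml`, so removing it here would let that rule shrink to the two NodePorts. The deleted NOTE was the only record that the topology diagram attributes the NodePort to 120 while the probe targets 121; I would keep it above the entry as `# Topology diagram attributes these NodePorts to 120 (master); they are only served on 121, so the probe targets 121.` The `HOST_CONFIGS` dict starts and ends outside this hunk.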
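Review bot: The added egress rule to `192.168.0.121/32` applies to every pod matched by the policy's `podSelector`, which lies outside this hunk, so all of those pods gain access to the node on 6443, 32334 and 32335 even though the comment says only the host probe needs it. If the selector covers more than the workload that runs the probe, put the rule in a separate NetworkPolicy that selects just that workload. The comment should also record why each port is open, e.g. `# 6443: K3s API probe; 32334/32335: NodePort probes from host_aggregator`, so the rule can be tightened when the probe list changes. Pinning a single node IP presumably relies on the NodePorts being served only on 121; that is worth stating in the comment as well.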