Yes, you can put your Proxmox host behind your firewall, but you should segment your network for improve security.
For example, behind your firewalls you can have several networks:
CONTROL: You can connect to this LAN your Proxmox server, the IPMI interface (if your host has one), switches management, etc.
DMZ: For your servers with public services.
SERVERS: Private servers.
OFFICE: LAN for worker's computers.
And then control the communications between these LANs by means of the firewall policy.
You should use your firewall too for your VPNs server and control with the firewall policy what can do each VPN connection. For example, full access for the sysadmin VPNs and access to the ERP for the commercials VPNs.
Regarding the firewall, do you know FWCloud ?
It is a centralized IPTables/NFTables Linux based firewalls web management tool that that easily allows you manage your firewalls policy, routing, VPNs, etc.
I forgot comment one thing ...
Instead of use a physical device for your firewall, you can create it as a virtual machine and connect it to all your networks.
For our customers we usually build the virtualization infrastructure as a Proxmox/Ceph cluster of at least three nodes and then create a firewalls clusters of two virtual machines managed with FWCloud. This way we have a cluster for such a critical service and don't need to buy another physical device or cluster of physical devices for the firewall system.
