NAT + Firewall

IMHO such a job should be done by a router/firewall VM, not by the PVE host itself...
If you have leased a dedicated server, then you can create whatever VM you want. Just create one more, download the install image of the firewall of your choice, and install it. With e.g. pfSense or IPFire you can achieve much more (and more easily) than with PVE...

IMHO the hypervisor should do only one thing: provide virtual hardware for VMs. Anything else should be offloaded to a VM...