There is a nice workaround that everyone forgets about: Install a proxy server on your infrastructure, and simply use 'host based' firewalling on that w/o proxmox firewall. Then you can use proxmox firewall for your internal stuff, but still get out to the internet WITHOUT needing masqurading. My 'more secure' option is to simply create a vm on the private network, and 'not' firewall that, using normal 'nat here in proxmox option). Then you can do most everything outbound through a proxy. Its a bit of a pain for windows folks, but for linux most of them quite happily will update through squid (apt-get install squid) or apk add squid. The other possibility is just use ipv6.....