One idea would be forwarding Port 80 with a reverse proxy on the NethServer, that would allow you to also access services on the NethServer running on port 80.
SSL or Port 443 offers a few possibilities. I'm using it such that the server behind the NethServer does not provide SSL, only Port 80. The NethServer "listens" to Port 443 and provides the SSL encapuslation (Using LetsEncrypt).
My concrete use is a Zabbix Monitoring server (also on ProxMox). The NethServer isn't the firewall - we have a hardware firewall here - but is using Ports 80 and 443. So I use the reverse proxy in NethServer to forward /zabbix to the Zabbix server - unencrypted.They are both running on the same hypervisor, so packets don't leave the host.
This is very stable - the only drawback at the moment is I can't "draw" a map in Zabbix using a reverse proxy. This still needs a direct IP or VPN connection to work.
The client sees a valid encrypted SSL page and access from Internet is encrypted. 'nuff security for a home environment...
Such a scenario would NOT work if the server behind also uses advanced security like eg a Mac Server using SSL and Kerberos...
I do use NethServer, running as a firewall. in another case to forward ARD and VNC (Apple Remote Desktop) to access a Mac Mini behind the NethServer Firewall. This is working stable - but does not deal with ports 80 / 443...
My 2 cents