Difference between network forward and proxy device

Any suggestion on the preferred way to forward ports from both a public IPv4 and a public IPv6 address to a static IP 10.x.x.x, on lxdbr0, of an LXD container running the conferencing app Jitsi? The ports it says it needs are:
|Media Traffic |UDP |10000 |JVB |Public|
|Media Traffic in Restricted Firewalls |TCP |4443 |JVB |Public|
|For XMPP components (eg: Jicofo)* |TCP |5347 |Prosody |Private|
|For external XMPP clients (eg: JVB, Jibri)** |TCP |5222 |Prosody |Private|

You cannot forward IPv6 packets to IPv4 addresses using nat=true mode, so you would need to use a proxy in non-NAT mode. Or add an IPv6 address to the container and then set up multiple proxy devices on the container using nat=true mode, for the IPv4 and IPv6 addresses respectively.

Ah OK. Should’ve been more specific, not trying to cross over IP protocol versions 4 and 6. What about four network forwards, one for each of the 4 ports, listening on the host public IPv6 address, to the Jitsi app LXD container’s unique local IPv6 address FDxx? Plus four network forwards, one for each of the 4 ports, from the host public IPv4 address to the Jitsi app LXD container’s static IPv4 address 10.x.x.x?

Yes, using network forwards will work too. This uses the same underlying firewall DNAT rules as LXD’s proxy device does with nat=true set. When using either approach it is necessary to set up a static internal IP in the instance so the firewall rules have somewhere static to forward to.

When using proxy in nat=true mode it will require that the instance’s NIC config have a static ipv{n}.address set. Whereas using network level forwards will just expect you to provide IPs for an instance.

This difference is because the proxy device allows the firewall forward rules to follow the instance (if it’s stopped/started/moved), whereas network forward rules remain linked to the network and host.
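
The two approaches compared in this thread, side by side, as an added example that is not part of any post above: the script prints the `lxc` commands for the question's port table, one set per address family, without running them. The instance name, NIC name and every address are placeholders (assumptions), and by default only the rows the table marks Public are emitted.

```shell
#!/bin/sh
# Added example: prints the LXD commands, it does not run them.
# Every name and address here is a placeholder (assumption).
NET=lxdbr0
INST=jitsi            # hypothetical instance name
NIC=eth0              # assumed NIC device name
PUB4=203.0.113.10     # host public IPv4 (documentation range)
PUB6=2001:db8::10     # host public IPv6 (documentation range)
CT4=10.0.0.50         # stands in for the container's static 10.x.x.x
CT6=fd00::50          # stands in for the container's FDxx address

# Port table from the question: protocol, port, exposure.
PORTS='udp 10000 public
tcp 4443 public
tcp 5347 private
tcp 5222 private'

# Print "proto port" for rows matching $1 ("public", "private" or "all").
select_ports() {
  printf '%s\n' "$PORTS" | while read -r proto port exposure; do
    if [ "$1" = all ] || [ "$1" = "$exposure" ]; then echo "$proto $port"; fi
  done
}

# Network forwards: rules stay linked to the network and host.
network_forward_cmds() {
  for pair in "$PUB4,$CT4" "$PUB6,$CT6"; do
    listen=${pair%,*}; target=${pair#*,}
    echo "lxc network forward create $NET $listen"
    select_ports "$1" | while read -r proto port; do
      echo "lxc network forward port add $NET $listen $proto $port $target"
    done
  done
}

# Proxy devices with nat=true: rules follow the instance.
proxy_device_cmds() {
  # nat=true requires static ipv{n}.address on the instance NIC.
  echo "lxc config device override $INST $NIC ipv4.address=$CT4 ipv6.address=$CT6"
  for fam in 4 6; do
    if [ "$fam" = 4 ]; then l=$PUB4; c=$CT4; else l="[$PUB6]"; c="[$CT6]"; fi
    select_ports "$1" | while read -r proto port; do
      echo "lxc config device add $INST fwd-v$fam-$proto$port proxy" \
           "listen=$proto:$l:$port connect=$proto:$c:$port nat=true"
    done
  done
}

# Only the rows the table marks Public; pass "all" for all four ports.
network_forward_cmds public
proxy_device_cmds public
```

Use one approach or the other for a given listen address and port, not both.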