Thanks for your feedback.
My situation is the following : my Incus host is on a untagged vlan 20, and I’d like to have a caddy reverse proxy on tagged vlan 40 which would proxy traffic to private bridged containers (actually caddy + home assistant + mosquitto + z2m). Besides that, I’d like to run a few other containers on tagged vlan 40, like sftpgo etc.
I have a linux bridge with vlan filtering enabled so that I can connect an Incus container either to untagged vlan or tagged 40, with external dhcp (thanks to Incus networking for network engineers).
I thought to achieve that with 1 host and n containers, be it system containers or oci ones. However I can’t figure out how to have an Inucs bridge network with nat enabled and at the same time a caddy container which would connect to both tagged vlan 40 and Incus bridge network to route traffic from the Incus bridge network to vlan 40 (Add second network interface to OCI instance seems to suggest it is a bad idea to have multiple nics each with dhcp).
Then I went with the 2 layers virtualization path (first layer to connect to the appropriate vlan, and the second layer to start application containers), hence the initial question.