When using ESXI I have traditionally set up my configs with a virtualized OPNsense firewall on the WAN as a VM that supplies networking to an internal LAN which my VMS connect to.
From there, depending on the requirement it manages the firewall rules and port forwards.
Is there a way to mimic this on lxd or is there a similar way of doing it?
I have seen a way to add port forwards on the bridge networks but does that provide the same level of security and management as an opnsense would?
So far, most of my exposure with lxd has been via the web UI.
Incus has network ACLs for restricting traffic in and out of containers and VMs. The level of protection is what the Linux kernel packet filtering gives you.
In the default config, where incus creates a managed bridge incusbr0 with its own private subnet, the Linux kernel is forwarding packets and doing NAT for outbound connections. You can create a proxy device to accept incoming connections; it can either work as a regular proxy, or in NAT mode where it configures kernel NAT. In the latter case the original source IP address of the connection is visible to the incus container or VM.