Using lxc profile, lxc device and network forward for public to private traffic

I have been working with lxd containers and have managed to setup the server.

Basically, the parent host has one container called debianweb which will host virtualmin for mail and web in and office

I have been confused on lxc profile and lxc network forward. At first, I assume it would be lxc network forward I would be using to forward traffic from the parent host to the containers. I couldn’t find a good example or forwarding lets say parent host to container, in which pfsense router is forwarding WAN traffic to parent host

I ended up finding lxc profile to be useful for this with these commands:
lxc profile create http
lxc profile device add http hostport80 proxy connect=* listen=* etc
lxc profile add debianweb http

This is when I quickly realized it would not work for postfix submission port (and maybe port25?).
Thankfully, I found this awesome post from @tomp that described how to setup proxy in NAT mode and test it out (thank you)

In regard to that post, the instance now being IP static, and executing this command

lxc config device override debianweb hostport587 nat=true listen="tcp:" connect="tcp:"

I can see it has attached in my debianweb instance config, under devices, the actual proxy with nat = true

In the end, things are starting to work well, as long I figure out what forwards actually need mode NAT and not just default proxy. But I’m confused on a few things.

  • Now that debianweb instance has under its devices the hostport587 for NAT, why not just setup all forwards like this in NAT mode and attach to this container as its static and NAT would be better

  • Do I really need all the entries in lxc profile list? now that they are attached to the container itself
    The reason to have these profile list are for them to be shared for multiple instances use?
    lxc profile list

|    NAME    |     DESCRIPTION     | USED BY |
| default    | Default LXD profile | 1       |
| http       |                     | 1       |
| https      |                     | 1       |
| imap       |                     | 1       |
| smtp       |                     | 1       |<------ this is the 25
| submission |                     | 1       |<---- this would be my hostport587
| usermin    |                     | 1       |
| virtualmin |                     | 1       |
  • Could this have been done with lxc network forward ?

I didn’t want to experiment with the container and its parent host since things are working right now and users are using it. I would appreciate any feedback and advice in my kind of setup.
I have I properly explained everything
Thank you