Networking is not my speciality
This sort of thing is not my speciality, but by my understanding, the "best practice" way of doing this sort of stuff is to have a single server (I'd recommend a full VM) in a DMZ (and outside your LAN IP range and your local firewall). Have your router configured so that all incoming connections can ONLY reach this server. So essentially this server is the only thing that can be contacted from the internet - unless the connection was initiated from a PC (virtual or otherwise) within your LAN.
Then configure this "public" server to act as a reverse proxy. Personally, I like Nginx for this purpose, but there are lots of other options. Configure your reverse proxy to respond to the desired domain name(s) and to ignore any other connection attempts. Configure the reverse proxy to forward the desired subdomains and/or ports to the relevant servers within your LAN. Configure specific rules in your firewall to only allow the "public" server to connect to the specific servers on the specific ports (and nothing else).
Using this sort of model, you could define a subdomain for your Proxmox instance instead if you wanted (e.g. https://pve.mydomain.com rather than https://mydomain.com:8006) and you could assign a subdomain for your nextcloud instance too, e.g. nextcloud.mydomain.com
I've personally only ever used reverse proxying to reroute traffic like you're trying to do, although in theory, I'm sure that it should also be possible via firewall rules (so long as each service uses a unique port). My assumption on that is that you would essentially replicate the existing config that you have to forward port 8006 to your Proxmox host, but instead forward port 443 (default HTTPS) or some other custom port you'd rather use.
I hope that helps...
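
The reverse-proxy layout described in the reply above, sketched as an Nginx configuration. This is an added example, not part of the original post: the 10.0.10.x backend addresses, the Nextcloud backend port, the upload limit and the certificate paths are assumptions to replace with your own values.

```nginx
# Added example. Belongs in the http{} context of the DMZ proxy (e.g. a conf.d file).
# Backend addresses, backend ports and certificate paths below are assumptions.

map $http_upgrade $connection_upgrade {   # WebSocket support for the Proxmox console
    default upgrade;
    ''      close;
}

# Catch-all: any request not addressed to a name listed further down is ignored.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4: abort TLS for unknown or missing SNI
    return 444;                # close plain-HTTP connections without a response
}

server {
    listen 443 ssl;
    server_name pve.mydomain.com;
    ssl_certificate     /etc/nginx/certs/pve.fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/pve.key.pem;         # placeholder path

    location / {
        proxy_pass https://10.0.10.5:8006;   # Proxmox web UI (assumed LAN address)
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

server {
    listen 443 ssl;
    server_name nextcloud.mydomain.com;
    ssl_certificate     /etc/nginx/certs/nextcloud.fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/nextcloud.key.pem;         # placeholder path
    client_max_body_size 512m;               # assumed upload limit

    location / {
        proxy_pass http://10.0.10.6:80;      # Nextcloud (assumed LAN address and port)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The matching firewall rules would then allow only the proxy's address to reach 10.0.10.5 on port 8006 and 10.0.10.6 on port 80, and nothing else on the LAN.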