A 1:1 NAT doesn't expose the complete hosz to the internet. You still need firewallrules to allow traffic. But I wouldn't use 1:1 NAT for only a few ports either and it's more flexible if you do it with portforwards as you can forward some ports to server a and some other ports to server b then. Another advantage is that portforwards will work with natreflection whereas 1:1 nat won't.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.