I had a double NAT setup like that. Run a firewall like OPNsense as a Proxmox VM, and give it a WAN interface on the ISP router’s IP range; then run everything else on a different subnet, using OPNsense as the gateway. On the ISP router, put OPNsense’s WAN IP in the DMZ. Then, do all your hardening using OPNsense’s firewall rules. Bonus points for setting up a VLAN on a physical switch to isolate the connection.
The ISP router will send everything to OPNsense’s WAN IP, and it will basically bypass the whole double NAT situation.
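An added example, not part of the original comment: a small Python check of the addressing plan described above before it is applied. All addresses, the function name `check_plan` and the optional DHCP-pool check are assumptions made for illustration.

```python
import ipaddress

def check_plan(isp_lan, isp_router_ip, fw_wan_ip, dmz_host, internal_lan,
               isp_dhcp_pool=None):
    """Return a list of problem codes for a firewall-in-DMZ addressing plan."""
    isp_net = ipaddress.ip_network(isp_lan)
    inner_net = ipaddress.ip_network(internal_lan)
    router = ipaddress.ip_address(isp_router_ip)
    wan = ipaddress.ip_address(fw_wan_ip)
    dmz = ipaddress.ip_address(dmz_host)
    problems = []

    # The firewall's WAN interface must be a usable host on the ISP router's range.
    if wan not in isp_net or wan in (isp_net.network_address,
                                     isp_net.broadcast_address):
        problems.append("wan-not-usable-in-isp-range")
    if wan == router:
        problems.append("wan-collides-with-isp-router")

    # Everything else lives on a different subnet; overlap breaks routing
    # between the firewall's WAN and LAN sides.
    if inner_net.overlaps(isp_net):
        problems.append("internal-overlaps-isp-range")

    # The ISP router's DMZ host must be the firewall's WAN IP, otherwise
    # unsolicited inbound traffic lands on some other device unfiltered.
    if dmz != wan:
        problems.append("dmz-not-firewall-wan")

    # Assumption: if the ISP router hands out DHCP leases, a static WAN IP
    # inside the pool can later be leased to another device.
    if isp_dhcp_pool:
        first, last = (ipaddress.ip_address(a) for a in isp_dhcp_pool)
        if first <= wan <= last:
            problems.append("wan-inside-dhcp-pool")
    return problems

# Constructed sample plans (not from the original post).
GOOD = dict(isp_lan="192.168.1.0/24", isp_router_ip="192.168.1.1",
            fw_wan_ip="192.168.1.2", dmz_host="192.168.1.2",
            internal_lan="10.10.0.0/24",
            isp_dhcp_pool=("192.168.1.100", "192.168.1.200"))
BAD = dict(GOOD, fw_wan_ip="192.168.1.150", dmz_host="192.168.1.3",
           internal_lan="192.168.1.0/25")

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        print(name, check_plan(**plan) or "ok")
```
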
BigMacHole is becoming KNOWN for being a PATROLIOTIC CHATTER and PROLIFIC SUPPORTER of the current administration! The way JESUS and BBQ want it!!!