So, this might be a networking ELI5 post, but I can't wrap my head around the right way to set it up safely/securely.

As background, I bought one of these cool little boxes from AliExpress, with the thinking that it's got lots of headroom to run Proxmox, with OpenWrt and a few other VMs or containers, and as a bonus, I could set it up in a Proxmox cluster with my already existing homelab server, and eventually get a third node to provide real HA for my router. I want to dedicate one of the physical NICs as the WAN port to connect to my ISP, so I want to pass it through exclusively to the OpenWrt LXC container[1], and not have it accessible to any other environments. The other three NICs would, I guess, just behave like a dumb switch.

So, how do I do this? Do I need to encapsulate the WAN NIC in a virtual bridge on the host, but just don't give it an IP address, then assign that vbr as a NIC on the OpenWrt container? That seems sketchy, and not particularly secure to my network-n00b brain, but I can't figure out any other way to get it to the container. And what about the other 3 NICs? Should I put them all in a vbr on the host, and just pass one "vbrLAN" interface to OpenWrt, since I do need an IP address for the host?

[1] I installed OpenWrt in an LXC container instead of a VM because 1) there's an upstream-maintained OpenWrt LXC template, and 2) because it looked like by far the easiest way to update/upgrade OpenWrt in the future. I'd love to hear why it's a bad idea, if it is :)