it seems you mix different fact…
and
don’t really match together. The second statement means you allow direct connection from the internet to your nextcloud without any TLS certificates.
You need a “reverse proxy” in between - I’m not aware of any SOHO router capable of doing this. look at 101: reverse proxy.