If there are no complicating factors I don’t know about, I’d recommend you have only one Nextcloud instance, which would be accessible both from inside and outside the network. You can do this by port-forwarding as you’d expect, then adding the public domain name and/or IP address to Nextcloud’s list of names it will answer to. Here is an article explaining how to add a name/IP to that list.
Third-party trusted SSL certificates can be obtained using the public name only, which may or may not be an issue for you. If you haven’t considered it already, I’d recommend LetsEncrypt, as described here.
Your internal clients can be configured to ignore the name mismatch, or you can use some tricks with your internal DNS server (if you have one) to have your public DNS name resolve to the LAN IP of your server internally. I wasn’t able to find a good how-to on that one, but I can vouch for a smooth user experience - you can give everyone, inside the school or out, the same URL to use for Nextcloud.
Hope I helped, and I can try to answer any questions you have about this setup.