Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?
Security from what? Get a threat model.
A NAT will restrict connections from the internet, but won’t stop attacks from your local network. As your network grows, it might be a good idea to isolate shitty IOT devices (firmware is often full of holes), home internet and sensitive devices like cameras.
There are also issues like NAT hole punching and guessed port attacks that can get through NAT. This typically isn’t a major problem because actually getting a connection will be very difficult but if your NIC or kernel has a bug it may be possible to trigger it with a packet or two.