Mike - you may be able to answer this one then. My Zyxel 660H router has a configurable NAT address table, which allows specific port ranges in, but will only direct packets from that port or ports to a single identified LAN address - 1 PC, whereas as the Firewall is configured separately. Its rules allows an external source with known address to pass to a range of LAN addresses, using a specific "service". Some services are preconfigured, such as TCP on port 80 for HTTP, and some you configure yourself.
I have created a "Service" called Pilot Club with TCP/UDP and ports 16000-17000, accessible by all four of the networked PCs, because I entered a range of LAN addresses to which the rule applies. I also have some entries in the NAT table for things like FS multiplayer (23456) directed to my FS PC = although I often run FS on the laptop, for which the NAT setting for FS won't apply as it has the "wrong" LAN address. Nevertheless, my laptop works in Multiplayer. Consequently, I am coming to the view that NAT configuration is unnecessary and it can all be done in Firewall rules. Any comments?
(One day I'll undertsand all this networking stuff - my system works more by accident than design!.)