Static NAT - why can't I use a trusted interface/IP?
This is probably an edge use case and/or I need to convince the client to rearchitect their WAN setup, but I have a setup for which ideally I'd like to do a static NAT against a trusted interface IP address, but https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_static_config_about_c.html says it cannot be done for trusted or custom interfaces.
I guess I am wondering why that is not permitted, and whether this would qualify as an enhancement request.
The setup, interface wise, looks like this (using letters for simplification):
A = an MPLS WAN connection with a /30 IP (there is an Internet connection with a FireboxV on this WAN which inbound connections come through) - this is of type "External" for various reasons.
B = a "trusted" VLAN, which has its /24 subnet routable across the MPLS WAN.
C = a "custom" VLAN, which has a separate /24 subnet but is not routable across the MPLS WAN (and client doesn't want to pay to get it routed at this stage).
The request is to do some port forwarding to a device on interface C via the Internet connection reachable from the WAN on interface A.
While I could simply create the static NAT against the interface A IP address and be done with it (I'll have to do this in the interim), there is a high likelihood that there will be multiple devices on interface C I have to make accessible, and changing port numbers breaks the app.
The trusted interface B's subnet has spare IP addresses I can use for this (they also have access to sufficient public IP addresses), but since the interface type is "trusted" I can't use this for static NAT.
Is there a way around getting a larger subnet for the WAN link (interface A), short of an enhancement request to permit static NAT against trusted and custom interfaces?