NOTABENE:
Without “keeping … unique”,
if all you’ve got is the (external) [IP:PORT] tuple in the address field of the arriving packet’s IP header
and PORT is ambiguous / used on multiple boxes / (internal) IP destinations,
you don’t have any chance at all to solve this
by setting up classical port forwarding rules in the first place:
- To which of those boxes would you like to specify to re-direct this packet then?!
K I S S !
This whole business ( TR-069 [!] ; STUN, ALG, … ) has just one goal:
“Just plug them in - and everything works.” (Your ‘benevolent’ manufacturer / provider)
Yes, everything works - but not only for the (credulous / lazy) user:
- Eyes wide shut against all doors open
@ms and @bbitsch are perfectly right:
In that case, you don’t need any (linux or bsd based) open-source firewall at all.
Thanks @pmueller for his article:
Security Announcement: Mitigating NAT Slipstreaming
Link: “Strange Invitation”
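The point the post makes about "keeping ports unique" can be checked mechanically: a classical port-forwarding (DNAT) rule keys only on (protocol, external port), so two rules that share that key but point at different internal boxes leave the router with no way to pick a destination. The following is an added example, not code from the forum post or from the linked announcement; it assumes a single external address, rules given as (protocol, external port, internal host, internal port), and a spare port range starting at 40000 for rewriting conflicts.

```python
"""Lint a set of classic port-forwarding rules for ambiguous external ports.

Added example (not from the post or the linked article). A NAT with one external
address can key an inbound packet only on (protocol, destination port); if two
rules claim the same key for different internal destinations, the packet is
undeliverable by any static rule, exactly as the post argues.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ForwardRule:
    proto: str      # "tcp" or "udp"
    ext_port: int   # port on the router's single external address
    int_host: str   # internal destination address
    int_port: int   # port on that internal host


Key = Tuple[str, int]            # what the router can actually see on arrival
Dest = Tuple[str, int]           # where the rule wants the packet to go

# Constructed sample rule set: two boxes both want tcp/5060 on the outside.
RULES = [
    ForwardRule("tcp", 5060, "192.168.1.10", 5060),
    ForwardRule("tcp", 5060, "192.168.1.11", 5060),   # conflicts with the rule above
    ForwardRule("udp", 5060, "192.168.1.10", 5060),   # different protocol: distinct key
    ForwardRule("tcp", 443, "192.168.1.20", 443),
]


def find_ambiguous(rules: List[ForwardRule]) -> Dict[Key, List[ForwardRule]]:
    """Return every (proto, ext_port) key that maps to more than one internal destination."""
    by_key: Dict[Key, List[ForwardRule]] = defaultdict(list)
    for r in rules:
        by_key[(r.proto, r.ext_port)].append(r)
    return {k: v for k, v in by_key.items()
            if len({(r.int_host, r.int_port) for r in v}) > 1}


def candidates(rules: List[ForwardRule], proto: str, dst_port: int) -> Set[Dest]:
    """All internal destinations a static rule set would consider for an arriving packet."""
    return {(r.int_host, r.int_port) for r in rules
            if r.proto == proto and r.ext_port == dst_port}


def deliverable(rules: List[ForwardRule], proto: str, dst_port: int) -> bool:
    """True only if the router has exactly one place to send the packet."""
    return len(candidates(rules, proto, dst_port)) == 1


def make_unique(rules: List[ForwardRule], start: int = 40000, end: int = 65535) -> List[ForwardRule]:
    """Keep the first claimant of each key; move later conflicting rules to free external ports."""
    used: Set[Key] = {(r.proto, r.ext_port) for r in rules}
    owner: Dict[Key, Dest] = {}
    out: List[ForwardRule] = []
    next_free = start
    for r in rules:
        key, dest = (r.proto, r.ext_port), (r.int_host, r.int_port)
        if owner.get(key, dest) == dest:        # first claimant, or an exact duplicate
            owner[key] = dest
            out.append(r)
            continue
        while (r.proto, next_free) in used:     # find an external port nobody else uses
            next_free += 1
        if next_free > end:
            raise ValueError("no free external port left in the spare range")
        used.add((r.proto, next_free))
        owner[(r.proto, next_free)] = dest
        out.append(replace(r, ext_port=next_free))
    return out


if __name__ == "__main__":
    for key, rules in find_ambiguous(RULES).items():
        print(f"ambiguous {key[0]}/{key[1]}: "
              + ", ".join(f"{r.int_host}:{r.int_port}" for r in rules))
    for r in make_unique(RULES):
        print(f"{r.proto}/{r.ext_port} -> {r.int_host}:{r.int_port}")
```

Running the script reports tcp/5060 as ambiguous and prints a rewritten rule set in which the second box is reached via tcp/40000 instead; the original rule set has no way to deliver an inbound tcp/5060 packet at all, which is the situation the post describes.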