After "Brute Forcing" the configuration (for the second time) I've managed to get this to work.
The first time I tried to configure this every conceivable way I could think of, I didn't have the Virtual Interfaces assigned to the WAN interface. Apparently in Zentyal (and possibly the networking world entirely), the router/gateway/whatever it's called technically isn't completely "aware" of the other IPs in your CIDR (assuming you have something other than a /32 with more than 1 IP).
After I'd assigned the Virtual Interfaces (called wan2 -> wan4, not important really), I didn't even think to try to configure this again right away, as, due to my lack of networking experience, I didn't think they were important, nor did I know what they even were (still don't, really, nor do I understand why it's important).
With all of the extra IPs in the CIDR assigned to you by your ISP/DC/ARIN assigned to Virtual Interfaces (I think other solutions like PFSense call them Virtual NICs or vNICs, for reference), you can follow the configuration guide below. Keep in mind that I'm completely useless when it comes to networking and I did "brute force" this config until it worked (I tried everything), so Your Mileage May Vary (significantly). I could be completely wrong and have just gotten lucky.
That said, definitions:

**SNAT address**: This is the IP you're trying to "Masquerade" as when you connect to a site like Google.

**Outgoing Interface**: I wanted to send the traffic out over the public network, so I left this set as my "External" interface. This worked for my purpose.

**Source**: This is the IP of the Machine/VM sitting behind your private network that you want to be seen on the Internet as having the address defined above in the SNAT address field.

**Destination**: I believe you would use this to change which site sees which IP. So if I only wanted to show 69.1.1.2 to Google and wanted Facebook to see the Router/Zentyal IP, I could set that here (Google uses Round Robin DNS, so probably a bad example, as you don't always connect to the same IP when you visit Google; not sure how you would handle that!).

**Service**: Presumably this works similarly to Destination, except I have no idea if it affects the Local Service or the Remote Service. Since it's immediately after the Destination field, it might be safe to assume it affects the Destination address.
![Zentyal SNAT with correct config using placeholders](https://i.stack.imgur.com/XZ4jw.png)
Above you can see my configuration using placeholders; this is working and tested from a Windows 7 Enterprise client, testing by typing "My IP" into Google (who graciously shows which IP they're seeing).
Also, I saw mention during my Googling that to use "SNAT" (Source NAT) rules, you need a corresponding "DNAT" (Destination NAT) rule, so traffic can return. If there's anything else that needs to happen for the traffic to be returned to the correct VM/Machine, Zentyal will do this for you (I think, as it's working right now as one would expect without any further configuration).
If I can be more specific, or if anything in here is completely wrong, please let me know.
UPDATE:
If you're still having trouble with this, make sure you click the Save button in the top right of the Zentyal Admin Portal after you make just about any change in Zentyal, as Zentyal doesn't write the configuration files (or restart the service so it uses the new config) when you "save" the setting on the current page. Presumably this allows you to make a bunch of changes at once that could conflict and then "commit" them all at once. Honestly, this can be frustrating when debugging, as it's easy to forget to do this and you're left smashing your face on a keyboard wondering why it "won't work."
To get this setup working, is it simply a case of asking the people who own the building to forward port 1194 to the ip address they have assigned our router?
Yes.*
Or is it potentially more complicated than that?
No.*
Also, if we want to remote desktop in to one of our pcs, is it just a case of getting them to forward port 3389 to our router and then forwarding the same port on our router to the ip address of the pc we want to remotely control on our subnet?
It's safer to access the RDP server through the VPN. Don't leave any other doors into your network open; it would work if your ISP forwarded that port too.
Finally, is ddns going to be a challenge with this setup?
It depends on whether your ISP uses a static or dynamic public address. If it's static, then you use the address provided by your ISP. It can simply be your outside NAT address as well; you can check it, for instance, here. If dynamic, then there are some options too.
*assuming that your ISP does simple (P)NAT.
Best Answer
The missing piece of information here is the Identifier (a.k.a. query ID), which lives in the 8-byte ICMP header - see https://en.wikipedia.org/wiki/Ping_(networking_utility)#Echo_request. When multiple inside hosts ping the same outside host simultaneously, they will most likely do so with different query IDs.
This is used in place of a TCP/UDP port number in the NAT table of the router so that replies coming back can be matched to the initial request and sent back to the correct inside host (as well as the usual matching based on the outside global address).
See also https://www.rfc-editor.org/rfc/rfc5508#section-3.1
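The Zentyal post above (a SNAT rule mapping one inside host to one of the router's public addresses) and this answer (the ICMP Identifier doing the job of a port in the NAT table) describe two halves of the same mechanism. The following is an added example written for this page, not Zentyal's code or either poster's: a toy Python NAPT over constructed RFC 5737 addresses. It refuses a SNAT address that is not configured on the WAN side (the point the Zentyal post learned the hard way), rewrites the Identifier when two inside hosts behind the same public address happen to pick the same one (the RFC 5508 section 3.1 requirement), and drops replies that match no outstanding request. The class and function names (`Napt`, `parse_icmp`, `build_echo`, `demo`) and the sample addresses are the example's own.

```python
"""Toy NAPT for ICMP echo: per-host SNAT address plus Identifier-keyed return matching.
Added example; addresses are constructed from the RFC 5737 documentation ranges."""
import struct
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Echo:
    """An ICMP echo packet reduced to the fields a NAPT keys on."""
    src: str
    dst: str
    type: int
    ident: int   # the Identifier field: stands in for a port number in the NAT table
    seq: int


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-pads odd lengths)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(typ: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialise an echo request/reply: type, code, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + payload


def parse_icmp(src: str, dst: str, raw: bytes) -> Echo:
    """Parse the 8-byte ICMP header, rejecting truncated, corrupt or non-echo packets."""
    if len(raw) < 8:
        raise ValueError("short ICMP header")
    if icmp_checksum(raw) != 0:   # a correct checksum makes the whole packet sum to zero
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if typ not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an ICMP echo packet")
    return Echo(src, dst, typ, ident, seq)


class Napt:
    """Source NAT with per-host public addresses, keyed on the ICMP Identifier."""

    def __init__(self, wan_addrs, snat_rules):
        # wan_addrs: public addresses actually configured on the WAN interface (the
        # "Virtual Interfaces" in the Zentyal post). snat_rules: inside IP -> public IP
        # it should appear as; hosts without a rule use the primary address.
        self.wan_addrs = frozenset(wan_addrs)
        self.primary = wan_addrs[0]
        for inside, public in snat_rules.items():
            if public not in self.wan_addrs:
                raise ValueError(f"SNAT address {public} for {inside} is not on the WAN interface")
        self.rules = dict(snat_rules)
        self.by_outside = {}   # (public_ip, outside_ident) -> (inside_ip, inside_ident)
        self.by_inside = {}    # (inside_ip, inside_ident) -> outside_ident

    def outbound(self, pkt: Echo) -> Echo:
        """Rewrite an inside request; keep the outside Identifier unique per public IP."""
        public = self.rules.get(pkt.src, self.primary)
        key = (pkt.src, pkt.ident)
        out_id = self.by_inside.get(key)
        if out_id is None:
            out_id = pkt.ident
            # RFC 5508 s3.1: two inside hosts may pick the same Identifier; the NAPT
            # must make it unique per outside address or the replies would be ambiguous.
            while (public, out_id) in self.by_outside:
                out_id = (out_id + 1) & 0xFFFF
            self.by_outside[(public, out_id)] = key
            self.by_inside[key] = out_id
        # A real NAPT also recomputes the ICMP checksum after changing the Identifier.
        return Echo(public, pkt.dst, pkt.type, out_id, pkt.seq)

    def inbound(self, pkt: Echo):
        """Match a reply to its request by (outside address, Identifier); None means drop."""
        entry = self.by_outside.get((pkt.dst, pkt.ident))
        if entry is None:
            return None
        inside_ip, inside_id = entry
        return Echo(pkt.src, inside_ip, pkt.type, inside_id, pkt.seq)


def demo():
    """Three inside hosts ping one target, all with Identifier 0x1234; .20 has its own SNAT address."""
    nat = Napt(["198.51.100.1", "198.51.100.2"], {"192.168.1.20": "198.51.100.2"})
    target = "203.0.113.9"
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping")
    sent = [nat.outbound(parse_icmp(h, target, req))
            for h in ("192.168.1.10", "192.168.1.20", "192.168.1.30")]
    # Replies come back to the outside address and Identifier that actually went out.
    back = [nat.inbound(parse_icmp(o.dst, o.src, build_echo(ICMP_ECHO_REPLY, o.ident, o.seq, b"ping")))
            for o in sent]
    stray = nat.inbound(parse_icmp(target, "198.51.100.1", build_echo(ICMP_ECHO_REPLY, 0x9999, 1)))
    return sent, back, stray


if __name__ == "__main__":
    for o, b in zip(*demo()[:2]):
        print(f"out {o.src} id {o.ident:#06x} -> {o.dst} | reply delivered to {b.dst} id {b.ident:#06x}")
```

Running it shows the third host's Identifier being bumped to 0x1235 because the first host already holds 0x1234 behind the same public address, while the host with its own SNAT address keeps 0x1234 untouched, and every reply lands back on the right inside host with its original Identifier restored. The toy leaves out checksum rewriting and mapping expiry, both of which a real NAPT must do.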