Ssh all machines behind a router

Tags: local-area-network, networking, ssh

I have several machines on my LAN. One is used as an HTTP proxy to target web sites located on the others (that's working fine now thanks to ServerFault).
On my router, port 22 is NATed to this proxy machine. I would like to be able to access the other machines from the internet with something like:

ssh user@first_machine.my_domain.tld
ssh user@second_machine.my_domain.tld

Could I use the proxy machine to 'filter' the incoming SSH requests and route them to the correct machine? (In the same way it's possible to do so for web sites using a mix of mod_proxy and NameVirtualHost in Apache.)

Thanks a lot, Luc

Best Answer

You could use a VPN to connect to the remote network first, and then directly connect via SSH. This may or may not be possible, may or may not be what you want to achieve in the first place, but it will work.

I heavily recommend you expose as few machines as possible to the internet via port mapping! Especially if password/keyboard-interactive authentication is allowed. People do have weak passwords.

Another suggestion might be to connect to your proxy machine and have it explicitly build tunnels to each and every machine you want to directly reach behind your NAT. You can either specify one (or more) SSH tunnels directly from the command line like this:

ssh -L localport:hostnameOrIPofMachineBehindNAT:remoteMachinePort yourusername@proxy.example.com

Where localport is the port number you need to connect to on your localhost that will be forwarded to the machine behind NAT, SSH-tunneled through your proxy.

hostnameOrIPofMachineBehindNAT is the LAN IP or LAN DNS of the non-proxy machine you want to reach behind NAT. Often in a private IP Range like 10/8, 192.168/16 or 172.16/12.

remoteMachinePort is the port number of the service you want to connect to on the remote machine behind NAT. In case of SSH it is likely that this will be the standard port 22.

yourusername@proxy.example.com is trivial I guess.

You can then connect to your other machine like this from another local shell:

ssh -p localport usernameOnRemoteBoxBehindNat@localhost

Since a command line can easily get very long and tedious to type, it is way better to stuff all this, with as many SSH options as you want and as many port tunnelings as you like, into your ~/.ssh/.ssh_config file. This will reduce your typing to ssh connectionNickname and always have all the forwardings and options set automatically.

See man 5 ssh_config for an in depth explanation and list of config options you can use in ~/.ssh/.ssh_config.
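As an added illustration (not part of the original answer), this is what the config-file version of the tunnels described above looks like for the two machines in the question. The host names, user names, nicknames and local ports are assumed placeholders.

```sshconfig
# ~/.ssh/config  (added example; every name and port here is a placeholder)

# The one host the router exposes on port 22. Connecting to it with
# "ssh -N lan-tunnels" opens all the local forwards below and keeps them up.
Host lan-tunnels
    HostName proxy.example.com
    User yourusername
    # local port -> LAN address:port; the LAN name is resolved by the proxy,
    # and the traffic travels inside the SSH session to the proxy
    LocalForward 2201 first_machine:22
    LocalForward 2202 second_machine:22

# Nicknames for the machines behind NAT; each one connects to its forward.
# HostKeyAlias keeps a separate known_hosts entry per real machine, so a
# changed or unexpected host key on one box is noticed instead of being
# mixed up with another box that is also reached through "localhost".
Host first
    HostName localhost
    Port 2201
    User usernameOnRemoteBoxBehindNat
    HostKeyAlias first_machine

Host second
    HostName localhost
    Port 2202
    User usernameOnRemoteBoxBehindNat
    HostKeyAlias second_machine
```

Run ssh -N lan-tunnels in one shell (the -N keeps the session open for the forwards without starting a remote shell), then ssh first or ssh second in another.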