I have a similar setup but instead of workstations with external IPs I have servers.
How I set it up is to have three interfaces
eth00/ppp00 = WAN
eth01 = LAN
eth02 = Server (public) Subnet
The block of IP addresses I am assigned through PPPoE puts the gateway address for the ppp00 interface. Assign this same address to the eth02 interface and zeroshell will add an auto route to the routing table for the eth02 subnet.
You can enable DHCP on the LAN and Public subnets if you wish (I have DHCP on the LAN and hand-code the servers)
Enable NAT on both the ppp00 (or eth00 if you don’t use PPPoE) and the eth02 interface. This works for my setup because the eth02 interface is basically set up as a second mini-internet that only handles the subnet for the static block of IPs, everything else goes out the ppp00 interface.
If there is a better way to do this that would allow me to map just ports from external addresses to internal (private) addresses that would be preferable. From what I can tell there is no mechanism for re-routing publicIP:port to privateIP:port, just Port to IP:Port
Hope my setup is helpful, and if you know of a better way let me know.