DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Firewall DMZ host

11 Jun 2010 17:02 #1 by mjsa8000
Firewall DMZ host was created by mjsa8000
I've tried searching for an answer to this to no avail - possibly because I'm not searching for the right thing.

Basically we have a 2820 with a range of WAN IP addresses set up as aliases. There's the default IP which is used for general internet surfing and inbound email, and the additional IPs are for our future use.

I need to route traffic on certain ports on one of these additional IPs to one particular fixed LAN IP. I also need all the traffic out of this LAN IP to appear on the interweb from the same certain WAN IP. I found I could achieve this by putting the LAN IP in the DMZ with that WAN IP.

Unfortunately this means that LAN IP is completely unfirewalled (other than the software firewall).

Surely there must be a way to achieve this WAN/LAN association without losing the firewall?

Thanks,
Martin.

14 Jun 2010 14:50 #2 by voodle
Replied by voodle on topic Firewall DMZ host
You can also do that using the Address Mapping feature under the NAT menu, to control which IP it uses for outbound traffic, then set up port forwarding / open ports for that IP. Address Mapping is only in 3.3.3.

Alternatively, you can keep it as the DMZ and set up a firewall rule under Firewall - Filter Setup, set to Block if no further match, direction WAN to LAN, with that PC's IP as the destination and service type left as Any to Any. Then make rules after it with the same destination / direction; the action would be Pass Immediately and you'd need to edit the service type's destination port.
The first option is easier though.
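
The rule ordering described in the reply above, as an added example that is not part of the original post and is not DrayTek code: a small Python model of ordered filter evaluation showing why a leading "Block if no further match" rule does not shadow the "Pass Immediately" rules after it, while "Block Immediately" (a filter action not mentioned in the thread) would. The LAN address, the port numbers and all function names are constructed for illustration, and the pass-by-default behaviour models a DMZ host with no filter rules.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample value (not from the thread): the DMZ host's LAN IP.
DMZ_HOST = "192.168.1.50"


@dataclass
class Rule:
    action: str               # one of the three actions handled in evaluate()
    dst_ip: str               # destination LAN IP the rule applies to
    dst_port: Optional[int]   # None models service type "Any to Any"

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return dst_ip == self.dst_ip and self.dst_port in (None, dst_port)


def evaluate(rules, dst_ip, dst_port, default="pass"):
    """Walk the WAN-to-LAN rules in order and return 'pass' or 'block'."""
    verdict = default  # assumption: an unfiltered DMZ host receives everything
    for rule in rules:
        if not rule.matches(dst_ip, dst_port):
            continue
        if rule.action == "pass_immediately":
            return "pass"       # evaluation stops here
        if rule.action == "block_immediately":
            return "block"      # evaluation stops here, later rules are unreachable
        if rule.action == "block_if_no_further_match":
            verdict = "block"   # provisional, a later matching rule can override it
    return verdict


def build_rules(open_ports):
    """Catch-all block first, then one pass rule per port that should stay open."""
    rules = [Rule("block_if_no_further_match", DMZ_HOST, None)]
    rules += [Rule("pass_immediately", DMZ_HOST, port) for port in open_ports]
    return rules


def exposure(rules, ports):
    """Map each probed destination port to the verdict the rule set gives it."""
    return {port: evaluate(rules, DMZ_HOST, port) for port in ports}


if __name__ == "__main__":
    for port, verdict in exposure(build_rules([25, 443]), [22, 25, 443, 3389]).items():
        print(port, verdict)
```

Probing a handful of ports that should be closed, as `exposure` does in the model, is also a reasonable check to run against the real WAN IP after the rules are saved.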
