Solution #1:
firewall rules:
FwCMD="/sbin/ipfw"
outip="123.123.123.123"
httpserver="192.168.1.2"
NetIn="192.168.1.0"
NetMask="24"
${FwCMD} -f flush
natd -a ${outip} -p 8888 -redirect_port tcp 192.168.1.2:3389 3389
${FwCMD} add divert 8888 log ip from ${NetIn}/${NetMask} to any out via fxp0
${FwCMD} add divert 8888 log ip from any to ${outip} in via fxp0
${FwCMD} add pass log tcp from ${outip} 3389 to any via fxp0
${FwCMD} add pass log tcp from any to ${outip} 3389 via fxp0
${FwCMD} add allow all from any to any
Solution #2:
firewall rules:
ipfw="/sbin/ipfw"
${ipfw} -f flush
${ipfw} add divert natd all from any to any via sk0
${ipfw} add allow all from any to any
In /etc/rc.conf add:
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
natd_interface="sk0"
Create file /etc/natd.conf and add:
redirect_port tcp 192.168.1.2:3389 3389
Solution #3:
Add to /etc/rc.conf:
ipnat_enable="YES"
Create file /etc/ipnat.rules and add:
rdr fxp0 123.123.123.123/32 port 3389 -> 192.168.1.2 port 3389 tcp
You should not have conflict in IPFW for this.