Ideally difuse should be set up as an edge device, meaning it is directly connected to the internet with PPPoE or DHCP or whatever your ISP offers, but in some situations this is not possible and we end up in scenarios where there is another gateway and Difuse ends up being behind it. This can introduce significant hurdles in getting calls to work reliably but there are some ways you can get around most of the scenarios.
Universally there are some things that you need to do to make the PBX work behind NAT, we will go over some of them:
Here's an example of port forwarding done no a Fortigate firewall:
Fortigate - Port Forwarding
Difuse Firewall - Allow (Local) WAN
You might notice the Allow-Trunk rule there as well, this is to let the trunk range (which is part of a Custom Interface) also access the device via an INPUT rule.
Make sure that the External Media Address and External Signalling Address are set to a domain that resolves to your actual public IP.
Local IP Subnets here means what subnets are local to the PBX, so for instance if you have a Fortigate firewall (lets assume range 10.254.248.0/24), and you're connected behind it, and there are clients let's assume desk phones who are also connecting to you from that range, you need to let the PBX know that it is infact "local" to you and does not need to traverse the internet (or set public IP in the SIP headers) to reach those peers reliably.