You just hit on a use case that is not truly supported by the MX. In order to do this you'd have to create either individual port forwards, or 1:1/1:Many NAT entries for every inside host... Or more likely a combination of all three of these. None of those are good options for you, or going to actually be manageable. Sorry 😞
"The inbound firewall will deny any traffic that does not have a session initiated by a client behind the MX. This allows internal client machines to connect with any resources they need, but does not let outside devices initiate connections with inside client machines. The exception to this is if a Port Forward or 1:1 NAT is created. "