This is easily solved in your source NAT configuration on pfSense. It's a single checkbox to not randomize ports on outbound flows. This will enable full cone NAT.
You can scope it to just your IPsec service, or whatever it is your hosting, or you can enable full cone for the whole subnet.
It is not DNAT, nor is it port forwarding. If you host a SIP proxy, SBC or peer to peer gaming, it will enable these use cases as well.
Clockwork Pi experience with the CM4 is not good. 10 months to ship. Horrible Wifi performance, can't hold a link, and it only has around 50 minutes of battery life. I regret my purchase and it's sitting in my rack next to a bunch of old ham radios.