You know, I'm not sure if this is the best place to ask, but there's one thing I've always wondered. Why can't I just, instead of forwarding, tell the router in the packet header to which internal IP I want it redirected? If I know both the address of the router and the internal IP of the PC behind it I want to reach, why should the PC I want to reach forward the port in the router instead of letting me tell the router to which PC I want the packet to go?
Imagine a basic company server cluster behind a router, and we'll also assume it doesn't have ISA. In this situation, all outgoing traffic is marked in a NAT list in the router so that when a reply is sent back, the router knows where it's going. Any outstanding incoming traffic is ignored because no one asked for the data. Now imagine a "hacker" sending random internal addresses bypassing the router pretending to be another internal computer...the computer gives up any vital information because it thinks it's inside the network.
This is bad.
Think of it like the postal service. The router is the person in your house who goes through the mail looking at the names and handing it out to the family members it belongs to...any mail that doesn't belong gets thrown away. In the same analogy, being able to bypass this is like the postman kicking down your door and grabbing the first person who moves and forcing them to read a letter that doesn't belong to them.
If you don't tell someone who you are and where you live, they cannot address you properly, just like on the internet.
Now look at it on the side of the server, who actually wants a specific port to make it through. But again, the server needs to be secure...just because you want a person to come into your home, doesn't mean you want him to walk into your bedroom and steal your checkbook. You have to tell the household member that "if any of my friends come here, let me know." This is telling the router which computer in an entire network to send traffic to.
Also, let's say that the computer that is handling all incoming traffic crashes, what do you do? An expert would simply run the server on a different computer in the network and all is good....however, the new computer might have a different IP address. In your situation, the game clients have NO idea about this new computer's internal IP address. Players are trying their hardest to connect to the crashed computer because that's the only internal IP address they were given, right? In a normal situation, all server maintenance has to do is change the port-forwarding address to the new computer and done. Not only is your situation insecure, it is not possible with current technology, nor wanted.
Port forwarding is only needed by the server, and takes literally 20 seconds to do....there is no excuse.
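To make the NAT-table reasoning in the answer above concrete (outbound traffic creates an entry, a reply is accepted only if it matches that entry, anything unsolicited is dropped, and a port-forward rule is the one deliberate exception that can be repointed when the server moves), here is a toy stateful NAT written as an added example. It is not code from the original thread; the addresses, ports, `Packet` fields and the `Router` class are all made up for illustration.

```python
"""Toy stateful NAT with one port-forwarding rule (added example, not from the post).

Models the behaviour described in the answer:
  - LAN -> WAN packets create a NAT table entry and get their source rewritten
  - WAN -> LAN packets are delivered only if they match an entry (and come from
    the remote host that entry was created for) or an explicit forward rule
  - everything else is dropped, including attempts to "name" an internal host
All addresses, ports and the packet format are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Router:
    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_public_port
        # (proto, public_port) -> (internal_ip, internal_port, remote_ip, remote_port)
        self.nat: dict = {}
        # (proto, public_port) -> (internal_ip, internal_port); the explicit exception
        self.forwards: dict = {}

    def forward_port(self, proto: str, public_port: int, internal_ip: str, internal_port: int) -> None:
        """The 'if any of my friends come here, send them to me' rule from the analogy."""
        self.forwards[(proto, public_port)] = (internal_ip, internal_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: record who asked, rewrite the source to the router's public ip:port."""
        pub_port = self.next_port
        self.next_port += 1
        self.nat[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: return the packet rewritten to the internal host, or None (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None  # addressed to something we are not; nobody inside can be named directly
        key = (pkt.proto, pkt.dst_port)
        entry = self.nat.get(key)
        if entry:
            int_ip, int_port, remote_ip, remote_port = entry
            # Only the host the internal machine actually talked to may reply on this mapping.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)
            return None
        fwd = self.forwards.get(key)
        if fwd:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None  # unsolicited: no one asked for this data


def scenario() -> dict:
    """Walk through the cases from the answer with constructed sample addresses."""
    r = Router("203.0.113.5")
    # 1. Internal client talks out; the matching reply is let back in.
    out = r.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    reply = r.inbound(Packet("198.51.100.7", 443, "203.0.113.5", out.src_port))
    # 2. Unsolicited packet aimed at the router's public address: dropped.
    unsolicited = r.inbound(Packet("198.51.100.9", 1234, "203.0.113.5", 27015))
    # 3. A different remote host riding an existing mapping: dropped.
    spoof = r.inbound(Packet("198.51.100.9", 443, "203.0.113.5", out.src_port))
    # 4. The server owner forwards the game port to the server host.
    r.forward_port("udp", 27015, "192.168.1.20", 27015)
    game = r.inbound(Packet("198.51.100.9", 1234, "203.0.113.5", 27015, "udp"))
    # 5. Server host crashes and is replaced: change one rule, clients keep using the same public ip:port.
    r.forward_port("udp", 27015, "192.168.1.21", 27015)
    game_after_move = r.inbound(Packet("198.51.100.9", 1234, "203.0.113.5", 27015, "udp"))
    return {
        "out": out,
        "reply": reply,
        "unsolicited": unsolicited,
        "spoof": spoof,
        "game": game,
        "game_after_move": game_after_move,
    }


if __name__ == "__main__":
    for name, pkt in scenario().items():
        print(f"{name:16} -> {'DROP' if pkt is None else pkt}")
```

Case 2 is exactly the question's proposal: a packet from outside that wants to be sent to an internal host nobody has advertised. The table has no entry for it and no forward rule, so it goes nowhere. Case 5 is the failover the answer describes: the clients only ever know `203.0.113.5:27015`, so moving the server is a one-line change in `forwards`. A real NAT also ages entries out and tracks protocol state, which this toy omits.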