In the context that you're dealing with, NAT is normally not involved unless you *wish* to translate public traffic to internal boxes, eg: a web server with a LAN ip/behind your Zyxel router/firewall.
It looks like you're making a mess with attempting to use NAT in a manner it's not intended for.
If you do NOT want internal boxes to be reachable (for services like http) outside your network, then you're barking up the wrong tree as far as NAT goes.
Creating a wireless network adds more security concerns as opposed to wired networks, but wireless broadband routers comes with extra levels of embedded security. Along with the features found in wired routers, wireless routers also provide features relevant to wireless security which include Wi-Fi Protected Access (WPA) and wireless MAC address filtering. ZyXEL routers are high performance routers and they are designed for home and office use. Different kinds of ZyXEL routers are available. So service providers can immediately determine when a router is down and where the failure has occurred.
You say "consistency is rock solid". Could you elaborate on this please. Is the consistency of the Zyxel router better than the consistency of Asus AC68u? How important is the concistency for instance for perceived quality of streaming video content, and how would the Zyxel perform compared with Asus for this kind of usage?