Anton Nagaets, 2021-08-27 08:58:23
firewall

How to forward Vyos ports correctly?

Good afternoon. There is a task that I just cannot get solved.
Given:
1) There is a server in the DMZ; RDP port 3389 needs to be forwarded to it (192.168.38.36/28).
2) There are two FWs running VyOS: the first one faces the Internet, 192.168.3.1/29; the second one, who knows why they put it there, but it is there and it can't be taken out yet, 192.168.3.9/29.
3) Routes are configured on both; traffic for the other rules runs fine.
FW-inet 192.168.0.0 192.168.3.1 255.255.0.0 UG 0 0 0 eth2
FW-DMZ 192.168.38.0 192.168.3.6 255.255.255.0 UG 0 0 0 eth5

Task:
Pass port 3389 through both FWs to the server.
It seemed that everything was simple: take port 33889, create a destination NAT rule on the FW that faces the Internet, allow connections on that port on the internal one, and profit. BUT no. It doesn't want to work like that. It was done by the book, following the developer's manual.
Configs:

FW-inet

nat {
    destination {
        rule 75 {
            description test-remote-1
            destination {
                port 33889
            }
            inbound-interface any
            protocol tcp
            translation {
                address 192.168.38.36
                port 3389
            }
        }
    }
}

And, just in case, this was added to FW-DMZ in the firewall section:
rule 150 {
    action accept
    destination {
    }
    protocol tcp
    source {
        address 192.168.38.36
        port 3389
    }
}


As a result, nothing works, and the question, in Chernyshevsky's words, is: "What is to be done?"
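For reference, the same two-box layout written as VyOS set-commands, as an added example that is not from the thread or from the poster's configuration. Interface names eth0 (FW-inet, Internet side), eth1 (FW-DMZ, the link facing FW-inet) and the ruleset name DMZ-IN are assumptions. The point it shows: DNAT rewrites the destination in PREROUTING, before forwarding, so every firewall rule on the path (on FW-inet as well as on FW-DMZ) has to match the translated destination 192.168.38.36:3389, not the original port or the server as source.

```vyos
# FW-inet: destination NAT for the published port (assumed WAN interface eth0)
configure
set nat destination rule 75 description 'test-remote-1'
set nat destination rule 75 inbound-interface eth0
set nat destination rule 75 protocol tcp
set nat destination rule 75 destination port 33889
set nat destination rule 75 translation address 192.168.38.36
set nat destination rule 75 translation port 3389
# If a firewall is attached to eth0 'in', it sees the packet AFTER DNAT,
# so its accept rule must match destination 192.168.38.36 port 3389 as well.
commit
save
exit

# FW-DMZ: plain filtering; the packet arriving from FW-inet already carries
# destination 192.168.38.36:3389, so the rule matches on destination, not source.
# (assumed: link to FW-inet is eth1, ruleset name DMZ-IN)
configure
set firewall name DMZ-IN default-action drop
set firewall name DMZ-IN rule 10 action accept
set firewall name DMZ-IN rule 10 state established enable
set firewall name DMZ-IN rule 10 state related enable
set firewall name DMZ-IN rule 150 action accept
set firewall name DMZ-IN rule 150 protocol tcp
set firewall name DMZ-IN rule 150 destination address 192.168.38.36
set firewall name DMZ-IN rule 150 destination port 3389
set interfaces ethernet eth1 firewall in name DMZ-IN
commit
save
exit

# Check: the counters of rule 75 and rule 150 must both increase while a
# client connects to <FW-inet WAN address>:33889; a zero on one side tells
# you which box is dropping the flow.
show nat destination statistics
show firewall statistics
```

The DMZ server's default route must lead back through FW-DMZ and FW-inet; if replies take another path, the NAT and conntrack state is never matched and the handshake stalls even with both rules correct.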

1 answer(s)
Anton Nagaets, 2021-08-27
@gr1mm3r

[UPD] Resolved. The problem was in the RDP application from Microsoft on Android.
