Just to get this out of the way - Asterisk (and by extension, FreePBX) doesn't play well in a multi-tenant environment, which it sounds like you are trying to set up.
OK - what you really need to do is read up on NAT. Most of the FreePBX settings you're concerned about won't actually have much impact on your proper networking.
The Ingress from the Internet to the local network on the server LAN needs to be a firewalled system that only allows some very specific ports. Specifically, UDP 5060 and UDP Range 10000 to 20000. All of these should be "redirected" to the Internal Address of the server in the LAN. You can set the server up with a public address if you want, you'll still need to make sure the Internal network can connect to the local port on the server (requires 2 Ethernet cards).
In FreePBX, turn on the Adaptive Firewall (along with the Integrated Firewall) - this opens the server to the world on port 5060. I would, for now, eschew the PJ-SIP channel driver. It's "new and improved" <sarcasm/> but it's still popping up new problems every day. Chan-SIP is old, and proven, and just works.
Your Client A devices will be able to connect to the server without issue. They should be set up with NAT turned off. Set the firewall up so that the local network is "trusted".
Your Client B devices will connect through the external firewall They need to have NAT turned on and need to be able to identify the external address of the firewall or have a STUN server (out in the wild) that can report the "apparent" address of the phone. This allows Asterisk to send your traffic to the right place. If you know the address range and it's static, you can assign the network to one of the Trusted Zones so that the phones don't end uo getting locked out in the case of a bad connection or password.
Your Client C devices need to be set up just like the Client B devices. The difference here is that, since the IP address of the client will change from time to time, so you won't be able to "whitelist" these addresses. That fact that they're coming over 3G is a complete red herring - it's all IP networking. Once again, you are likely to require either the 'external' address of the device or a STUN server in the wild (if it doesn't have a routable address). If it has a routable address, you don't need to set NAT since the traffic will be able find its way back to the device through the IP address of the phone.
You set it once for the system default in Advanced Settings and then in the individual extensions if they have problems.
May I direct you to this discussion: http://forums.asterisk.org/viewtopic.php?f=1&t=1334
NAT mode is set per "direction" so if the point you are trying to set up is behind a NAT device and connecting to something outside its local network, NAT needs to be "YES".
Basically, anytime you have a device that's communicating with something "outside" the LAN, you need it. It's possible that the devices at both,, one, of none of the ends will need NAT based on networking requirements.
An important note that you might have missed (your questions lead me to believe you haven't realized this yet) is that Asterisk is what ALL phones connect to. In POTS terms, phones connect to other phones through the switch. In FreePBX, the switch connects to phones and allows them to communicate, so there's no "end to end" path. Everything goes through the FreePBX server.
Since your server is on a dynamic address, you will need to refer everyone to your DynDNS hostname. Once you've got a static address, you can reconfigure the system so that your address is set up in DNS and just works. Having said that, though, it's important to remember that you are running behind a firewall and that address is the one you'll be using for all of your external connections. In the local net - use the local network interface IP address and skip the DNS headache.