I tested another router, with which everything works fine, so I am now sure that the MSR2004 is to blame.
I did some more digging, and it looks like UDP packets in general are somehow mishandled by the NAT. Is there any additional option I need to configure to mimic 'stateful' routing/NAT for my UDP packets?
Here is the sanitized configuration that is currently active:
#
version 7.1.064, Release 0605P20
#
sysname gw-1
#
ip icmp source 192.168.100.1
#
nat address-group 0
address xxx.91.227.170 xxx.91.227.170
#
nat mapping-behavior endpoint-independent
#
dhcp enable
#
dns proxy enable
dns server 8.8.8.8
dns server 8.8.4.4
#
password-recovery enable
#
vlan 1
#
vlan 10
name Management VLAN
#
vlan 11
name Internal VLAN
#
vlan 12
name Guest Wifi VLAN
#
vlan 20
name Sublet 1 VLAN
#
qos map-table dscp-lp
import 6 export 6
#
traffic classifier highprio operator and
if-match acl name sip
#
traffic behavior communication
#
traffic behavior highprio
remark local-precedence 7
#
qos policy communication
classifier highprio behavior highprio
#
stp mode rstp
stp global enable
#
dhcp server ip-pool guest
gateway-list 192.168.210.1
network 192.168.210.0 mask 255.255.255.0
address range 192.168.210.10 192.168.210.200
dns-list 192.168.210.1
expired day 0 hour 4
#
dhcp server ip-pool internal
gateway-list 192.168.200.1
network 192.168.200.0 mask 255.255.254.0
address range 192.168.200.10 192.168.201.200
dns-list 192.168.200.1
expired day 0 hour 8
#
controller Cellular0/0
#
interface Aux0
#
interface NULL0
#
interface Vlan-interface10
ip address 192.168.100.1 255.255.255.0
#
interface Vlan-interface11
ip address 192.168.200.1 255.255.254.0
packet-filter 3000 inbound
qos apply policy communication inbound
#
interface Vlan-interface12
ip address 192.168.210.1 255.255.255.0
packet-filter 3000 inbound
packet-filter 3001 inbound
qos apply policy communication inbound
#
interface Vlan-interface20
packet-filter 3000 inbound
#
interface GigabitEthernet0/0
port link-mode route
ip address xxx.91.227.170 255.255.255.248
tcp mss 1460
packet-filter name external inbound
nat outbound address-group 0 port-preserved
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode route
#
interface GigabitEthernet0/27
port link-mode route
#
interface GigabitEthernet0/3
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/4
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/5
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/6
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/7
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/8
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/9
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/10
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/11
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/12
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/13
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/14
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/15
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/16
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/17
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/18
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
port hybrid pvid vlan 10
#
interface GigabitEthernet0/19
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/20
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 12 tagged
port hybrid vlan 1 untagged
port hybrid pvid vlan 10
#
interface GigabitEthernet0/21
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
port hybrid pvid vlan 10
#
interface GigabitEthernet0/22
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/23
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/24
port link-mode bridge
port link-type hybrid
port hybrid vlan 10 to 11 tagged
port hybrid vlan 1 untagged
#
interface GigabitEthernet0/25
port link-mode bridge
port access vlan 11
#
interface GigabitEthernet0/26
port link-mode bridge
port access vlan 10
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0
user-role network-operator
#
line vty 1
authentication-mode scheme
user-role network-operator
#
line vty 2 63
user-role network-operator
#
ip route-static 0.0.0.0 0 xxx.91.227.169
#
ssh server enable
ssh user admin service-type all authentication-type password
#
ssh2 algorithm cipher aes256-cbc
#
ntp-service unicast-server ptbtime1.ptb.de
#
acl advanced 3000
rule 0 deny tcp destination 192.168.100.0 0.0.0.255
rule 1 deny udp destination 192.168.100.0 0.0.0.255
#
acl advanced 3001
rule 0 deny ip destination 192.168.100.0 0.0.0.255
rule 1 deny ip destination 192.168.200.0 0.0.0.255
#
acl advanced name external
rule 0 permit icmp
rule 5 permit tcp established
rule 15 permit udp source-port eq dns
rule 20 permit udp destination-port gt 1024
rule 21 permit udp
rule 25 permit 115
rule 9999 deny ip
#
acl advanced name sip
rule 0 permit tcp destination-port range 5060 5061
rule 5 permit udp destination-port range 5060 5061
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash xxx
service-type ssh telnet terminal http
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
cwmp
cwmp enable
#
return