In the log miniupnpd was complaining about the lack of the chain MINIUPNPD-POSTROUTING.
Running these two lines:
$IPTABLES -t nat -N MINIUPNPD-POSTROUTING
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MINIUPNPD-POSTROUTING
from https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/netfilter/iptables_init.sh basically (almost) instantly solved my problems, and as far as I can tell UPnP works fine now. Not sure how to persist these changes over a reboot, but as I had a 3-month uptime before this, I'm not too worried.
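An added example, not part of the original post or of the miniupnp project: the same two commands wrapped so they can be re-run (for instance from a boot-time script) without failing on an existing chain or appending a duplicate jump rule. The function name and the default values for `IPTABLES` and `EXTIF` are assumptions; set `EXTIF` to your WAN interface.

```shell
#!/bin/sh
# Added example: idempotent form of the two commands quoted above.
# IPTABLES and EXTIF use the variable names from the post; the defaults
# below are assumptions and must be adjusted to the local system.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"

# ensure_miniupnpd_postrouting (hypothetical helper name)
# Creates the MINIUPNPD-POSTROUTING chain in the nat table and hooks it
# into POSTROUTING for $EXTIF, but only where each piece is missing.
ensure_miniupnpd_postrouting() {
    chain=MINIUPNPD-POSTROUTING

    # "-n -L <chain>" exits non-zero when the chain does not exist.
    if ! $IPTABLES -t nat -n -L "$chain" >/dev/null 2>&1; then
        $IPTABLES -t nat -N "$chain" || return 1
    fi

    # "-C" checks for an identical rule; append only when it is absent,
    # so repeated runs never stack duplicate jumps in POSTROUTING.
    if ! $IPTABLES -t nat -C POSTROUTING -o "$EXTIF" -j "$chain" 2>/dev/null; then
        $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j "$chain" || return 1
    fi
    return 0
}

# To apply (as root), source this file and call:
#   ensure_miniupnpd_postrouting
```

Running `iptables -t nat -S POSTROUTING` afterwards should show the jump to MINIUPNPD-POSTROUTING exactly once, however many times the function has been called.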