Q: NAT-PMP vs. application vs. mDNSResponder

This is listed as a Leopard Quad G5 question, but it seems to be relevant an Mountain Lion MacBook Pro as well.

I've set up (with a lot of difficulty), wide-area bonjour on the G5. The network topology internally is a number of Airport Express/Time Capsule access points in bridge mode to an (old) Airport Extreme Base Station (snow aka 802.11g) which hooks up to a cable modem from the cable company. The cable company gives one DHCP address to the AEBS, which then shares the access through the internal 10.0.x.x network. NAT-PMP is enabled on the AEBS. There are

some static port mappings on AEBS, but not for the ports in question (I have also tried turning off all static mapping and it didn't help).

The trouble is none of the standard Apple applications (remote desktop, appleshare, remote desktop to name a few) register properly in the Wide Area Bonjour domain, but only at the normal ports, e.g. ARD/VNC registers an address of <external-address>:5900; AFP at <external-address>:548, etc.

I also have detailed logging turned on for the AEBS and it doesn't show any binding requests.

I have seen requests on port 5353 when I snoop the traffic, but it's mostly for the mDNSResponder ports itself. I can see binding requests in the (debug level) log on the AEBS but only from Skype and Transmission (torrent client) and the ports they request do get opened up (so it seems like NAT-PMP works at the AEBS at least at some level), or it is requests inquiring for the external address.

What is even more problematic is if there is a second machine on the internal network (in this case, the Mountain Lion MBP mentioned above) with screen sharing enabled it will also register at <exernal-address>:5900 and no binding request is logged at the AEBS. And in all cases (one or two machine claiming 5900 for the VNC port), port 5900 is not open to the WAN side, unlike the external ports that have binding requests that do work (such as Skype or Transmission). This seems to imply that it isn't just that the G5 has an old version of mDNSResponder.

I have packet logging turned on in mDNSResponder but only see DNS queries and answers.

So, my question is what to do next? Also, whose responsibility is it do the binding request on the AEBS? Is it mDNSResponder or tha app itself? It seems like (from what I read) it's mDNSResponder, but should I not see it even try?

Thanks in advance for any ideas.-kby