Jitsi Meet Docker: video via "Launch in Web" (iOS) not working over UDP, needs TCP. Why?

My internet domain is connected to my router's IP address (DynDNS); the router forwards ports 80, 443, 4443 (all TCP) and 10000 (UDP) to my server.
The server runs a fresh jitsi-meet Docker installation (6173): edited .env to use Let's Encrypt, docker host is my domain, URL is a subdomain, generated passwords, docker-compose up, added a user with password, all is up and running.
The Let's Encrypt certificate was generated without a problem; both internal (LAN) and external (public internet) clients can access the server via HTTPS.
All can join a room and start a meeting when authenticated with user/password.

But as soon as an internal person joins a meeting with an external user, the external user's video goes black.
Apparently the JVB does not process the external video stream correctly. The log shows no errors.
When I enable JVB TCP (JVB_TCP_HARVESTER_DISABLED=false) the external video works, so a wrong forward for UDP looked like a good explanation. But with netcat I could transfer UDP packets from the internet to port 10000 on my server, so UDP forwarding as such seems to be OK.

What should I look for next?
If I just call it a day and enable TCP, what side effects should I expect? Server load, resource consumption, video quality …?

Additional info: I had working setups for 5076 and 5142 that I used a couple of times to host conferences. When I start these now, there is the same problem. On the other hand, a lot was changed in my infrastructure: new OS on both server and router, new Docker version, new client OS, client browser and so on.

I don’t know Docker setup but NAT_HARVESTER must be enabled for a typical setup if there are internal clients.

Or a working TURN…

Thanks for the comment, but… well, with Docker you basically fill in the .env file and the configuration is generated at start. This was working previously; now there is an issue that affects external users, not the internal ones.
So no, I never defined NAT_HARVESTER enabled = true, but there are two entries in the (generated) config …/jvb/sip-communicator.properties that contain the NAT_HARVESTER local address and public address. The public address matches the one I defined in .env, i.e. my domain.

Further testing shows that external users can participate in video sessions with the app "Jitsi Meet", as long as the server URL is set to my server. In addition, netcat running in the Docker container can communicate with an external PC via UDP/10000, so firewall and router seem to be OK. Unfortunately I still cannot establish a video conference via UDP per browser with "Launch in Web".
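
Two checks that follow from the posts above, as an added example that is not part of the original thread or of the docker-jitsi-meet project: a UDP responder/probe pair that replaces the one-way netcat test (the probe only reports success when the reply comes back through the NAT, which is what the browser's ICE candidates also need), and a parser for the generated sip-communicator.properties that confirms the two NAT_HARVESTER lines mentioned above point at the expected public address. The sample properties text, the addresses in it, the DISABLE_TCP_HARVESTER/TCP_HARVESTER_PORT keys and the "ack:" probe format are assumptions made for this example, not values taken from the poster's setup.

```python
import socket
import sys
import threading
import time

# Constructed sample of the lines docker-jitsi-meet generates into
# jvb/sip-communicator.properties. Values and the two TCP keys are assumptions.
SAMPLE_PROPERTIES = """\
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=172.18.0.5
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=meet.example.org
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443
"""

NAT_LOCAL = "org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS"
NAT_PUBLIC = "org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS"
TCP_DISABLED = "org.jitsi.videobridge.DISABLE_TCP_HARVESTER"


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def harvester_findings(props, expected_public):
    """Return human-readable findings about the JVB NAT/TCP harvester setup."""
    findings = []
    local, public = props.get(NAT_LOCAL), props.get(NAT_PUBLIC)
    if not local or not public:
        findings.append("NAT harvester mapping missing (local or public address)")
    elif public != expected_public:
        findings.append(f"public address {public} != expected {expected_public}")
    if props.get(TCP_DISABLED, "true") == "true":
        findings.append("TCP harvester disabled: media must reach UDP 10000")
    return findings


def start_responder(bind_host="0.0.0.0", port=10000):
    """Bind a UDP echo responder and serve it in a background thread.

    Run this where the JVB listens (on the docker host, or in the jvb
    container with the bridge stopped). Returns (bound_port, stop_fn);
    stop_fn blocks until the socket is closed.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_host, port))
    sock.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            sock.sendto(b"ack:" + data, peer)  # reply goes back via the NAT
        sock.close()

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()

    def stop_fn():
        stop.set()
        thread.join()

    return sock.getsockname()[1], stop_fn


def udp_probe(host, port, payload=b"jvb-probe", timeout=2.0):
    """Send one datagram from outside and wait for the responder's echo.

    Returns (reached, reply). reached is True only if the echo arrived, so
    both the forward (router -> server) and the return path are proven.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(payload, (host, port))
        data, _ = sock.recvfrom(2048)
        return data == b"ack:" + payload, data
    except OSError:  # timeout, or ICMP port unreachable surfacing as an error
        return False, b""
    finally:
        sock.close()


if __name__ == "__main__":
    if sys.argv[1:2] == ["serve"]:            # on the server: python probe.py serve
        port, stop = start_responder("0.0.0.0", 10000)
        print(f"responder listening on udp/{port}, Ctrl-C to stop")
        try:
            while True:
                time.sleep(1)
        except KeyboardInterrupt:
            stop()
    elif len(sys.argv) == 3 and sys.argv[1] == "probe":  # outside: probe <domain>
        ok, reply = udp_probe(sys.argv[2], 10000)
        print("UDP round trip OK" if ok else "no reply", reply)
    else:
        print(harvester_findings(parse_properties(SAMPLE_PROPERTIES),
                                 "meet.example.org"))
```

Running "serve" on the docker host and "probe <your domain>" from a device on mobile data distinguishes "packets arrive" (what the netcat test showed) from "packets arrive and replies get back", and the findings list makes explicit that with the TCP harvester disabled, UDP 10000 is the only media path the bridge offers.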

1- Does it work when there are 3 external participants in a room?

2- Does it work when there are 3 internal participants in a room?

Internal participants can always see each other; external (browser) clients could not see any other clients as long as the server is configured to use UDP.
But I typically use iOS devices to test external (browser) connections. This setup has the problem described above. If I instead use an iOS device as a mobile hotspot for other devices, then both a Mac and another iOS device work as expected. => Conclusion: the issue is related to an iOS setting/feature, not to Jitsi…