UPnP port forwarders for VLan gateways

Thank you, we have some more information. These tests are run using Warframe on both a PC running Windows 10, and a Nintendo Switch Lite. Both were connected via WiFi to Peplink AP One Minis running 3.7.0 managed by a Balance One running 8.1.0.b02. There are two WiFi networks, the untagged one and the “Guest” VLAN for untrusted devices.

Test 1:

I have 2 WANs, and in all cases there is an Outgoing Policy set to Enforced to force the device to WAN2.

First, the good news: The PC version of Warframe seems to set up UPnP on the VLAN just fine when entering the game:

However, on the Switch, we see problems.

  • When launching the game, we get a warning: “Strict NAT detected, please forward UDP ports 4950 and 4955”.
  • If we add Port Forwarding rules, this message goes away.
  • Once in the game, the game is playable, but there is no NAT-PMP or UPnP showing up.
  • Inside the game, if the user Invites another player to join, the person receiving the invitation cannot Join, getting a “Host unreachable” message.

Test 2: I turned off all of the Outbound Policy and Port Forwarding rules, and instead set up the Nintendo Switch with a NAT Mapping rule to use a single unused static IP address on WAN1.

  • When launching the game, we still get the warning: “Strict NAT detected, please forward UDP ports 4950 and 4955”. This seems weird, shouldn’t a NAT mapping rule cover this situation? [Edit: see below, I think this is a problem with NAT mapping outgoing rules]

  • However, now the game works - the Switch user can play, invite others, and the others can reply and join.

In summary, it looks like this may be something weird or buggy with the Nintendo Switch implementation of UPnP or NAT-PMP? If Peplink is interested in pursuing this, you clearly need to buy Switches for all your employees :) but if I can do anything to help debug (packet capture, etc?) do let me know.

I have a separate question about NAT Mapping which I’ll do in a new thread here: NAT Mapping forced to specific outbound WAN