Final update for the day - after much messing around, with firewall rules (RTP on ports 10000-20000), and setting the externip, etc. It finally all sprang to life. Both inbound and outbound calls worked perfectly, and audio in both directions.
Then realised that I had added the extension directly into Freepbx so LMCE knew nothing about it. It didn't seem to mind and would happily receive calls from the extension, just didn't present it as an option anywhere.
So I decided that as it was the general config (sip.conf and sip_nat.conf and sip_additional.conf) and the firewall rules I had been playing with, not the extensions. I would just remove the extension I added directly. And add a device in LMCE properly (as I have done before). After a few reloads and regens, I got LMCE to accept the device and auto-create the extension in Freepbx again. Calls still working.
So I decided to do a full reboot, just to make sure everything was OK. Bang! No outbound calls now (all circuits busy) but inbound calls work perfectly, CallerID and everything!!!
The "full" log is now logging events in debug mode saying something about authentication:
[Aug 23 15:50:16] NOTICE chan_sip.c: Failed to authenticate on INVITE to '
[Aug 23 15:50:16] VERBOSE logger.c: --- (6 headers 0 lines) ---
[Aug 23 15:50:16] VERBOSE logger.c:
<--- SIP read from 18.104.22.168:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 22.214.171.124:5060;received=126.96.36.199;branch=z9hG4bK1a5
From: "pl_40" <sip:0290432XXX@sip.internode.on.net>;tag=as7e3f4931
CSeq: 102 INVITE
WWW-Authenticate: DIGEST qop="auth",nonce="BroadWorksXfk7tbhi3Tu55bdiBW",algorit