Hosting a VPN with Airport Extreme

Tags: airport, high sierra, server.app, vpn

Following a factory reset, is my Airport Extreme 2013 no longer forwarding VPN traffic?

For years I have hosted a VPN from my home with various versions of Server.app (currently 5.6.3, latest for High Sierra) on various versions of OS X (currently 10.13, High Sierra) installed on a Mac Mini, wired through various ethernet hubs/switches to an Airport Extreme router (2013, 6th Generation running version 7.7.9).

Recently, my entire network went down. Before I noticed this was due to an 8-port hub losing power, I factory reset the router (unplugged power, held down reset button, plugged in power, waited for lights to start blinking, and reconfigured router). Neither the physical topology of my network has been altered, nor have the IP addresses of devices on my network changed.

Now, everything appears to be working except for VPN. I have had success forwarding various services (ssh, http, https) from outside the network to the Mac Mini. I have a forwarding rule for VPN set up on the router (UDP ports 500, 1701, 4500; TCP port 1723), and the VPN service within Server.app enabled on the Mac Mini. I am able to connect to the VPN service from within my network, but outside the network (e.g., iPhone over cell network) I receive the error message:

The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.

Attempting to scan for open ports on the router from outside the network reveals the ports for the other services (22, 80, 443, etc.), but none of the VPN ports (500, 1701, 4500, or 1723). Attempting to scan for open ports on the Mac Mini from inside the network reveals the same situation. This is the case both inside and outside the network whether I use my modem's external IP, a dynamic hostname (provided by ddns.net), or a subdomain on a CNAME entry for a DNS record I have control over.

I do not think my ISP is blocking VPN traffic as this setup worked less than a week prior to the network mishap.

I think something has gone wrong on the router. I have tried these things:

  • enabled IGMP Snooping as suggested in this post: VPN Passthrough problems with Airport Extreme.
  • ensured IP ranges do not overlap (as suggested also in above post): wired static from .1 – .49; wireless static from .50 – .99; DHCP from .100 – .199, and VPN on .224 – .254.
  • ensured Back To My Mac is disabled on the router and the Mac Mini (indeed, I don't believe Back To My Mac exists as such on High Sierra).
  • taken the router out of the loop and connected the Mac mini directly to the cable modem. Connections to the VPN succeeded. This confirms that my ISP is not blocking VPN traffic, that the VPN server is working (for internal and external clients), and that the Airport Extreme is the problem.

Things I have not yet tried:

  • alternative VPN software (OpenVPN). I think VPN in Server.app is working as I can connect to it on the internal network.
  • alternative ports, e.g., on the router forward 22 to 500, 80 to 1701 and 443 to 4500. I have not tried this because I don't know how to configure the VPN client to try to connect on these ports. It also seems not possible to configure the VPN server (at least the one within Server.app) to listen on different ports.

Best Answer

First check the settings on the AirPort Extreme to ensure that the box labelled "Allow incoming IPSec authentication" in "Network Options..." under "Network" is checked.

Then I suspect what has happened is that your Mac Mini has received a different internal IP address. This could lead to the port forwardings that you had set up not working anymore, which is confirmed by the fact that you cannot see your port forwarding of TCP port 1723 with a port scanner.

On the Mac Mini open System Preferences and Network, and find the internal IP address of your Mac Mini. It might be for example 192.168.2.10. Then check the port forwardings on the Airport Extreme under "Network" and "Port Settings...". Ensure that the field "Private IP Address" lists the internal IP address of your Mac Mini for all the VPN related ports (UDP ports 500, 1701, 4500 and TCP port 1723).
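As an added example (not part of the question or the answer above), the script below turns the answer's check into something you can run on the Mac Mini: it models the router's "Port Settings..." table as plain Python data, compares the "Private IP Address" of every VPN rule (UDP 500, 1701, 4500 and TCP 1723) against the server's current LAN address, flags a server address that sits inside the DHCP pool (where a host without a reservation can end up with a different address after a factory reset), and can probe a TCP port such as 1723 from inside the LAN to confirm the daemon is listening. The rule entries, addresses and DHCP range are constructed sample values; the function names are my own, not part of Server.app or AirPort Utility.

```python
"""Diagnose stale VPN port-forwarding rules after a router reset (added example)."""
import ipaddress
import socket
from dataclasses import dataclass

# The four ports the question lists for L2TP/IPsec and PPTP forwarding.
REQUIRED_VPN_PORTS = frozenset({("udp", 500), ("udp", 1701), ("udp", 4500), ("tcp", 1723)})


@dataclass(frozen=True)
class ForwardRule:
    proto: str          # "udp" or "tcp"
    public_port: int    # port exposed on the WAN side of the router
    private_ip: str     # "Private IP Address" field in AirPort Utility
    private_port: int   # port on the LAN host


def check_vpn_forwarding(rules, server_ip, dhcp_pool):
    """Return a list of findings; an empty list means every VPN rule points at server_ip.

    rules     -- ForwardRule entries copied from the router's Port Settings
    server_ip -- the Mac Mini's current LAN address (System Preferences > Network)
    dhcp_pool -- (first, last) address of the router's DHCP range
    """
    findings = []
    server = ipaddress.ip_address(server_ip)
    low, high = (ipaddress.ip_address(a) for a in dhcp_pool)
    if low <= server <= high:
        findings.append(f"{server_ip} lies inside the DHCP pool {dhcp_pool[0]}-{dhcp_pool[1]}; "
                        "without a DHCP reservation it can change after a router reset")
    seen = set()
    for r in rules:
        key = (r.proto.lower(), r.public_port)
        if key not in REQUIRED_VPN_PORTS:
            continue  # unrelated service (ssh, http, ...), not our concern here
        seen.add(key)
        if ipaddress.ip_address(r.private_ip) != server:
            findings.append(f"{r.proto.upper()} {r.public_port} is forwarded to {r.private_ip}, "
                            f"but the VPN server is at {server_ip}")
        if r.private_port != r.public_port:
            findings.append(f"{r.proto.upper()} {r.public_port} is translated to {r.private_port}; "
                            "the Server.app VPN service listens on the standard port only")
    for proto, port in sorted(REQUIRED_VPN_PORTS - seen):
        findings.append(f"no forwarding rule for {proto.upper()} {port}")
    return findings


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes (e.g. PPTP on 1723 from the LAN)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def loopback_listener():
    """Open a listening TCP socket on 127.0.0.1 on an ephemeral port (for self-tests)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    # Constructed sample: rules still point at the pre-reset address .10,
    # while the server now sits at .120 inside the DHCP pool .100-.199.
    sample_rules = [
        ForwardRule("udp", 500, "192.168.2.10", 500),
        ForwardRule("udp", 1701, "192.168.2.10", 1701),
        ForwardRule("udp", 4500, "192.168.2.10", 4500),
        ForwardRule("tcp", 1723, "192.168.2.10", 1723),
        ForwardRule("tcp", 22, "192.168.2.10", 22),
    ]
    for line in check_vpn_forwarding(sample_rules, "192.168.2.120",
                                     ("192.168.2.100", "192.168.2.199")):
        print("-", line)
    # On the Mac Mini itself, 127.0.0.1:1723 shows whether the PPTP side is up.
    print("tcp/1723 listening locally:", tcp_port_open("127.0.0.1", 1723, timeout=1.0))
```

On macOS the current LAN address can be read with `ipconfig getifaddr en0` and passed in as `server_ip`; the rule table has to be copied by hand from AirPort Utility, since the AirPort Extreme offers no scriptable interface for it. The UDP ports cannot be verified with a plain connect, which is why the probe helper only covers TCP 1723.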