* Emby server 188.8.131.52 on MacOS 10.12.6 Sierra and also running PIA 1.1.1
* Internet is cable to an ISP-supplied modem, WAN port to Asus RT-AC68U, ethernet to the Emby server.
* Emby server has a manually-assigned IP via the Asus GUI to its MAC address.
* Emby remote port is 8096 via http
When my server is not connected to the PIA VPN, I can scan the server's public-facing IP (from another computer) for open ports and I see 8096 is indeed open. When I connect the server to the VPN and scan the server's new public-facing IP, 8096 isn't open. These are the things I've tried and have all failed:
1. Forward 8096 to the server's local IP address via the Asus GUI.
2. Enable port-forwarding in the PIA VPN client; change the Emby server remote http port to the port the VPN is forwarding (this is a read-only assigned port in PIA); forward the new port to the server's local IP address via the Asus GUI. Scanning the new public-facing IP shows the new port (and 8096) is not open.
3. Same as #2 but leave the Emby remote port as the default 8096.
4. In the Asus GUI additionally specify the destination local port as 8096.
5. All of the above with different PIA VPN locations among the ones that support port-forwarding.
6. All of the above with MacOS firewall disabled.