Screen OS

  • 1.  Help for a netscreen 25

    Posted 06-05-2009 11:35

    Currently I only have 2 ports used, Trust and Untrust. I am looking to add to port 4 a DMZ setup that will only have access to the internet; connected to port 4 will be a simple Netgear wireless router. The DMZ is set up with a private address 172.16.50.1. I have set up a MIP on the Untrust interface using a public IP pointed to 172.16.50.1, and I have set up a policy for DMZ to Untrust (NAT for interface mode). The Netgear will have a 172.16.50.2 address and use 172.16.50.50-254 for DHCP; external DNS IPs were added. When a PC is connected wired or wireless it can get to the 172.16.50.1 address but then all stops.

     

     

    Any help is greatly appreciated.



  • 2.  RE: Help for a netscreen 25

    Posted 06-05-2009 12:02

    Looks like it may be a nat or route problem. Can you post the following:

     

    get sess src-ip <X.X.X.X>  (X.X.X.X is the IP of one of the 172.16.50.X clients)

     

    also a "get route"

     

    also a: get conf | i "policy id X"  (where X is the policy ID which you expect it to match)

     

    That should pretty much tell us what's wrong.



  • 3.  RE: Help for a netscreen 25

    Posted 06-05-2009 12:49

    DF-INT-FW1-> get sess src-ip 172.16.50.50
    alloc 280/max 32064, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 31784
    Total 9 sessions according filtering criteria.
    id 29233/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 4, dip 0 module 0
     if 5(nspflag 800801):172.16.50.50/61609->209.244.0.3/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
     if 6(nspflag 800800):172.16.50.50/61609<-209.244.0.3/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
    id 29469/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 1, dip 0 module 0
     if 5(nspflag 800801):172.16.50.50/62146->209.244.0.4/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
     if 6(nspflag 800800):172.16.50.50/62146<-209.244.0.4/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
    id 30006/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 6, dip 0 module 0
     if 5(nspflag 800801):172.16.50.50/55235->209.244.0.4/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
     if 6(nspflag 800800):172.16.50.50/55235<-209.244.0.4/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
    id 30263/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 6, dip 0 module 0
     if 5(nspflag 800801):172.16.50.50/55235->209.244.0.3/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
     if 6(nspflag 800800):172.16.50.50/55235<-209.244.0.3/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
    id 30642/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 1, dip 0 module 0
     if 5(nspflag 800801):172.16.50.50/62146->209.244.0.3/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
     if 6(nspflag 800800):172.16.50.50/62146<-209.244.0.3/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
    id 30650/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 6, dip 0 module 0
     if 5(nspflag 800801):172.16.50.50/54072->209.244.0.3/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
     if 6(nspflag 800800):172.16.50.50/54072<-209.244.0.3/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
    id 31052/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 3, dip 0 module 0
     if 5(nspflag 800801):172.16.50.50/56885->209.244.0.3/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
     if 6(nspflag 800800):172.16.50.50/56885<-209.244.0.3/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
    id 31462/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 2, dip 0 module 0
     if 5(nspflag 800801):172.16.50.50/56885->209.244.0.4/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
     if 6(nspflag 800800):172.16.50.50/56885<-209.244.0.4/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
    id 31844/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 3, dip 0 module 0
     if 5(nspflag 800801):172.16.50.50/61609->209.244.0.4/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
     if 6(nspflag 800800):172.16.50.50/61609<-209.244.0.4/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
    Total 9 sessions shown


    IPv4 Dest-Routes for <untrust-vr> (0 entries)
    --------------------------------------------------------------------------------
    H: Host C: Connected S: Static A: Auto-Exported
    I: Imported R: RIP P: Permanent D: Auto-Discovered
    iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
    E2: OSPF external type 2


    IPv4 Dest-Routes for <trust-vr> (8 entries)
    --------------------------------------------------------------------------------
       ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------
    *   5          0.0.0.0/0           eth3  69.30.14.193   S   20     10     Root
    *   7     172.16.50.0/24           eth2         0.0.0.0   C    0      0     Root
    *   2     192.168.x.2/32           eth1         0.0.0.0   H    0      0     Root
    *   1     192.168.x.0/24           eth1         0.0.0.0   C    0      0     Root
    *   8     172.16.50.1/32           eth2         0.0.0.0   H    0      0     Root
    *   6    192.168.xx.0/24           eth1    192.168.x.14   S   10      1     Root
    *   4    69.30.14.194/32           eth3         0.0.0.0   H    0      0     Root
    *   3    69.30.14.192/29           eth3         0.0.0.0   C    0      0     Root

    set policy id 16 from "DMZ" to "Untrust"  "Any" "Any" "DNS" permit log
    set policy id 16


    set policy id 18 from "Untrust" to "DMZ"  "Any" "MIP(69.30.14.197)" "DNS" permit log
    set policy id 18

    Message Edited by jrwms2 on 06-05-2009 12:50 PM


  • 4.  RE: Help for a netscreen 25
    Best Answer

    Posted 06-05-2009 13:01

    Problem is that the DNS traffic is not getting natted out:

     

      29233/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 4, dip 0 module 0
     if 5(nspflag 800801):172.16.50.50/61609->209.244.0.3/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
     if 6(nspflag 800800):172.16.50.50/61609<-209.244.0.3/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5

     

    You need to set up the nat src on policy 16.
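
The diagnosis above rests on reading the two legs of each `get session` entry: the first "if N(...): src->dst" line is the leg as the packet arrived on the DMZ interface, and the second "if M(...): src<-dst" line is the leg the firewall will match replies against on the Untrust interface. With `nat src` on the policy, the second leg carries the Untrust interface's public address; here both legs still show 172.16.50.50, so the Internet DNS server is being asked to reply to an RFC 1918 address. The following Python script is an added example, not code from the thread or from Juniper: it parses session output in this format and flags every session to a public destination whose return leg still carries a private source. The sample text is constructed from the thread's first session plus a second, invented session showing what a correctly translated entry looks like (the public address 69.30.14.194 is taken from the route table in the thread; the port 2049 and session id 29900 are made up). The regular expressions are my assumption about the line layout, based only on the lines quoted in the thread.

```python
"""Flag ScreenOS sessions that were forwarded without source NAT.

Each `get session` entry is a header line ("id NNN/...,policy P,...")
followed by two "if" legs. When a policy applies `nat src`, the second
(return) leg shows the translated public address; if both legs carry
the same private source, the traffic left untranslated and replies
from the Internet have no route back.
"""
import ipaddress
import re

# Constructed sample: session 29233 is copied from the thread (no NAT);
# session 29900 is invented to show a translated return leg.
SAMPLE_SESSIONS = """\
id 29233/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 4, dip 0 module 0
 if 5(nspflag 800801):172.16.50.50/61609->209.244.0.3/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
 if 6(nspflag 800800):172.16.50.50/61609<-209.244.0.3/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
id 29900/s**,vsys 0,flag 00000040/0000/0001,policy 16,time 2, dip 0 module 0
 if 5(nspflag 800801):172.16.50.50/61610->209.244.0.3/53,17,001f3c27a09b,sess token 24,vlan 0,tun 0,vsd 0,route 7
 if 6(nspflag 800800):69.30.14.194/2049<-209.244.0.3/53,17,0019e820d84d,sess token 6,vlan 0,tun 0,vsd 0,route 5
"""

# Assumed line layout, derived from the output quoted in the thread.
HEADER_RE = re.compile(r"^id (\d+)/\S+,.*?policy (\d+),")
LEG_RE = re.compile(
    r"^\s*if (\d+)\(nspflag \w+\):([\d.]+)/(\d+)(->|<-)([\d.]+)/(\d+),(\d+),"
)


def parse_sessions(text):
    """Return a list of {id, policy, legs} dicts, one per session entry."""
    sessions = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)),
                             "policy": int(m.group(2)),
                             "legs": []})
            continue
        m = LEG_RE.match(line)
        if m and sessions:
            sessions[-1]["legs"].append({
                "ifindex": int(m.group(1)),
                "src": m.group(2), "sport": int(m.group(3)),
                "dir": m.group(4),
                "dst": m.group(5), "dport": int(m.group(6)),
                "proto": int(m.group(7)),
            })
    return sessions


def missing_source_nat(session):
    """True when traffic to a public destination still has a private
    source on the return leg, i.e. the policy applied no source NAT."""
    legs = session["legs"]
    if len(legs) != 2:
        return False
    inbound, outbound = legs
    dst_is_public = ipaddress.ip_address(inbound["dst"]).is_global
    src_is_private = ipaddress.ip_address(outbound["src"]).is_private
    return dst_is_public and src_is_private and inbound["src"] == outbound["src"]


def find_untranslated(text):
    """Return (session id, policy id) for each session missing source NAT."""
    return [(s["id"], s["policy"])
            for s in parse_sessions(text) if missing_source_nat(s)]


if __name__ == "__main__":
    for sid, pol in find_untranslated(SAMPLE_SESSIONS):
        print(f"session {sid}: policy {pol} forwarded traffic without source NAT")
    # The corresponding fix in ScreenOS CLI (illustrative, not quoted from
    # the thread) is to add `nat src` to the DMZ->Untrust policy so the
    # egress interface address is used, e.g.:
    #   set policy id 16 from "DMZ" to "Untrust" "Any" "Any" "DNS" nat src permit log
```

Run it against a pasted `get session` dump to get the list of session and policy ids that need `nat src`; the check is keyed on the address classes rather than on the specific 172.16.50.0/24 network, so it reports any private-to-public session that left the box untranslated, not only the one discussed here.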



  • 5.  RE: Help for a netscreen 25

    Posted 06-05-2009 13:04

    BRAVO! to you Sir..... knew it would be something I overlooked. That did it, thank you very much!