Hi,

You can use VIP's with a dynamic IP. But I don't see any VIP's defined in your current config.

I noticed a couple of things:

You have the minecraft en secams services defined with only one source port. Connecting clients will pick a random port in the range 0-65535. So you should define the services as:

set service "seccams" protocol tcp src-port 0-65535 dst-port 8085-8085

You defined the addresses of your servers with a netmask of /24 (255.255.255.0). That way your policies allow incoming traffic not only to your server, but to the whole internal LAN. Addresses should be defined as:

set address "Trust" "192.168.11.245" 192.168.11.245 255.255.255.255

Steve

how would i define a vip, can i just use any ip, or do i have to use one in a certain range?

You add the VIP to your untrust interface (ethernet3). Because you only have the one public IP address, you add the VIP to that address:

- Network>Interfaces>List>Edit ethernet3>VIP

- Select "Same as the interface IP address" and click Add.

- Click New VIP service, select your public IP as Virtual IP

- Select the service in Map to service

- Enter the internal IP address of your server in "Map to IP"

Now create the policy to allow the traffic:

- Policy>Policies Untrust to Trust

- Source address: Any

- Destination address: VIP (ethernet3)

- Service: select service

- Action permit

Steve