DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Firewall: Complex condition

20 Aug 2018 09:52 #1 by lesd
Firewall: Complex condition was created by lesd
I can't get my head round how to implement the requirement below.

I thought I had it worked out but then discovered that I can't use 'Invert selection' with an object group - so I am stuck.

I have a switchboard on a local server and need to open ports to enable remote phones to be connected only from several specific locations.

So we have:

- PBX server local IP: 10.27.27.xxx
- Ports opened and forwarded to PBX server: P1, P2, P3-P4
- External IPs that should be permitted to connect on those ports: XP1, XP2, XP3

How do I set this up so that ports (P1 and P2 and port range P3-P4) are only accessible from external IPs XP1, XP2, XP3?

Many thanks.

Les

22 Aug 2018 07:06 #2 by chrisw
Replied by chrisw on topic Re: Firewall: Complex condition
Don't know if you have solved this, but it doesn't sound too dissimilar to what I do with my firewall for VoIP though admittedly I'm not using object groups.
Aside from the port forwarding, the firewall data filter rules I have are quite simple:
1) Pass port 5060 from provider 1 [from a specific IP] to internal IP [set by port forward rule]
2) Pass port 5060 from Provider 2 [again from a specific IP] to internal IP
3) Block any other port 5060 immediately
Repeat above sequence with other ports I need open.

Maybe I've missed something, but it works fine for me.

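Added example, not part of the original posts: a small Python model of the ordering described in reply #2 (a pass rule per permitted source, then a block rule for the same ports), which achieves the allow-list without 'Invert selection'. The addresses and port numbers are constructed stand-ins for XP1-XP3 and P1, P2, P3-P4; the first-match evaluator and the default-pass policy are simplifying assumptions, not DrayTek firmware behaviour.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block", applied immediately
    src: ipaddress.IPv4Network     # source the rule matches
    ports: range                   # destination ports the rule matches

# Constructed sample values (documentation address ranges, example ports).
ALLOWED_SOURCES = ["203.0.113.10", "203.0.113.20", "198.51.100.7"]  # XP1..XP3
FORWARDED_PORTS = [range(5060, 5061), range(5061, 5062), range(10000, 10101)]

def build_rules(sources, port_ranges):
    """Per port range: one pass rule per allowed source, then block-any."""
    rules = []
    for ports in port_ranges:
        for s in sources:
            rules.append(Rule("pass", ipaddress.ip_network(s), ports))
        rules.append(Rule("block", ANY, ports))
    return rules

def evaluate(rules, src_ip, dst_port, default="pass"):
    """First matching rule decides; unmatched traffic gets the assumed default."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if addr in r.src and dst_port in r.ports:
            return r.action
    return default

def misordered(rules):
    """Indexes of pass rules that can never fire because an earlier
    block-any rule already covers their whole port range."""
    dead = []
    for i, r in enumerate(rules):
        if r.action != "pass":
            continue
        for e in rules[:i]:
            if (e.action == "block" and e.src == ANY
                    and e.ports.start <= r.ports.start
                    and r.ports.stop <= e.ports.stop):
                dead.append(i)
                break
    return dead
```

Running `misordered()` over a planned rule list before entering it in the router catches the case where a block rule has been placed above the pass rules it is meant to follow.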