diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml
index 583df4276..7caca0830 100644
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@@ -40,10 +40,20 @@ host_channel: 6
 hostapd_secure: False
 hostapd_password: changeme
 
-# Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or
-# 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables
-# within github.com/iiab/iiab/blob/master/roles/
-services_externally_visible: True
+# Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
+# (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
+# Only 1 of the 6 lines below should be uncommented:
+#
+#ports_externally_visible: 0    # none
+#ports_externally_visible: 1    # ssh only
+#ports_externally_visible: 2    # ssh + Admin Console
+ports_externally_visible: 3     # ssh + Admin Console + common IIAB services
+#ports_externally_visible: 4    # ssh + Admin Console + common IIAB services + Samba
+#ports_externally_visible: 5    # all but databases
+#
+# Or further customize your iptables firewall by editing:
+# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
+# And then run: cd /opt/iiab/iiab; ./iiab-network
 
 # Make this True if client machines should have access to WAN/Internet:
 iiab_gateway_enabled: False