FFXI and PlayOnline requires the following ports to be allowed through for the following reasons:
TCP 25, 110, and 443 for e-mail
TCP 80 for web access
And dynamic ports 50000 to 65535 for various communications
UDP ports 50000-65535 for various communications
There should be a setting to allow you to specify that when your computer requests a port, it will trigger the rule to allow access activating all the other ports for a specific communication with a server. You can set it so that one or more of these ports will trigger the rule:
TCP 51220 (Authentication Login)
TCP 53001 (FFXI Patch Connection)
TCP 54001 (FFXI Connection)
TCP 51300 (PlayOnline Menu Update)
TCP 54000 (PlayOnline Patch Connection)
TCP 51240 (PlayOnline Redirection Connection)
or you can just set it as a range from 51000 to 55000 TCP.
It is usually safe to make it so at out going request on that port to a certain server will allow that server to connect back on the other ports. You may have to fiddle with the settings a bit. Maybe I will post up a guide at the end of the month on configuring your firewall.
Please find a place for your router configuration that has "PORT TRIGGERING" or "APPLICATION TRIGGERING" and enter 51000-55000 TCP for the trigger ports! Then input all the ports as specified in the manual to allow access after those ports are triggered.
All this information should be on one line, for ONE APPLICATION. So, an example of this might be:
TRIGGER START PORT: 51000
TRIGGER END PORT: 55000
TRIGGER TYPE: TCP
PUBLIC PORT: 25, 80, 110,443, 116,118,443,50000-65535
PUBLIC TYPE: BOTH
Refer to the image and find something like this on your router and set it appropriately. Special thanks to Oro-dono for the image.