diff --git a/content/tutorials/get-started/set-up-secure-signing.md b/content/tutorials/get-started/set-up-secure-signing.md index 81f6f188fa..24f0fa9a88 100644 --- a/content/tutorials/get-started/set-up-secure-signing.md +++ b/content/tutorials/get-started/set-up-secure-signing.md @@ -60,7 +60,9 @@ To use this configuration: Be sure that this machine meets the minimum [system requirements for `rippled`](system-requirements.html). -2. Configure the `rippled` machine to have a static IP address in the local private LAN, or use a private DNS server to give the server a consistent name. +2. Configure the `rippled` machine to have a static IP address in your private LAN. + + Consult your network administrator for instructions for setting up a static IP in your LAN. If you do not have a static IP, you must change your config and restart `rippled` every time the machine's IP changes. With IPv4, private LAN addresses commonly start with `10.`, `192.168.`, or `172.(16 to 31).`. With IPv6, private LAN addresses typically start with `fc` or `fd`. 
@@ -70,20 +72,26 @@ To use this configuration: [port_rpc_admin_local] port = 5005 - ip = 10.1.0.0 # Changed from 127.0.0.1 - admin = 10.1.1.2 # Only the client with this IP is treated as admin + # Change the IP port to match the server's static IP + ip = 10.1.10.13 + # Only the client with the following IP is treated as admin + admin = 10.1.10.2 protocol = http [port_ws_admin_local] port = 6006 - ip = 10.1.0.0 # Changed from 127.0.0.1 - admin = 10.1.1.2 # Only the client with this IP is treated as admin + # Change the IP port to match the server's static IP + ip = 10.1.10.13 + # Only the client with the following IP is treated as admin + admin = 10.1.10.2 protocol = ws 4. If your `rippled` machine runs a software firewall, configure the firewall to accept connections on your local private network at the JSON-RPC and Websocket ports you configured in the previous step. (Ports `5005` and `6006` in the previous example.) The exact configuration depends on your firewall software. + If you use Network Address Translation (NAT), **do not** configure your router or hardware firewall to forward these ports from the outside. + 5. On the machine(s) that will submit transactions, connect to your server using your `rippled` server's private IP address and the configured ports. Use the [sign method][] (for single signatures) or [sign_for method][] (for multi-signatures). The example configuration from the previous steps uses port `5005` for JSON-RPC connections and port `6006` for Websocket connections.
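Review bot: In the first hunk (step 2), the rewritten step drops the "or use a private DNS server to give the server a consistent name" option without saying whether a hostname is still acceptable. If the `ip` setting only takes an address, state that. Otherwise keep the alternative. The added fallback sentence "you must change your config and restart `rippled`" should also name what has to be edited (the `ip` lines in the two admin port stanzas of step 3). Minor wording: "instructions for setting up" reads better as "instructions on setting up", which avoids the repeated "for".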
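Review bot: In the second hunk, the new comment "# Change the IP port to match the server's static IP" (added to both `[port_rpc_admin_local]` and `[port_ws_admin_local]`) conflates two settings. `port` is its own line, so the comment should read "# Change the IP address to match the server's static IP". Separately, `admin = 10.1.10.2` grants admin treatment by client address alone, while step 2 only asks for a static IP on the `rippled` machine. Consider adding that the client machine needs a fixed address as well, so the admin entry cannot end up matching a different host on the LAN. The added NAT paragraph would also benefit from a short reason, for example that these ports treat the listed client as admin and must stay reachable only from the private network.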