We have a Fortinet FortiGate 200B. Our ISP gave us 5 IPs to use. The first is our main address assigned to the 200B's MAC address. They also have 3 IPs looking for our DVR security systems also by MAC address. Here is the set up:
X.X.X.150 = Our main IP.
X.X.X.151 = DVR #1.
X.X.X.152 = DVR #2.
X.X.X.153 = DVR #3.
X.X.X.154 = Nothing used yet.
My question is how do I set up the Fortinet FortiGate 200B to see all 5 of these IPs coming from the modem?
There are no WAN ports, so I set up Port 11 as DHCP for the ISP.
I pretty much followed these directions:
http://kb.kaminskiengineering.com/node/377
I went to Firewall Objects > Virtual IP > Virtual IP and created the ports that need to be forwarded to. There are four ports needed for each DVR. The port numbers are the same for each DVR, but the external IP is different. Therefore, there are 12 entries.
I then went to Firewall Objects > Virtual IP > VIP Group and created three groups for each DVR using the four ports forwarded to for each group.
Last of all, I went to Policy > Policy > Policy and created a Port 11 > The Switch policy and added each VIP Group in this order:
No boxes are checked.
The subnet mask for the Internet given to us is 255.255.254.0, but I am not sure where else I could put that unless I add each DVR to Firewall Objects > Address > Address.
I'm not sure of the proper way to do the diag sniff.
I don't see proxy-arp listed anywhere.
Mike's question was based on an assumption that your ISP is actually delivering packets for other devices to your FG. But it's not the case now. The only thing you could do, to me, is pretty much negotiating with your ISP to provide at least one static IP (or a /30 for your FG and their GW device) different from what you have now and route the additional subnet you have now to your FG IP, by insisting you have to terminate/route all traffic through your FW (FG).
Could any of these issues have anything to do with having a Windows 2008 R2 server doing DHCP on our network? I am not sure how though because the old DVR system worked fine.
I am out of ideas. The Internet IPs other than our main can be pinged to. The ISP has the MAC addresses of the DVRs linked to the reserve Internet IPs.
If you have decided to go that route, you can't put your DVR devices behind the FG. You need to have a switch connected to ISP's modem on WAN side then all devices, FG, DVRs, others that have the public IPs from the ISP need to be connected to the switch to pull the IP from ISP's DHCP server. At that time, at least DVRs have no network connection to your internal Win DHCP server.
What route? How can an older DVR system hooked up the same way work and now this new system not work when all we did was change the IPs allowed to us? What else can I tell the ISP to change?
You said your ISP got the DVRs' MAC addresses. That means your ISP is expecting each DVR to request the assigned IP from them. If it's behind your FG, the DHCP request wouldn't get through to reach the ISP side. They, the DVRs, have to be on the same broadcast domain as the ISP's modem for their DHCP to work.
I would recommend you create a diagram of how your network is laid out and discuss your options with your ISP.
I was thinking of the following sniff :
diag sniff packet any 'host X.X.X.151 or host X.X.X.152 or host X.X.X.153 or host X.X.X.154 '
Then try to ping all of these IPs (from another connection - for example ping from your mobile, or ask a friend from somewhere else :) )
If your ISP is working correctly, you should see some packets being captured.
If you don't see anything, then talk with your ISP...
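The check suggested above comes down to one question: does any packet for X.X.X.151-154 ever arrive at the FortiGate? Below is an added helper, not code from the thread or from Fortinet, that parses the packet lines `diag sniff packet` prints (at verbosity 4, which adds the interface name and direction) and reports which of the reserved IPs received inbound traffic during the capture. The sample output is constructed for this example, with documentation-range addresses standing in for X.X.X.15x; the interface name `port11` is taken from the original post.

```python
import re
from collections import Counter

# Constructed sample of what `diag sniff packet any '<filter>' 4` prints on a
# FortiGate. 203.0.113.151-154 stand in for the thread's X.X.X.151-154, and
# 198.51.100.7 / 192.0.2.9 are the outside hosts doing the pinging.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 203.0.113.151 or host 203.0.113.152 or host 203.0.113.153 or host 203.0.113.154]
1.010101 port11 in 198.51.100.7 -> 203.0.113.151: icmp: echo request
1.010230 port11 out 203.0.113.151 -> 198.51.100.7: icmp: echo reply
2.220202 port11 in 198.51.100.7 -> 203.0.113.151: icmp: echo request
3.303030 port11 in 198.51.100.7 -> 203.0.113.153: icmp: echo request
4.404040 port11 in 192.0.2.9.41023 -> 203.0.113.153.80: syn 1234567890
"""

# The public IPs the ISP says are reserved for the DVRs (plus the spare one).
RESERVED_IPS = ["203.0.113.151", "203.0.113.152", "203.0.113.153", "203.0.113.154"]

# One packet line: "<secs> [<iface> in|out] <src>[.port] -> <dst>[.port]: <rest>"
# Header lines such as "interfaces=[any]" and "filters=[...]" do not match.
PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def parse_sniffer_output(text):
    """Return one dict per packet line (timestamp, interface, direction, src, dst, ...)."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def inbound_counts(packets, ips):
    """Count packets addressed to each watched IP, ignoring the FortiGate's own replies ("out")."""
    counts = Counter()
    for p in packets:
        if p["dst"] in ips and p["dir"] != "out":
            counts[p["dst"]] += 1
    return {ip: counts[ip] for ip in ips}


def ips_never_seen(packets, ips):
    """IPs that got no inbound packets at all: the ISP is not handing them to this FortiGate."""
    counts = inbound_counts(packets, ips)
    return [ip for ip in ips if counts[ip] == 0]


if __name__ == "__main__":
    pkts = parse_sniffer_output(SAMPLE_SNIFFER_OUTPUT)
    for ip, n in inbound_counts(pkts, RESERVED_IPS).items():
        print(f"{ip}: {n} inbound packet(s)")
    missing = ips_never_seen(pkts, RESERVED_IPS)
    if missing:
        print("No traffic reached the FortiGate for:", ", ".join(missing))
```

Paste the real sniffer output into `SAMPLE_SNIFFER_OUTPUT` (or read it from a file) while someone pings the reserved IPs from outside. An IP that shows zero inbound packets while the ping is running never reached the FortiGate, which is the evidence to bring to the ISP; an IP that shows packets arriving but no reply is a VIP or policy problem on the FortiGate side instead.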
I don't have much to report back. It seems something is screwy with the reserved IP addresses. I can change any of the reserved IPs to our main IP and the DVRs group using that IP work just fine away from the building. If I use one of the reserved IPs, they will not work.
I have no idea what I can say to the ISP. They keep telling me the IPs are reserved and they look for the MAC addresses of the DVRs.
Locking the other public IPs to one MAC each is the problem here.
The only way to handle this IMHO is to install a small WAN switch. Plug in
- the WAN line from the router
- the FGT's WAN port
- the DVRs WAN ports
This way, the DVRs will address the ISP's router showing their original MAC addresses and receive their public addresses. Of course, then they are exposed to the internet! No protection from the FGT at all.
As a true solution, your ISP should just route a /28 subnet to your FGT and skip authenticating via MACs. Or rather, authenticate one MAC for the whole subnet. Then you could create VIPs for all the other public IPs and this will just work.
I wish it was that simple, but the DVRs are in different buildings and they go through a Windows Server before getting to the Fortigate which is in another building.
So then the reserved IPs could be reserved to the same MAC address (the FortiGate's MAC the modem is plugged into)?