Gordan_Grgurina
New Contributor

Multiple public address on single port

My ISP provides six public addresses at one port of their equipment. How do I connect and define the distribution of the addresses on a FortiGate 100D, OS 5.0? I have several networks, three of which need their own public addresses while the others only need outbound access to the internet. All networks that need only internet I'd put on one public address.
Warren_Olson_FTNT

You could set up proxy ARP for all of your /29 on the interface connected to the ISP.
ede_pfau
SuperUser

This is twofold.

1. To have each subnet use its own public IP address you set up IP pools. Each one contains only 1 public address. Then, in each policy 'LANx' -> 'wan' you specify NAT, use dynamic NAT, IPpoolX. Outgoing traffic will have this address as source address. If you want all internet-only subnets to use one public address, just reuse the IPpool in the different policies.

2. If you want access from outside via a public address then you set up a VIP (virtual IP address) for each. A VIP translates access from a public IP address to some internal address (server, host, ...). But it does more: it responds to ARP requests on the WAN port, it source-NATs reply traffic from the internal server to the external requester, and it source-NATs traffic originating from inside. So, in fact, you do not have to use an IPpool here to source-NAT if you access your server via a VIP. VIPs can map one-to-one or many-to-many, i.e. whole subnets. In your case you cannot use the latter if the FGT's public address is within the /29 subnet you want to translate.
Ede Kernel panic: Aiee, killing interrupt handler!
Gordan_Grgurina
New Contributor

So it is not possible to combine one-to-one and many-to-many? Or is one-to-many possible? I want to ask: is it possible to divide, so that for the class B addresses one public address goes to a local network, and the whole class C addresses go to another public address? In this way I didn't interrupt the class C addresses.
ede_pfau
SuperUser

I do not fully understand what you are trying to do, sorry. Please give examples. Anyway, yes, NAT can be one-to-many as well - one source address is translated to a number of public addresses in a round-robin fashion. Just to name the 4th: the method most often used is many-to-one.
Gordan_Grgurina
New Contributor

I have 6 public addresses in the range x.x.x.122/29 to x.x.x.126/29 and gateway x.x.x.121/29. All public addresses are connected to the FG-100D WAN1 port. I need functionality as if I were directly connected to the router: access from the outside, port forwarding, etc. In this way I should be able to set up access to the streaming server (Wowza).
- Public address x.x.x.122 going to port1 (VLAN1), network 192.168.11.0.
- Public address x.x.x.123 forwarded to VLAN2 (other device), which is administered by another company.
- Public address x.x.x.126 should be used for all networks that do not require interconnection, are in different VLANs, but only need exit to the Internet.
I hope I have explained it better.
ede_pfau
SuperUser

So no surprises here, good. You need to set up 2 VIPs:
- public.122 for your VLAN1
- public.123 for VLAN2
If you assign public.126 to the WAN port you would not need to create an IPpool for it; just check NAT to Interface IP in the policy. The "assignment" of public IP to internal VLAN occurs while defining the VIPs. Of course, with just 1 public IP address (.122) you can address multiple servers only by port forwarding. So you might consider using the public address which is used most as the WAN IP of the FGT, and not for a VIP.
Gordan_Grgurina
New Contributor

I've set x.x.x.126 as the WAN1 address. Now each port of the FGT can be defined for a different network with one exit to the internet. In the policy for the WAN1 port I've marked NAT. It now works as expected. Thank you.

For testing public.122, I have marked ports 3-6 on the FG100D as a software switch with IP/mask 192.168.11.1/255.255.255.0 and enabled DHCP in the range 192.168.11.200-254. I set the stream server to 192.168.11.2/24 and the camera to 192.168.11.3/24.

Before, I had a router with public address x.x.x.122 and local address 192.168.11.1. On it, ports were forwarded for the Wowza streaming server with IP address 192.168.11.2. In the same network I had a few IP cameras and a server for recording the cameras. All devices on the network were able to access the Internet through the gateway 192.168.11.1.

Wowza standard ports:

SERVICE PORT   INTERNAL PORT   PROTOCOL   SERVICE
1935           1935            TCP        RTMP/RTMPE/RTMPT/RTSP-interleaved streaming/WOWZ
6970-9999      6970-9999       UDP        RTP UDP streaming
80             80              TCP        HTTP Adobe HDS, Apple HLS, Microsoft Smooth Streaming, MPEG-DASH streaming, RTMPT
443            443             TCP        RTMPS, HTTPS
554            554             TCP        RTSP streaming
8084-8085      8084-8085       TCP        8084 RMIConnectionPort, 8085 RMIRegistryPort
8086           8086            TCP        Administration (8086-8088)

Now I'm spinning in circles. For the first VIP public.122 I created seven VIP addresses for the UDP and TCP ports that the server uses, and joined them to a VIP group, e.g.

VIP Name: public.122_UDP
External Interface: WAN1
External IP Address/Range: xxx122/xxx122 (public address)
Mapped IP Address/Range: 192.168.11.2/192.168.11.2 (local server address)
Port Forwarding: marked, and I define the protocol and mapped ports
VIP groups: public.122 (with all 7 virtual IPs)

I have the VIP group, but what now? I tried with static routing, but a VIP can't be set there because only a gateway (x.x.x.121/29) can be set. I tried to set a policy in Firewall -> Policy allowing all traffic from WAN1->LAN and the reverse from LAN->WAN1. And I had no success.
www.whatsmyip.net shows x.x.x.126 instead of x.x.x.122. Pinging x.x.x.122 I don't receive a response.
emnoc
Esteemed Contributor III

You're on the right track; now you need to define the policies for the VIP. To make it less confusing, what I would do is one server for the VIP .122 for now, so you understand the process, with just one VIP and not a group for now, and then later you build the vip-group.

Let's say your VIP was named VIP122WOW for the streaming server.

1st, create a custom service for the not-so-well-known services (examples):

config firewall service custom
    edit "wowza-1935"
        set protocol TCP/UDP
        set tcp-portrange 1935-1935:1-65535
    next
    edit "wowza-RTP-STREAM"
        set protocol TCP/UDP
        set udp-portrange 6970-9999:1-65535
    next
end

Repeat the above as required for all custom services. The above two are an example for what you gave us and for Wowza.

Next, build a service group that groups the services for that VIP (it will make your life easier in the long run):

config firewall service group
    edit "wowza-srvc-group"
        set member "wowza-1935" "wowza-RTP-STREAM"
    next
end

Note: add additional services to this as required. Once again, create as many groups with the services that are required for the other VIPs.

Lastly, build the policy with the group listed in the service and the correct vip-name (or group if you're doing the group), with the interfaces + services and/or service groups:

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "VIP122WOW"
        set action accept
        set comments "VIP for WOWZA"
        set schedule "always"
        set service "wowza-srvc-group"
    next
end

DO NOT ENABLE NAT ON THE VIP FWPOLICY.

Now to this part of your question,
And I had no success. www.whatsmyip.net shows x.x.x.126 instead of x.x.x.122. Pinging x.x.x.122 I don't receive a response.

This is a port-forward VIP, so only those services are pinholed to the inside. You need to enable NAT on a policy that allows the inside server outbound for all other traffic if required. It would use the .126 WAN interface, or build an IP nat-pool and select that pool for the traffic originating from the inside outbound. All traffic that maps to the VIP will automatically reply with the VIP mapped-ip. Also, diag debug flow with filters would help you understand which fwpolicies are used for both in and out. Do a search here with the above 3 words for many examples.

BTW, your diagram was extremely helpful. I wish more would explain what they are doing via diagrams. This will assist us with giving you guidance or direction. Start with one VIP 1st and then build the group later so you get comfortable with the operation, but you're on the right track.
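Putting the advice in this thread together for the poster's layout, as an added example that is not any participant's own configuration: FortiOS 5.0 CLI for a port-forwarded VIP on .122 to the Wowza server, a whole-address VIP on .123 for the VLAN2 device, the inbound VIP policy with NAT off, and the outbound policy that source-NATs to the WAN1 address .126. The x.x.x prefix is the poster's masked /29; the VIP names, the interface name port1 and the VLAN2 device address 192.168.12.2 are assumptions.

```fortios
config firewall vip
    edit "VIP122-WOWZA-RTMP"
        set extintf "wan1"
        set extip x.x.x.122
        set mappedip 192.168.11.2
        set portforward enable
        set protocol tcp
        set extport 1935
        set mappedport 1935
    next
    edit "VIP122-WOWZA-RTP"
        set extintf "wan1"
        set extip x.x.x.122
        set mappedip 192.168.11.2
        set portforward enable
        set protocol udp
        set extport 6970-9999
        set mappedport 6970-9999
    next
    # whole-address VIP: every port of .123 maps to the VLAN2 device (assumed address)
    edit "VIP123-VLAN2"
        set extintf "wan1"
        set extip x.x.x.123
        set mappedip 192.168.12.2
    next
end
config firewall policy
    # inbound to the Wowza server; the port-forward VIPs already limit exposure to 1935/tcp
    # and 6970-9999/udp, and NAT stays off on a VIP policy
    edit 0
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "VIP122-WOWZA-RTMP" "VIP122-WOWZA-RTP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # outbound for everything on port1 (server, cameras): source-NAT to the WAN1 IP .126
    edit 0
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

A port-forwarded VIP does not source-NAT the server's own outbound traffic, so whatsmyip from 192.168.11.2 will show .126 under this configuration; an IP pool holding only .122 on the outbound policy is the way to make the server appear as .122 instead.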