Access internal Webserver via Guest-WiFi

Hello Guys,

i've a FortiGate configured to publish our internal Webserver ("CRM") by VirtualIP.

That works great when Clients access from outside the network (Internet) or from local internal LAN.

Now i've created a tunnel Guest-WiFi and configured some policys. amongst other things i've configured a  policy from Guest-WiFi-LAN to the Internet over port1 (our WAN-Port).

But when i try to access our published Webserver ("CRM") i got a unreachable ...

Can you help me? Followed the config of ViP:

config firewall policy     edit 26         set name "CRM Zugriff von Extern"         set uuid 26350ad4-27ca-51e6-1a92-09107f052228         set srcintf "port1"         set dstintf "port5"         set srcaddr "GeoIP-Germany"         set dstaddr "CRM-HTTP" "CRM-HTTPS"         set action accept         set schedule "always"         set service "HTTP" "HTTPS"         set utm-status enable         set logtraffic all     next end config firewall vip     edit "CRM-HTTP"         set uuid e1c62614-f605-51e3-580e-1bb08c927a27         set extip <External IP>         set extintf "port1"         set portforward enable         set mappedip "172.16.0.4"         set extport 80         set mappedport 80     next     edit "CRM-HTTPS"         set uuid e1c62614-f605-51e3-580e-1bb08c927a27         set extip <External IP>         set extintf "port1"         set portforward enable         set mappedip "172.16.0.4"         set extport 443         set mappedport 443     next end