FG30E with FortiOS v6.0.1 build0131 - one host fails on policy 0 with drop
Hi Guys,
I have a strange problem on a FG30E with FortiOS v6.0.1 build0131 (GA).
The setup is the following:
I have a local LAN with subnet 192.168.1.0/24. The LAN ports of the FG30E (as a hardware switch) act as the gateway, with interface IP 192.168.1.1/24.
The WAN port of the FG30E (IP 192.168.2.254/24) is connected to a DSL modem (Fritz!Box) in the subnet 192.168.2.0/24.
There is a default route 0.0.0.0/0 which points to the WAN interface and the IP of the Fritz!Box (192.168.2.1/24).
There is one policy that allows all traffic from the LAN to the internet:
show firewall policy 2
config firewall policy
    edit 2
        set name "Park-to-Internet"
        set uuid b5ab8032-89a5-51e8-7074-46a0bd1754d1
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "NET_192.168.1.0_Park"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
But one host inside the LAN (192.168.1.153/24) shows the following error in the packet sniffer:
...
id=20085 trace_id=134 func=print_pkt_detail line=5320 msg="vd-root:0 received a packet(proto=17, 192.168.1.153:49865->192.168.1.1:53) from lan. "
id=20085 trace_id=134 func=init_ip_session_common line=5480 msg="allocate a new session-00002f8c"
id=20085 trace_id=134 func=vf_ip_route_input_common line=2590 msg="find a route: flag=84000000 gw-192.168.1.1 via root"
id=20085 trace_id=134 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
...
I have no idea why this error occurs and how to solve it.
I tried to create a LAN-to-LAN policy, but the error still occurs.
Any suggestions?
Many thanks.
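An added example, not part of the original post and not Fortinet code: a small parser for the debug-flow records pasted above, useful when a trace has been copied onto one long line as here. It groups the records by trace_id, pulls out the 5-tuple and the final verdict, and flags traces whose destination is one of the FortiGate's own interface addresses (192.168.1.1 in the trace above), since a packet addressed to the unit itself is evaluated in fw_local_in_handler rather than by a forward policy such as policy 2. The set of self addresses is passed in by the caller and is an assumption; trace_id 135 and its "Allowed by Policy-2" record are constructed for contrast and do not come from the post.

```python
import re

# Constructed sample in the format of FortiOS "diagnose debug flow" output.
# trace_id 134 reproduces the records from the post (DNS to the lan interface
# address 192.168.1.1). trace_id 135 is constructed: the same host resolving
# via an external server, accepted by policy 2. Records are deliberately
# pasted several to a line, as in the post.
SAMPLE_TRACE = (
    'id=20085 trace_id=134 func=print_pkt_detail line=5320 '
    'msg="vd-root:0 received a packet(proto=17, 192.168.1.153:49865->192.168.1.1:53) from lan. " '
    'id=20085 trace_id=134 func=init_ip_session_common line=5480 msg="allocate a new session-00002f8c" '
    'id=20085 trace_id=134 func=vf_ip_route_input_common line=2590 '
    'msg="find a route: flag=84000000 gw-192.168.1.1 via root" '
    'id=20085 trace_id=134 func=fw_local_in_handler line=409 '
    'msg="iprope_in_check() check failed on policy 0, drop"\n'
    'id=20085 trace_id=135 func=print_pkt_detail line=5320 '
    'msg="vd-root:0 received a packet(proto=17, 192.168.1.153:49866->8.8.8.8:53) from lan. " '
    'id=20085 trace_id=135 func=init_ip_session_common line=5480 msg="allocate a new session-00002f8d" '
    'id=20085 trace_id=135 func=vf_ip_route_input_common line=2590 '
    'msg="find a route: flag=04000000 gw-192.168.2.1 via wan" '
    'id=20085 trace_id=135 func=fw_forward_handler line=737 msg="Allowed by Policy-2: SNAT"\n'
)

# One debug-flow record; several may share a line, so we search rather than
# match line by line.
RECORD_RE = re.compile(
    r'id=(?P<id>\d+)\s+trace_id=(?P<trace>\d+)\s+func=(?P<func>\w+)\s+'
    r'line=(?P<line>\d+)\s+msg="(?P<msg>[^"]*)"'
)
# The 5-tuple printed by print_pkt_detail.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+),\s*'
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)'
    r'\s+from\s+(?P<intf>\w+)'
)
# Matches both "policy 0" (local-in check) and "Policy-2" (forward handler).
POLICY_RE = re.compile(r'[Pp]olicy[- ](?P<policy>\d+)')


def parse_records(text):
    """Split pasted debug-flow text into records regardless of line breaks."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def group_by_trace(records):
    """Order-preserving grouping of records by trace_id."""
    traces = {}
    for r in records:
        traces.setdefault(r["trace"], []).append(r)
    return traces


def classify_trace(records, self_ips):
    """Summarise one trace: 5-tuple, final verdict, policy number, and whether
    the destination is one of the FortiGate's own addresses (local-in path)."""
    pkt = None
    for r in records:
        m = PKT_RE.search(r["msg"])
        if m:
            pkt = m.groupdict()
            break
    last = records[-1]
    pm = POLICY_RE.search(last["msg"])
    summary = {
        "packet": pkt,
        "last_func": last["func"],
        "policy": int(pm.group("policy")) if pm else None,
        "dst_is_self": pkt is not None and pkt["dst"] in self_ips,
    }
    if "drop" in last["msg"]:
        # fw_local_in_handler means the packet was for the unit itself, so the
        # lan-to-wan / lan-to-lan forward policies were never consulted.
        summary["verdict"] = ("local-in drop" if last["func"] == "fw_local_in_handler"
                              else "forward-policy drop")
    elif last["msg"].startswith("Allowed by"):
        summary["verdict"] = "accept"
    else:
        summary["verdict"] = "incomplete"
    return summary


def analyse(text, self_ips):
    """Map trace_id -> summary for every trace found in the pasted text."""
    return {tid: classify_trace(recs, self_ips)
            for tid, recs in group_by_trace(parse_records(text)).items()}


if __name__ == "__main__":
    # Assumed interface addresses of the FG30E from the post's description.
    for tid, s in analyse(SAMPLE_TRACE, {"192.168.1.1", "192.168.2.254"}).items():
        p = s["packet"]
        print(f"trace {tid}: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"proto={p['proto']} in={p['intf']} verdict={s['verdict']} "
              f"policy={s['policy']} dst_is_self={s['dst_is_self']}")
```

Run against the pasted trace, trace 134 comes out as a local-in drop on policy 0 with dst_is_self set, while the constructed trace 135 to an external resolver is an accept on policy 2; the flag is what separates "my forward policy is wrong" from "this packet never reached a forward policy".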
