Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Al_Grant

50E Policy Setup Issues

Hello,

I have a new Fortigate FG50E which is on a work group (no servers or AD etc).

The initial policy setup allows LAN-WAN source all, destination any, and this seems to work.


The minute I add another policy, still LAN->WAN but with the source set to one specific IP, other IPs on the LAN are also getting blocked.


I don't know where to go beyond this to find out why.


Could someone please help?


Cheers


Al


andrewbailey

I see you have the same Vodafone DNS server specified twice - probably no value in that, and I see some suggestions that Vodafone's DNS servers can be a little flaky. Vodafone's ISP network is quite new and I think they have been building up capacity and servers as they go.


Why don't you try adding Google's DNS server as your secondary DNS (either 8.8.8.8 or 8.8.4.4)? If there are any issues with Vodafone's DNS at that point then the FortiGate would fall back to Google (which you know worked for this device - I think you said that DNS server worked well previously).


Also (an unrelated observation), it looks like you have all the LAN interfaces still in the "Local LAN" switch. Up to you, but once you start building policies to that LAN switch it becomes hard to split the LAN switch into separate interfaces.


If, for example (and highly recommended), you wanted to segregate your IoT devices (Hue lighting, Amazon devices, Ring doorbells, those sorts of things) you may want to use separate LANs or VLANs to isolate those devices. If you plan for that now it's much easier later.


Just my thoughts - hope it helps you.


Kind Regards,


Andy.

Al_Grant

Thanks Andrew. When you said Vodafone's DNS are flaky, are you talking about Vodafone UK or Vodafone NZ?

It's not the same server twice (note one is 203.109 and the other 203.118), but nevertheless I will put 8.8.8.8 as a secondary.


Yes, I would like to do as you suggest re all the home devices we have, but would first like to get this pesky issue sorted, which is stopping some phones from getting internet and also the smart TV.


I also note I have changed the DNS servers in the FortiGate, but even after a release/renew the clients are not picking up the new servers?


andrewbailey

Yes, I was referring to Vodafone UK - not sure how Vodafone NZ's servers are working, but it would be worth a bit of Googling perhaps. Sorry for the mistake there - on a quick look they seemed to be identical addresses!


Android devices (and in fact anything Google related) tend to prefer Google DNS - so as a general plan you can't go too far wrong with using one of their addresses. It also provides a little resiliency if Vodafone's DNS servers do fail for any reason.


If you are in NZ - hello! I'm a fellow Kiwi - been living in the UK for over 20 years. I was back over Xmas and will likely return again one day.


But good luck with the FortiGate - they are great devices. The Cookbooks online and the documentation generally are pretty good too. I started off buying one myself as a complete novice and learned along the way. I would never go back to a "consumer" router now. If you are from an IT or Telco background you will get the hang of them pretty quickly.


Good luck,


Andy.


ede_pfau

If I may chirp in...

Your list of the policies in CLI does not reflect their sequence. "edit 1" only denotes ID 1, not that this is the first policy in sequence.

Policies are matched top-down. The most detailed, or the one which specifies the most criteria, is followed. Matching fields are source interface, destination interface, source address, destination address, service, schedule. Particularly, fields for UTM (AV, IPS, ...), status and NAT are NOT matched.

As soon as traffic matches a policy, its processing stops. Only if traffic does not match the first policy is it handed down to the second, and so on.

So make sure that your policies' sequence is what you intend to achieve. Please check as well that your single address object has a /32 netmask.


Ede


"Kernel panic: Aiee, killing interrupt handler!"
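The two checks Ede asks for (the sequence, not the "edit N" ID, decides which policy fires, and the single-host object must carry a /32 mask) can be reasoned through outside the firewall. The Python below is an added illustration written for this thread, not Fortinet code and not anything Al posted: it models address objects as host plus dotted netmask the way the FortiOS "set subnet" form takes them, walks a constructed two-policy LAN->WAN table in sequence order with first-match semantics, and reports which policy a given source IP would hit. The interface names "internal"/"wan1", policy IDs 1 and 2, and the use of 192.168.85.190 (the address from the trace later in the thread) as the single host are assumptions for the example.

```python
"""Simulate first-match policy evaluation with FortiOS-style address objects.

Added illustration, not Fortinet code. Address objects are stored as
<ip> <netmask> pairs, and the policy table is walked in sequence order,
never in policy-ID order. Interface names and IDs are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    policyid: int          # the "edit N" number: an identifier, not a rank
    srcintf: str
    dstintf: str
    srcaddr: list          # address objects (ipaddress network objects)
    action: str


ALL = ipaddress.ip_network("0.0.0.0/0")   # stands in for the built-in "all" object


def addr_object(ip, netmask):
    """Build an address object from host IP + dotted netmask.
    strict=False mirrors a GUI that accepts a host address with a /24 mask,
    so 192.168.85.190 / 255.255.255.0 silently becomes the whole subnet."""
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def first_match(sequence, srcintf, dstintf, src_ip):
    """Walk policies top-down; the first one whose interface pair and source
    address match wins and evaluation stops. None means implicit deny."""
    src = ipaddress.ip_address(src_ip)
    for pol in sequence:
        if (pol.srcintf, pol.dstintf) != (srcintf, dstintf):
            continue
        if any(src in net for net in pol.srcaddr):
            return pol
    return None


def matched_policy_id(sequence, src_ip, srcintf="internal", dstintf="wan1"):
    """Policy ID that handles src_ip, or 0 (the ID FortiGate logs for implicit deny)."""
    pol = first_match(sequence, srcintf, dstintf, src_ip)
    return pol.policyid if pol else 0


def shadowed_policy_ids(sequence):
    """IDs of policies that can never match because an earlier policy on the
    same interface pair already covers every source address they list."""
    shadowed = []
    for i, later in enumerate(sequence):
        for earlier in sequence[:i]:
            same_path = (earlier.srcintf, earlier.dstintf) == (later.srcintf, later.dstintf)
            covered = all(any(n.subnet_of(e) for e in earlier.srcaddr) for n in later.srcaddr)
            if same_path and covered:
                shadowed.append(later.policyid)
                break
    return shadowed


def build_policies(host_netmask):
    """Constructed table: ID 1 = LAN->WAN from all, ID 2 = LAN->WAN from one host."""
    catch_all = Policy(1, "internal", "wan1", [ALL], "accept")
    one_host = Policy(2, "internal", "wan1",
                      [addr_object("192.168.85.190", host_netmask)], "accept")
    return catch_all, one_host


if __name__ == "__main__":
    for mask in ("255.255.255.255", "255.255.255.0"):
        catch_all, one_host = build_policies(mask)
        seq = [one_host, catch_all]            # ID 2 placed first in sequence
        for ip in ("192.168.85.190", "192.168.85.20"):
            print(f"mask {mask}: {ip} -> policy {matched_policy_id(seq, ip)}")
    catch_all, one_host = build_policies("255.255.255.255")
    print("shadowed when ID 1 sits first:", shadowed_policy_ids([catch_all, one_host]))
```

With the /32 mask only .190 hits policy 2 and every other host falls through to policy 1; with a /24 mask the "single host" object swallows the whole LAN, so every client is handled by policy 2 and whatever that policy does (or does not) allow. Putting the catch-all first makes policy 2 unreachable, which `shadowed_policy_ids` flags.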
Al_Grant

Yes, I have changed the order and tried disabling everything but the policy which allows internet access - to no avail.


I note a Chromecast works fine - just this pesky TV won't detect internet.

andrewbailey

I guess you have logging enabled on all the policies? If you have, can you see if anything is being blocked in the log files (check for result= Deny (All) or Action = Blocked)?


At this point do you have any security policies applied to the policies? If you have logging enabled then the logs will also indicate which FortiGate security policy has been triggered (e.g. Web Filter, App Filter, AV etc.).


Also, have you checked your MTU sizes on both the LAN and WAN interfaces? You may see "ip-conn" (IP connection) errors in the logs if you have issues there. I'm not sure what Vodafone NZ use - but it looks as though it's pretty standard at 1500 bytes for the WAN side for fibre connections.


Lastly, I know that TV software often causes issues - have you checked the TV software is up to date as well? Is there a setting for MTU size on the TV too perhaps? Have you checked that, maybe?


Good luck.


Andy.
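Andy's advice boils down to reading the traffic log for denied sessions, UTM blocks and "ip-conn" entries, and noting which policy each hit. The Python below is an added example written for this thread, not Fortinet code and not a log from Al's unit: it parses the key=value layout that FortiGate traffic and UTM logs use and tallies those three categories per source IP. The sample lines are constructed, and the field names and values relied on (type, subtype, action, policyid, with policyid=0 standing for the implicit deny and action="ip-conn" for a session that got no reply) are assumptions for illustration.

```python
"""Triage FortiGate-style key=value logs for denies, UTM blocks and ip-conn.

Added example, not Fortinet code. SAMPLE_LOG is constructed; the field
names and values are assumptions chosen to match the key=value layout of
FortiGate traffic and UTM logs.
"""
import re
from collections import Counter

# Constructed sample: one allowed DNS query, two implicit denies from .31,
# one stalled session from .190, and one web-filter block from .20.
SAMPLE_LOG = """\
date=2019-03-10 time=20:15:01 type="traffic" subtype="forward" srcip=192.168.85.20 srcintf="internal" dstip=203.118.191.1 dstport=53 proto=17 action="accept" policyid=1 service="DNS"
date=2019-03-10 time=20:15:02 type="traffic" subtype="forward" srcip=192.168.85.31 srcintf="internal" dstip=203.118.191.1 dstport=53 proto=17 action="deny" policyid=0 service="DNS"
date=2019-03-10 time=20:15:03 type="traffic" subtype="forward" srcip=192.168.85.31 srcintf="internal" dstip=142.250.70.3 dstport=443 proto=6 action="deny" policyid=0 service="HTTPS"
date=2019-03-10 time=20:15:04 type="traffic" subtype="forward" srcip=192.168.85.190 srcintf="internal" dstip=142.250.70.3 dstport=443 proto=6 action="ip-conn" policyid=1 service="HTTPS"
date=2019-03-10 time=20:15:05 type="utm" subtype="webfilter" srcip=192.168.85.20 dstip=142.250.70.3 action="blocked" policyid=1 profile="default"
"""

# key=value pairs; values are either a double-quoted string or a bare token
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one log line into a dict, stripping the quotes around values."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def triage(log_text):
    """Count denied sessions per (srcip, policyid), UTM blocks per
    (srcip, subtype) and ip-conn sessions per srcip."""
    denies = Counter()
    utm_blocks = Counter()
    ip_conn = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        action = rec.get("action", "")
        src = rec.get("srcip", "?")
        if rec.get("type") == "traffic" and action == "deny":
            denies[(src, rec.get("policyid", "?"))] += 1
        elif rec.get("type") == "utm" and action in ("blocked", "block"):
            utm_blocks[(src, rec.get("subtype", "?"))] += 1
        elif action == "ip-conn":
            ip_conn[src] += 1
    return {"denies": denies, "utm_blocks": utm_blocks, "ip_conn": ip_conn}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (src, pid), n in report["denies"].items():
        print(f"denied: {src} x{n} (policyid={pid}{' = implicit deny' if pid == '0' else ''})")
    for (src, sub), n in report["utm_blocks"].items():
        print(f"UTM {sub} block: {src} x{n}")
    for src, n in report["ip_conn"].items():
        print(f"ip-conn (no reply, check MTU/path): {src} x{n}")
```

A deny with policyid=0 means no policy matched at all, which points back at policy sequence or address objects; a deny or UTM block carrying a real policyid names the rule or profile to inspect; an ip-conn entry means the firewall forwarded the packet but never saw a reply, which is where Andy's MTU question comes in.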


Al_Grant

As if things weren't bad enough, an Apple iPhone behind the router also has intermittent issues where for a few minutes all the trace shows is this:


2683.685404 192.168.85.190.5353 -> 224.0.0.251.5353: udp 139
2692.702805 192.168.85.190.5353 -> 224.0.0.251.5353: udp 139
2719.760759 192.168.85.190.5353 -> 224.0.0.251.5353: udp 139


No reply from the router. Eventually, after a few minutes, it springs into life, or if I do a renew on the iPhone it goes. I am ready to return this if this is the sort of buggy stuff they put out.
