Dave, thank you for the response. Like I said, it' s probably something very simple. I' ll paste that information below. Some names changed to protect the innocent, but everything should match exactly. Excuse the ugly formatting. ---------------------------------------------- Policy configurations (note- I made these very recently trying to get this to work, they weren' t made when the router was first installed): internal -> wifi Source: internal Source Address: [the Firewall Address I made, which binds 192.168.0.0/255.255.255.0 to the internal Interface] Destination: wifi Destination Address: [the Firewall Address I made, which binds 10.10.80.0/255.255.255.0 to the wifi Interface] Schedule: always Service: ANY Action: ACCEPT wifi -> internal Source: wifi Source Address: [the Firewall Address I made, which binds 10.10.80.0/255.255.255.0 to the wifi Interface] Destination: internal Destination Address: [the Firewall Address I made, which binds 192.168.0.0/255.255.255.0 to the internal Interface] Schedule: always Service: ANY Action: ACCEPT ---------------------------------------------- Network/Interface configurations: Name: internal Addressing Mode: Manual IP/Netmask: 192.168.0.1/255.255.255.0 Name: wifi Addressing Mode: Manual IP/Netmask: 10.10.80.1/255.255.255.0 ---------------------------------------------- Network/DHCP configurations: Name: internal Mode: Relay Type: Regular DHCP Server IP: [our working Windows DHCP server on the 192.168.0.x network] Name: wifi Mode: Server Type: Regular IP: 10.10.80.10 - 10.10.80.254 (will probably drop this much lower at some point) Netmask: 255.255.255.0 Default Gateway: 10.10.80.1 DNS Service: Use System DNS Setting ---------------------------------------------- Router/Static Route configuration: (there is only 1 present from the initial configuration) Destination: 0.0.0.0/0.0.0.0 Device: wan1 Gateway: [our public outside IP] ---------------------------------------------- Thanks again.

There' s no ' trick' needed for a situation like this. A firewall is a device controlling network connections based on policies. If you want to allow a connection from ' wifi' to ' internal' then you just need a policy allowing it. I see that you already have this in place. Unfortunately, you left out the crucial part, namely the address definitions. And this is definitly NOT a routing issue. The Fortigate creates a static route for each directly connected network automatically. In other words, it ' knows' where to find a ' wifi' address already. To check this, you could also check and/or post the Routing Monitor table. In fact, you' ve made your life easier with choosing 2 distinct network address ranges for the 2 subnets. One more thing you can do to diagnose the situation: in the Policy Table/Monitor, enable a column called ' Count' . It displays the number of bytes passing each policy. You will immediately see if the policy gets hit or not.

Thanks for the help guys. It sounds like I directed this question to the wrong section of the forum so I apologize for that. I actually got it working and I' m not exactly sure which change did it, although I did enable NAT in both policies and it is working. Does that seem backwards? I ask because of Dave' s comments. Either way, looks good as I can ping & log into shares using IPs from the other subnet. Thanks again!

Fine, just un-check the NAT box in both policies (one for each direction) and you' re done. NAT here is unnecessary as the FGT knows about the whole subnet and does not need to substitute source addresses.