ConfigureAllTheWalls
New Contributor

Some clients not caught by policy

Hi,

in order to separate some WiFi users from another part of a network, I have created a VLAN interface using the following settings:

Addressing mode: Manual
IP/Netmask: 10.10.80.100/255.255.255.0

An address object was automatically created by my FortiGate 30E, currently still running 6.2.10.

I also enabled DHCP on that interface using the following address range: 10.10.80.101-10.10.80.254.

Next, I set up my Unifi switch and access points to use that new VLAN. This part works flawlessly and the clients on the WiFi get an address from the aforementioned subnet.

To allow access to the internet (but not to local networks), I created a policy:

From: WLAN (the VLAN interface)
To: wan (the internet connection)
Source: 10.10.80.100/255.255.255.0 (using the automatically created address object)
Destination: all
Schedule: always
Service: ALL

I quickly realized that some clients can connect to the internet (using www.google.de in all tests) and some can't. I tried to find out what was happening, and using the "Policy Lookup" function in the GUI, I realized that some IPs from the subnet (e.g. 10.10.80.111) are caught by the policy, thus allowing a client to connect, while for other IPs (e.g. 10.10.80.101, 10.10.80.103) I get the following error:

Policy lookup matches the implicit deny policy. No explicit policy exists from source interface "WLAN" to destination interface "ppp1" as determined by a route lookup to "142.251.209.132"

I really don't understand what is happening here. Am I missing something trivial?

1 REPLY
srajeswaran
Staff

Can you run the commands below and confirm the route is correct and shows the expected port numbers that are used in the policy?

get router info routing-table details 10.10.80.101

get router info routing-table details 142.251.209.132

Sometimes the policy may not be applied correctly, and we may try to create a duplicate policy, place it above the current one, and check the behavior.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
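The setup described in the question and the route check suggested in the reply, written out as FortiOS 6.2 CLI as an added illustration (this is not the poster's actual configuration or the reply's output). The VLAN id 80, the parent port "internal", the policy name and the auto-generated address object name "WLAN address" are assumptions.

```text
# Added illustration, not taken from the thread: the VLAN interface, DHCP scope
# and firewall policy from the question as FortiOS 6.2 CLI. Assumed values:
# vlanid 80, parent port "internal", object name "WLAN address", policy name.
config system interface
    edit "WLAN"
        set vdom "root"
        set ip 10.10.80.100 255.255.255.0
        set type vlan
        set interface "internal"
        set vlanid 80
    next
end
config system dhcp server
    edit 1
        set default-gateway 10.10.80.100
        set netmask 255.255.255.0
        set interface "WLAN"
        config ip-range
            edit 1
                set start-ip 10.10.80.101
                set end-ip 10.10.80.254
            next
        end
    next
end
config firewall policy
    edit 0
        set name "WLAN-to-internet"
        set srcintf "WLAN"
        set dstintf "wan"
        set srcaddr "WLAN address"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# Check from the reply: the interface reported for the destination route must
# equal the policy's dstintf ("wan"); the lookup error above names "ppp1".
get router info routing-table details 10.10.80.101
get router info routing-table details 142.251.209.132
```

If the route to the destination resolves to an interface other than the policy's dstintf, the policy can never match, which is exactly the implicit-deny result quoted in the question.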