Hi,
in order to separate some WiFi users from another part of a network, I have created a VLAN interface using the following settings:
Addressing mode: Manual
IP/Netmask: 10.10.80.100/255.255.255.0
An address object was automatically created by my FortiGate 30E, currently still running 6.2.10.
I also enabled DHCP on that interface using the following address range: 10.10.80.101-10.10.80.254.
Next, I set up my Unifi switch and access points to use that new VLAN. This part works flawlessly and the clients on the WiFi get an address from the aforementioned subnet.
To allow access to the internet (but not to local networks), I created a policy:
From: WLAN (the VLAN interface)
To: wan (the internet connection)
Source: 10.10.80.100/255.255.255.0 (using the automatically created address object)
Destination: all
Schedule: always
Service: ALL
I quickly realized that some clients can connect to the internet (using www.google.de in all tests) and some can't. I tried to find out what was happening, and using the "Policy Lookup" function in the GUI, I realized that some IPs from the subnet (e.g. 10.10.80.111) are caught by the policy, thus allowing a client to connect, while for others (e.g. 10.10.80.101, 10.10.80.103) I get the following error:
Policy lookup matches the implicit deny policy. No explicit policy exists from source interface "WLAN" to destination interface "ppp1" as determined by a route lookup to "142.251.209.132"
I really don't understand what is happening here. Am I missing something trivial?
Can you run the commands below and confirm that the route is correct and shows the expected ports, i.e. the ones used in the policy?
get router info routing-table details 10.10.80.101
get router info routing-table details 142.251.209.132
Sometimes the policy may not be applied correctly; in that case we can try creating a duplicate policy, placing it above the current one, and checking the behavior.
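The "Policy Lookup" message quoted in the post spells out the order in which a FortiGate evaluates a flow: it first resolves the destination address through the routing table to obtain the egress interface, and only then walks the policy table top-down looking for an entry whose source interface, destination interface, source address and destination address all match; if nothing matches, the implicit deny applies. The following Python script is an added illustration of that order, written for this page and not code from FortiOS or from either poster. It builds a constructed routing table in which the default route leaves on "ppp1" (the interface the error names; whether that is the PPP link beneath the "wan" port is an assumption that only the two `get router info` commands above can confirm) and compares the policy as posted, bound to "wan", with the same policy bound to the interface the route actually uses. The model cannot reproduce the per-client difference the post describes, since it treats every source in 10.10.80.0/24 alike; it only shows why a policy whose destination interface does not match the route's egress interface falls through to the implicit deny.

```python
"""Simplified model of FortiGate policy lookup: route the destination first,
then match policies top-down on (srcintf, dstintf, srcaddr, dstaddr).
Constructed example for illustration, not FortiOS code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface as shown in the routing table


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str  # "any" matches every interface
    dstintf: str
    srcaddr: ipaddress.IPv4Network
    dstaddr: ipaddress.IPv4Network  # the "all" object is modelled as 0.0.0.0/0


def route_lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; this decides the destination interface."""
    dst_ip = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in table:
        if dst_ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def policy_lookup(policies: List[Policy], table: List[Route], srcintf: str,
                  src: str, dst: str) -> Tuple[Optional[Policy], str]:
    """Return (policy, message); policy is None when the implicit deny applies."""
    route = route_lookup(table, dst)
    if route is None:
        return None, f'no route to "{dst}"'
    src_ip = ipaddress.IPv4Address(src)
    dst_ip = ipaddress.IPv4Address(dst)
    for p in policies:  # first match wins, top to bottom
        if p.srcintf not in ("any", srcintf) or p.dstintf not in ("any", route.interface):
            continue
        if src_ip not in p.srcaddr or dst_ip not in p.dstaddr:
            continue
        return p, f'matches policy "{p.name}" via interface "{route.interface}"'
    return None, ("Policy lookup matches the implicit deny policy. No explicit policy exists "
                  f'from source interface "{srcintf}" to destination interface '
                  f'"{route.interface}" as determined by a route lookup to "{dst}"')


# Constructed routing table (assumption): the post's VLAN subnet on WLAN and a
# default route that egresses on ppp1, the interface named in the error message.
ROUTES = [
    Route(ipaddress.IPv4Network("10.10.80.0/24"), "WLAN"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "ppp1"),
]
# The auto-created object 10.10.80.100/255.255.255.0 is a subnet object, i.e. 10.10.80.0/24.
WLAN_NET = ipaddress.IPv4Network("10.10.80.100/255.255.255.0", strict=False)
ALL = ipaddress.IPv4Network("0.0.0.0/0")

# The policy as described in the post: destination interface "wan".
AS_POSTED = [Policy("WLAN-to-wan", "WLAN", "wan", WLAN_NET, ALL)]
# The same policy bound to the interface the route actually uses (hypothetical fix).
BOUND_TO_ROUTE = [Policy("WLAN-to-ppp1", "WLAN", "ppp1", WLAN_NET, ALL)]


if __name__ == "__main__":
    for pols in (AS_POSTED, BOUND_TO_ROUTE):
        for src in ("10.10.80.101", "10.10.80.111"):
            _, msg = policy_lookup(pols, ROUTES, "WLAN", src, "142.251.209.132")
            print(f"{src} -> {msg}")
```

Run as-is, the first set of lookups prints the same implicit-deny text as the GUI for both source addresses, and the second set matches. The practical check this encodes is the one the reply asks for: compare the interface in `get router info routing-table details 142.251.209.132` with the destination interface of the policy, and bind the policy to that interface (or to "any") rather than guessing from the port name.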