In order to separate some WiFi users from another part of a network, I have created a VLAN interface using the following settings:
Addressing mode: Manual
An address object was automatically created by my FortiGate 30E, currently still running 6.2.10.
I also enabled DHCP on that interface using the following address range: 10.10.80.101-10.10.80.254.
Next, I set up my Unifi switch and access points to use that new VLAN. This part works flawlessly and the clients on the WiFi get an address from the aforementioned subnet.
To allow access to the internet (but not to local networks), I created a policy:
From: WLAN (the VLAN interface)
To: wan (the internet connection)
Source: 10.10.80.100/255.255.255.0 (using the automatically created address object)
I quickly realized that some clients can connect to the internet (using www.google.de in all tests) and some can't. I tried to find out what was happening, and using the "Policy Lookup" function in the GUI, I realized that some IPs from the subnet (e.g. 10.10.80.111) are caught by the policy, thus allowing a client to connect, while for other IPs (e.g. 10.10.80.101, 10.10.80.103) I get the following error:
Policy lookup matches the implicit deny policy. No explicit policy exists from source interface "WLAN" to destination interface "ppp1" as determined by a route lookup to "18.104.22.168"
I really don't understand what is happening here. Am I missing something trivial?
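The two checks named in that Policy Lookup message (a route lookup that decides the destination interface, then a first-match walk through the policy table ending in implicit deny) can be modelled in a few lines. The script below is an added, simplified model written for this thread; it is not FortiGate code and not a diagnosis of the post above. The routing table (a default route via "ppp1"), the policy list and the assumption that a subnet address object entered as 10.10.80.100/255.255.255.0 covers the whole /24 are all constructed for the example; the model does not reproduce the partial success the post describes, it only shows which of the two checks each lookup fails.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """One IPv4 firewall policy: interface pair plus a source subnet (constructed model)."""
    name: str
    srcintf: str
    dstintf: str
    srcaddr: ipaddress.IPv4Network
    action: str = "accept"


def normalize_address_object(ip_with_mask: str) -> ipaddress.IPv4Network:
    """Interpret 'address/netmask' (e.g. '10.10.80.100/255.255.255.0') as the
    subnet it covers (10.10.80.0/24). Assumption: a subnet-type address object
    is matched on the network, not on the host bits that were typed in."""
    return ipaddress.ip_network(ip_with_mask, strict=False)


# Constructed routing table: prefix -> egress interface. The default route via a
# PPPoE interface named "ppp1" is an assumption taken from the error text.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "ppp1",
    ipaddress.ip_network("10.10.80.0/24"): "WLAN",
}


def route_lookup(dst: str) -> str:
    """Longest-prefix match: the most specific route containing dst wins."""
    ip = ipaddress.ip_address(dst)
    best = max((net for net in ROUTES if ip in net), key=lambda net: net.prefixlen)
    return ROUTES[best]


def policy_lookup(policies, srcintf: str, src: str, dst: str) -> str:
    """Top-down first match on (srcintf, dstintf, srcaddr); anything that falls
    through hits the implicit deny and the message says which interface pair
    the route lookup produced."""
    dstintf = route_lookup(dst)
    src_ip = ipaddress.ip_address(src)
    for p in policies:
        if p.srcintf == srcintf and p.dstintf == dstintf and src_ip in p.srcaddr:
            return f"{p.action} by policy {p.name!r}"
    return (f"implicit deny: no explicit policy from source interface {srcintf!r} "
            f"to destination interface {dstintf!r} (route lookup for {dst!r})")


# Constructed policy table mirroring the post: WLAN -> wan, source = the /24 object.
POLICIES_AS_POSTED = [
    Policy("WLAN-to-internet", "WLAN", "wan",
           normalize_address_object("10.10.80.100/255.255.255.0")),
]

# Same policy, but with the destination interface that the route lookup returns.
POLICIES_ON_EGRESS_IF = [
    Policy("WLAN-to-internet", "WLAN", "ppp1",
           normalize_address_object("10.10.80.100/255.255.255.0")),
]


if __name__ == "__main__":
    for client in ("10.10.80.101", "10.10.80.103", "10.10.80.111"):
        print(client, "->", policy_lookup(POLICIES_AS_POSTED, "WLAN", client, "18.104.22.168"))
        print(client, "->", policy_lookup(POLICIES_ON_EGRESS_IF, "WLAN", client, "18.104.22.168"))
```

Running it shows that, in this model, every address in the range is inside the normalized object, so the source-address check is not what fails; the only check that can produce the quoted message is the destination-interface comparison, which depends on what the route lookup returns for the destination. That is the pair of facts worth confirming on the real box (the object's effective subnet, and the egress interface the route lookup actually reports) before changing the policy.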