Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Some clients not caught by policy



in order to separate some WiFi users from another part of a network, I have created a VLAN interface using the following settings:


Addressing mode: Manual



An address object was automatically created by my FortiGate 30E, currently still running 6.2.10.


I also enabled DHCP on that interface using the following address range:


Next, I set up my Unifi switch and access points to use that new VLAN. This part works flawlessly and the clients on the WiFi get an address from the aforementioned subnet.


To allow access to the internet (but not to local networks), I created a policy:


From: WLAN (the VLAN interface)

To: wan (the internet connection)

Source: (using the automatically created address object)

Destination: all

Schedule: always

Servicy: ALL


I quickly realized, that some clients can connect to the internet (using in all tests) and some can't. I tried to find out what was happening, and using the "Policy Lookup" function in the GUI, I realized that some IPs from the subnet (e.g. are caught by the policy, thus allowing a client to connect, while for some, I get the following error for different IPs (e.g.,





Policy lookup matches the implicit deny policy. No explicit policy exists from source interface "WLAN" to destination interface "ppp1" as determined by a route lookup to ""





I really don't understand what is happening here. Am I missing something trivial?


Can you run below commands and confirm the route is correct and showing the expected port numbers that is used in the policy?


get router info routing-table details

get router info routing-table details

Sometimes the policy may not be applied correctly and we may try to create a duplicate policy and place it above the current one and check the behavior.



- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Top Kudoed Authors