Longtime lurker, first-time poster here! Still learning networking so please be patient.

I’m currently reconfiguring some policies and settings on our FortiGate 80F. Recently, we transitioned from FortiGate APs to Unifi APs, which required setting up new VLANs to manage both the main WiFi and guest WiFi networks.

Here’s our current setup:

LAN: Configured on internal1 of the FortiGate with an IP/Netmask of 192.168.1.1/255.255.252.0.

Main WiFi (VLAN40): Assigned to VLAN40 with an IP/Netmask of 10.10.40.1/255.255.255.0.

Guest WiFi (VLAN50): Assigned to VLAN50 with an IP/Netmask of 10.10.50.1/255.255.255.0.

The Issue

Devices on the internal1 subnet are unable to ping devices on the main WiFi network (VLAN40), except for the VLAN gateway 10.10.40.1. However, devices on the main WiFi network can successfully ping and remote into any device on the internal1 subnet.

I’ve attached screenshots of the current firewall policies for traffic between internal1 and VLAN40 (main WiFi) in both directions.

Any guidance or suggestions on how to resolve this would be greatly appreciated!
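As an added example that is not part of the original post (and not taken from the poster's screenshots), here is what a minimal FortiOS CLI configuration for the internal1/VLAN40 pair looks like, followed by the diagnostics that show whether the FortiGate itself is the one dropping the LAN-to-WiFi ping. Assumptions: VLAN40 is a sub-interface of internal1 (the post does not say which port the Unifi APs are plugged into), the VDOM is "root", and the host addresses 192.168.1.50 and 10.10.40.50 are constructed test values.

```fortios
# Added example: VLAN40 as an 802.1Q sub-interface of internal1 (parent port is an assumption)
config system interface
    edit "VLAN40"
        set vdom "root"
        set ip 10.10.40.1 255.255.255.0
        set allowaccess ping
        set interface "internal1"
        set vlanid 40
    next
end

# One accept policy per direction; no NAT between two directly connected subnets
config firewall policy
    edit 0
        set name "LAN-to-MainWiFi"
        set srcintf "internal1"
        set dstintf "VLAN40"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "MainWiFi-to-LAN"
        set srcintf "VLAN40"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# Trace one ICMP flow from a LAN host (192.168.1.50, constructed) to a WiFi host (10.10.40.50, constructed)
diagnose debug reset
diagnose debug flow filter saddr 192.168.1.50
diagnose debug flow filter daddr 10.10.40.50
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... send the ping from the LAN host now, then stop tracing ...
diagnose debug disable
diagnose debug reset

# Confirm the echo request actually leaves VLAN40 toward the AP and whether a reply ever comes back
diagnose sniffer packet VLAN40 'icmp and host 10.10.40.50' 4
```

Read the trace output first: if it reports the packet as allowed by the LAN-to-MainWiFi policy and the sniffer shows the echo request going out on VLAN40 with no echo reply returning, the FortiGate is forwarding correctly and the drop is happening past it. The two places to look next are the Unifi network settings for the main SSID (client isolation blocks traffic that is not from the gateway) and the host firewall on the WiFi device itself; a host that can reach the LAN but does not answer pings from it is exactly what a firewall that only permits inbound ICMP from its own subnet produces, since the 10.10.40.1 gateway is on-subnet and answers while a 192.168.x.x source is not. If the trace instead shows the packet denied or matching no policy, the policy shown in the screenshots is not the one the packet hits (check interface names and policy order).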