FG30E with FortiOS v6.0.1 build0131 - one host fails on policy 0 with drop
I have a strange problem on a FG30E with FortiOS v6.0.1 build0131 (GA).
The setup is the following:
I have a local lan with subnet 192.168.1.0/24. The lan ports of the FG30E (as hardware switch) act as gateway with interface ip 192.168.1.1/24.
The WAN port of FG30E (ip 192.168.2.254/24) is connected to a DSL-modem (Fritz!Box) in the subnet 192.168.2.0/24.
There is a default route 0.0.0.0/0 which points to the WAN interface and the ip of the Fritzbox (192.168.2.1/24).
There is one policy that allows all traffic from the lan to the internet:
show firewall policy 2
config firewall policy
    set name "Park-to-Internet"
    set uuid b5ab8032-89a5-51e8-7074-46a0bd1754d1
    set srcintf "lan"
    set dstintf "wan"
    set srcaddr "NET_192.168.1.0_Park"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set logtraffic all
    set nat enable
But one host inside the lan (192.168.1.153/24) shows the following error in the packet sniffer:
id=20085 trace_id=134 func=print_pkt_detail line=5320 msg="vd-root:0 received a packet(proto=17, 192.168.1.153:49865->192.168.1.1:53) from lan. "
id=20085 trace_id=134 func=init_ip_session_common line=5480 msg="allocate a new session-00002f8c"
id=20085 trace_id=134 func=vf_ip_route_input_common line=2590 msg="find a route: flag=84000000 gw-192.168.1.1 via root"
id=20085 trace_id=134 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
I have no idea why this error occurs and how to solve it.
I tried to create a lan-to-lan policy but the error still occurs.
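
An added example, not part of the original post: a small Python parser for trace lines like the ones above. It groups them by trace_id and reports whether a drop was logged by fw_local_in_handler for a packet addressed to one of the firewall's own interface addresses, which is traffic to the FortiGate itself rather than traffic forwarded under lan-to-wan policy 2. The function names parse_traces and classify are hypothetical; FIREWALL_IPS is taken from the setup described in the post.

```python
import re

# Trace lines copied from the post above.
SAMPLE = '''
id=20085 trace_id=134 func=print_pkt_detail line=5320 msg="vd-root:0 received a packet(proto=17, 192.168.1.153:49865->192.168.1.1:53) from lan. "
id=20085 trace_id=134 func=init_ip_session_common line=5480 msg="allocate a new session-00002f8c"
id=20085 trace_id=134 func=vf_ip_route_input_common line=2590 msg="find a route: flag=84000000 gw-192.168.1.1 via root"
id=20085 trace_id=134 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
'''

# Interface addresses of the FG30E as given in the post (lan and wan).
FIREWALL_IPS = {"192.168.1.1", "192.168.2.254"}

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
                    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<intf>\S+?)\.')
DROP_RE = re.compile(r'check failed on policy (?P<policy>\d+), drop')

def parse_traces(text):
    """Group trace lines by trace_id and collect packet and drop details."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue  # skip blank lines and anything that is not a trace line
        t = traces.setdefault(int(m["trace"]), {"funcs": []})
        t["funcs"].append(m["func"])
        pkt = PKT_RE.search(m["msg"])
        if pkt:
            t.update(pkt.groupdict())
        drop = DROP_RE.search(m["msg"])
        if drop:
            t["drop_func"] = m["func"]
            t["drop_policy"] = int(drop["policy"])
    return traces

def classify(trace, firewall_ips=FIREWALL_IPS):
    """Return 'local-in', 'forward' or 'none' for one parsed trace."""
    if "drop_policy" not in trace:
        return "none"
    if trace["drop_func"] == "fw_local_in_handler" and trace.get("dst") in firewall_ips:
        return "local-in"  # packet was addressed to the firewall itself
    return "forward"

if __name__ == "__main__":
    for tid, t in parse_traces(SAMPLE).items():
        print(tid, classify(t), f'{t["src"]}:{t["sport"]} -> {t["dst"]}:{t["dport"]}',
              f'proto={t["proto"]} in={t["intf"]} policy={t.get("drop_policy")}')
```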