I understand that you are not able to reach the internet from the downstream switch that is directly connected to the router.
I guess the ping traffic that you initiate is always passing through the sub-interface, irrespective of where you apply the policy...
Please share the configuration templates that you are using with sub-interfaces and physical interfaces.
I assume you have received a default route from the ISP - Gi-0/0 interface. Share with me the source IP and destination IP address for the ping that yo...