Messages - nam061

#1
Quote from: zan on February 23, 2023, 04:31:16 PM
IIRC NFS servers expect the source ports coming from clients to be under 1024 to be considered secure.
Make sure you check the "Static-port" on your NAT outbound rule to prevent firewall from modifying the source port on TCP and UDP packets.

- This was the solution, thank you very much. I have been sitting with this for over two weeks now. I added an outbound NAT with the static port enabled on my entire local LAN network, and it now mounts NFS successfully on the secure ports. Thank you very much!
#2
Hi All

I have a VM machine that has a public IP interface and a private IP interface. The private interface is assigned 192.168.50.78. Then I have a dedicated host that acts as my "router" using private IP 192.168.50.1 and this is, therefore, my gateway for my 192.168.50.0/24 local network. The "router" I have is OPNsense.

That being said, I am trying to mount within my VM to my two remote NFS servers. The mount fails because of an illegal port coming from my VM, which is behind NAT:

[root@NFSHOST ~]# tail -f /var/log/messages | grep "rpc.mountd"
Feb 21 22:31:40 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.XXX.ZZZ for /data/secondary (/data/secondary): illegal port 33744
Feb 21 22:35:22 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.XXX.ZZZ for /data/secondary (/data/secondary): illegal port 40085


And this is due to port translation happening. A solution is to add `insecure` to my /etc/export file, which I have tested and can confirm does indeed work.

However, as it suggests, it is `insecure` and highly not recommended. I have tried adding a port forwarding rule on OPNsense and, for some reason, it still fails with illegal ports.

Is there any way I can solve this issue? I need to set some sort of rule in OPNsense to handle this accordingly, and I am not exactly sure what or how.
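A check for this symptom, added here as an example (not code from the thread, from OPNsense or from nfs-utils): it parses rpc.mountd "illegal port" refusals like the ones quoted above and emulates the secure-port rule, so you can see why `insecure` accepts such a request and why keeping the original privileged source port (static-port outbound NAT) does too. The log lines and client IPs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the rpc.mountd lines quoted in the post (client IPs are made up).
SAMPLE_LOG = """\
Feb 21 22:31:40 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.0.10 for /data/secondary (/data/secondary): illegal port 33744
Feb 21 22:35:22 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.0.10 for /data/secondary (/data/secondary): illegal port 40085
Feb 21 22:40:17 NFSHOS rpc.mountd[28721]: refused mount request from 10.0.0.7 for /data/primary (/data/primary): illegal port 51200
"""

REFUSED = re.compile(
    r"rpc\.mountd\[\d+\]: refused mount request from (?P<client>\S+) "
    r"for (?P<export>\S+) \(\S+\): illegal port (?P<port>\d+)"
)


def is_privileged_port(port: int) -> bool:
    """The 'secure' export default: the client's source port must be below 1024."""
    return 0 < port < 1024


def mountd_would_accept(export_options: str, src_port: int) -> bool:
    """Emulate mountd's port check for one request against an /etc/exports option string.
    'insecure' disables the privileged-port requirement; any other option list keeps it."""
    opts = {o.strip() for o in export_options.split(",")}
    return "insecure" in opts or is_privileged_port(src_port)


def parse_refusals(log_text: str) -> list[dict]:
    """Extract client, export and refused source port from 'illegal port' lines."""
    found = []
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if m:
            found.append({"client": m["client"], "export": m["export"], "port": int(m["port"])})
    return found


def refused_ports_by_client(log_text: str) -> dict[str, list[int]]:
    """Group refused source ports per client. Only high (>= 1024) ports from one client
    is the signature of a NAT rewriting the source port, as in the post."""
    ports = defaultdict(list)
    for r in parse_refusals(log_text):
        ports[r["client"]].append(r["port"])
    return dict(ports)


if __name__ == "__main__":
    for client, ports in refused_ports_by_client(SAMPLE_LOG).items():
        print(client, sorted(ports))
    # What the two remedies from the thread do to the refused request on port 33744:
    print(mountd_would_accept("rw,sync", 33744))           # False: the refusal seen in the log
    print(mountd_would_accept("rw,sync,insecure", 33744))  # True: the 'insecure' workaround
    print(mountd_would_accept("rw,sync", 842))             # True: privileged port kept by static-port NAT
```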
#3
23.1 Legacy Series / Routing Issue After 23.1 update
February 16, 2023, 03:39:15 PM
Hi Guys

I updated to 23.1 a few days ago, and now I am experiencing an issue with one of my machines. I have one machine with OPNsense installed that acts as a basic NAT router for my private subnet 192.168.50.0/24. This machine/router uses the private IP 192.168.50.1, which is the gateway for my 192.168.50.0/24 network.

I have a physical machine with 1x Public NIC and 1x Private NIC. On this machine, I have a VM running also equipped with 1x Public IP and then 1x Private IP falling in the 192.168.50.0/24 subnet. I am trying to mount an NFS share on this VM. I have two NFS shares and only ONE NFS share mounts successfully while the second refuses.

This is what the NFS mounts look like:

Successful Mount
Quote
root@s-145-VM:~# mount -t nfs -vvv 102.165.XXX.YYY:/data/secondary /mnt/SecStorage/test
mount.nfs: timeout set for Thu Feb 16 14:07:58 2023
mount.nfs: trying text-based options 'vers=4.2,addr=102.165.XXX.YYY,clientaddr=197.189.XXX.YYY'
root@s-145-VM:~#

Failed Mount:

Quote
root@s-145-VM:~# mount -t nfs 102.165.XXX.ZZZ:/data/secondary /mnt/SecStorage/test
mount.nfs: access denied by server while mounting 102.165.XXX.ZZZ:/data/secondary
root@s-145-VM:~# mount -t nfs -vvv 102.165.XXX.ZZZ:/data/secondary /mnt/SecStorage/test
mount.nfs: timeout set for Thu Feb 16 14:07:11 2023
mount.nfs: trying text-based options 'vers=4.2,addr=102.165.XXX.ZZZ,clientaddr=192.168.50.53'
mount.nfs: mount(2): Operation not permitted
mount.nfs: trying text-based options 'addr=102.165.XXX.ZZZ'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 102.165.XXX.ZZZ prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 102.165.XXX.ZZZ prog 100005 vers 3 prot UDP port 892
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 102.165.XXX.ZZZ:/data/secondary

As you can see, in the failed mount attempt the VM passes its private IP address when it tries to mount the second NFS, and not its public IP 197.189.XXX.YYY. The reason this is happening is that the VM automatically adds the following line to its IP routing table after each reboot:

- 102.165.XXX.ZZZ via 192.168.50.1 dev eth1

When I delete this entry from the routing table, the NFS mounts successfully. Something in the "Firewall" OPNsense router is causing this behaviour and making it create this entry in the IP route table, and I have no idea what it could be. What puzzles me is that it only creates this entry for this IP and not for the other NFS, which is successful, and they are basically on the same network space `102.165.XXX`.

I have double-checked the OPNsense server and rebooted it many times, and I cannot pinpoint what is causing this behaviour. All I know is that it happened right after updating to 23.1, and rebooting this VM now causes this behaviour.

Any suggestions for this will be extremely appreciated, please.
#5
Hi

I have successfully configured OpenVPN via OPNsense. I can successfully connect to it and successfully access the OPNsense GUI via a private IP address from a remote PC.

The problem, however, is that for some reason I cannot reach any other clients on the same private subnet as the OPNsense server. My physical LAN network is set up as 192.168.50.0/24 and I have about 5 other clients on it. They can ALL successfully ping each other. My OPNsense server (192.168.50.1) "acts" as the gateway for my physical LAN network.

My OpenVPN network is set on a different subnet, which is 192.168.10.0/24. And I have the following firewall rules in place:

- WAN: https://tinyurl.com/2h632lj2
- OpenVPN: https://tinyurl.com/2fmdqajt
- LAN: None Configured

Am I missing something?

EDIT:

I have enabled "Redirect Gateway" in the VPN server settings. Should this be left so?

Also, I see that I can ping some other clients in the 192.168.50.0/24 network but still not ALL of them.

It seems the only difference between those that are reachable and those that are not, is that those not reachable do not have a gateway set to 192.168.50.1 whereas those that are reachable do.

The problem is that if I enable a gateway on these clients, since they have 2x NIC (1 WAN & 1 LAN), the entire server/client becomes unreachable. I think Linux does not like to have two NICs, each with its own gateway.

Is there a way around this, which I believe is most likely the reason this is happening?
#6
22.7 Legacy Series / Re: Gateway server for LAN network
December 02, 2022, 11:44:19 AM
Thank you very much. I tried using the basic Linux NAT solution and it worked somewhat. However, I ran into issues on my VMs via stack and they could not reach the gateway.

In any case, I have successfully installed OPNsense on a new Linux box and I am pleased to confirm it works PERFECTLY out of the box. Thank you for your input.
#7
22.7 Legacy Series / Re: Gateway server for LAN network
November 30, 2022, 06:54:27 AM
@pmhausen

Correct, yes. Based on what they said, the public NIC would serve as the "gateway" in this case, based on @cookiemonster's concerns.

Does this mean OPNsense can accomplish this task and serve as a "basic firewall" for my hosts on the private LAN? If yes, are there any guides and or documentation you can recommend that would achieve this outcome?

Thank you in advance.
#8
22.7 Legacy Series / Re: Gateway server for LAN network
November 29, 2022, 05:53:03 PM
Quote from: cookiemonster on November 29, 2022, 04:17:59 PM
Have you asked your ISP if what you're thinking will work? Otherwise what makes you think you can circumvent the network isolation they've put in place for all machines?

Hi, thank you for getting back to me, yes I have spoken to the ISP and they were the ones to recommend this. This was their response in this regard:

Quote
We cannot set up a gateway on the private network. The private network is a completely separate physical infrastructure and does not connect to our uplink network.

You will need to configure a NAT firewall yourself. Only one host is required to provide the gateway function for all your backlink hosts / VMs.

An example of a good, free and open-source NAT firewall is OPNsense (https://opnsense.org) but there are many others.
#9
22.7 Legacy Series / Re: Gateway server for LAN network
November 29, 2022, 04:03:44 PM
Hi Guys

Was there any sort of feedback on this? I would really appreciate any sort of update on this, please.
#10
Hi Guys

I have zero experience in OPNsense and I am looking for some advice before I proceed with installing and using it. I read some documentation and I am not 100% sure if OPNsense is the right product for me, therefore, hoping the community can provide some insight on this, please.

I have four Linux boxes, each with two NICs. One NIC has a publicly assigned IP and the other NIC has a privately assigned IP using the 192.168.50.0/24 subnet. Each of these four Linux boxes can ping each other on either network successfully.

Sadly, however, my ISP, where I am renting these boxes, has completely isolated my private network from accessing the internet, meaning if I run a simple ping test to google.com using the private NIC from any of my boxes, it fails immediately. They said that the private network is completely isolated from their public uplink, meaning I cannot have them assign my private network to the uplink infrastructure they have.

After numerous searches, it came down to the fact that I need to get an additional Linux box and configure that box as a gateway server, so that my clients on the 192.168.50.0/24 subnet can route traffic to the internet successfully.

I would like to know: if I get a fifth Linux box with the same 2x NIC setup and install OPNsense, would I be able to configure it as a gateway server for my private subnet? If yes, can you please confirm the steps I would need to take? I assume I would need to forward all traffic from the LAN interface to the WAN interface for it to work and then use this fifth server's IP address as the gateway IP in my private subnet, yes?

Kindly provide basic steps I can take to achieve this with OPNsense or an article that best describes how I can implement this.

If it is not possible to achieve this with OPNsense, is there any other open-source solution?

I appreciate your time and any assistance contributed towards my query.