[SOLVED] LAN bridge vs. NFS

Started by sobakorova, August 12, 2021, 09:45:03 AM

August 12, 2021, 09:45:03 AM Last Edit: August 14, 2021, 04:35:59 PM by sobakorova
Hi

I'm trying to set up a mini PC with a LAN bridge and everything works except for NFS, which is essential for the entire setup. Lots of other stuff is working great, just not the NFS stuff. I would truly appreciate any hints.

The system consists of a qotom PC with opnsense 21.7 and on its LAN side a Synology for NFS, a Linux-based TV recorder and client Wifi. The storage for the TV recorder is on the Synology. That setup was previously humming along happily with an Airport Extreme w/ NAT.

The new PC has 8 NICs which I'd like to use as a LAN switch. I assigned a bridge (with members igb1-7 and wifi ath0) to the LAN interface. They all have their type set to none and packet filtering has been reassigned to the bridge in the system tunables. Also, IP do-not-fragment (in Normalization) is enabled (for Linux-based NFS). The LAN interface got an IP and DHCP server, with some (verified) static assignments for NFS permissions.

FW rules: Aside from the automatic ones, I have on the LAN side only two rules for the LAN net interface with any/any for each IPv4 and v6, direction "in".

I can access all devices (ssh) or http external sites without issues. The devices themselves also have full external connectivity. On a laptop, I can access the Synology storage with cifs, but NFS gives me a permission failure. Nota bene: when plugging all systems into an old Airport with NAT, everything works again. (So the configurations on the devices must be ok...)

When the TV recorder is accessing the NFS storage, I see some activity in the FW with ports 3129, 2049, 111, 892 all being passed. There is not a single deny. Yet, there is no data transfer in the end and the files on the NFS are not accessible.

opnsense is truly a gem and I'm deeply impressed at its slick interface and functionality. I'm completely stuck with this NFS issue, though. Thanks for any advice on how to further debug this thing...

-marco

Capture the traffic on the FW and look at it through wireshark.  Even if you don't know how to read the data inside the packets, you can at least see issues and perhaps odd communications. 

Try to switch Do-Not-Fragment in Firewall » Normalization

Thank you for your tips, will try the traffic capture... (did already activate the IP-do-not-fragment - but thanks for your help, mate!)


Quote from: errored out on August 12, 2021, 10:15:41 PM
Capture the traffic on the FW and look at it through wireshark.  Even if you don't know how to read the data inside the packets, you can at least see issues and perhaps odd communications.

Holy moly, that is gold. The capture revealed

UDP, bad length 4008 > 1472

so I disabled interface scrub and everything works... so it seems IP do-not-fragment is not sufficient. Interesting. I need to look more into these settings.

Thank you. Thank you. Thank you!

Can you change the subject to solved?
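The decisive clue in this thread is the capture line `UDP, bad length 4008 > 1472`: a 4008-byte NFS reply has to be split into IP fragments because only 1472 bytes of UDP payload fit in a 1500-byte Ethernet frame (1500 minus 20 bytes IPv4 header minus 8 bytes UDP header), and fragment handling on the bridge was where the transfer died. The following script is an added example, not code from the thread or from OPNsense: it parses tcpdump-style text output (the `UDP, length N` and `UDP, bad length N > M` forms tcpdump prints), flags datagrams that exceed the MTU-derived payload limit, and marks which of them involve the NFS-related ports the poster saw passing the firewall (111 portmapper, 2049 NFS, 892 commonly mountd). The sample capture is constructed to resemble the poster's finding; the IP addresses and timestamps are invented.

```python
"""Flag UDP datagrams in a tcpdump-style capture that cannot fit in one
Ethernet frame and therefore depend on IP fragmentation working end to end.
Added example; not part of the forum thread and not OPNsense code."""
import re
from dataclasses import dataclass

ETH_MTU = 1500          # standard Ethernet MTU, as on the poster's LAN bridge
IPV4_HEADER = 20        # minimum IPv4 header, no options
UDP_HEADER = 8
NFS_PORTS = {111, 892, 2049}   # portmapper, mountd (commonly 892 on NAS boxes), NFS


def max_udp_payload(mtu: int = ETH_MTU) -> int:
    """Largest UDP payload that crosses a link of the given MTU unfragmented."""
    return mtu - IPV4_HEADER - UDP_HEADER   # 1472 for MTU 1500


# Matches both "UDP, length N" (normal datagram) and "UDP, bad length N > M",
# which tcpdump prints for the first fragment when the UDP length field (N)
# exceeds the payload actually present in that packet (M).
UDP_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, (?:bad )?length (?P<length>\d+)"
)


@dataclass
class Finding:
    src: str
    dst: str
    sport: int
    dport: int
    udp_length: int
    nfs_related: bool
    needs_fragmentation: bool


def analyze_capture(text: str, mtu: int = ETH_MTU) -> list[Finding]:
    """Parse tcpdump text lines and classify every UDP datagram found."""
    limit = max_udp_payload(mtu)
    findings = []
    for line in text.splitlines():
        m = UDP_RE.search(line)
        if not m:
            continue            # non-UDP lines and fragment continuations are skipped
        sport, dport = int(m["sport"]), int(m["dport"])
        length = int(m["length"])
        findings.append(Finding(
            src=m["src"], dst=m["dst"], sport=sport, dport=dport,
            udp_length=length,
            nfs_related=bool({sport, dport} & NFS_PORTS),
            needs_fragmentation=length > limit,
        ))
    return findings


def fragmented_nfs(findings: list[Finding]) -> list[Finding]:
    """The datagrams a fragment-related scrub/normalization setting can break."""
    return [f for f in findings if f.nfs_related and f.needs_fragmentation]


# Constructed sample, modelled on the poster's capture line; addresses are invented.
SAMPLE_CAPTURE = """\
12:01:03.100001 IP 192.168.1.20.892 > 192.168.1.10.2049: UDP, bad length 4008 > 1472
12:01:03.100002 IP 192.168.1.20 > 192.168.1.10: ip-proto-17
12:01:03.100003 IP 192.168.1.20 > 192.168.1.10: ip-proto-17
12:01:03.200000 IP 192.168.1.20.48833 > 192.168.1.10.111: UDP, length 56
12:01:03.300000 IP 192.168.1.10.2049 > 192.168.1.20.892: UDP, length 96
"""

if __name__ == "__main__":
    for f in fragmented_nfs(analyze_capture(SAMPLE_CAPTURE)):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}: UDP payload {f.udp_length} "
              f"bytes exceeds {max_udp_payload()} bytes, IP fragmentation required")
```

Feed it `tcpdump -n -i <bridge> udp` output saved from the firewall; any hit in `fragmented_nfs()` is a flow whose success depends on fragments being passed and reassembled correctly on the bridge, which is what the scrub setting in this thread interfered with. Raising the MTU (jumbo frames) changes the limit, so pass the bridge's real MTU to `analyze_capture()` when it is not 1500.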