[SOLVED] NFS Mounting Failing due to illegal port

Started by nam061, February 21, 2023, 09:51:53 PM

February 21, 2023, 09:51:53 PM Last Edit: February 23, 2023, 07:34:50 PM by nam061
Hi All

I have a VM machine that has a public IP interface and a private IP interface. The private interface is assigned 192.168.50.78. Then I have a dedicated host that acts as my "router" using private IP 192.168.50.1 and this is, therefore, my gateway for my 192.168.50.0/24 local network. The "router" I have is OPNsense.

That being said, I am trying to mount my two remote NFS servers from within my VM. The mount fails because of an illegal port coming from my VM, which is behind NAT:

[root@NFSHOST ~]# tail -f /var/log/messages | grep "rpc.mountd"
Feb 21 22:31:40 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.XXX.ZZZ for /data/secondary (/data/secondary): illegal port 33744
Feb 21 22:35:22 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.XXX.ZZZ for /data/secondary (/data/secondary): illegal port 40085


This is due to port translation happening. A solution is to add `insecure` to my /etc/exports file, which I have tested and can confirm does indeed work.

However, as the name suggests, it is `insecure` and highly not recommended. I have tried adding a port forwarding rule on OPNsense and, for some reason, it still fails with illegal ports.

Is there any way I can solve this issue? I need to set some sort of rule in OPNsense to handle this accordingly, and I am not exactly sure what or how.

You said your VM has a public interface, but you also said it is behind NAT, so I'm not sure if internet outbound traffic goes to your OPNsense router. In case it does, you might want to check your NAT outbound rule.

IIRC NFS servers expect the source ports coming from clients to be under 1024 to be considered secure.
Make sure you check "Static-port" on your NAT outbound rule to prevent the firewall from modifying the source port on TCP and UDP packets.

You don't need port forwarding rules, those are for S-NAT aka Inbound traffic.



Quote from: zan on February 23, 2023, 04:31:16 PM
IIRC NFS servers expect the source ports coming from clients to be under 1024 to be considered secure.
Make sure you check "Static-port" on your NAT outbound rule to prevent the firewall from modifying the source port on TCP and UDP packets.

- This was the solution, thank you very much. I have been sitting with this for over two weeks now. I added an outbound NAT rule with static port enabled for my entire local LAN network, and it now mounts NFS successfully on the secure ports. Thank you very much!
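As an added illustration that is not part of this thread: a small Python check, written here and not taken from OPNsense or the NFS utilities, that parses rpc.mountd refusal lines in the format quoted above and flags source ports above 1023. A source port in that range is exactly what the "secure" export default rejects, what the `insecure` option would waive, and what a static-port outbound NAT rule avoids by leaving the client's reserved source port untouched. The sample log lines are constructed, modelled on the ones in the first post.

```python
import re
from typing import Dict, List, Optional

# Matches the refusal line rpc.mountd logs when an export requires a reserved source port.
MOUNTD_REFUSAL = re.compile(
    r"rpc\.mountd\[(?P<pid>\d+)\]: refused mount request from "
    r"(?P<client>\S+) for (?P<export>\S+) \(\S+\): illegal port (?P<port>\d+)"
)

# "secure" exports require the client's source port to be a reserved port (< 1024).
RESERVED_PORT_MAX = 1023


def parse_refusal(line: str) -> Optional[Dict[str, object]]:
    """Extract client address, export path and source port from one refusal line."""
    m = MOUNTD_REFUSAL.search(line)
    if not m:
        return None
    return {"client": m.group("client"), "export": m.group("export"), "port": int(m.group("port"))}


def is_reserved_port(port: int) -> bool:
    return 0 < port <= RESERVED_PORT_MAX


def diagnose(lines: List[str]) -> Dict[str, object]:
    """Summarise refusals. A refusal carrying an unprivileged port means something on the
    path (typically outbound NAT without static-port) rewrote the client's source port."""
    refusals = [r for r in (parse_refusal(l) for l in lines) if r]
    unprivileged = [r for r in refusals if not is_reserved_port(r["port"])]
    return {
        "refusals": len(refusals),
        "unprivileged_source_ports": sorted({r["port"] for r in unprivileged}),
        "clients": sorted({r["client"] for r in unprivileged}),
        "likely_source_port_rewrite": bool(unprivileged),
    }


# Constructed sample lines (the client address is the masked value used in the thread).
SAMPLE_LOG = [
    "Feb 21 22:31:40 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.XXX.ZZZ for /data/secondary (/data/secondary): illegal port 33744",
    "Feb 21 22:35:22 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.XXX.ZZZ for /data/secondary (/data/secondary): illegal port 40085",
    "Feb 21 22:40:01 NFSHOS rpc.mountd[28721]: authenticated mount request from 192.168.50.78:1013 for /data/secondary (/data/secondary)",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run it against `grep rpc.mountd /var/log/messages` output on the NFS server; an empty `unprivileged_source_ports` list after enabling static-port on the outbound NAT rule confirms the fix took effect.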