OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 23.1 Legacy Series »
  • [SOLVED]NFS Mouting Failing due to illegal port
« previous next »
  • Print
Pages: [1]

Author Topic: [SOLVED]NFS Mouting Failing due to illegal port  (Read 2205 times)

nam061

  • Newbie
  • *
  • Posts: 10
  • Karma: 0
    • View Profile
[SOLVED]NFS Mouting Failing due to illegal port
« on: February 21, 2023, 09:51:53 pm »
Hi All

I have a VM machine that has a public IP interface and a private IP interface. The private interface is assigned 192.168.50.78. Then I have a dedicated host that acts as my "router" using private IP 192.168.50.1 and this is, therefore, my gateway for my 192.168.50.0/24 local network. The "router" I have is OPNsense.

That being said, I am trying to mount within my VM to my two remote NFS servers. The mount fails because of an illegal port coming from my VM, which is behind NAT:

Code: [Select]
[root@NFSHOST ~]# tail -f /var/log/messages | grep "rpc.mountd"
Feb 21 22:31:40 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.XXX.ZZZ for /data/secondary (/data/secondary): illegal port 33744
Feb 21 22:35:22 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.XXX.ZZZ for /data/secondary (/data/secondary): illegal port 40085
And this is due to port translation happening. A solution is to add `insecure` to my /etc/export file, which I have tested and can confirm does indeed work.

However, as it suggests, it `insecure` and highly not recommended. I have tried adding a port forwarding rule on OPNsense and for some reason, it remains to fail with illegal ports.

Is there any way I can solve this issue, I need to set some sort of rule in OPNsense to handle this accordingly and I am not exactly sure what or how.
« Last Edit: February 23, 2023, 07:34:50 pm by nam061 »
Logged

zan

  • Full Member
  • ***
  • Posts: 175
  • Karma: 31
    • View Profile
Re: NFS Mouting Failing due to illegal port
« Reply #1 on: February 23, 2023, 04:31:16 pm »
You said your VM has a public interface but you also said it is behind NAT so I'm not sure if internet outbound traffic goes to your OPNsense router, but in case it does you might want to check your NAT outbound rule.

IIRC NFS servers expect the source ports coming from clients to be under 1024 to be considered secure.
Make sure you check the "Static-port" on your NAT outbound rule to prevent firewall from modifying the source port on TCP and UDP packets.

You don't need port forwarding rules, those are for S-NAT aka Inbound traffic.


Logged

nam061

  • Newbie
  • *
  • Posts: 10
  • Karma: 0
    • View Profile
Re: NFS Mouting Failing due to illegal port
« Reply #2 on: February 23, 2023, 07:34:09 pm »
Quote from: zan on February 23, 2023, 04:31:16 pm
IIRC NFS servers expect the source ports coming from clients to be under 1024 to be considered secure.
Make sure you check the "Static-port" on your NAT outbound rule to prevent firewall from modifying the source port on TCP and UDP packets.

- This was the solution, thank you very much I have been sitting with this for over two weeks now. I added an outbound NAT with the static port enabled, on my entire local LAN network and it now mounts to NFS successfully on the secure ports. Thank you very much!
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 23.1 Legacy Series »
  • [SOLVED]NFS Mouting Failing due to illegal port
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2