Score:0

NFS Mounting Failing due to illegal port

I have a VM machine that has a public IP interface and a private IP interface. The private interface is assigned 192.168.50.78. Then I have a dedicated host that acts as my "router" using private IP 192.168.50.1 and this is, therefore, my gateway for my 192.168.50.0/24 local network. The "router" I have is OPNsense.

That being said, I am trying to mount within my VM to my two remote NFS servers. The mount fails because of an illegal port coming from my VM, which is behind NAT:

[root@NFSHOST ~]# tail -f /var/log/messages | grep "rpc.mountd"
Feb 21 22:31:40 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.XXX.ZZZ for /data/secondary (/data/secondary): illegal port 33744
Feb 21 22:35:22 NFSHOS rpc.mountd[28721]: refused mount request from 197.189.XXX.ZZZ for /data/secondary (/data/secondary): illegal port 40085

And this is due to port translation happening. A solution is to add insecure to my /etc/export file, which I have tested and can confirm does indeed work.

However, as it suggests, it is insecure and highly not recommended. I have tried adding a port forwarding rule on OPNsense and, for some reason, it continues to fail with illegal ports.

Is there any way I can solve this issue? PS: I cannot use "bridge" mode either. I need to set some sort of rule in OPNsense to handle this accordingly, and I am not exactly sure.

Score:0

Managed to finally solve this specific issue. I was told here: OPNsense Link

The following:

IIRC NFS servers expect the source ports coming from clients to be under 1024 to be considered secure. Make sure you check the "Static-port" on your NAT outbound rule to prevent the firewall from modifying the source port on TCP and UDP packets.

I ended up adding a NAT outbound rule on OPNsense for the entire local LAN with static port enabled, and it solved the issue. I can now mount NFS via secure port ranges.
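
An added example (not part of either post and not nfs-utils code): a triage script for the rpc.mountd refusals quoted in the question. It groups them by client and export and flags when every refused source port is 1024 or higher, which is the pattern a NAT outbound rule without static port produces. The sample log lines, addresses and the name summarize_refusals are constructed for illustration.

```python
import re
from collections import defaultdict

RESERVED_PORT_LIMIT = 1024  # source ports below this count as privileged

# Matches the rpc.mountd refusal format quoted in the question.
REFUSED = re.compile(
    r"rpc\.mountd\[\d+\]: refused mount request from (?P<client>\S+) "
    r"for (?P<export>\S+) \(\S+\): illegal port (?P<port>\d+)"
)

# Constructed sample lines (documentation addresses, not from the thread).
SAMPLE_LOG = """\
Feb 21 22:31:40 nfs1 rpc.mountd[28721]: refused mount request from 203.0.113.10 for /data/secondary (/data/secondary): illegal port 33744
Feb 21 22:35:22 nfs1 rpc.mountd[28721]: refused mount request from 203.0.113.10 for /data/secondary (/data/secondary): illegal port 40085
Feb 21 22:36:01 nfs1 rpc.mountd[28721]: authenticated mount request from 198.51.100.7:921 for /data/primary (/data/primary)
Feb 21 22:40:13 nfs1 rpc.mountd[28721]: refused mount request from 198.51.100.99 for /data/primary (/data/primary): illegal port 51515
"""


def summarize_refusals(log_text):
    """Group 'illegal port' refusals by (client, export)."""
    ports = defaultdict(list)
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if m:
            ports[(m["client"], m["export"])].append(int(m["port"]))
    report = {}
    for key, seen in ports.items():
        report[key] = {
            "count": len(seen),
            "ports": sorted(seen),
            # Every refused port at or above 1024 fits a client whose source
            # port was rewritten by NAT, or a mount from a non-root process.
            "all_unprivileged": all(p >= RESERVED_PORT_LIMIT for p in seen),
        }
    return report


if __name__ == "__main__":
    for (client, export), info in summarize_refusals(SAMPLE_LOG).items():
        print(f"{client} -> {export}: {info['count']} refusals, "
              f"ports {info['ports']}, all >= 1024: {info['all_unprivileged']}")
```

Run against /var/log/messages before and after enabling static port on the outbound NAT rule; the refusals for the affected client should stop appearing once the source port is preserved.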

Score:0

For me the problem was that the server did not support the older protocol version. You can either force a client to use another version like this:

mount -o vers=3 -t nfs 123:/

This applies to a standard Linux client, of course. If you cannot influence a client like this, check this post on how to add support for other protocol versions on the server side:

https://askubuntu.com/questions/974696/how-can-i-make-the-nfs-server-support-protocol-version-2-in-ubuntu-17-10
