The two rules are there because I tried to bind the floating rule to both the inside and the outside net, because I hoped that this would help.
I also tried it differently.
NFS is port 2049 (especially with NFSv4, everything runs over port 2049).
To the second poster: Yes, NFS is TCP (UDP may work but has not been recommended for a long, long time, and nobody uses UDP with NFS nowadays).
A stateful rule with NFS works as long as nothing goes wrong with the server.
Why do we need the stateless rule (or some other method to avoid dropped SYNs):
-> if a server fails (broken failover on a highly available server, a crashed single server, or an overloaded server because of too many clients
on too few NFSD threads)
we get clients which try to reconnect, but as NFS is a beast, they try for some reason from the same client socket as before, so
pfSense believes that the connection is already open (state ESTABLISHED) and drops the newly incoming SYN packets.
The client will never be able to reconnect to the server until somebody deletes the state at the pfSense firewall.
So we hoped to get around this (and maybe get better throughput by avoiding the state engine) with stateless rules.
But for reasons I do not understand, "state=NONE" does not work. So I'm in need of help.
Sincerely,
Klaus
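The stuck-state situation Klaus describes above (a client reconnecting to TCP/2049 from its old source port while pf still holds an ESTABLISHED state for that pair) can at least be diagnosed and cleared by hand from the pfSense shell. The script below is an added example, not code from the original post or from pfSense: it parses `pfctl -ss` style state lines, picks out TCP states whose server side is port 2049 and which are still ESTABLISHED, and prints the `pfctl -k <client> -k <server>` command that would remove each of them. The state lines it runs on are constructed sample data; the parser assumes the plain (non-NAT) line format that `pfctl -ss` prints on FreeBSD/pfSense, and the `NFS_PORT` variable is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): list pf states that still show
# an NFS (TCP/2049) connection as ESTABLISHED and print the pfctl commands
# that would remove them, so a client that reuses its old source port can
# complete a new handshake instead of having its SYN dropped.
# Assumes the non-NAT state line format of `pfctl -ss` on FreeBSD/pfSense:
#   <iface> <proto> <addr:port> <-|-> <addr:port>   <state>:<state>

# Constructed sample of `pfctl -ss` output: an inbound and an outbound NFS
# state, an unrelated SSH state, and a UDP portmapper state.
SAMPLE_STATES='all tcp 10.0.0.5:2049 <- 192.168.1.20:823       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:823 -> 10.0.0.5:2049       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:50123 -> 10.0.0.5:22       ESTABLISHED:ESTABLISHED
all udp 192.168.1.20:111 -> 10.0.0.5:111       MULTIPLE:MULTIPLE'

# stale_nfs_states: read state lines on stdin and print one "client server"
# pair per TCP state whose server-side port is $NFS_PORT (default 2049) and
# whose state is ESTABLISHED in both directions. With "<-" the left address
# is the server (inbound state); with "->" the left address is the client.
stale_nfs_states() {
    awk -v port="${NFS_PORT:-2049}" '
        $2 == "tcp" && $NF ~ /^ESTABLISHED:ESTABLISHED$/ {
            if ($4 == "<-")      { server = $3; client = $5 }
            else if ($4 == "->") { server = $5; client = $3 }
            else next
            split(server, s, ":")
            if (s[2] != port) next
            split(client, c, ":")
            pair = c[1] " " s[1]
            if (!(pair in seen)) { seen[pair] = 1; print pair }
        }'
}

# kill_commands: turn "client server" pairs into the pfctl invocation that
# removes every state from that client to that server. The commands are
# printed rather than executed so they can be reviewed first; pipe the
# output into sh on the firewall to apply them.
kill_commands() {
    while read -r client server; do
        echo "pfctl -k $client -k $server"
    done
}

# On a live pfSense box replace the printf with: pfctl -ss | stale_nfs_states
printf '%s\n' "$SAMPLE_STATES" | stale_nfs_states | kill_commands
```

On the constructed sample this prints a single `pfctl -k 192.168.1.20 -k 10.0.0.5`, because both NFS lines describe the same client/server pair and the SSH and UDP states are filtered out. Clearing the state this way is a manual workaround for the reconnect problem described in the post, not a replacement for a rule that avoids it.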