Netgate Discussion Forum
NAT of privileged ports

    3 Posts 2 Posters 1.7k Views
wuebbel:

I have a local network that is connected to the outside world via pfsense and NAT. I'm trying to mount an outside NFS share (Solaris server) from an inside Linux client. However, that fails since privileged outgoing ports are mapped to unprivileged ports by the NAT (server says "authentication too weak", since the request originates from an unprivileged port). When the client is connected directly to the outside network, it can connect without problems.

Is there an option in pfsense that maps privileged ports to privileged ports on outgoing NAT connections? In the Linux vmware vmplayer implementation of NAT, there are options "PriviledgedTCP" and "PriviledgedUDP", which do exactly that. Can this be implemented with pfsense? I've looked at the "static port" option, but I fear that this will break all connections that are made from different clients, same originating port, same server, same destination port?

      Best wishes, Frank

lp:

Static port is an option, but you're likely right to be afraid of it if the same target IP and source & target ports are used multiple times.
If this is an option for you, you can use Outbound NAT rules to NAT source ports to a specific distinct port for each of your clients (of course, this will only work if you have a list of known clients).

wuebbel:
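How the options discussed in this thread look in pf syntax (the packet filter pfSense generates its rules for), as an added example that is not part of the thread or of pfSense's own configuration. The interface name, the client addresses and the NFS server address are assumed placeholders. For pf `nat` rules the first matching rule wins, so the per-client rules are listed before the catch-all; the rules are written for the whole server rather than port 2049 only, because an NFSv3 mount also talks to rpcbind and mountd, which apply the same privileged-port check.

```pf
# Added example, not pfSense's generated rules. Placeholders: "em0" is the WAN
# interface, 192.168.1.0/24 the inside LAN, 203.0.113.20 the outside NFS server.
ext_if     = "em0"
lan_net    = "192.168.1.0/24"
nfs_server = "203.0.113.20"

# Per-client outbound NAT, as suggested in the reply: each known client gets its
# own disjoint slice of the privileged range (<1024). The server still sees a
# privileged source port, and two clients can never be translated to the same
# port, so their states cannot collide on the single WAN address.
nat on $ext_if inet from 192.168.1.10 to $nfs_server -> ($ext_if) port 600:699
nat on $ext_if inet from 192.168.1.11 to $nfs_server -> ($ext_if) port 700:799

# Alternative the original poster was worried about: "Static Port" in the GUI
# is pf's static-port, which keeps the client's source port unchanged. Fine for a
# single client, but two clients that both open source port 1023 to the same
# server port would need the identical WAN-side 4-tuple, and only one state can
# exist for it. Left commented out because it would shadow the rules above.
# nat on $ext_if inet from $lan_net to $nfs_server -> ($ext_if) static-port

# Default pfSense behaviour for everything else: rewrite the source port to a
# random high port. This is what turns a client's privileged port into an
# unprivileged one and makes the NFS server answer "authentication too weak".
nat on $ext_if inet from $lan_net to any -> ($ext_if) port 1024:65535
```

The per-client approach keeps the default source-port randomization for all other traffic and only relaxes it for the one server that insists on privileged ports; the catch-all rule must stay last, since it would otherwise match the NFS traffic first. Its limitation is the one the reply notes: every client needs its own rule, so it only scales to a known, enumerated set of clients.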

          Thanks for your comment.

Yes, host-based ports would probably do the job, although I'm not completely sure: if there are multiple connections from one inside client to various shares on the same outside server, they should be mapped to different originating ports, I believe, and I wouldn't know how to handle that.

Anyway, all that requires much more insight into IP than I have. After some research, it turned out that most of the shares I need are also exported as samba shares, so I use that instead of NFS now, and it's working reasonably well.

However, I believe that this is quite a common problem (since VMware has the simple options for it). It would be great to see a better solution than moving to a Windows implementation.

          Thanks, Frank

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.