NAT of privileged ports



  • I have a local network that is connected to the outside world via pfSense and NAT. I'm trying to mount an outside NFS share (Solaris server) from an inside Linux client. However, that fails since privileged outgoing ports are mapped to unprivileged ports by the NAT (the server says "authentication too weak", since the request originates from an unprivileged port). When the client is connected directly to the outside network, it can connect without problems.

    Is there an option in pfSense that maps privileged ports to privileged ports on outgoing NAT connections? In the Linux VMware vmplayer implementation of NAT, there are options "PrivilegedTCP" and "PrivilegedUDP", which do exactly that. Can this be implemented with pfSense? I've looked at the "static port" option, but I fear that this will break all connections that are made from different clients with the same originating port to the same server and the same destination port?

    Best wishes, Frank



  • Static port is an option, but you're likely right to be afraid of it if the same target IP and the same source and target ports are used multiple times.
    If this is an option for you, you can use Outbound NAT rules to NAT source ports to a specific distinct port for each of your clients (of course, this will only work if you have a list of known clients).
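The trade-off discussed in this reply, as an added example that is not part of the thread and not pfSense's own code: a toy model of an outbound NAT state table that compares the three strategies mentioned above. Random high-port translation (pf's default) keeps flows distinct but fails the server's "source port < 1024" check; "static port" satisfies the check but collides as soon as two inside clients use the same source port towards the same server and destination port; a fixed, distinct privileged port range per known client does both. Addresses, the client list and the port ranges are constructed for the example.

```python
import random
from dataclasses import dataclass, field

NFS_PORT = 2049
PRIVILEGED_MAX = 1023                 # ports 0-1023 are what the server treats as "secure"
NFS_SERVER = "198.51.100.5"           # constructed outside Solaris server
CLIENTS = ("192.168.1.10", "192.168.1.11")   # constructed inside Linux clients


def nfs_server_accepts(src_port):
    """The check the Solaris server applies: reject requests from unprivileged ports."""
    return src_port <= PRIVILEGED_MAX


@dataclass
class Nat:
    """Minimal NAT state table keyed by the translated (nat_port, dst, dst_port) tuple."""
    policy: str                                   # "random" | "static" | "per-client"
    client_ranges: dict = field(default_factory=dict)  # per-client: ip -> (lo, hi)
    table: dict = field(default_factory=dict)     # (nat_port, dst, dport) -> (client, sport)

    def translate(self, client, sport, dst, dport):
        """Pick the NAT source port for a new flow; None if no free port (collision)."""
        if self.policy == "static":
            candidates = [sport]                 # keep the client's port unchanged
        elif self.policy == "random":
            candidates = [random.randint(1024, 65535)]   # pf default: high ports
        elif self.policy == "per-client":
            lo, hi = self.client_ranges[client]  # distinct privileged range per client
            candidates = range(lo, hi + 1)
        else:
            raise ValueError(self.policy)
        for p in candidates:
            key = (p, dst, dport)
            if key not in self.table:            # return traffic must map to one client
                self.table[key] = (client, sport)
                return p
        return None                              # modelled as a failed state creation


def scenario(policy, ranges=None):
    """Two clients each open two mounts to the same server from ports 1023 and 1022.

    Returns a list of (client, sport, nat_port, accepted_by_server)."""
    nat = Nat(policy, ranges or {})
    results = []
    for client in CLIENTS:
        for sport in (1023, 1022):
            p = nat.translate(client, sport, NFS_SERVER, NFS_PORT)
            results.append((client, sport, p, p is not None and nfs_server_accepts(p)))
    return results


if __name__ == "__main__":
    per_client = {CLIENTS[0]: (600, 609), CLIENTS[1]: (610, 619)}
    for policy, ranges in (("random", None), ("static", None), ("per-client", per_client)):
        print(policy)
        for row in scenario(policy, ranges):
            print("  ", row)
```

In pf's own configuration language the per-client variant is a `nat` rule whose translation side carries a port range, of the form `-> ($ext_if) port 600:609` per client, versus `static-port` for the second variant (pf.conf(5) syntax; how pfSense's Outbound NAT page exposes these fields is not verified here).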



  • Thanks for your comment.

    Yes, host-based ports would probably do the job, although I'm not completely sure: if there are multiple connections from one inside client to various shares on the same outside server, they should be mapped to different originating ports, I believe, and I wouldn't know how to handle that.

    Anyway, all that requires much more insight into IP than I have. After some research, it turned out that most of the shares I need are also exported as Samba shares; I use that instead of NFS now, and it's working reasonably well.

    However, I believe that this is quite a common problem (since VMware has the simple options for it). It would be great to see a better solution than moving to a Windows implementation.

    Thanks, Frank

