Secure NFS v4 & NAT Router



  • hi:

    I am having difficulty making my NFS client mount a directory from the NFS server.
    Here is the summary of my setup:

    NFS Server:  CentOS 6.5 virtual machine, connected to the pfsense WAN interface
    pfSense: pfsense virtual machine
    NFS Client: CentOS 6.5 virtual machine, connected to  the pfSense LAN interface

    Use case 1:
    I am using NFS version 4 and here is my /etc/exports:

    /home/test *(ro,secure,no_root_squash)

    Whenever I try to mount /home/test from the NFS client, I keep getting the following error:
    mount.nfs: Operation not permitted

    and in /var/log/messages on the NFS client I get the following messages:

    Jun  9 13:22:48 centos65-3 kernel: --> nfs_get_client() = ffff88007ced5400 [new]
    Jun  9 13:22:48 centos65-3 kernel: <-- nfs4_set_client() = 0 [new ffff88007ced5400]
    Jun  9 13:22:48 centos65-3 kernel: <– nfs4_init_server() = 0
    Jun  9 13:22:48 centos65-3 kernel: --> nfs4_get_rootfh()
    Jun  9 13:22:48 centos65-3 kernel: encode_compound: tag=
    Jun  9 13:22:48 centos65-3 kernel: decode_getfattr_generic: xdr returned 1
    Jun  9 13:22:48 centos65-3 kernel: nfs4_get_rootfh: getroot error = 1
    Jun  9 13:22:48 centos65-3 kernel: <-- nfs4_get_rootfh() = -1
    Jun  9 13:22:48 centos65-3 kernel: --> nfs_free_server()
    Jun  9 13:22:48 centos65-3 kernel: --> nfs_put_client({1})
    Jun  9 13:22:48 centos65-3 kernel: --> nfs_free_client(4)
    Jun  9 13:22:48 centos65-3 kernel: NFS: releasing client cookie (0xffff88007ced5400/0xffff88007b59f5f0)
    Jun  9 13:22:48 centos65-3 kernel: <-- nfs_free_client()
    Jun  9 13:22:48 centos65-3 kernel: <-- nfs_free_server()
    Jun  9 13:22:48 centos65-3 kernel: <-- nfs4_create_server() = error -1
    Jun  9 13:22:48 centos65-3 kernel: <-- nfs4_try_mount() = -1 [error]

    Here is my pfSense setup. I setup a NAT so that all TCP/UDP traffic coming to any ports
    on the WAN interface (from port# 1 to port# 65535 except port# 443 for the
    pfsense webui) will be forwarded to the IP address of my NFS client.

    Use Case 2:
    Here is another interesting observation.  Everything works fine if I move the
    NFS client to the same subnet as my NFS server.  In other words, it works fine if I do NOT use
    pfSense.

    Use Case 3:
    I did a further experiment. Using the same setting, the NFS client is able to mount the same
    directory if I change my /etc/exports specification and switch from secure
    to insecure.  Here is how my updated /etc/exports looks now:

    /home/test *(ro,insecure,no_root_squash)

    Also, if I switch from NFS version 3 to NFS version 4 and try to do the same
    in "secure" mode, I get the following error:

    mount.nfs: access denied by server while mounting 10.158.5.15:/home/test

    And here is the message in /var/log/messages on the NFS client:

    Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'addr=10.158.5.15'
    Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'vers=3'
    Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'proto=tcp'
    Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'mountvers=3'
    Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'mountproto=udp'
    Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'mountport=892'
    Jun  9 13:48:26 centos65-3 kernel: NFS: MNTPATH: '/home/test'
    Jun  9 13:48:26 centos65-3 kernel: NFS: sending MNT request for 10.158.5.15:/home/test
    Jun  9 13:48:26 centos65-3 kernel: NFS: MNT server returned result -13
    Jun  9 13:48:26 centos65-3 kernel: NFS: unable to mount server 10.158.5.15, error -13

    Use Case 4:
    Even with NFS version 3, if I switch from "secure" to "insecure", everything works fine again.

    In summary, I am not able to setup "secure" NFS server with pfSense.

    Any idea what I did wrong?

    Thanks
    Jim



  • @sjim:

    Here is my pfSense setup. I setup a NAT so that all TCP/UDP traffic coming to any ports
    on the WAN interface (from port# 1 to port# 65535 except port# 443 for the
    pfsense webui) will be forwarded to the IP address of my NFS client.

    AFAIK the only difference between the secure and insecure option on NFS is that the server will only accept mount requests from the client if they come from a port less than 1024. I suspect that you may not be using 1:1 NAT and so pfSense is choosing its own source port for the translated request from the client. One solution would be to use 1:1 NAT since you are already mapping all the ports anyway. You would need to create a special port forward if you need 443 to point to pfSense (by default it should be processed before the 1:1 NAT [1]).

    Another option would be to create a special case NAT rule for just the NFS client to server request using the Translation: Static-port [2] option.

    [1] https://doc.pfsense.org/index.php/Do_NAT_port_forwards_override_1:1_NAT
    [2] https://doc.pfsense.org/index.php/Static_Port
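The reply above comes down to one rule: a `secure` export (the exportfs default) only honours requests whose source port is below 1024, and an outbound NAT that rewrites the source port to an ephemeral one breaks that rule even though the client itself bound a privileged port. The following script is an added example, not code from this thread or from pfSense or nfs-utils. It parses the two `/etc/exports` lines from the original post, applies the privileged-port check, and runs the four use cases plus the proposed Static-port fix through a deliberately simplified NAT model. The client source port 871 and the ephemeral port 32768 chosen by the "NAT" are constructed values, not anything observed on the poster's system.

```python
"""Model of the NFS 'secure' export check behind a source-port-rewriting NAT.

Added example for the thread above; the exports parser and NAT model are
simplified stand-ins, not nfs-utils or pfSense code. The 1024 threshold is
IPPORT_RESERVED, which is what the 'secure' export option enforces.
"""
import re
from dataclasses import dataclass

IPPORT_RESERVED = 1024  # 'secure' exports require source port < 1024

# Constructed inputs: the two exports lines from the original post.
EXPORTS_SECURE = "/home/test *(ro,secure,no_root_squash)"
EXPORTS_INSECURE = "/home/test *(ro,insecure,no_root_squash)"
CLIENT_SRC_PORT = 871     # assumed: a privileged port, as mount.nfs would bind
NAT_EPHEMERAL_PORT = 32768  # assumed: what a port-rewriting NAT picks instead


@dataclass(frozen=True)
class Export:
    path: str
    client: str
    options: frozenset


def parse_exports_line(line: str) -> Export:
    """Parse one '/path client(opt,opt,...)' entry; comments and multi-client
    lines are out of scope for this illustration."""
    m = re.match(r"^\s*(\S+)\s+([^\s(]+)\(([^)]*)\)\s*$", line)
    if not m:
        raise ValueError(f"unrecognised exports line: {line!r}")
    path, client, opts = m.groups()
    options = frozenset(o.strip() for o in opts.split(",") if o.strip())
    return Export(path, client, options)


def export_is_secure(exp: Export) -> bool:
    """'secure' is the default; only an explicit 'insecure' disables the check."""
    return "insecure" not in exp.options


def server_accepts(exp: Export, src_port: int) -> bool:
    """The privileged-port test the server applies to the request it sees."""
    if export_is_secure(exp):
        return src_port < IPPORT_RESERVED
    return True


def nat_translate(src_port: int, static_port: bool) -> int:
    """Outbound NAT: Static-port preserves the client's source port, the
    default behaviour substitutes an ephemeral one (deterministic here)."""
    return src_port if static_port else NAT_EPHEMERAL_PORT


def mount_attempt(exports_line: str, client_src_port: int,
                  nat: bool, static_port: bool = False) -> bool:
    """True if the server would accept the mount, given the path the request takes."""
    exp = parse_exports_line(exports_line)
    port_seen_by_server = (nat_translate(client_src_port, static_port)
                           if nat else client_src_port)
    return server_accepts(exp, port_seen_by_server)


def run_thread_scenarios() -> dict:
    """The poster's four use cases plus the reply's Static-port fix."""
    return {
        "uc1_secure_through_nat": mount_attempt(EXPORTS_SECURE, CLIENT_SRC_PORT, nat=True),
        "uc2_secure_same_subnet": mount_attempt(EXPORTS_SECURE, CLIENT_SRC_PORT, nat=False),
        "uc3_insecure_through_nat": mount_attempt(EXPORTS_INSECURE, CLIENT_SRC_PORT, nat=True),
        "uc4_insecure_v3_through_nat": mount_attempt(EXPORTS_INSECURE, CLIENT_SRC_PORT, nat=True),
        "fix_secure_static_port_nat": mount_attempt(EXPORTS_SECURE, CLIENT_SRC_PORT,
                                                    nat=True, static_port=True),
    }


if __name__ == "__main__":
    for name, accepted in run_thread_scenarios().items():
        print(f"{name:32s} {'mount OK' if accepted else 'refused'}")
```

The model shows why the NFS version made no difference in the thread: the check happens on the source port of whatever request reaches the server (MNT for v3, the root filehandle lookup for v4), so anything that rewrites that port fails identically. To confirm the diagnosis on a real setup, capture on the pfSense WAN interface and look at the source port of the client's outbound 2049/tcp SYN: with default outbound NAT it is an ephemeral port, with Static-port it is the client's privileged port.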

