Secure NFS v4 & NAT Router
-
hi:
I am having difficulty to make my NFS client mount a directory from NFS server.
Here is the summary of my setup:
NFS Server: CentOS 6.5 virtual machine, connected to the pfsense WAN interface
pfSense: pfsense virtual machine
NFS Client: CentOS 6.5 virtual machine, connected to the pfSense LAN interface

Use case 1:
I am using NFS version 4 and here is my /etc/exports:
/home/test *(ro,secure,no_root_squash)
Whenever I try to mount /home/test from the NFS client, I keep getting the following error:
mount.nfs: Operation not permitted
and in the /var/log/messages of the NFS client, I get the following messages:
Jun 9 13:22:48 centos65-3 kernel: --> nfs_get_client() = ffff88007ced5400 [new]
Jun 9 13:22:48 centos65-3 kernel: <-- nfs4_set_client() = 0 [new ffff88007ced5400]
Jun 9 13:22:48 centos65-3 kernel: <– nfs4_init_server() = 0
Jun 9 13:22:48 centos65-3 kernel: --> nfs4_get_rootfh()
Jun 9 13:22:48 centos65-3 kernel: encode_compound: tag=
Jun 9 13:22:48 centos65-3 kernel: decode_getfattr_generic: xdr returned 1
Jun 9 13:22:48 centos65-3 kernel: nfs4_get_rootfh: getroot error = 1
Jun 9 13:22:48 centos65-3 kernel: <-- nfs4_get_rootfh() = -1
Jun 9 13:22:48 centos65-3 kernel: --> nfs_free_server()
Jun 9 13:22:48 centos65-3 kernel: --> nfs_put_client({1})
Jun 9 13:22:48 centos65-3 kernel: --> nfs_free_client(4)
Jun 9 13:22:48 centos65-3 kernel: NFS: releasing client cookie (0xffff88007ced5400/0xffff88007b59f5f0)
Jun 9 13:22:48 centos65-3 kernel: <-- nfs_free_client()
Jun 9 13:22:48 centos65-3 kernel: <-- nfs_free_server()
Jun 9 13:22:48 centos65-3 kernel: <-- nfs4_create_server() = error -1
Jun 9 13:22:48 centos65-3 kernel: <-- nfs4_try_mount() = -1 [error]

Here is my pfSense setup. I set up a NAT so that all TCP/UDP traffic coming to any ports
on the WAN interface (from port# 1 to port# 65535 except port# 443 for the
pfsense webui) will be forwarded to the IP address of my NFS client.

Use Case 2:
Here is another interesting observation. Everything works fine if I move the
NFS client to the same subnet as my NFS server. In other words, it works fine if I do NOT use
pfSense.

Use Case 3:
I did a further experiment. Using the same setting, the NFS client is able to mount the same
directory if I change my /etc/exports specification and switch from secure
to insecure. Here is how my updated /etc/exports looks now:
/home/test *(ro,insecure,no_root_squash)
Also, if I switch from NFS version 3 to NFS version 4 and try to do the same
in "secure" mode, I get the following error:
mount.nfs: access denied by server while mounting 10.158.5.15:/home/test
And here is the message in the /var/log/messages of NFS client
Jun 9 13:48:26 centos65-3 kernel: NFS: parsing nfs mount option 'addr=10.158.5.15'
Jun 9 13:48:26 centos65-3 kernel: NFS: parsing nfs mount option 'vers=3'
Jun 9 13:48:26 centos65-3 kernel: NFS: parsing nfs mount option 'proto=tcp'
Jun 9 13:48:26 centos65-3 kernel: NFS: parsing nfs mount option 'mountvers=3'
Jun 9 13:48:26 centos65-3 kernel: NFS: parsing nfs mount option 'mountproto=udp'
Jun 9 13:48:26 centos65-3 kernel: NFS: parsing nfs mount option 'mountport=892'
Jun 9 13:48:26 centos65-3 kernel: NFS: MNTPATH: '/home/test'
Jun 9 13:48:26 centos65-3 kernel: NFS: sending MNT request for 10.158.5.15:/home/test
Jun 9 13:48:26 centos65-3 kernel: NFS: MNT server returned result -13
Jun 9 13:48:26 centos65-3 kernel: NFS: unable to mount server 10.158.5.15, error -13

Use Case 4:
Even with NFS version 3, if I switch from "secure" to "insecure", everything works fine again.

In summary, I am not able to set up a "secure" NFS server with pfSense.
Any idea what I did wrong?
Thanks
Jim -
Here is my pfSense setup. I set up a NAT so that all TCP/UDP traffic coming to any ports
on the WAN interface (from port# 1 to port# 65535 except port# 443 for the
pfsense webui) will be forwarded to the IP address of my NFS client.

AFAIK the only difference between the secure and insecure option on NFS is that the server will only accept mount requests from the client if they come from a port less than 1024. I suspect that you may not be using 1:1 NAT and so pfSense is choosing its own source port for the translated request from the client. One solution would be to use 1:1 NAT since you are already mapping all the ports anyway. You would need to create a special port forward if you need 443 to point to pfSense (by default it should be processed before the 1:1 NAT [1]).
Another option would be to create a special case NAT rule for just the NFS client to server request using the Translation: Static-port [2] option.
[1] https://doc.pfsense.org/index.php/Do_NAT_port_forwards_override_1:1_NAT
[2] https://doc.pfsense.org/index.php/Static_Port
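As an added illustration (not code from this thread, pfSense or nfsd), here is a small Python script that parses exports(5) lines and applies the rule described in the reply above: with secure (nfsd's default when neither option is given) the server accepts a request only if its source port, as seen after any NAT translation, is below 1024. The sample exports and port numbers are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample /etc/exports, modelled on the lines quoted in the thread.
SAMPLE_EXPORTS = """\
# nfsd treats 'secure' as the default when neither option is given
/home/test  *(ro,secure,no_root_squash)
/home/test2 *(ro,insecure,no_root_squash)
/srv/data   10.0.0.0/24(rw,no_root_squash) 192.168.1.5(ro,insecure)
"""

CLIENT_RE = re.compile(r"^(\S+?)(?:\((.*)\))?$")   # host(opt,opt) or bare host

@dataclass
class Export:
    path: str
    client: str
    options: list = field(default_factory=list)

    def requires_privileged_port(self) -> bool:
        # Default is 'secure'; if both options appear, the last one listed wins.
        setting = "secure"
        for opt in self.options:
            if opt in ("secure", "insecure"):
                setting = opt
        return setting == "secure"

def parse_exports(text: str) -> list:
    """Parse exports(5) lines of the form '/path host(opts) host2(opts)'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                raise ValueError(f"unparsed client spec {spec!r} on line {raw!r}")
            host, opts = m.group(1), m.group(2) or ""
            exports.append(Export(path, host, [o for o in opts.split(",") if o]))
    return exports

def mount_allowed(export: Export, src_port: int) -> bool:
    """The 'secure' check: the request's source port must be below 1024.
    Behind a NAT, pass the *translated* port the server sees, not the client's
    original one (1:1 NAT or static-port keeps it; plain outbound NAT may not)."""
    if not 0 < src_port < 65536:
        raise ValueError(f"port out of range: {src_port}")
    return src_port < 1024 or not export.requires_privileged_port()
```

Calling mount_allowed(e, 1009) versus mount_allowed(e, 54321) on the secure export reproduces the thread's symptom: the reserved source port passes, the NAT-rewritten one is refused.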