Netgate Discussion Forum

    Secure NFS v4 & NAT Router

      sjim

      Hi:

      I am having difficulty making my NFS client mount a directory from the NFS server.
      Here is the summary of my setup:

      NFS Server: CentOS 6.5 virtual machine, connected to the pfSense WAN interface
      pfSense: pfSense virtual machine
      NFS Client: CentOS 6.5 virtual machine, connected to the pfSense LAN interface

      Use Case 1:
      I am using NFS version 4 and here is my /etc/exports:

      /home/test *(ro,secure,no_root_squash)

      Whenever I try to mount /home/test from the NFS client, I keep getting the following error:
      mount.nfs: Operation not permitted

      and in /var/log/messages on the NFS client, I got the following messages:

      Jun  9 13:22:48 centos65-3 kernel: --> nfs_get_client() = ffff88007ced5400 [new]
      Jun  9 13:22:48 centos65-3 kernel: <-- nfs4_set_client() = 0 [new ffff88007ced5400]
      Jun  9 13:22:48 centos65-3 kernel: <-- nfs4_init_server() = 0
      Jun  9 13:22:48 centos65-3 kernel: --> nfs4_get_rootfh()
      Jun  9 13:22:48 centos65-3 kernel: encode_compound: tag=
      Jun  9 13:22:48 centos65-3 kernel: decode_getfattr_generic: xdr returned 1
      Jun  9 13:22:48 centos65-3 kernel: nfs4_get_rootfh: getroot error = 1
      Jun  9 13:22:48 centos65-3 kernel: <-- nfs4_get_rootfh() = -1
      Jun  9 13:22:48 centos65-3 kernel: --> nfs_free_server()
      Jun  9 13:22:48 centos65-3 kernel: --> nfs_put_client({1})
      Jun  9 13:22:48 centos65-3 kernel: --> nfs_free_client(4)
      Jun  9 13:22:48 centos65-3 kernel: NFS: releasing client cookie (0xffff88007ced5400/0xffff88007b59f5f0)
      Jun  9 13:22:48 centos65-3 kernel: <-- nfs_free_client()
      Jun  9 13:22:48 centos65-3 kernel: <-- nfs_free_server()
      Jun  9 13:22:48 centos65-3 kernel: <-- nfs4_create_server() = error -1
      Jun  9 13:22:48 centos65-3 kernel: <-- nfs4_try_mount() = -1 [error]

      Here is my pfSense setup. I set up a NAT so that all TCP/UDP traffic coming to any ports
      on the WAN interface (from port# 1 to port# 65535 except port# 443 for the
      pfSense webui) will be forwarded to the IP address of my NFS client.

      Use Case 2:
      Here is another interesting observation. Everything works fine if I move the
      NFS client to the same subnet as my NFS server. In other words, it works fine if I do NOT use
      pfSense.

      Use Case 3:
      I did a further experiment. Using the same setting, the NFS client is able to mount the same
      directory if I change my /etc/exports specification and switch from secure
      to insecure. Here is how my updated /etc/exports looks now:

      /home/test *(ro,insecure,no_root_squash)

      Also, if I switch from NFS version 3 to NFS version 4 and try to do the same
      in "secure" mode, I get the following error:

      mount.nfs: access denied by server while mounting 10.158.5.15:/home/test

      And here is the message in /var/log/messages on the NFS client:

      Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'addr=10.158.5.15'
      Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'vers=3'
      Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'proto=tcp'
      Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'mountvers=3'
      Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'mountproto=udp'
      Jun  9 13:48:26 centos65-3 kernel: NFS:  parsing nfs mount option 'mountport=892'
      Jun  9 13:48:26 centos65-3 kernel: NFS: MNTPATH: '/home/test'
      Jun  9 13:48:26 centos65-3 kernel: NFS: sending MNT request for 10.158.5.15:/home/test
      Jun  9 13:48:26 centos65-3 kernel: NFS: MNT server returned result -13
      Jun  9 13:48:26 centos65-3 kernel: NFS: unable to mount server 10.158.5.15, error -13

      Use Case 4:
      Even with NFS version 3, if I switch from "secure" to "insecure", everything works fine again.

      In summary, I am not able to set up a "secure" NFS server with pfSense.

      Any idea what I did wrong?

      Thanks
      Jim

        MindfulCoyote

        @sjim:

        Here is my pfSense setup. I set up a NAT so that all TCP/UDP traffic coming to any ports
        on the WAN interface (from port# 1 to port# 65535 except port# 443 for the
        pfSense webui) will be forwarded to the IP address of my NFS client.

        AFAIK the only difference between the secure and insecure option on NFS is that the server will only accept mount requests from the client if they come from a port less than 1024. I suspect that you may not be using 1:1 NAT and so pfSense is choosing its own source port for the translated request from the client. One solution would be to use 1:1 NAT since you are already mapping all the ports anyway. You would need to create a special port forward if you need 443 to point to pfSense (by default it should be processed before the 1:1 NAT [1]).

        Another option would be to create a special case NAT rule for just the NFS client to server request using the Translation: Static-port [2] option.

        [1] https://doc.pfsense.org/index.php/Do_NAT_port_forwards_override_1:1_NAT
        [2] https://doc.pfsense.org/index.php/Static_Port

        Err

        –
        Erreu Gedmon

        Firewalls are hard...
        but the book makes it easier: https://portal.pfsense.org/book/
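
Added example, not part of either post and not pfSense or NFS code: a small probe for checking the reply's diagnosis, in which the client reports the source port it bound and the listener compares it with the port it actually sees after any NAT in the path. The function names, the one-line text protocol and the loopback self-test are assumptions made for this sketch.

```python
import socket
import threading

RESERVED_LIMIT = 1024  # per the reply: "secure" accepts only source ports below this


def observe_one(listener):
    """Server side: accept one probe and compare claimed vs. observed source port."""
    conn, (peer_ip, seen_port) = listener.accept()
    with conn:
        claimed_port = int(conn.makefile("r").readline())
    return {
        "peer": peer_ip,
        "claimed": claimed_port,              # port the client bound locally
        "seen": seen_port,                    # port after any NAT in the path
        "rewritten": claimed_port != seen_port,
        "secure_ok": seen_port < RESERVED_LIMIT,
    }


def send_probe(server_ip, server_port, local_port=0):
    """Client side: bind local_port (below 1024 needs root) and report it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        # Allow repeated probes from the same fixed port while it is in TIME_WAIT.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", local_port))
        s.connect((server_ip, server_port))
        bound = s.getsockname()[1]
        s.sendall(f"{bound}\n".encode())
        return bound


def loopback_demo():
    """Constructed self-test on 127.0.0.1: no NAT, unprivileged ports only."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        result = {}
        t = threading.Thread(target=lambda: result.update(observe_one(listener)))
        t.start()
        send_probe("127.0.0.1", listener.getsockname()[1])
        t.join()
    return result


if __name__ == "__main__":
    print(loopback_demo())
```

Across the firewall, run `observe_one` on a listening socket on the server side and `send_probe(server_ip, port, local_port=1000)` as root on the client. A result with `rewritten: True` and `secure_ok: False` is the pattern the reply attributes to NAT without 1:1 mapping or static port.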
