Allow NFS Between VLANs

I have a media file server in VLAN10 and a media player in VLAN30. VLAN30 is considered insecure and I block all traffic between it and other VLANs, but I would like to make an exception so the media players there can stream music and video files using NFS from the server in VLAN10. I created the following firewall rule:

config rule
	option target 'ACCEPT'
	option src 'zone0_30'
	option family 'ipv4'
	option dest_ip '10.0.10.13'
	option proto 'tcp udp'
	option dest_port '111 2049 32777:32780'
	option name 'Allow NFS from VLAN30 to Vault Server'
	option dest 'zone0_10'

using NFS port info I found online. But it doesn't work: the media player on VLAN30 cannot see the server on VLAN10 at 10.0.10.13. Any ideas gratefully appreciated.

I am not sure you can have a rule like this with multiple destination ports.
Do a fw3 restart and verify that there is no error (at the top).
Then verify the rule is indeed there: iptables-save -c -t filter | grep 10.0.10.13

2 Likes

I restarted fw3 and the rule is in iptables. The only error is "Unable to locate ipset utility, disabling ipset support" but I don't even know what ipset is....

You have to install ipset (and kmod-ipt-ipset if not selected automatically).

@pwned : ipset is not connected to @k9bm's problem.
Could you post the output of the second command?

2 Likes
root@OpenWrt:~# iptables-save -c -t filter | grep 10.0.10.13
[0:0] -A zone_zone0_30_forward -d 10.0.10.13/32 -m comment --comment "!fw3: Allow NFS from VLAN30 to Vault Server" -j zone_zone0_10_dest_ACCEPT

Looks like everything is allowed towards this server, but no hits (the 0:0 in the beginning), so nothing actually tried to connect to it.

1 Like

I got it to work by "allow forward to destination zone 0_10" (VLAN10) in the general zone section, but of course now everything in VLAN30 has full access to VLAN10 which is NOT what I want.

So my question is: What is the proper structure of this? Should I start by closing everything off from VLAN30 to VLAN10 (like I had it) and then make an exception rule to allow NFS (which I tried unsuccessfully to do)? OR, open up traffic from VLAN30 to VLAN10 (which I just did as an experiment) and then try to build some kind of rule to block all traffic from VLAN30 to VLAN10 except for the desired NFS streaming from the media server?

Port 111 is used by portmap, and 2049 by NFS. But the other ports are not well known. Portmap allows RPC services to use ephemeral ports instead of well-known ports, for example rpc.statd and rpc.mountd, which are used by NFS; you probably should explicitly configure them to use certain ports, ports that you can then open in the firewall. But other NFS services may be used as well. You can use rpcinfo -p on the client or server to list all RPC services.

1 Like

Thanks. I ran the rpcinfo -p command and found the following ports in use by the NFS server: 111, 977-979, and 2049. I added ports 977-979 to my firewall rule, but the media player on VLAN30 still cannot connect to the media server on VLAN10:

config rule
	option target 'ACCEPT'
	option src 'zone0_30'
	option family 'ipv4'
	option dest_ip '10.0.10.13'
	option proto 'tcp udp'
	option dest_port '111 977-979 2049'
	option name 'Allow NFS from VLAN30 to Vault Server'
	option dest 'zone0_10'

What am I missing? There MUST be a way to allow NFS through the firewall from VLAN30 to the NFS server on VLAN10, something simple or obvious that I'm overlooking....

I actually started this project a year ago and had to put it aside for the winter. It seems so simple, but I have been unable to deploy my OpenWRT router for lack of this basic understanding of its firewall rules. I would like to offer $100 via Paypal to anyone who can make a rule(s) to allow the function, and explain it to me. I am totally serious, paid in advance with the Friends and Family option so you get the full $100. Please, can anyone help? Feel free to PM if interested....

What kind of NFS server is it? Included within a NAS or similar? Usually you have ports: 111, 2049 and an RPCMOUNTD port (not a range). This RPC port is usually not fixed.
You can fix this port, e.g. on a Linux server, in:

/etc/default/nfs-kernel-server

add (or complete, if exists already) the line:

RPCMOUNTDOPTS="--port 20048"

Then allow this port on firewall also. NFSv4 would only need port 2049. There is no portmapper anymore. So this applies to v3 and v2 only.
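The two replies above (the rpcinfo -p hint and the fixed-port advice) amount to a procedure: list the RPC services the server registers, pick the ones an NFSv2/v3 client actually touches, and turn those ports into an fw3 rule. The script below is an added example, not posted by anyone in this thread and not taken from OpenWrt or FreeNAS; the rpcinfo -p output is constructed to resemble a v3 server whose mountd, nlockmgr and statd landed on ephemeral ports, and the zone names and server address are reused from the question only as parameters.

```sh
#!/bin/sh
# Added example: derive an fw3 'config rule' from `rpcinfo -p` output.
# SAMPLE_RPCINFO is constructed, not captured from the poster's server; the
# program numbers (100000, 100003, 100005, 100021, 100024, 100011) are the
# standard RPC assignments, the ephemeral ports are made up.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp    977  mountd
    100005    3   tcp    978  mountd
    100021    1   udp    979  nlockmgr
    100021    4   tcp    979  nlockmgr
    100024    1   udp  32777  status
    100024    1   tcp  32778  status
    100011    1   udp    875  rquotad'

# nfs_ports PROTO < rpcinfo-output
# Prints the distinct ports (numerically sorted, space separated) that an
# NFSv2/v3 client needs for PROTO: portmapper, nfs, mountd, nlockmgr, status.
# rquotad is left out on purpose: a read-only media client never asks for quotas.
nfs_ports() {
    awk -v proto="$1" '
        NR > 1 && $3 == proto &&
        ($5 == "portmapper" || $5 == "nfs" || $5 == "mountd" ||
         $5 == "nlockmgr" || $5 == "status") { print $4 }
    ' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# fw3_rule NAME SRC_ZONE DEST_ZONE DEST_IP < rpcinfo-output
# Emits one rule per protocol instead of proto 'tcp udp', because tcp and udp
# registrations of the same service often sit on different ephemeral ports and
# a single combined list would open ports that only one protocol uses.
fw3_rule() {
    name="$1"; src="$2"; dst="$3"; ip="$4"
    tmp=$(mktemp)
    cat > "$tmp"
    for proto in tcp udp; do
        ports=$(nfs_ports "$proto" < "$tmp")
        [ -n "$ports" ] || continue
        printf "config rule\n"
        printf "\toption name '%s (%s)'\n" "$name" "$proto"
        printf "\toption src '%s'\n" "$src"
        printf "\toption dest '%s'\n" "$dst"
        printf "\toption dest_ip '%s'\n" "$ip"
        printf "\toption proto '%s'\n" "$proto"
        printf "\toption dest_port '%s'\n" "$ports"
        printf "\toption target 'ACCEPT'\n\n"
    done
    rm -f "$tmp"
}

# Against a real server you would pipe `rpcinfo -p 10.0.10.13` in instead of
# the sample and append the output to /etc/config/firewall.
printf '%s\n' "$SAMPLE_RPCINFO" |
    fw3_rule 'Allow NFS from VLAN30 to Vault Server' zone0_30 zone0_10 10.0.10.13
```

Two caveats follow from the replies the example illustrates: the ephemeral ports this produces are only stable if mountd, statd and lockd are pinned on the server (the RPCMOUNTDOPTS="--port ..." setting above, or the NAS equivalent), and if the client can be forced to NFSv4 the whole list collapses to tcp/2049, since v4 has no portmapper, mountd or separate lock manager.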

The server is a FreeNAS box running the latest release. It has 2 Ethernet ports, one of which is the 10.0.10.13 address in my rule. It seems that my rule may actually be working, but for some reason the media player in VLAN30 (which is an Android box running Kodi) takes a LONG time to connect to the share--somewhere in the 2-3 minute range. It's such a long connection time I thought the rule wasn't working! But obviously something is still wrong, and I need to figure out a strategy of troubleshooting why Kodi is taking a few minutes to connect to the NFS share....

Log the traffic between the VLAN30 and VLAN10:

cat << "EOF" > /etc/firewall.logger
iptables -I forwarding_rule \
-i "$(fw3 -q zone zone0_30 | sed -n -e 1p)" \
-o "$(fw3 -q zone zone0_10 | sed -n -e 1p)" \
-j LOG --log-prefix "firewall-log:"
EOF
uci -q delete firewall.logger
uci set firewall.logger="include"
uci set firewall.logger.path="/etc/firewall.logger"
uci -q delete firewall.fwd_30_10
uci set firewall.fwd_30_10="forwarding"
uci set firewall.fwd_30_10.src="zone0_30"
uci set firewall.fwd_30_10.dest="zone0_10"
uci commit firewall
/etc/init.d/firewall restart
logread -f -e firewall-log
2 Likes
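Once the LOG rule above is in place, the useful question is which destination ports the Kodi box actually tries and whether the ACCEPT rule covers each of them; a port that shows repeated attempts but is missing from dest_port is a likely cause of a slow connect. The following is an added example, not part of the thread and not OpenWrt code: it summarises constructed logread lines in the "firewall-log:" format and checks them against an fw3 dest_port list. The interface names, MAC address and client address in the sample are assumptions.

```sh
#!/bin/sh
# Added example: summarise "firewall-log:" lines and compare them with the
# dest_port list of the ACCEPT rule. SAMPLE_LOG is constructed to look like
# `logread -e firewall-log` output; addresses and interfaces are assumed.
MAC='MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00'
HDR="kern.warn kernel: [  811.100000] firewall-log:IN=br-lan.30 OUT=br-lan.10 $MAC SRC=10.0.30.21 DST=10.0.10.13 LEN=60 TOS=0x00 PREC=0x00 TTL=63 DF"
SAMPLE_LOG="Thu Mar  5 20:11:02 2020 $HDR ID=1 PROTO=UDP SPT=40001 DPT=111 LEN=40
Thu Mar  5 20:11:02 2020 $HDR ID=2 PROTO=TCP SPT=40002 DPT=2049 WINDOW=64240 RES=0x00 SYN URGP=0
Thu Mar  5 20:11:03 2020 $HDR ID=3 PROTO=TCP SPT=40003 DPT=978 WINDOW=64240 RES=0x00 SYN URGP=0
Thu Mar  5 20:11:05 2020 $HDR ID=4 PROTO=TCP SPT=40003 DPT=978 WINDOW=64240 RES=0x00 SYN URGP=0
Thu Mar  5 20:11:09 2020 $HDR ID=5 PROTO=TCP SPT=40003 DPT=978 WINDOW=64240 RES=0x00 SYN URGP=0
Thu Mar  5 20:11:10 2020 $HDR ID=6 PROTO=UDP SPT=40004 DPT=32777 LEN=40"

# dport_hits < log
# Prints "PROTO DPT count" for every distinct protocol/destination-port pair,
# sorted by port. Repeated SYNs to one port (same SPT, growing timestamps)
# are how a retransmitting client shows up here.
dport_hits() {
    awk '
        /firewall-log:/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "PROTO=") == 1) proto = substr($i, 7)
                if (index($i, "DPT=") == 1)   dpt = substr($i, 5)
            }
            if (proto != "" && dpt != "") hits[proto " " dpt]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort -k2,2n -k1,1
}

# in_rule PORT RULE_PORTS
# Returns 0 if PORT is covered by an fw3 dest_port list written with single
# ports and hyphen ranges, e.g. "111 977-979 2049".
in_rule() {
    port="$1"; shift
    for spec in $1; do
        case "$spec" in
            *-*) lo=${spec%-*}; hi=${spec#*-}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$port" -eq "$spec" ] && return 0 ;;
        esac
    done
    return 1
}

# uncovered RULE_PORTS < log
# Prints the protocol/port pairs the client tried that the rule would not allow
# once the temporary allow-all forwarding is removed again.
uncovered() {
    dport_hits | while read -r proto dpt count; do
        in_rule "$dpt" "$1" || echo "$proto $dpt $count"
    done
}

# With a live log: logread -e firewall-log | uncovered "111 977-979 2049"
printf '%s\n' "$SAMPLE_LOG" | dport_hits
echo "not covered by the rule:"
printf '%s\n' "$SAMPLE_LOG" | uncovered "111 977-979 2049"
```

In the constructed sample the client also talks to udp/32777 (where rpc.statd happened to register), which the second rule in the thread no longer lists; that is exactly the kind of gap that makes a mount hang until the client gives up on the lock/status service and falls back.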

I could only guess what is causing this stall. Kodi has a debug/logging feature which you could enable, so you can investigate on the client side as well, not only on the network side.