Topic: Problems with NFS-Connections

fwcheck
Problems with NFS-Connections
« on: June 19, 2017, 10:41:11 am »
I am searching for a solution for NFS (NFSv4) connections:

Client --> pfSense --> Filer A / Filer B

A redundant filer is behind a pfSense. If the filer now does a failover, the clients send a simple
SYN which is firewalled/dropped by pfSense. If I clear the state table (port 2049) or reboot the client,
it is possible to reconnect.

Is there any solution/workaround for this so that NFS failover works flawlessly?
Does anybody have the same problem?

pfSense version is 2.3.3p1/2.3.4.
Can you configure pfSense to accept single SYNs for just this type of connection (maybe via Advanced in the rule tab)?

awebster
Re: Problems with NFS-Connections
« Reply #1 on: June 22, 2017, 07:38:55 am »
You don't specify whether Filer A and Filer B are using different IP addresses and/or MAC addresses, but it sounds like this is the perfect recipe for out-of-state traffic, which will result in dropped packets.
Whatever mechanism is used to detect failover conditions must also respect basic TCP/IP flows.

ksteinb
Re: Problems with NFS-Connections
« Reply #2 on: November 23, 2017, 06:12:55 am »
This sounds exactly like my problem.

We do have failover settings and suffer from exactly this problem.

Everything seems to be OK as long as the failover is intentional; then the NFS connection works, as the connections are closed by the server.

But if for any reason an NFS server goes down by crashing, and/or the failover does not work for some reason, we run into the following situation:

The NFS client (Ubuntu 16.04 or Scientific Linux 7.4) then sees a server timeout and tries to reconnect to the server.

The Linux NFS client (NFS version 4) seems to always try the reconnect from the same source port as was used before. As it sends a SYN with the same source port as before, it runs into the open state, and the SYN packets are then dropped.

The NFS connection is hung as long as the state is open. We can only clear this situation by clearing states, which is not a really good solution with many hundreds of clients spread over many VLANs.

So we urgently need a solution to run the NFS data connection (port 2049) stateless, or without dropping SYN packets.
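To make the mechanism in the replies above concrete, here is an added toy model of a stateful firewall's TCP state table (written for this thread, not pfSense or pf code; the filer and client addresses and the client port 811 are constructed, and pf's real sequence-window checks are reduced to the parts that matter here). It reproduces the three outcomes the thread describes: a clean close lets the reconnect through, a crash leaves stale state that drops the same-port SYN, and clearing the port-2049 states or using a fresh source port lets it through again.

```python
# Toy model of a stateful firewall's TCP state table (simplified pf-style semantics,
# not pfSense code): a SYN reusing the old source port is dropped while stale state lives.
NFS_PORT = 2049  # NFS data port named in the thread
CLIENT, CLIENT_PORT, FILER = "192.0.2.10", 811, "192.0.2.50"  # constructed addresses

class StateTable:
    def __init__(self):
        self.states = {}  # flow key -> "SYN_SENT" | "ESTABLISHED"
    def filter(self, src, sport, dst, dport, flags):
        # returns "pass" or "drop" for one packet; flags like "S", "SA", "A", "FA", "R"
        key = tuple(sorted([(src, sport), (dst, dport)]))  # both directions, one state
        state = self.states.get(key)
        if state is None:
            if flags == "S":              # only a SYN may create new state
                self.states[key] = "SYN_SENT"
                return "pass"
            return "drop"                 # no state and not a SYN
        if "R" in flags or "F" in flags:  # reset/close tears the state down
            del self.states[key]
            return "pass"
        if flags == "S":                  # bare SYN against live state: out of state
            return "drop"
        if state == "SYN_SENT" and flags == "SA":
            self.states[key] = "ESTABLISHED"
        return "pass"
    def clear_states(self, port):
        # the thread's workaround: drop every state that touches this port
        self.states = {k: v for k, v in self.states.items()
                       if port not in (k[0][1], k[1][1])}

def handshake(fw):  # client opens the NFS session from a fixed source port
    fw.filter(CLIENT, CLIENT_PORT, FILER, NFS_PORT, "S")
    fw.filter(FILER, NFS_PORT, CLIENT, CLIENT_PORT, "SA")
    fw.filter(CLIENT, CLIENT_PORT, FILER, NFS_PORT, "A")

def reconnect_after_clean_failover():
    fw = StateTable()
    handshake(fw)
    fw.filter(FILER, NFS_PORT, CLIENT, CLIENT_PORT, "FA")  # filer closes cleanly
    return fw.filter(CLIENT, CLIENT_PORT, FILER, NFS_PORT, "S")  # -> "pass"

def reconnect_after_crash():
    fw = StateTable()
    handshake(fw)
    # filer crashes: no FIN/RST crosses the firewall, so the state stays ESTABLISHED
    same_port = fw.filter(CLIENT, CLIENT_PORT, FILER, NFS_PORT, "S")     # "drop"
    new_port = fw.filter(CLIENT, CLIENT_PORT + 1, FILER, NFS_PORT, "S")  # "pass"
    fw.clear_states(NFS_PORT)
    after_clear = fw.filter(CLIENT, CLIENT_PORT, FILER, NFS_PORT, "S")   # "pass"
    return same_port, new_port, after_clear
```

The `new_port` case is why the reply above points at the client's fixed source port: a reconnect from any other port never collides with the stale entry, so only the same 4-tuple is stuck until the state is cleared or times out.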