Issue - unable to mount NFS shares from Synology NAS.
Main symptoms:
- unable to add NFS share to Datacenter Storage (timeout)
- mount command timing out (on Proxmox hosts as well as CTs and VMs)
- rpcinfo -p <nas-host> also timeout
I spent the rest of the day trying to figure out what feature of Linux/Debian/Proxmox could possibly be blocking outgoing connections bound to privileged ports, unsuccessfully.
After eliminating pretty much any other possibility, I started looking into my smart switches, since they have some basic L3 features - and indeed, eventually I found an option on the TP-Link switch to which my Proxmox hosts are connected - under "Security" there is a "DoS Protection" feature with checkboxes for different types of DoS attacks - one of them is called "SYN sPort less 1024" - turning this off made everything work. NFS now works fine in both Datacenter Storage, and everywhere else as root using privileged low ports.
After googling "SYN sPort less 1024" I found another post here where some other user figured this out before as well; unfortunately none of my many, many searches led me to that post, so I am leaving this one as well in the hope it might get indexed with some of the keywords and help someone in the future facing the same issue.
TP-Link documentation of the feature and screenshot of the setting
The option is described as "The attacker sends the illegal packet with its TCP SYN field set to 1 and source port smaller than 1024."