[SOLVED] timeout issues when trying to mount NFS shares from Synology

ycct

New Member
Nov 17, 2023
Issue - unable to mount NFS shares from Synology NAS.

Main symptoms:
  • unable to add NFS share to Datacenter Storage (timeout)
  • mount command timing out (on Proxmox hosts as well as CTs and VMs)
  • rpcinfo -p <nas-host> also times out
After a day of trying out all kinds of solutions, messing with firewalls, straces and tcpdumps, I finally got a clue when I realized that "rpcinfo -p <nas-host>" worked when run as a non-privileged user, but timed out when run as root. Going through some more straces, it became clear that both rpcinfo and mount were timing out on a "connect" system call when the socket was bound (bind) to a privileged local port (<1024) - when a non-root user ran rpcinfo, the socket was bound to a high port, and everything worked. Since mount has to run as root, I suspected this was also an issue there - and indeed forcing a "noresvport" option flag when mounting the share avoided the timeout, and I was able to mount the share.

I spent the rest of the day trying to figure out what feature of Linux/Debian/Proxmox could possibly be blocking outgoing connections bound to privileged ports, unsuccessfully.

After eliminating pretty much any other possibility, I started looking into my smart switches, since they have some basic L3 features - and indeed, eventually I found an option on the TP-Link switch to which my Proxmox hosts are connected - under "Security" there is a "DoS Protection" feature with checkboxes for different types of DoS attacks - one of them is called "SYN sPort less 1024" - turning this off made everything work. NFS now works fine in both Datacenter Storage, and everywhere else as root using privileged low ports.

After googling "SYN sPort less 1024" I found another post here where some other user figured this out before as well, unfortunately none of my many many searches led me to that post, so I am leaving this one as well in the hope it might get indexed with some of the keywords and help someone in the future facing the same issue.

TP-Link documentation of the feature and screenshot of the setting

The option is described as "The attacker sends the illegal packet with its TCP SYN field set to 1 and source port smaller than 1024."
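
The comparison described in the post above (connect from a source port below 1024, then from a high port) can be scripted. This is an added example, not part of the original post; the function names, the default target port 111 (rpcbind, which `rpcinfo -p` queries) and the source-port range tried are assumptions chosen for illustration.

```python
import socket
import sys

REACHED = ("connected", "refused")  # either way, our SYN got an answer

def try_connect(host, port, src_ports, timeout=3.0):
    """TCP-connect to host:port from the first bindable port in src_ports.

    Returns (local_port, outcome); outcome is "connected", "refused",
    "timeout" or "error", or (None, "no-bind") if nothing could be bound
    (ports below 1024 need root or CAP_NET_BIND_SERVICE).
    """
    for src in src_ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.bind(("", src))            # 0 lets the kernel pick a high port
        except OSError:                  # port in use or not permitted
            s.close()
            continue
        local = s.getsockname()[1]
        try:
            s.connect((host, port))
            return local, "connected"
        except ConnectionRefusedError:   # RST came back: the path is open
            return local, "refused"
        except (socket.timeout, TimeoutError):
            return local, "timeout"
        except OSError:
            return local, "error"
        finally:
            s.close()
    return None, "no-bind"

def diagnose(low, high):
    """Compare the privileged-port outcome with the high-port outcome."""
    if low == "no-bind":
        return "could not bind a source port below 1024; run as root"
    if low == "timeout" and high in REACHED:
        return "SYNs from source ports below 1024 are dropped on the path"
    if low in REACHED and high in REACHED:
        return "source port makes no difference"
    return "inconclusive"

if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 111  # 111 = rpcbind
    _, low = try_connect(host, port, range(1023, 599, -1))  # constructed range
    _, high = try_connect(host, port, [0])
    print(f"low={low} high={high}: {diagnose(low, high)}")
```

Run it as root with the NAS address as the first argument. A low-port timeout next to a working high-port attempt points at something on the path filtering by source port, not at the NFS server or the client host.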
 
Thank you! I just set up my home lab with a TP link switch and had that enabled. It's been driving me crazy.
 
