[SOLVED] timeout issues when trying to mount NFS shares from Synology

ycct

New Member
Nov 17, 2023
Issue - unable to mount NFS shares from Synology NAS.

Main symptoms:
  • unable to add NFS share to Datacenter Storage (timeout)
  • mount command timing out (on Proxmox hosts as well as CTs and VMs)
  • rpcinfo -p <nas-host> also timeout
After a day of trying out all kinds of solutions, messing with firewalls, straces and tcpdumps, I finally got a clue when I realized that "rpcinfo -p <nas-host>" worked when run as a non-privileged user, but timed out when run as root. Going through some more straces, it became clear that both rpcinfo and mount were timing out on a "connect" system call when the socket was bound (bind) to a privileged local port (<1024) - when a non-root user ran rpcinfo, the socket was bound to a high port, and everything worked. Since mount has to run as root, I suspected this was also an issue there - and indeed forcing a "noresvport" option flag when mounting the share avoided the timeout, and I was able to mount the share.

I spent the rest of the day trying to figure out what feature of Linux/Debian/Proxmox could possibly be blocking outgoing connections bound to privileged ports, unsuccessfully.

After eliminating pretty much any other possibility, I started looking into my smart switches, since they have some basic L3 features - and indeed, eventually I found an option on the TP-Link switch to which my Proxmox hosts are connected - under "Security" there is a "DoS Protection" feature with checkboxes for different types of DoS attacks - one of them is called "SYN sPort less 1024" - turning this off made everything work. NFS now works fine in both Datacenter Storage, and everywhere else as root using privileged low ports.

After googling "SYN sPort less 1024" I found another post here where some other user figured this out before as well; unfortunately none of my many many searches led me to that post, so I am leaving this one as well in the hope it might get indexed with some of the keywords and help someone in the future facing the same issue.

TP-Link documentation of the feature and screenshot of the setting

The option is described as "The attacker sends the illegal packet with its TCP SYN field set to 1 and source port smaller than 1024."
 
Thank you! I just set up my home lab with a TP link switch and had that enabled. It's been driving me crazy.
 
Man, you saved my life! :) I had been trying to figure out what was happening since last week and this was exactly the reason, thanks!
 
Holy shit! I spent days searching for a solution and thanks to you, @ycct, I found it! :)
Thanks so much. You made my day! :)

BTW: I like my TP-Link-Switches, Routers and Gateways, but sometimes I feel like throwing a few of them against the wall.. ;)
 
Wow I wish I'd found this 48 hours ago! Thank you for the post, good to know I'm not alone.

I was trying to mount a remote NFS share over a Wireguard tunnel. Looked at everything from MTU to state tracking, eventually tried a local NFS server and found that didn't work either. After eliminating all the other options started poking around in the switch and here we are.

This forum post was easy to find, as soon as I figured out what it was XD
 