NFS mount fails from WLAN client

Dear experts

As a newbie home user of an XG85W, I am struggling to get NFS from a NAS to my Mac clients running. Simplified, this is my setup:

2 Networks with separate DHCP servers:
- A VLAN (GW 10.10.100.1)
- B WLAN (GW 10.10.200.1)

The NAS is located in network A.

Firewall rules
- A to B any service (Match known user is unchecked)
- B to A any service (Match known user is unchecked)

When I connect via LAN cable to network A, I can mount the shares. When I connect via WLAN to network B, I can’t.

I am trying to find the reason why the mount fails. I found several posts with suggestions regarding VPN connections or regarding dynamic NFS RPC ports - but I apparently open all ports.

I also checked the option to Log Firewall Traffic in the rules, but I cannot find any log entry. Can you please give me a hint where to search for the root?

I actually have a similar problem with NTP between subnets. So, maybe it is a general setup error.

Thank you, Patric



  • Patric,

    Please share an output from tcpdump command (nfs port) while you are trying to mount the nfs disk.

    Regards

  • Hi Luk

    thank you very much for reviewing my post. To be honest, I am experienced with tcpdump and I have been struggling a bit. I actually expected to use it on my XG but it does not seem to be possible (maybe it wouldn't make much sense anyway as it is behind the firewall...). So, I used it on the client and I hope I did not make too many mistakes:

    The current subnets differ slightly (110 is 100 and 210 is 200).

    FROM WLAN

    p007:etc patric$ sudo tcpdump 'host 10.10.110.10 and (port 111 or port 2049 or port 65535)'
    Password:
    tcpdump: data link type PKTAP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
    14:32:37.335594 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
    14:32:38.340946 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
    14:32:39.342450 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
    14:32:40.344158 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
    14:32:41.344717 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
    14:32:42.346400 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
    14:32:43.348017 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
    14:32:44.349707 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
    14:32:45.350085 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
    14:32:46.351572 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
    14:32:47.353317 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40
    14:32:48.354508 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40
    14:32:49.355896 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40
    14:32:50.357350 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40
    14:32:51.358831 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40
    14:32:52.360521 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40
    14:32:53.362211 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40
    14:32:54.363692 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40
    14:32:55.368880 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40
    14:32:56.374182 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40


    FROM LAN (VLAN)

    p007:etc patric$ sudo tcpdump 'host 10.10.110.10 and (port 111 or port 2049 or port 65535)'
    tcpdump: data link type PKTAP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
    14:34:56.035222 IP 10.10.110.100.757 > 10.10.110.10.sunrpc: UDP, length 56
    14:34:56.035686 IP 10.10.110.10.sunrpc > 10.10.110.100.757: UDP, length 28
    14:34:56.035937 IP 10.10.110.100.853 > 10.10.110.10.nfsd: NFS request xid 911470806 40 null
    14:34:56.036384 IP 10.10.110.10.nfsd > 10.10.110.100.853: NFS reply xid 911470806 reply ok 24 null
    14:34:56.065872 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [S], seq 2837843657, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 407108370 ecr 0,sackOK,eol], length 0
    14:34:56.066219 IP 10.10.110.10.sunrpc > 10.10.110.100.59950: Flags [S.], seq 1532930509, ack 2837843658, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    14:34:56.066240 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [.], ack 1, win 8192, length 0
    14:34:56.066252 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [P.], seq 1:69, ack 1, win 8192, length 68
    14:34:56.066566 IP 10.10.110.10.sunrpc > 10.10.110.100.59950: Flags [.], ack 69, win 228, length 0
    14:34:56.066694 IP 10.10.110.10.sunrpc > 10.10.110.100.59950: Flags [P.], seq 1:29, ack 69, win 228, length 28
    14:34:56.066709 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [.], ack 29, win 8192, length 0
    14:34:56.066729 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [P.], seq 69:153, ack 29, win 8192, length 84
    14:34:56.067077 IP 10.10.110.10.sunrpc > 10.10.110.100.59950: Flags [P.], seq 29:61, ack 153, win 228, length 32
    14:34:56.067095 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [.], ack 61, win 8191, length 0
    14:34:56.067178 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [P.], seq 153:237, ack 61, win 8192, length 84
    14:34:56.067439 IP 10.10.110.10.sunrpc > 10.10.110.100.59950: Flags [P.], seq 61:93, ack 237, win 228, length 32
    14:34:56.067454 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [.], ack 93, win 8191, length 0
    14:34:56.067464 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [F.], seq 237, ack 93, win 8191, length 0
    14:34:56.067486 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [S], seq 584368260, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 407108371 ecr 0,sackOK,eol], length 0
    14:34:56.067771 IP 10.10.110.10.nfsd > 10.10.110.100.59951: Flags [S.], seq 2784999256, ack 584368261, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    14:34:56.067773 IP 10.10.110.10.sunrpc > 10.10.110.100.59950: Flags [F.], seq 93, ack 238, win 228, length 0
    14:34:56.067787 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [.], ack 1, win 8192, length 0
    14:34:56.067793 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [P.], seq 1:69, ack 1, win 8192, length 68: NFS request xid 2572820757 64 null
    14:34:56.067826 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [.], ack 94, win 8190, length 0
    14:34:56.068011 IP 10.10.110.10.nfsd > 10.10.110.100.59951: Flags [.], ack 69, win 229, length 0
    14:34:56.068125 IP 10.10.110.10.nfsd > 10.10.110.100.59951: Flags [P.], seq 1:29, ack 69, win 229, length 28: NFS reply xid 2572820757 reply ok 24 null
    14:34:56.068144 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [.], ack 29, win 8192, length 0
    14:34:56.090168 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [P.], seq 69:169, ack 29, win 8192, length 100: NFS request xid 2572820759 96 getattr fh Unknown/010007000100980700000000FCDDD458A565ADCF000000000000000000000100
    14:34:56.090574 IP 10.10.110.10.nfsd > 10.10.110.100.59951: Flags [P.], seq 29:145, ack 169, win 229, length 116: NFS reply xid 2572820759 reply ok 112 getattr DIR 777 ids 0/0 sz 4096
    14:34:56.090600 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [.], ack 145, win 8188, length 0
    14:34:56.090694 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [P.], seq 169:269, ack 145, win 8192, length 100: NFS request xid 2572820760 96 fsinfo fh Unknown/010007000100980700000000FCDDD458A565ADCF0000000000000000588E0C62
    14:34:56.091023 IP 10.10.110.10.nfsd > 10.10.110.100.59951: Flags [P.], seq 145:229, ack 269, win 229, length 84: NFS reply xid 2572820760 reply ok 80 fsinfo rtmax 524288 rtpref 524288 wtmax 524288 wtpref 524288 dtpref 4096
    14:34:56.091042 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [.], ack 229, win 8189, length 0
    14:34:56.091063 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [P.], seq 269:369, ack 229, win 8192, length 100: NFS request xid 2572820761 96 pathconf fh Unknown/010007000100980700000000FCDDD458A565ADCF000000000000000000000100
    14:34:56.091389 IP 10.10.110.10.nfsd > 10.10.110.100.59951: Flags [P.], seq 229:289, ack 369, win 229, length 60: NFS reply xid 2572820761 reply ok 56 pathconf linkmax 32000 namemax 255 chownres keepcase
    14:34:56.091410 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [.], ack 289, win 8190, length 0
    14:34:56.091433 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [P.], seq 369:469, ack 289, win 8192, length 100: NFS request xid 2572820762 96 fsstat fh Unknown/010007000100980700000000FCDDD458A565ADCF000000000000000000000100
    14:34:56.091685 IP 10.10.110.10.nfsd > 10.10.110.100.59951: Flags [P.], seq 289:377, ack 469, win 229, length 88: NFS reply xid 2572820762 reply ok 84 fsstat tbytes 2294240161792 fbytes 2152780333056 abytes 2152780333056
    14:34:56.091701 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [.], ack 377, win 8189, length 0
    14:34:56.093121 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [P.], seq 469:597, ack 377, win 8192, length 128: NFS request xid 2572820763 124 access fh Unknown/010007000100980700000000FCDDD458A565ADCF00000000000000000000003F NFS_ACCESS_FULL
    14:34:56.093411 IP 10.10.110.10.nfsd > 10.10.110.100.59951: Flags [P.], seq 377:501, ack 597, win 237, length 124: NFS reply xid 2572820763 reply ok 120 access c 001f
    14:34:56.093434 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [.], ack 501, win 8188, length 0
    14:34:56.098854 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [P.], seq 597:729, ack 501, win 8192, length 132: NFS request xid 2572820764 128 lookup fh Unknown/010007000100980700000000FCDDD458A565ADCF000000000000000000000003 "._."
    14:34:56.099258 IP 10.10.110.10.nfsd > 10.10.110.100.59951: Flags [P.], seq 501:621, ack 729, win 245, length 120: NFS reply xid 2572820764 reply ok 116 lookup ERROR: No such file or directory
    14:34:56.099303 IP 10.10.110.100.59951 > 10.10.110.10.nfsd: Flags [.], ack 621, win 8188, length 0

    Thank you, Patric
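What the replies below read off these two captures by eye (requests leaving the client, nothing coming back on the same flow) can be checked mechanically. The following is an added example, not code from the thread or from Sophos: it parses tcpdump's one-line summary format and lists every flow toward the NAS (assumed here to be 10.10.110.10, as in the captures) that never received a packet in the reverse direction. The sample lines are copied from the two captures above.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the two captures posted above.
WLAN_CAPTURE = """\
14:32:37.335594 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
14:32:38.340946 IP 10.10.210.102.entrust-kmsh > 10.10.110.10.sunrpc: UDP, length 56
14:32:47.353317 IP 10.10.210.102.983 > 10.10.110.10.sunrpc: UDP, length 40
"""
LAN_CAPTURE = """\
14:34:56.035222 IP 10.10.110.100.757 > 10.10.110.10.sunrpc: UDP, length 56
14:34:56.035686 IP 10.10.110.10.sunrpc > 10.10.110.100.757: UDP, length 28
14:34:56.035937 IP 10.10.110.100.853 > 10.10.110.10.nfsd: NFS request xid 911470806 40 null
14:34:56.036384 IP 10.10.110.10.nfsd > 10.10.110.100.853: NFS reply xid 911470806 reply ok 24 null
14:34:56.065872 IP 10.10.110.100.59950 > 10.10.110.10.sunrpc: Flags [S], seq 2837843657, length 0
14:34:56.066219 IP 10.10.110.10.sunrpc > 10.10.110.100.59950: Flags [S.], seq 1532930509, ack 2837843658, length 0
"""

# tcpdump prints "<time> IP <host>.<port> > <host>.<port>: <decode>"; the port
# may be a number or a service name (sunrpc, nfsd, entrust-kmsh).
LINE_RE = re.compile(r'^(\S+) IP (\S+) > (\S+): (.*)$')


def parse_capture(text):
    """Return one (time, src, sport, dst, dport, decode) tuple per packet line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # banner lines, prompts, blank lines
            continue
        ts, src, dst, decode = m.groups()
        shost, sport = src.rsplit('.', 1)
        dhost, dport = dst.rsplit('.', 1)
        packets.append((ts, shost, sport, dhost, dport, decode))
    return packets


def unanswered_flows(text, server_ip):
    """Flows toward server_ip that never saw a packet back on the same 4-tuple.

    Returns a sorted list of (client, client_port, server_port, packets_sent).
    """
    sent = defaultdict(int)
    answered = set()
    for _, shost, sport, dhost, dport, _ in parse_capture(text):
        if dhost == server_ip:
            sent[(shost, sport, dport)] += 1
        elif shost == server_ip:
            answered.add((dhost, dport, sport))   # reverse direction of a flow
    return sorted((c, cp, sp, n) for (c, cp, sp), n in sent.items()
                  if (c, cp, sp) not in answered)


if __name__ == "__main__":
    for name, cap in (("WLAN", WLAN_CAPTURE), ("LAN", LAN_CAPTURE)):
        print(name, "unanswered:", unanswered_flows(cap, "10.10.110.10"))
```

On the WLAN capture every portmapper flow comes back unanswered (ten retries to sunrpc from one port, then ten from another); on the LAN capture the list is empty, which is exactly the asymmetry the thread goes on to chase.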

    Thanks Patric. From the tcpdump output, as you can see, you do not get traffic back. Is the NAS using the XG as default gateway?

    Also make sure to disable IPS/scan HTTP,HTTPS on WLAN to LAN and vice versa.

    Let's see if has an idea on that.

  • Hi Luk

    All subnets (LAN/WLAN VLANs) use the Sophos XG85W as gateway.

    thanks for following up! I searched the Admin Guide. Are you referring to the Intrusion Prevention setting on Firewall Rule level? It is set to NONE.

    Regards, Patric

  • Hi Patric,

    Check #1 in my guide here. Monitor the drop packet capture logs while accessing the NFS from WLAN. Any associated drops?

    Show us the screenshot of the FW-rules for intercommunication between the two zones. Again, the tcpdump shows no reply from the server. Can you capture a pcap and send it here for this communication?

    Thanks

  • Hi Sachin

    thank you very much for trying to help me. I did my best, but probably have not successfully prepared for what you asked me to do.

    Please find attached

    - a pcap file I created with command sudo tcpdump 'host 10.10.110.10 and (port 111 or port 2049 or port 65535)' -w patric.pcap

    - PDF with the firewall rules

    - screenshot from the Packet Capture UI which I do not understand at all (and I also don't know what interface WLAN4 is)

    - Output from console: drop-packet-capture 'src host 10.10.210.100'

    Kind regards, Patric

    console> drop-packet-capture 'src host 10.10.210.100'

    ——————
    in another terminal I try to change dir…
    The output does not seem to be related as I do not know 54.75.253.15.80:
    ——————


    2017-02-10 14:26:15 0102021 IP 10.10.210.100.57590 > 54.75.253.15.80 : proto TCP: F 4089087609:4089087736(127) win 4119 checksum : 48846
    0x0000: 4500 00b3 b6f5 4000 4006 7386 0a0a d264 E.....@.@.s....d
    0x0010: 364b fd0f e0f6 0050 f3ba 8679 1eff 9c4b 6K.....P...y...K
    0x0020: 8019 1017 bece 0000 0101 080a 3d68 3820 ............=h8.
    0x0030: 00d2 ffc7 4745 5420 2f56 332f 3031 2f33 ....GET./V3/01/3
    0x0040: 322e 3737 2e30 2e31 3932 2e69 702f 2048 2.77.0.192.ip/.H
    0x0050: 5454 502f 312e 310d 0a48 6f73 743a 2068 TTP/1.1..Host:.h
    0x0060: 7474 702e 3030 2e68 2e73 6f70 686f 7378 ttp.00.h.sophosx
    0x0070: 6c2e 6e65 740d 0a55 7365 722d 4167 656e l.net..User-Agen
    0x0080: 743a 2053 584c 2f33 2e31 0d0a 4163 6365 t:.SXL/3.1..Acce
    0x0090: 7074 3a20 2a2f 2a0d 0a43 6f6e 6e65 6374 pt:.*/*..Connect
    0x00a0: 696f 6e3a 204b 6565 702d 416c 6976 650d ion:.Keep-Alive.
    0x00b0: 0a0d 0a ...
    Date=2017-02-10 Time=14:26:15 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=WLAN4 out_dev= inzone_id=0 outzone_id=0 source_mac=78:4f:43:6d:84:d4 dest_mac=f2:0c:49:bc:58:e8 l3_protocol=IP source_ip=10.10.210.100 dest_ip=54.75.253.15 l4_protocol=TCP source_port=57590 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-02-10 14:26:29 0102021 IP 10.10.210.100.57590 > 54.75.253.15.80 : proto TCP: F 4089087609:4089087736(127) win 4119 checksum : 34630
    0x0000: 4500 00b3 cd23 4000 4006 5d58 0a0a d264 E....#@.@.]X...d
    0x0010: 364b fd0f e0f6 0050 f3ba 8679 1eff 9c4b 6K.....P...y...K
    0x0020: 8019 1017 8746 0000 0101 080a 3d68 6fa8 .....F......=ho.
    0x0030: 00d2 ffc7 4745 5420 2f56 332f 3031 2f33 ....GET./V3/01/3
    0x0040: 322e 3737 2e30 2e31 3932 2e69 702f 2048 2.77.0.192.ip/.H
    0x0050: 5454 502f 312e 310d 0a48 6f73 743a 2068 TTP/1.1..Host:.h
    0x0060: 7474 702e 3030 2e68 2e73 6f70 686f 7378 ttp.00.h.sophosx
    0x0070: 6c2e 6e65 740d 0a55 7365 722d 4167 656e l.net..User-Agen
    0x0080: 743a 2053 584c 2f33 2e31 0d0a 4163 6365 t:.SXL/3.1..Acce
    0x0090: 7074 3a20 2a2f 2a0d 0a43 6f6e 6e65 6374 pt:.*/*..Connect
    0x00a0: 696f 6e3a 204b 6565 702d 416c 6976 650d ion:.Keep-Alive.
    0x00b0: 0a0d 0a ...
    Date=2017-02-10 Time=14:26:29 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=WLAN4 out_dev= inzone_id=0 outzone_id=0 source_mac=78:4f:43:6d:84:d4 dest_mac=f2:0c:49:bc:58:e8 l3_protocol=IP source_ip=10.10.210.100 dest_ip=54.75.253.15 l4_protocol=TCP source_port=57590 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    5466.FW_Rules.pdf

    5531.patric.pcap.zip

  • Hi, 

    Reading the drop captures, those are towards a different dest_IP address, hence they can be ignored for this issue. The fw rules are plain and hold nothing that can drop the communication.

    According to the pcap we see the packets sent towards the file server but no reply packet. Does the server have multiple network interfaces? Which could possibly mean that the UDP responses are going out from another interface!

    Thanks
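Sachin's reading of the drop-packet-capture output (the denied records go to 54.75.253.15, not to the NAS, so they are noise for this problem) is a filter one can apply to the whole console output rather than by eye. This is an added example, not code from the thread or from Sophos: it parses the `key=value` records the XG console prints, skips the packet header and hex-dump lines, and keeps only denied traffic from the WLAN subnet to the NAS on the portmapper or NFS ports. The NAS address 10.10.110.10 and the WLAN subnet 10.10.210.0/24 are taken from the thread; the third record in the sample is invented to show what a genuine NFS drop would look like.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample console output. The first two records mirror the HTTP
# drops shown in the post (trimmed to the fields used here); the third is an
# invented record showing what a dropped portmapper request would look like.
DROP_CAPTURE = """\
2017-02-10 14:26:15 0102021 IP 10.10.210.100.57590 > 54.75.253.15.80 : proto TCP: F 4089087609:4089087736(127)
0x0000: 4500 00b3 b6f5 4000 4006 7386 0a0a d264 E.....@.@.s....d
Date=2017-02-10 Time=14:26:15 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=WLAN4 out_dev= source_ip=10.10.210.100 dest_ip=54.75.253.15 l4_protocol=TCP source_port=57590 dest_port=80 fw_rule_id=0
Date=2017-02-10 Time=14:26:29 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=WLAN4 out_dev= source_ip=10.10.210.100 dest_ip=54.75.253.15 l4_protocol=TCP source_port=57590 dest_port=80 fw_rule_id=0
Date=2017-02-10 Time=14:27:02 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=WLAN4 out_dev= source_ip=10.10.210.100 dest_ip=10.10.110.10 l4_protocol=UDP source_port=983 dest_port=111 fw_rule_id=0
"""

# Each record is a run of key=value pairs; values may be empty (out_dev=).
KV_RE = re.compile(r'(\w+)=(\S*)')


def parse_records(text):
    """Return a dict per 'Date=... key=value ...' record; skip header/hex-dump lines."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines()
            if line.startswith("Date=")]


def drops_by_destination(text):
    """Count denied records per dest_ip, so unrelated destinations stand out."""
    return Counter(r["dest_ip"] for r in parse_records(text))


def drops_for_nfs(text, nas_ip, client_net):
    """Records from client_net to the NAS on portmapper (111) or nfs (2049)."""
    net = ip_network(client_net)
    return [r for r in parse_records(text)
            if r["dest_ip"] == nas_ip
            and ip_address(r["source_ip"]) in net
            and r["dest_port"] in ("111", "2049")]


if __name__ == "__main__":
    print(dict(drops_by_destination(DROP_CAPTURE)))
    for r in drops_for_nfs(DROP_CAPTURE, "10.10.110.10", "10.10.210.0/24"):
        print(r["Time"], r["in_dev"], r["l4_protocol"], r["source_ip"], "->",
              r["dest_ip"], r["dest_port"], r["log_component"], r["log_subtype"])
```

An empty result from drops_for_nfs on real console output is the point Sachin makes: the firewall is not logging a drop for this traffic, so the missing replies have to be explained elsewhere (in this thread, by the NAS's routing table).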

  • Hello Sachin

    The NAS server has 2 Ethernet interfaces:

    - 10.10.100.10 (VLAN_A)

    - 10.10.110.10 (VLAN_I)

    NSLOOKUP on the client returns both IP addresses. The FW rules shall make sure that

    - WLAN_A clients only may access VLAN_A and

    - WLAN_I clients only may access VLAN_I

    Is that wrong?

  • Hi Luk

    thanks again for your time. I prepared the network diagram as suggested by you. Thanks to your analysis, the mounting issues were related to a wrong routing table in the NAS. It took me a few days to figure it out:

    As described, I use 2 network adapters in different VLANs. That's why I had maintained 2 IP addresses in the Active Directory/Domain Controller DNS running on the NAS which produced the strange routing table. I was recommended to use the switch's VLAN tagging instead of the NAS's VLAN tagging. Now, the routing table looks fine and I can mount the NFS shares.

    However, since I cannot resolve the NAS host name to 2 different VLAN IP addresses any more, I guess that has a negative side effect on my firewall rules.

    Besides, I cannot print from WLAN via a LAN printer, but as it seems other forum users have been facing the same issue.

    Kind regards, Patric

    8078.Netzwerk.pdf