Yes, the firewall is allowing any port outbound on TCP. But why is the system establishing the connection with the QNAP on some random port? Why is it not contacting it initially on 2049 or 111?
If ESXI uses any port it pleases to make the initial connection, how will we ever figure out what the rules should be on the firewall until we try once and watch the packet get blocked? Right now it's kind of a guessing game.
Our procedure right now is to tail the log files for blocked packets, then add the QNAP to the datastore. OH LOOK, the ESXI server was blocked going to the QNAP on 53888 this time, shucks. Add a rule to the firewall for ESXI -> QNAP on port 53888 along with 2049 and 111. All works now.
Does this sound right to anybody? It seems wrong to me. I should only need to open 2049 and 111. End of story. Why is ESXI the only system that acts this way? All other systems only need 2049 and 111 open for NFS mounting. ESXI starts off by connecting to the server on some random port...?
This is an example of our firewall and how it's becoming messy:
ESXI 1 rule
Allow from ESXI1 to QNAP on port 47110,111,2049
ESXI 2 rule
Allow from ESXI2 to QNAP on port 45991,111,2049
ESXI3 rule
Allow from ESXI3 to QNAP on port 53881,111,2049
ESXI4 rule
Allow from ESXI4 to QNAP on port 58283,111,2049
Funny, if I were to add a 2ND mount to the same QNAP on ESXI4, it would use yet ANOTHER port. The rule would need to look like this:
Allow from ESXI4 to QNAP on port 49223,58283,111,2049
This issue is actually quite a joke. I just don't get it.
Also, when I say firewall, I am talking about the firewalls that lie in between the ESXI servers and the QNAPs, not the built-in firewall. The middle firewalls are blocking since they have specific ports set (2049, 111/tcp).
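The "tail the logs for blocked packets" step above can be scripted so the per-host extra port is found in one pass instead of by trial and error. This is an added example and not from the original post; the log format and addresses are constructed, and the known-port set is the 111/2049 pair the post expects. The flagged port is the one to look up in `rpcinfo -p <nas>` on the NAS, which lists the ports its RPC services (such as the NFSv3 mount daemon) registered with portmapper.

```python
import re
from collections import defaultdict

# Constructed sample of firewall log lines in an assumed key=value style
# (not the format of any particular firewall product).
SAMPLE_LOG = """\
2024-01-01T10:00:01 action=block proto=tcp src=10.0.1.11 dst=10.0.2.50 dport=111
2024-01-01T10:00:01 action=block proto=tcp src=10.0.1.11 dst=10.0.2.50 dport=53888
2024-01-01T10:00:02 action=allow proto=tcp src=10.0.1.11 dst=10.0.2.50 dport=2049
2024-01-01T10:00:05 action=block proto=tcp src=10.0.1.12 dst=10.0.2.50 dport=47110
2024-01-01T10:00:05 action=block proto=udp src=10.0.1.12 dst=10.0.2.50 dport=111
2024-01-01T10:00:09 action=block proto=tcp src=10.0.1.13 dst=10.0.2.50 dport=2049
"""

# Ports the post already opens: portmapper/rpcbind (111) and nfsd (2049).
KNOWN_NFS_PORTS = {111, 2049}

LINE_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def blocked_ports_by_host(log_text, nas_ip):
    """Return {source_host: sorted list of blocked TCP dports} for traffic to nas_ip."""
    blocked = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "block" or m["proto"] != "tcp" or m["dst"] != nas_ip:
            continue
        blocked[m["src"]].add(int(m["dport"]))
    return {src: sorted(ports) for src, ports in blocked.items()}


def unexpected_ports(log_text, nas_ip, known=KNOWN_NFS_PORTS):
    """Per source host, the blocked ports outside the known NFS set.

    These are the 'random' ports from the post; check each against the
    NAS's registered RPC services before adding a per-host rule."""
    return {src: [p for p in ports if p not in known]
            for src, ports in blocked_ports_by_host(log_text, nas_ip).items()}


if __name__ == "__main__":
    for src, ports in unexpected_ports(SAMPLE_LOG, "10.0.2.50").items():
        if ports:
            print(f"{src}: blocked on non-NFS ports {ports}; see which RPC service owns them")
```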