Cannot add allowed IP addresses for "NFS Client" on ESXi hosts running ESXi 8.0 U2b or later

Article ID: 372409

Products

VMware vSphere ESXi 8.0

Issue/Introduction

The option to update the allowed IP addresses of the Incoming/Outgoing firewall ruleset "NFS Client" is greyed out in ESXi 8.0 U2b or later.

Environment

vSphere ESXi 8.0 U2 and later

Cause

With ESXi 8.0 Update 2, some ESXi firewall rulesets, such as dhcp, are system-owned by default and do not allow allowed IP addresses to be added manually, to avoid a possible break in service. With ESXi 8.0 Update 2b, you can manually add allowed IP addresses to all rulesets, except for nfsClient, nfs41Client, trusted-infrastructure-kmxd, trusted-infrastructure-kmxa, and vsanEncryption.

Resolution

Although the UI option is greyed out, the IP address can be added to the allowed list from the ESXi shell using the steps below.

# Add an IP entry using the command below:
[:~] esxcli storage nfs firewall add -F xx.xx.xx.xx/8

# Confirm the IP was added successfully using the commands below:
[:~] esxcli network firewall ruleset allowedip list | grep nfs
nfsClient     xx.xx.xx.xx/8
nfs41Client     All

[:~] esxcli storage nfs firewall list
   Allowed IPMask: xx.xx.xx.xx/8
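
The confirmation step can be scripted so that NFS rulesets left at "All" (as nfs41Client is in the output above) or restricted only to a very wide mask are easy to spot. This is an added example, not part of the original article or VMware tooling: the function name, the minimum-prefix policy value, the sample addresses and the comma-separated multi-entry format are assumptions.

```shell
#!/bin/sh
# Added example: audit the NFS firewall rulesets from the output of
#   esxcli network firewall ruleset allowedip list
# read on stdin. $1 = narrowest acceptable prefix length (assumed policy
# value, default 16). Prefix check is meant for IPv4 entries.
audit_nfs_allowedip() {
    awk -v min="${1:-16}" '
    $1 == "nfsClient" || $1 == "nfs41Client" {
        name = $1
        $1 = ""                 # keep only the allowed-IP column
        gsub(/,/, " ")          # assumed: multiple entries are comma-separated
        n = split($0, ips, " ")
        for (i = 1; i <= n; i++) {
            ip = ips[i]
            if (ip == "All") { print "OPEN " name " " ip; continue }
            plen = 32           # bare address means a single host
            if (split(ip, parts, "/") == 2) plen = parts[2] + 0
            if (plen < min) print "BROAD " name " " ip
            else            print "OK " name " " ip
        }
    }'
}

# Constructed sample output (addresses are illustrative, not from the article).
SAMPLE='Ruleset      Allowed IP Addresses
-----------  --------------------
sshServer    All
nfsClient    10.0.0.0/8, 192.0.2.10
nfs41Client  All'

printf '%s\n' "$SAMPLE" | audit_nfs_allowedip 16

# On a host:
#   esxcli network firewall ruleset allowedip list | audit_nfs_allowedip 24
```

OPEN means the ruleset accepts any address, BROAD means the mask is wider than the chosen minimum prefix, and OK means the entry is within policy.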

Additional Information

https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u2b-release-notes/index.html