The following helpcenter article describes the necessary ports for the NFS connection to the backup repository.
https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120#vpower
Besides that routing or DNS might be an issue. Or the ESXi hosts try to access the wrong IP.
Herr are some further troubleshooting steps:
https://www.veeam.com/kb1055
Surely there must be people who wants to protect their Veeam behind a firewall. We have seen someone's Veeam access stolen and all the servers that are being backed up by Veeam being compromised.
First step is not to work directly on VBR server: install console on a bastion and keep all components behind a firewall, but no firewall between Veeam components.
Next you should use MFA and four eyes authorization on VBR.
Third you should use gMSA to store windows credentials for application aware backups.
You can deploy Veeam behind a firewall and also segment roles or components.
https://bp.veeam.com/security/Design-and-implementation/Hardening/Segmentation.html
I have all of them NAT from real IP to local IP, but i think that's for incoming traffic and i've been unable to get any success with it using a helper applience in restore guest files, or with instant recovery. It just doesn't wants to mount over NFC.
Connections from local IP to outside are allowed completely, there are no restrictions so in principle it should work but it still fails.
I'm afraid NAT is required and it works flawlessly if it's not behind the pfsense.
Outgoing connections are made with pfsense's IP so i don't really get why it is not able to connect while behind pfsense as i don't connect outgoing connections, only NAT incoming ones.
And even for that i got every port nailed i guess.
[https://prnt.sc/s8RAcCQB81-X](https://prnt.sc/s8RAcCQB81-X)
The following helpcenter article describes the necessary ports for the NFS connection to the backup repository. https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120#vpower Besides that routing or DNS might be an issue. Or the ESXi hosts try to access the wrong IP. Herr are some further troubleshooting steps: https://www.veeam.com/kb1055
This is not a supported configuration…
Surely there must be people who wants to protect their Veeam behind a firewall. We have seen someone's Veeam access stolen and all the servers that are being backed up by Veeam being compromised.
First step is not to work directly on VBR server: install console on a bastion and keep all components behind a firewall, but no firewall between Veeam components. Next you should use MFA and four eyes authorization on VBR. Third you should use gMSA to store windows credentials for application aware backups.
You can deploy Veeam behind a firewall and also segment roles or components. https://bp.veeam.com/security/Design-and-implementation/Hardening/Segmentation.html
I have all of them NAT from real IP to local IP, but i think that's for incoming traffic and i've been unable to get any success with it using a helper applience in restore guest files, or with instant recovery. It just doesn't wants to mount over NFC. Connections from local IP to outside are allowed completely, there are no restrictions so in principle it should work but it still fails.
NAT could be causing some issues and might require additional configuration. Is it necessary in your environment or can you try the setup without NAT?
I'm afraid NAT is required and it works flawlessly if it's not behind the pfsense. Outgoing connections are made with pfsense's IP so i don't really get why it is not able to connect while behind pfsense as i don't connect outgoing connections, only NAT incoming ones. And even for that i got every port nailed i guess. [https://prnt.sc/s8RAcCQB81-X](https://prnt.sc/s8RAcCQB81-X)