I'm having difficulty doing address translation of an NFS service. When I go to mount the volume, the client hangs until finally timing out and returning:

mount: mounting router1:/foo on /mnt/nfs failed: Input/output error

I know that this client device has mounted this partition in the past, without address translation. But now the client has a new IP address, and address translation is now needed. It is now needed for several reasons, but among them is that the server will only permit mounts from clients in a certain IP address range. So I set up the router to have an IP address in that range, and do translation for the client to its new address.

On the router that does the translation, I can do a tcpdump of both interfaces as the mount operation occurs. It looks like every packet is being passed correctly, with the appropriate address changes, in each direction. The length of each packet goes through the router unchanged.

I'm using iptables for the address translation, using both SNAT and DNAT. I need to translate the server address for the client, as (for other reasons) the client does not have a default route through a gateway, so the server needs to appear to be on the client's local subnet. So I'm translating addresses in both directions.

It looks like the client exchanges eleven TCP packets with portmapper on the server, then exchanges a pair of UDP packets with server port 1234, does a UDP exchange with portmapper, then I see something that looks like this:

05:36:34.424252 IP client.2711583015 > server.nfs: 40 null
05:36:34.424412 IP server.nfs > client.2711583015: reply ok 24 null

And that is the last set of packets that these boxes exchange - or at least appear to attempt to exchange. I take it these are TCP packets? I haven't seen use of such a large port number - 2711583015 - I thought port numbers were limited to 16 bit integers. What does the large port number mean?

Oh, and why, with the packets being passed through the router, does the mount hang?