I would like to reach my NFSv4 servers through a port forward. The big plan will be a cluster of NFSv4 servers load-balanced with HAProxy running on localhost. But this isn't really important now.
At the server, /etc/exports looks like this:
/mnt/x 192.168.0.0/16(rw,sync,no_subtree_check,no_root_squash,fsid=1)
I can connect from my client to the server on TCP 2049 and mount the share like this:
mount -t nfs4 -o proto=tcp,port=2049 192.168.2.25:/mnt/x /mnt
I tested that NFSv4 is happy with only this one TCP port open by filtering all other communication between the two machines.
So I think NFS works well.
But when I forward a port, for example with redir on the client to the server, like
redir --lport=3049 --cport=2049 --caddr=192.168.2.25
and want to mount it as follows:
mount -t nfs4 -o proto=tcp,port=3049 127.0.0.1:/mnt/x /mnt
I get
mount.nfs4: Operation not permitted
What am I missing? I can't see any relevant information in the server logs.
Update: I captured both the good and the bad connection attempt; at the beginning they are the same, then the client sends a
PUTROOTFH,GETFH,GETATTR
command. In the good case the server responds
PUTROOTFH-NFS4_OK,GETFH-NFS4_OK,GETATTR-NFS4_OK
and in the bad (forwarded) case it responds
PUTROOTFH-NFS4_OK,GETFH-NFS4_OK,GETATTR-NFS4ERR_PERM
At this point I changed the export to
/mnt/x 0.0.0.0/0.0.0.0(rw,sync,no_subtree_check,no_root_squash,fsid=1)
but the error is the same.
In the good case the server logs are:
rpc.mountd[1711]: nfsd_export: inbuf '0.0.0.0/0.0.0.0 /'
rpc.mountd[1711]: nfsd_export: found 0x12dfeb0 path /
rpc.mountd[1711]: nfsd_export: inbuf '0.0.0.0/0.0.0.0 /mnt'
rpc.mountd[1711]: nfsd_export: found 0x12e2810 path /mnt
and in the bad case:
rpc.mountd[1711]: nfsd_export: inbuf '0.0.0.0/0.0.0.0 /'
rpc.mountd[1711]: nfsd_export: found 0x12dfeb0 path /
My colleague spotted the solution in the tcpdump: the only other difference between the good and bad connection attempts is the source port. Then Google told me that I need the insecure option on the export, because after the forward the source port is above 1024, whereas in the normal case it is below 1024, and insecure tells the server that it can accept clients with a source port above 1024.
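As an added example (not part of the original post), here is a small POSIX shell script that checks /etc/exports-style lines offline for the rule behind this NFS4ERR_PERM: an export is "secure" by default and the server only accepts requests from TCP source ports below 1024, while a forwarder such as redir (or a userspace proxy like HAProxy) connects from an unprivileged port, so the export needs "insecure". The function names, the audit output format and the sample exports in the here-document are this example's own; the sample reuses the export line from the question. The script only inspects text; the live check on the server is still `exportfs -v`, which prints the effective options of each export.

```shell
#!/bin/sh
# Added example, not from the original post: offline check of exports lines
# for the "secure" (privileged source port) rule. Helper names are this
# example's own; the sample exports at the bottom are constructed.

# Print the option list inside the parentheses of an exports line,
# e.g. "rw,sync,no_subtree_check" (empty if the line has no options).
export_options() {
    printf '%s\n' "$1" | sed -n 's/^[^(]*(\([^)]*\)).*$/\1/p'
}

# has_option LINE OPTION -> exit 0 if OPTION appears as a whole option.
# A substring match would be wrong: "insecure_locks" is a different option.
has_option() {
    opts=$(export_options "$1")
    for o in $(printf '%s' "$opts" | tr ',' ' '); do
        [ "$o" = "$2" ] && return 0
    done
    return 1
}

# Exit 0 if the server would accept this export from source ports >= 1024,
# i.e. from a client that reaches it through a port forwarder.
export_allows_unprivileged_port() {
    has_option "$1" insecure
}

# Print LINE with "insecure" added to its option list (unchanged if present).
add_insecure() {
    if has_option "$1" insecure; then
        printf '%s\n' "$1"
    elif [ -z "$(export_options "$1")" ]; then
        case "$1" in
            *\(\)*) printf '%s\n' "$1" | sed 's/()/(insecure)/' ;;
            *)      printf '%s(insecure)\n' "$1" ;;
        esac
    else
        printf '%s\n' "$1" | sed 's/(/(insecure,/'
    fi
}

# Report each export read from stdin: whether a forwarded client can use it,
# and flag a world-open host combined with no_root_squash, which "insecure"
# makes reachable from any unprivileged process on any host.
audit_exports() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        host=$(printf '%s\n' "$line" | sed 's/^[^[:space:]]*[[:space:]]*//; s/(.*//')
        if export_allows_unprivileged_port "$line"; then
            verdict="accepts unprivileged source ports"
        else
            verdict="requires source port < 1024; a forwarded mount fails with NFS4ERR_PERM"
        fi
        printf '%s\n  -> %s\n' "$line" "$verdict"
        case "$host" in
            '*'|0.0.0.0/0.0.0.0|0.0.0.0/0)
                if has_option "$line" no_root_squash; then
                    printf '  -> WARNING: world-open export with no_root_squash\n'
                fi ;;
        esac
    done
}

# Constructed sample: the question's export line, the same line with
# "insecure", and a world-open variant that should draw a warning.
audit_exports <<'EOF'
# /etc/exports (sample)
/mnt/x 192.168.0.0/16(rw,sync,no_subtree_check,no_root_squash,fsid=1)
/mnt/x 192.168.0.0/16(insecure,rw,sync,no_subtree_check,no_root_squash,fsid=1)
/mnt/x 0.0.0.0/0.0.0.0(insecure,rw,sync,no_subtree_check,no_root_squash,fsid=1)
EOF
```

The "secure" check is only a meaningful control while every host in the export's address range reserves ports below 1024 for root; once a forwarder sits in the path, that assumption is gone on purpose, so the access decision has to rest on the host list (the address the server actually sees the connection from) and, where possible, on `sec=krb5` rather than on the source port. Leaving `0.0.0.0/0.0.0.0` together with `no_root_squash` and `insecure` in place after debugging is exactly the combination the audit above warns about.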