NFS4 uses a fixed port that can be opened in the firewall. NFSv3
portmapper (which is on a fixed port), but NFS uses a random port generated by
the portmapper. This makes it much much harder to allow through a firewall
(and it the main reason why NFSv4 uses a fixed port).
To be a bit more specific:
The primary NFSv3 RPC program, NFS, does use a fixed port, 2049 (unless overridden),
however MOUNT, STATD, and LOCK all use dynamic port as assigned by the TCP stack (not
exactly random, and not assigned by rpcbind). With MOUNT not being on a well known port,
there must be additional configuration for it to work with firewall as you discovered.