diff --git a/nixos/modules/services/network-filesystems/nfsd.nix b/nixos/modules/services/network-filesystems/nfsd.nix
index 2217fec3b0f7..57d56cd72877 100644
--- a/nixos/modules/services/network-filesystems/nfsd.nix
+++ b/nixos/modules/services/network-filesystems/nfsd.nix
@@ -56,6 +56,14 @@ in
           default = false;
           description = "Whether to create the mount points in the exports file at startup time.";
         };
+
+        mountdPort = mkOption {
+          default = null;
+          example = 4002;
+          description = ''
+            Use fixed port for rpc.mountd, usefull if server is behind firewall.
+          '';
+        };
       };
 
     };
@@ -138,7 +146,10 @@ in
         restartTriggers = [ exports ];
 
         serviceConfig.Type = "forking";
-        serviceConfig.ExecStart = "@${pkgs.nfsUtils}/sbin/rpc.mountd rpc.mountd";
+        serviceConfig.ExecStart = ''
+          @${pkgs.nfsUtils}/sbin/rpc.mountd rpc.mountd \
+              ${if cfg.mountdPort != null then "-p ${toString cfg.mountdPort}" else ""}
+        '';
         serviceConfig.Restart = "always";
       };
 
diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix
index e8c3d8ab56d5..c902b9e07905 100644
--- a/nixos/modules/tasks/filesystems/nfs.nix
+++ b/nixos/modules/tasks/filesystems/nfs.nix
@@ -24,13 +24,37 @@ let
     Method = nsswitch
   '';
 
+  cfg = config.services.nfs;
+
 in
 
 {
+  ###### interface
+
+  options = {
+
+    services.nfs = {
+      statdPort = mkOption {
+        default = null;
+        example = 4000;
+        description = ''
+          Use fixed port for rpc.statd, usefull if NFS server is behind firewall.
+        '';
+      };
+      lockdPort = mkOption {
+        default = null;
+        example = 4001;
+        description = ''
+          Use fixed port for NFS lock manager kernel module (lockd/nlockmgr),
+          usefull if NFS server is behind firewall.
+        '';
+      };
+    };
+  };
 
   ###### implementation
 
-  config = mkIf (any (fs: fs == "nfs" || fs == "nfs4") config.boot.supportedFilesystems) {
+  config = mkIf (any (fs: fs == "nfs" || fs == "nfs4") config.boot.supportedFilesystems) ({
 
     services.rpcbind.enable = true;
 
@@ -60,7 +84,10 @@ in
           '';
 
         serviceConfig.Type = "forking";
-        serviceConfig.ExecStart = "@${pkgs.nfsUtils}/sbin/rpc.statd rpc.statd --no-notify";
+        serviceConfig.ExecStart = ''
+          @${pkgs.nfsUtils}/sbin/rpc.statd rpc.statd --no-notify \
+              ${if cfg.statdPort != null then "-p ${toString statdPort}" else ""}
+        '';
         serviceConfig.Restart = "always";
       };
 
@@ -90,5 +117,9 @@ in
         serviceConfig.Restart = "always";
       };
 
-  };
+  } // mkIf (cfg.lockdPort != null) {
+    boot.extraModprobeConfig = ''
+      options lockd nlm_udpport=${toString cfg.lockdPort} nlm_tcpport=${toString cfg.lockdPort}
+    '';
+  });
 }