The -v option did give more info (thanks JimKnopf).
When run from behind the firewall with only port 2049 open:
$ sudo mount -v -t nfs4 nas:/export/video /mnt/video
mount.nfs4: timeout set for Mon Oct 15 16:43:00 2018
mount.nfs4: trying text-based options 'vers=4.2,addr=10.0.0.3,clientaddr=192.168.100.240'
mount.nfs4: mount(2): Invalid argument
mount.nfs4: trying text-based options 'vers=4.1,addr=10.0.0.3,clientaddr=192.168.100.240'
mount.nfs4: mount(2): Invalid argument
mount.nfs4: trying text-based options 'vers=4.0,addr=10.0.0.3,clientaddr=192.168.100.240'
mount.nfs4: mount(2): Invalid argument
mount.nfs4: trying text-based options 'addr=10.0.0.3'
mount.nfs4: prog 100003, trying vers=3, prot=6
mount.nfs4: portmap query retrying: RPC: Timed out
mount.nfs4: prog 100003, trying vers=3, prot=17
mount.nfs4: portmap query failed: RPC: Timed out
mount.nfs4: trying text-based options 'vers=4.0,addr=10.0.0.3,clientaddr=192.168.100.240'
mount.nfs4: mount(2): Invalid argument
mount.nfs4: trying text-based options 'addr=10.0.0.3'
mount.nfs4: prog 100003, trying vers=3, prot=6
mount.nfs4: portmap query retrying: RPC: Timed out
mount.nfs4: prog 100003, trying vers=3, prot=17
mount.nfs4: portmap query failed: RPC: Timed out
mount.nfs4: trying text-based options 'vers=4.0,addr=10.0.0.3,clientaddr=192.168.100.240'
mount.nfs4: mount(2): Invalid argument
…
When vero is on the same network as NAS (no firewall):
$ sudo mount -v -t nfs4 nas:/export/video /mnt/video
mount.nfs4: timeout set for Mon Oct 15 16:52:01 2018
mount.nfs4: trying text-based options 'vers=4.2,addr=10.0.0.3,clientaddr=10.0.0.240'
mount.nfs4: mount(2): Invalid argument
mount.nfs4: trying text-based options 'vers=4.1,addr=10.0.0.3,clientaddr=10.0.0.240'
mount.nfs4: mount(2): Invalid argument
mount.nfs4: trying text-based options 'vers=4.0,addr=10.0.0.3,clientaddr=10.0.0.240'
mount.nfs4: mount(2): Invalid argument
mount.nfs4: trying text-based options 'addr=10.0.0.3'
mount.nfs4: prog 100003, trying vers=3, prot=6
mount.nfs4: trying 10.0.0.3 prog 100003 vers 3 prot TCP port 2049
mount.nfs4: prog 100005, trying vers=3, prot=17
mount.nfs4: trying 10.0.0.3 prog 100005 vers 3 prot UDP port 56021
(mount is successful in this case)
Please notice the mount.nfs4: mount(2): Invalid argument
error that appears every time the version is >= 4. It goes away when mount.nfs4 falls back to version 3. But NFSv3 needs more ports open on firewall, not just 2049…
Just for a reference, this is what I get from ubuntu client:
sudo mount -vvv -t nfs4 nas:/export/video /mnt/video
mount.nfs4: timeout set for Mon Oct 15 16:58:16 2018
mount.nfs4: trying text-based options 'addr=10.0.0.3,clientaddr=10.0.0.134'